For acquirers who assumed their existing review process was sufficient, the last 18 months have delivered a clear signal: it is not.
Card schemes have moved well beyond treating merchant monitoring as a best practice. Mastercard and Visa have each updated their compliance frameworks in ways that impose specific operational requirements on acquirers, not general guidance.
The gap between having a monitoring policy and running a compliant monitoring program has never been wider, and scheme auditors are now equipped to find it.
This article breaks down what has actually changed, what the schemes specifically require, and what a compliant program looks like in practice.
For years, most acquirers operated periodic review cycles: annual or semi-annual checks on merchant websites, transaction pattern reviews, and onboarding due diligence updated infrequently. That model was broadly acceptable when scheme requirements were written in general terms.
That era is over.
Mastercard's Security Rules and Procedures now codify a Merchant Monitoring Program (MMP) with specific requirements for frequency, scope, evidence standards, and service provider engagement. Visa's compliance framework for high-integrity risk merchants, formerly called the Global Brand Protection Program (GBPP) and replaced in May 2023 by the Visa Integrity Risk Program (VIRP), imposes parallel obligations.
Both programs now include defined enforcement mechanisms and financial penalties.
Acquirers who discover they are out of scope during a scheme audit do not receive a warning and a grace period. Fines begin, escalate, and create remediation timelines that add operational burden on top of the financial cost.
The Mastercard MMP operates under the Business Risk Assessment and Mitigation (BRAM) framework. The practical requirements for acquirers include:
Merchant Monitoring Service Provider (MMSP) engagement. Mastercard requires acquirers to engage one or more Mastercard-approved MMSPs. These are not optional monitoring tools. They are certified service providers that must be formally registered with Mastercard and contracted to perform both initial scans and ongoing monitoring.
Acquirers that attempt to self-certify without Mastercard MMSP approval must demonstrate compliance against the same technical and procedural standards.
Pre-transaction scanning. For merchants onboarded on or after January 1, 2026, acquirers must conduct a content and/or transaction laundering scan before the merchant processes their first transaction. This requirement eliminates the legacy practice of onboarding a merchant and monitoring them afterward once volume begins.
Full website coverage, including gated content. The revised MMP standards extend persistent monitoring requirements to members-only and password-protected areas of merchant websites. Surface-level scanning of the public homepage is no longer sufficient to satisfy the standard. If a merchant's business model includes subscription content or gated product areas, those sections must be within scope.
Risk-based review frequency. Higher-risk merchants require more frequent review cycles. The framework does not prescribe a single universal cadence. Instead, it requires acquirers to calibrate frequency based on a documented risk assessment for each merchant category.
Documented audit trail. Every monitoring action must be logged and retrievable. Scheme auditors reviewing compliance do not accept verbal assurances. They expect evidence: timestamps, scan records, remediation actions, and escalation decisions. The evidence requirement applies retroactively to the monitoring history acquirers maintain.
On enforcement, Mastercard's compliance manual references fines ranging from $5,000 to $200,000 per violation, with escalating penalties for repeat offenses and cases involving systemic non-compliance. The fine structure is not theoretical; acquirers with gaps in their monitoring programs have received formal notices.
Visa's framework operates on a comparable logic but through different program mechanics. The GBPP was replaced by VIRP in May 2023, introducing a tiered classification for high-integrity risk merchants and updated requirements for acquirer monitoring obligations.
Under VIRP, acquirers are responsible for:
Where Mastercard's MMP focuses heavily on the BRAM risk classification methodology and MMSP certification, Visa's VIRP is more explicit about merchant category risk thresholds and the registration obligations that trigger before processing begins. Acquirers with large portfolios in certain verticals face both sets of requirements simultaneously.
The two programs overlap substantially in intent but differ in the specifics of who qualifies as in-scope, what triggers a review, and what constitutes satisfactory evidence. Operating a single monitoring process designed for one scheme and assuming it satisfies the other is a common gap that auditors identify.
Most acquirers have a written merchant monitoring policy. Far fewer have a merchant monitoring program that satisfies what the schemes are now auditing for.
The distinction is operational. A policy describes what the acquirer intends to do. A program is the documented, evidence-generating process that demonstrates it was actually done.
The specific gaps we observe most frequently include:
The broader context is significant. According to a January 2026 Nilson Report study, payment card fraud losses totaled $33.41 billion worldwide in 2024, with projections rising toward $41 billion by 2030. Merchant-facilitated fraud, including transaction laundering and content violations, accounts for a meaningful portion of that exposure.
The scheme programs described above are, in part, a response to that trend. Acquirers that treat monitoring as a compliance exercise rather than a risk control function miss both dimensions of the problem.
A program that satisfies both Mastercard MMP and Visa VIRP requirements in practice includes the following components:
Initial scan before activation. Every newly onboarded merchant undergoes a structured content scan before their first transaction is processed. The scan covers the primary domain, any linked subdomains, and identifiable related properties.
Continuous web presence analysis. The merchant's website is monitored on an ongoing basis for content changes that could trigger a scheme classification (prohibited products, regulated services, brand misuse, MCC misalignment). This is not a monthly check-in. It is a persistent monitoring function with a defined review cycle calibrated to the merchant's risk tier.
MCC validation and drift detection. The merchant's actual business activity is compared against their registered Merchant Category Code on an ongoing basis. A merchant classified as a general retailer that begins selling regulated health products, for example, represents both a content risk and an MCC accuracy issue.
Gated and members-only content coverage. For merchants with subscription or access-controlled content, the monitoring program must include that content within scope. This requires a more structured approach than passive domain scanning.
Documented remediation and escalation records. When monitoring surfaces a potential issue, the acquirer's response, including assessment, communication, and resolution, must be logged. Auditors reviewing a monitoring program examine the exception workflow, not only the scanning process.
MMSP engagement and registration. For Mastercard MMP compliance, acquirers must formally engage an approved MMSP and maintain that relationship as a documented element of their compliance program.
Building a compliant merchant monitoring program against current MMP and VIRP requirements is primarily an infrastructure problem. The monitoring needs to be continuous, evidence-generating, and capable of covering the full scope of what the schemes now audit for, including pre-transaction scans, gated content, related domains, and MCC drift.
Most acquirers find that their existing tooling was built for a lighter standard.
We work with acquirers and payment facilitators to operationalize exactly the components described above. That means deploying AI agents that analyze merchant web presence continuously across public and access-controlled content, in any language, and generating structured audit-ready reports at scale.
For a portfolio under active scheme review, turnaround on a merchant report is typically around 10 minutes.
A few specifics relevant to MMP compliance:
Evidence trail output is structured for audit review: timestamped, searchable, and formatted to meet the documentation standard both Mastercard and Visa expect
For teams currently assessing their monitoring program against MMP or VIRP obligations, we offer 5 free merchant reports at ballerine.com/wp-trial to run against merchants already in your portfolio.
Ballerine provides AI-powered merchant risk and compliance infrastructure for acquirers, payment facilitators, and marketplaces operating at scale.
For acquirers managing Mastercard MMP and Visa VIRP obligations, Ballerine deploys contextual AI agents that analyze merchant web presence continuously, covering public content, gated areas, and related domains.
Reports are typically generated within approximately 10 minutes per merchant and are language-agnostic, supporting portfolio coverage across multiple geographies without manual translation or local vendor coordination.
Key capabilities relevant to scheme compliance: initial pre-transaction scans, persistent web presence monitoring, MCC validation, prohibited content detection, transaction laundering signals, and merchant acquiring risk management.
Every monitoring action generates a structured, timestamped evidence trail formatted for audit review, directly addressing the documentation requirements under both MMP and VIRP.
For teams building or upgrading their merchant monitoring program to meet current scheme standards, Ballerine offers 5 free merchant reports at ballerine.com/wp-trial or you can schedule a demo.