Related Questions
Acquirers, payment facilitators (PayFacs), and independent sales organizations (ISOs) processing Mastercard volume are now working against a firm compliance deadline. Mastercard's Merchant Monitoring Service Provider (MMSP) program establishes who is permitted to perform merchant risk monitoring on behalf of acquiring institutions, and how that monitoring must be conducted.
July 24, 2026 is the hard enforcement date for the most recent set of revised standards, published under Mastercard document GLB 12772, which updates the Security Rules and Procedures governing scam merchant investigation obligations.
This article explains what the MMSP program actually requires, what the July 24 deadline means operationally, and how to evaluate your options before the window closes.
The MMSP program is Mastercard's certification framework for third-party providers that perform merchant monitoring on behalf of acquirers. It is not an advisory guideline or a best-practice recommendation. Mastercard requires acquirers to either work with a certified MMSP or demonstrate equivalent in-house capability meeting the same standards.
The program governs two distinct functions.
Merchant onboarding risk assessment. Evaluating merchants at the point of application, before card volume begins flowing. This includes web presence analysis, digital footprint analysis, content categorization, and risk scoring against Mastercard's prohibited and restricted merchant categories, including those covered under the Business Risk Assessment and Mitigation (BRAM) program.
For a detailed breakdown of BRAM requirements and what they mean for acquirers, see Ballerine's BRAM reference.
Ongoing transaction and content monitoring. Continuous or periodic review of active merchant accounts for content changes, URL-level risk signals, and transaction pattern anomalies that may indicate a merchant's actual activity has drifted from what was disclosed at onboarding.
Under the January 2026 MMP updates, acquirers are required to carry out periodic reviews covering total transaction count and volume, refund and chargeback rates, average ticket size, and activities inconsistent with the merchant's stated business model.
The distinction between onboarding and ongoing monitoring matters operationally. Many legacy approaches treated onboarding as the primary risk gate. The MMSP program and the updated MMP standards treat both as equally required and ongoing obligations, not point-in-time events.
The program is governed by Mastercard's Security Rules and Procedures (the SPME Manual). The scam merchant investigation requirements effective July 24, 2026 are specifically outlined in GLB 12772.
The July 24, 2026 deadline is not a transition milestone. It is the effective date for revised standards that introduce defined investigation obligations when specific triggers are present.
Under the revised standards, acquirers and PayFacs must initiate an investigation within 72 hours if any of the following conditions indicate a merchant may be a potential scam operation:
If the investigation confirms scam activity, the acquirer must stop the merchant from submitting Mastercard and Maestro transactions immediately. Acquirers are also required to conduct daily checks of the FLD for new scam merchant listings.
The July 24 deadline is not a grace period extension. The January 1, 2026 MMP updates covering ongoing deposit monitoring and screening standards are already in effect. July 24 adds the scam-specific investigation
Certification under the MMSP program is not a one-time audit. It carries ongoing operational obligations. Based on our experience working within this framework, certification requires demonstrating capability across three areas.
Technical requirements. Providers must demonstrate real-time or near-real-time web scanning at the URL level, content categorization that maps to Mastercard's prohibited and restricted merchant category taxonomy (including BRAM categories), and the ability to detect risk signals across a merchant's full digital footprint, including secondary URLs, subdomains, and linked properties.
Ballerine's merchant monitoring platform is built specifically around these requirements, covering initial scans at onboarding and continuous portfolio-level monitoring.
Keyword-matching approaches alone are generally insufficient for this level of categorization. Contextual analysis, which evaluates the meaning and intent of content rather than the presence of specific terms, produces significantly better detection accuracy.
In our experience, contextual AI-based monitoring consistently produces far fewer false positives than keyword-matching approaches, with a meaningful reduction in manual review overhead as a direct result.
Operational requirements. Certified providers must maintain defined escalation workflows, documented audit trails, and structured reporting cadences to the acquiring institutions they serve. The monitoring function must produce evidence, not just outputs. If a merchant is flagged, escalated, or cleared, that process needs to be traceable, and the documentation needs to hold up during a Mastercard audit.
Compliance and audit obligations. Mastercard retains audit rights over certified providers. Recertification is periodic. Providers must demonstrate continued compliance with updated standards as Mastercard's category definitions evolve. The January 2026 and July 2026 changes are examples of this ongoing evolution, and both required meaningful updates to monitoring logic.
The practical implication for acquirers: certification transfers certain obligations to the MMSP, but not all accountability. If your monitoring provider is certified, your exposure is materially reduced. If your provider loses certification or fails an audit, that exposure returns to you.
Some acquirers have explored building in-house monitoring capability that meets MMSP-equivalent standards. The build path is feasible, but the total cost of ownership is consistently underestimated.
In-house build costs include:
The category mapping maintenance point deserves emphasis. An in-house system that is accurate today may require significant re-engineering after a scheme update. Certified providers absorb this update cycle as part of their service, because their own certification depends on staying current.
The fine offset calculation. BRAM violations carry fines in the range of $5,000 to $200,000 per violation, with exposure potentially reaching six figures per transaction in the most serious cases. In our experience working with acquirers across multiple jurisdictions, documented monitoring programs have consistently supported meaningful fine mitigation outcomes during scheme reviews.
The principle is straightforward: a certified MMSP produces an auditable record of due diligence that an unsupported in-house process cannot replicate, and Mastercard's own program structure creates incentives for acquirers to use certified providers precisely because certified coverage reduces scheme-level exposure.
This is a hard dollar consideration, not a soft reputational benefit. Compliance leads should model the potential fine exposure explicitly when building the internal business case.
Using a certified provider typically involves:
The build vs. buy comparison is rarely close when modeled at full cost over a three-to-five-year horizon, particularly for mid-sized acquirers and PayFacs who would otherwise need to build and maintain a dedicated monitoring function.
Acquirers who do not have compliant merchant monitoring in place by July 24, 2026 face two categories of risk.
Scheme-level consequences. Mastercard audits surface monitoring gaps. Acquirers without compliant monitoring, whether through a certified MMSP or a verified in-house equivalent, face increased exposure to BRAM fines and potential restrictions on merchant volume.
Public sources place the BRAM fine range at $5,000 to $200,000 per violation. Beyond fines, the July 2026 standards create specific procedural obligations with time-bound requirements. Missing a 72-hour investigation window after a qualifying trigger is a documented compliance failure, not an ambiguous gray area.
Portfolio liability. The more significant long-term risk for many acquirers is retroactive exposure on existing merchant portfolios. Merchants who were onboarded or monitored using non-compliant processes represent potential liability if problematic activity is later identified. Without a documented monitoring record, the acquirer's position in any scheme review is materially weaker.
The daily FLD check requirement, now mandatory under the revised standards, is a concrete example of an obligation that creates an audit trail, or its absence. Acquirers who cannot demonstrate consistent FLD monitoring have a gap that is visible and verifiable during a scheme review.
Certification is table stakes. The major providers operating in this space are all MMSP certified. Certification status alone does not differentiate them.
The evaluation criteria that matter operationally are:
Detection methodology. Does the provider use contextual AI-based analysis or keyword matching? Contextual analysis produces materially better accuracy across ambiguous content categories, which is where the most consequential merchants tend to operate. The false positive rate is a useful proxy metric. High false positive rates create manual review overhead that scales poorly with portfolio growth.
URL-level granularity. Merchant-level monitoring is insufficient. Certified monitoring must operate at the URL and subdomain level, because high-risk content is frequently hosted on secondary pages or linked properties that are not visible at the root domain.
Monitoring frequency. How often are active merchants re-scanned? What triggers an out-of-cycle review? The July 2026 standards require daily FLD checks and 72-hour investigation response times. Provider monitoring cadence must be compatible with those obligations.
Integration approach. API-first providers allow compliance teams to integrate monitoring outputs directly into existing workflows, case management systems, and reporting structures. Portal-only providers require manual process steps that create audit trail gaps and increase operational overhead.
Escalation workflows. Ask how the provider handles edge cases. What is the documented process when a merchant flags at a borderline risk level? How quickly does the provider update its category mappings after a Mastercard scheme update? How are acquirers notified of newly identified risks in their existing portfolios?
Reporting quality. Scheme audits require documentation. Ask to see sample reports. The output needs to be structured for audit use, not just operational use.
These questions apply equally to any certified provider. We recommend using them as a standard evaluation checklist regardless of which vendor is under review.
The July 24, 2026 deadline is a hard enforcement date, not a guideline. If your monitoring program does not currently meet the investigation response requirements and daily FLD check obligations introduced under GLB 12772, the gap is measurable and auditable.
Start with an honest assessment of two things: what your merchant onboarding process currently captures at the point of application, and whether your ongoing merchant monitoring produces the audit trail and escalation documentation that scheme reviews require.
Any certified MMSP should be able to walk through their certification scope, technical methodology, and integration requirements in a structured conversation. We have worked with compliance teams at acquirers and PayFacs on exactly this scoping exercise. If a structured checklist or gap assessment framework would be useful, we are glad to share one.
MMSP compliance is not a static certification exercise. Merchant risk evolves after onboarding: business models shift, web content changes, new URLs appear, and transaction patterns drift from what was disclosed at application. That is why the monitoring function needs to be continuous, evidence-driven, and auditable at every step, not a point-in-time review that satisfied a checklist at signup.
Ballerine is a certified MMSP that helps acquirers, PayFacs, and ISOs meet their Mastercard obligations across both dimensions of the program. At onboarding, Ballerine's merchant risk assessment evaluates web presence, digital footprint, business model classification, and content categorization against Mastercard's prohibited and restricted merchant category taxonomy.
After onboarding, ongoing merchant monitoring tracks content changes, URL-level risk signals, and transaction pattern anomalies across the active portfolio on a continuous basis.
The platform is built API-first, which means monitoring outputs integrate directly into existing acquirer workflows, case management systems, and audit trail infrastructure.
Escalation logic, investigation documentation, and reporting cadence are all configurable to match the procedural requirements that Mastercard audits look for, including the 72-hour investigation response window and daily FLD check obligations that take effect July 24, 2026.
For compliance teams building an internal business case ahead of the deadline, we are glad to walk through how the certification scope maps to your current monitoring gaps, and what a remediation timeline looks like from where you are today.
edited%205.webp)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
