I see this confusion come up regularly among compliance and risk teams reviewing their merchant monitoring programs. It is not a trivial misunderstanding. Teams that conflate the MMP with the MMSP sometimes believe they are meeting Mastercard's requirements when they are not. Here is a precise account of what each term means and why the distinction matters operationally.
The Merchant Monitoring Program (MMP) is Mastercard's mandatory compliance framework requiring acquirers, PSPs, and payment facilitators (PayFacs) to perform continuous, documented monitoring of merchant activity throughout the full merchant relationship lifecycle.
The MMP defines what must be done. It requires a pre-transaction scan before merchant activation, ongoing monitoring for Brand Risk and Merchant Monitoring (BRAM) violations and transaction laundering, monitoring of gated and members-only merchant content, structured issue resolution within 15 calendar days of detection, and audit-ready documentation that satisfies Mastercard's data integrity standards.
The MMP does not specify how the monitoring is performed or who performs it, with one significant exception: the program requires that monitoring be conducted by or in conjunction with a Mastercard-certified Merchant Monitoring Service Provider. That requirement is where the MMSP comes in.
The MMP is governed by Mastercard's Security Rules and Procedures Manual. The program was substantially updated effective January 1, 2026.

A Merchant Monitoring Service Provider (MMSP) is a third-party organization that Mastercard has evaluated and certified to perform merchant monitoring services to the program's standards. The MMSP is the mechanism through which acquirers and PSPs fulfill their MMP obligations.
Mastercard certifies MMSPs against defined program criteria. Only providers approved through this process hold MMSP status. An acquirer that engages an uncertified monitoring vendor has not satisfied its MMP obligation, regardless of the technical quality of the monitoring that vendor performs.
This is the point that creates the most compliance exposure in practice. A monitoring vendor and a certified MMSP are not the same category. The former may be technically capable. Only the latter satisfies the program requirement.
MMP is the obligation. MMSP is the certified mechanism for meeting it.
One way to frame it: the MMP is the rule, and the MMSP is the licensed practitioner Mastercard requires you to engage to comply with it. The analogy is not exact, but it captures the structural relationship.
Having robust internal monitoring capability does not substitute for the MMSP certification requirement, just as having strong internal controls does not substitute for certain external audit obligations in regulated industries.
The January 2026 MMP updates formalized obligations that had previously been less precisely defined. Two specific changes made the MMSP certification requirement significantly more consequential.
First, the updates introduced a mandatory pre-transaction scan requirement. Before a merchant processes its first transaction, an initial scan must be completed using Mastercard-specified data inputs, including legal business names, DBAs (doing-business-as names), merchant URLs, and MMSP-specific data fields. This scan must be performed by or in conjunction with a certified MMSP and documented for audit purposes.
Second, the updates explicitly extended monitoring scope to gated and members-only merchant content. Merchants increasingly operate behind login walls, membership barriers, and age verification screens. Mastercard now requires that these areas be monitored as part of a compliant program. This rules out monitoring tools and vendor arrangements that only scan publicly accessible pages.
Compliance teams with existing monitoring arrangements faced a real gap assessment problem in early 2026. The relevant questions were: does the vendor hold current MMSP certification, and does the monitoring scope include gated content access? If the answer to either question is no, the MMP obligation is not being met, regardless of how long the monitoring arrangement has been in place.
If you are an acquirer or PSP reviewing your current merchant monitoring arrangements, we recommend confirming three things before treating existing arrangements as compliant with the January 2026 standards.
First, MMSP certification status. Does your current provider hold current Mastercard MMSP certification? This should be confirmed directly, not assumed from the vendor's own characterization of its capabilities.
Second, gated content access. Does the monitoring scope include password-protected and membership-gated merchant content? This is a baseline requirement under the updated MMP. We see compliance teams pass the first check and fail the second. Gated content access requires purpose-built technical capability. Most general-purpose web monitoring tools do not provide it.
Third, the 15-day resolution workflow. Are identified violations connected to an investigation and remediation process that consistently closes issues within Mastercard's required 15-day window? A monitoring trigger is only useful if it leads to timely, documented action.
The terms MMP and MMSP describe different layers of the same compliance obligation. The MMP sets the rules that every Mastercard acquirer must follow. The MMSP is the specific category of certified provider through which those rules must be satisfied.
Using a monitoring vendor that is not a certified MMSP does not constitute MMP compliance. Having a certified MMSP but lacking gated content monitoring capability does not constitute full MMP compliance under the 2026 standards. Both conditions must be met together.
We find this distinction matters most when compliance teams are onboarding a new vendor or reviewing an inherited arrangement. The question is not whether monitoring is happening. The question is whether the monitoring is being performed by a certified MMSP and covers the full scope the program now requires.
Ballerine is a Mastercard-certified MMSP, meeting the program's requirements for BRAM and transaction laundering monitoring. Our platform supports acquirers and PSPs in fulfilling MMP obligations through pre-transaction scanning at onboarding, continuous monitoring of both public and gated merchant content, audit-ready reporting, and structured issue resolution workflows. For compliance teams evaluating their current MMSP arrangements against the January 2026 standards, we are available to walk through what compliant monitoring scope looks like in practice.