No URL, Full Liability: The Merchant Monitoring Gap in Social Commerce

Robert Ellenhorn
Jun 15, 2026

A merchant with no website is no longer an edge case. Across emerging markets, the direct-to-consumer (D2C) segment, and micro-commerce, a growing share of active merchants operate entirely through social platforms: Instagram shops, Facebook Marketplace, TikTok Shop, WhatsApp catalogs. They take orders through stories, close sales through direct messages, and never register a domain.

For acquirers, this creates a compliance problem that most monitoring frameworks were not designed to handle, and that card scheme rules do not excuse.

The Infrastructure Assumption Underneath Merchant Monitoring

Mastercard's Merchant Monitoring Program (MMP) and Visa's Integrity Risk Program (VIRP, formerly the Global Brand Protection Program, or GBPP, until May 2023) both require acquirers to monitor their merchant portfolios on an ongoing basis.

The stated purpose is consistent across both schemes: identify prohibited content, detect illegal goods, and flag brand-damaging activity before it generates chargebacks, regulatory exposure, or scheme violations.

Both frameworks were built around a central assumption: the merchant has a URL.

The merchant descriptor URL field is the standard anchor point in monitoring workflows. It is what gets submitted to Merchant Monitoring Service Providers (MMSPs). It is what gets crawled, analyzed, and included in the compliance report. The entire operational architecture of merchant monitoring flows through that field.

When the field is empty because no website exists, the monitoring workflow stalls. But the liability does not.

[Figure: When the URL field is empty, monitoring stalls]

What the Schemes Require, and What They Do Not Excuse

Neither Mastercard nor Visa provides an exemption for social-only merchants. The obligation to monitor applies regardless of whether the merchant operates a standalone website, sells through a marketplace, or runs entirely through a social platform.

Mastercard's MMP rules and compliance standards, updated with requirements taking effect in 2026, expand the scope of acquirer monitoring obligations and introduce defined investigation timelines for flagged merchants. Acquirers are expected to monitor wherever the merchant operates commercially.

Visa's VIRP carries a parallel standard. Per Visa's Payment Facilitator and Marketplace Risk Guide, the program monitors the Visa payment system for illegal activity and merchants with miscoded transactions, and acquirers bear responsibility for ensuring their portfolios comply. The channel through which a merchant operates does not reduce that obligation.

Neither scheme provides an exemption or reduced monitoring standard for social-only merchants. The acquirer owns the risk in full. For a detailed breakdown of how Mastercard's MMSP certification requirements apply to acquirer monitoring programs, see Ballerine's MMSP Compliance overview.

How Most Acquirers Are Handling It

In our experience, acquirers fall into one of four patterns when a social-only merchant appears in their portfolio. None of these patterns fully addresses the compliance obligation.

Manual spot-checks. Compliance staff periodically review a merchant's social profiles by hand. This is labor-intensive, inconsistent, and difficult to document for audit purposes. It is also not scalable. The effort required to manually review even a small social-only portfolio meaningfully exceeds the capacity of most compliance teams.

No monitoring at all. This is the most common pattern we observe. The merchant passes onboarding, often with lighter scrutiny because there is less structured content to review, and is then effectively invisible to the monitoring program. The acquirer's liability continues to accrue; the early-warning signal does not.

Blanket refusal to board. Some acquirers have resolved the problem by not taking it on. Merchants without a URL are declined. This eliminates the monitoring gap, but it also means declining a commercially significant and structurally growing segment of small business commerce.

Requiring a URL as a boarding condition. Merchants are told to stand up a website before they can be onboarded. In practice, this often produces placeholder pages with minimal content. The URL exists; the substantive monitoring value does not. The checkbox is satisfied. The risk is not addressed.

None of these approaches reflects a considered solution. They are workarounds that either ignore the problem, decline the revenue, or create the appearance of compliance without the substance.

[Figure: Four workarounds that leave the social commerce monitoring gap open]

Why Legacy Monitoring Tools Cannot Fill the Gap

Established URL-based monitoring providers built capable technology for the environment their programs were designed to address: websites. They crawl URLs, analyze page structure and content, cross-reference product listings against prohibited category databases, and generate reports that acquirers can submit to schemes as evidence of due diligence.

Social media profiles are structurally different in ways that make this approach ineffective:

Content is ephemeral. Instagram Stories and TikTok videos disappear within 24 hours. A merchant can run a promotion for a prohibited product category, collect orders through direct messages, and leave no persistent record on their public profile. A crawl performed the following day finds nothing.

Activity occurs in private channels. A substantial portion of social commerce happens in direct messages, group chats, and stories visible only to approved followers. This content is inaccessible to any external scanner, regardless of how sophisticated the crawling logic is.

Platforms actively restrict commercial scraping. Social platforms enforce terms of service that prohibit automated data collection by third parties. Providers attempting social monitoring work against platform constraints that limit both coverage and consistency.

Content is primarily visual. Product listings on Instagram are images and videos, not structured text. A keyword-based scanner looking for the phrase "counterfeit goods" will not identify a video demonstrating replica luxury products. The monitoring logic needs to interpret visual content in context, not match text strings.

The cumulative effect is that MMSP-certified monitoring, the standard acquirers rely on for scheme compliance, addresses URL-based merchant activity. If a merchant's commercial activity lives on social platforms, the certification report does not reflect it.

The Liability Stack in Practice

Consider a social-only merchant in an emerging market that was onboarded with light diligence, assigned a broad Merchant Category Code (MCC), and never monitored after activation. Six months later, chargeback rates spike. A scheme audit identifies transaction laundering. The acquirer is fined.

At that point, the acquirer faces several compounding problems:

  • There are no monitoring reports covering the merchant's activity during the period in question. There is no documented evidence of oversight.

  • The chargeback exposure is the same as it would be for any merchant of equivalent volume. The channel does not change the financial liability.

  • The merchant's social profiles may have already been deleted or modified. The evidence that could have triggered early intervention is gone.

  • The MMSP certification the acquirer relies on for other merchants in the portfolio does not apply here.

The liability is identical to that of a URL-based merchant with equivalent violations. The acquirer's operational position is materially worse, because the monitoring infrastructure that would normally provide early warning was absent from the start.

Social-only merchants frequently fall into higher-risk product and business categories. For context on how acquirers typically approach risk segmentation by vertical, see Ballerine's high-risk vertical coverage framework.

What Effective Monitoring of Social-Only Merchants Requires

Closing this gap requires a different set of capabilities than traditional URL-based monitoring. Acquirers building or procuring a merchant monitoring program for social-only merchants need to evaluate providers against the following criteria:

Automated social profile analysis. Public-facing social profiles can be scanned for content that suggests prohibited product categories, anomalous pricing, platform policy violations, or MCC mismatches. This requires tooling built specifically for social platforms, not adapted from web crawlers.

Transaction pattern correlation. A merchant's social-facing commercial activity should be consistent with their registered MCC and transaction profile. We routinely evaluate discrepancies: a merchant marketing premium goods on social but processing at low average transaction values, or posting high-frequency product content in a category inconsistent with their registered business type.

These patterns warrant investigation before a problem becomes a liability event.
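
The two discrepancies named above (premium goods marketed against a low average ticket, and product content outside the registered business type), written as a portfolio check. This is an added example, not code from the article or from Ballerine's platform. The category labels, the MCC-to-category mapping, the thresholds and the sample merchants are all constructed assumptions; in practice the labels would come from upstream content analysis of the merchant's public social listings.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed mapping (assumption): content categories treated as
# consistent with each registered MCC.
EXPECTED_CATEGORIES = {
    "5651": {"apparel"},             # family clothing stores
    "5944": {"jewelry", "watches"},  # jewelry and watch stores
}


@dataclass
class Listing:
    category: str            # label from upstream content analysis (assumed)
    advertised_price: float  # price shown in the social listing


@dataclass
class Merchant:
    merchant_id: str
    registered_mcc: str
    avg_ticket: float        # average transaction value in the review window
    listings: list = field(default_factory=list)


def review(m, price_ratio=0.25, off_category_share=0.5):
    """Return the findings that warrant investigation for one merchant.

    price_ratio and off_category_share are illustrative thresholds,
    not scheme-defined values.
    """
    # Without observed listings there is nothing to correlate against;
    # report that explicitly instead of silently passing the merchant.
    if not m.listings:
        return ["NO_SOCIAL_DATA"]

    findings = []

    # Pattern 1: marketing premium goods while processing low ticket values.
    typical_price = median(l.advertised_price for l in m.listings)
    if m.avg_ticket < price_ratio * typical_price:
        findings.append("PRICE_GAP")

    # Pattern 2: product content inconsistent with the registered MCC.
    expected = EXPECTED_CATEGORIES.get(m.registered_mcc)
    if expected is None:
        findings.append("MCC_UNMAPPED")  # no baseline to compare against
    else:
        off = sum(1 for l in m.listings if l.category not in expected)
        if off / len(m.listings) >= off_category_share:
            findings.append("MCC_MISMATCH")
    return findings


def review_portfolio(merchants):
    """Map merchant_id to findings, omitting merchants with none."""
    flagged = {}
    for m in merchants:
        findings = review(m)
        if findings:
            flagged[m.merchant_id] = findings
    return flagged


# Constructed sample portfolio.
SAMPLE = [
    Merchant("M-001", "5651", 18.0, [Listing("watches", 450.0),
                                     Listing("watches", 520.0),
                                     Listing("apparel", 40.0)]),
    Merchant("M-002", "5651", 35.0, [Listing("apparel", 30.0),
                                     Listing("apparel", 45.0),
                                     Listing("apparel", 38.0)]),
    Merchant("M-003", "5944", 120.0),  # no listings observed
]

if __name__ == "__main__":
    for merchant_id, findings in review_portfolio(SAMPLE).items():
        print(merchant_id, findings)
```

A finding here is a trigger for analyst review, not a determination; a merchant with no observed listings is surfaced rather than passed, since the absence of social data is itself the gap the article describes.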

Contextual content analysis. Social media content uses informal language, regional slang, and coded terminology that keyword matching does not capture. Effective monitoring in this environment requires image recognition and natural language processing (NLP) that can interpret content in context, not just match against a prohibited-term list.

Continuous monitoring. Social profiles change on a daily basis. A quarterly manual review is not a monitoring program. It is a periodic snapshot of a moving target. The monitoring cadence needs to match the pace at which the risk environment changes.

Digital footprint stitching. Without a URL as the central anchor, risk assessment requires connecting multiple data points: social platform identities, payment descriptors, business registration records, beneficial ownership data, and transaction behavior.

Building a coherent risk profile without a URL requires assembling these signals into a unified view. This is operationally more demanding than URL-based monitoring, but it is the correct approach for a segment where the URL does not exist.

[Figure: What social-only monitoring requires]

The Strategic Position for Acquirers

Social commerce is expanding at scale. The global social commerce market reached an estimated $2.6 trillion in 2026, with growth concentrated in mobile-first markets where social platforms serve as the primary commercial infrastructure. The segment of merchants operating without a standalone website is growing, not shrinking.

Acquirers face a straightforward choice: develop a credible monitoring capability for this segment, decline it as a matter of policy, or carry the liability of monitoring nothing while the portfolio grows.

The third option is not a risk management strategy. It is an unpriced liability.

The first option requires investment in monitoring tooling and operational processes that most legacy providers do not currently offer. It also requires rethinking the URL-centric architecture that underpins most existing compliance workflows.

Acquirers that develop this capability early will be positioned to serve a commercially attractive and underserved merchant segment with confidence. Those that wait will find the liability has accumulated in the meantime.

About Ballerine

Ballerine provides merchant risk and compliance infrastructure for acquirers, payment facilitators, and marketplace operators. Our platform supports end-to-end merchant lifecycle management, including onboarding, ongoing monitoring, and risk decisioning for merchant portfolios that span both URL-based and social-only commerce. We work with risk and compliance teams to build monitoring programs that reflect the actual structure of their merchant base, not the assumptions of legacy tooling.

This article reflects practitioner observations and should not be construed as legal advice. Acquirers should verify current scheme rule obligations directly with Mastercard and Visa and consult qualified compliance counsel.

About the Author
Robert Ellenhorn, Risk Expert @ Ballerine
Robert Ellenhorn is a payments risk and compliance expert with deep expertise in merchant underwriting, transaction laundering, and fraud prevention across the payments ecosystem. Drawing on years of experience advising acquirers, PSPs, and fintechs, he focuses on helping organizations strengthen merchant onboarding, monitoring, and compliance operations through data-driven risk management and emerging AI technologies.
