Back to Glossary

Mastercard MMP (Merchant Monitoring Program)

Mastercard's Merchant Monitoring Program (MMP) is a mandatory compliance framework requiring acquirers, payment service providers (PSPs), and payment facilitators (PayFacs) to perform continuous, documented monitoring of merchant activity throughout the full merchant relationship lifecycle. The program is governed by Mastercard's Security Rules and Procedures Manual and was substantially updated effective January 1, 2026. The 2026 revision introduced mandatory use of certified Merchant Monitoring Service Providers (MMSPs), pre-transaction scanning requirements, gated content monitoring obligations, and structured audit trail standards.

The MMP is operationally distinct from Mastercard's chargeback monitoring programs. Chargeback programs respond to elevated dispute rates after transactions have occurred. The MMP is designed to identify and remediate merchant risk before violations generate financial or reputational harm to the payment ecosystem.

Context and Background

Mastercard established the MMP to address a structural gap in how acquirers managed merchant risk. Traditional merchant oversight concentrated heavily on underwriting at onboarding and periodic post-onboarding reviews. This created intervals during which merchants could operate outside permitted boundaries without detection. A merchant that passed initial underwriting could later introduce prohibited products, change its business model, or facilitate transactions on behalf of undisclosed third parties.

The MMP framework addresses this by requiring continuous oversight rather than periodic reviews. The 2026 updates extended the program's scope to include gated and members-only content, requiring that monitoring cover areas of a merchant's digital presence that are not visible to standard web crawlers.

How Mastercard's MMP Works

The MMP operates through four core requirements that acquirers must implement through certified MMSPs:

1. Pre-Transaction Scanning

Before a merchant processes its first transaction, an initial scan must be completed using Mastercard-required data inputs:

  • Legal business name and all DBAs (doing-business-as names)
  • All merchant URLs and associated digital properties
  • MMSP-specific identifiers and monitoring data

This scan must be documented and retained as part of the acquirer's compliance record. The pre-transaction timing is a program requirement.

2. Continuous Monitoring

After onboarding, merchants must be monitored on an ongoing basis for:

  • BRAM violations: Content, products, or business practices that violate Mastercard's Global Brand Protection Program (GBPP)
  • Transaction laundering: Merchants processing transactions on behalf of undisclosed businesses or individuals
  • MCC misalignment: Mismatches between a declared merchant category and the actual goods or services sold
  • Gated content: Material visible only behind login walls, membership barriers, or age verification screens

The 2026 updates make gated content monitoring an explicit program requirement. Web monitoring tools that scan only public-facing pages do not satisfy this requirement.

3. 15-Day Issue Resolution

When monitoring identifies a violation, acquirers must:

  • Document the finding with supporting evidence
  • Initiate an investigation
  • Resolve and close the issue within 15 calendar days

An issue that remains open beyond 15 calendar days constitutes a separate compliance failure under MMP rules. Compliance teams should implement structured workflows for violation tracking that make the resolution timeline visible and enforceable across the full portfolio.

4. Audit Trail Maintenance

Acquirers must retain evidence of both the initial scan and ongoing monitoring activity. Reports must meet Mastercard's data integrity standards and may not be altered after generation. Mastercard may request this documentation during scheme audits. The documentation must be a structured compliance record, not a retrospective reconstruction.

Why the 2026 Updates Matter

The January 2026 MMP updates represent a structural change in how acquirer liability for merchant conduct is defined.

Expanded post-onboarding liability: The updated standards establish that an acquirer's compliance responsibility extends throughout the full merchant relationship. A merchant that was compliant at onboarding can become a liability if its business model, products, or ownership changes after activation and ongoing monitoring does not detect it.

Mandatory certified MMSP engagement: Acquirers cannot satisfy MMP requirements through internal teams alone unless those teams hold MMSP certification. The program requires that monitoring be performed by or in conjunction with a Mastercard-approved provider. This changes the evaluation criteria for acquirers that previously managed monitoring entirely in-house.

Gated content as a baseline requirement: The explicit inclusion of gated and members-only content monitoring reflects Mastercard's determination that a material portion of prohibited merchant activity occurs behind access barriers. Monitoring programs that cover only public-facing content now have a documented compliance gap against the 2026 standards.

Audit documentation standards: The requirement that reports meet Mastercard's data integrity standards and cannot be altered after generation raises the bar above what many general-purpose monitoring tools and manual review processes produce.

Key Implementation Challenges

Compliance teams implementing MMP programs encounter several structural challenges:

  • Portfolio scale: Continuous monitoring of a large merchant portfolio cannot be managed manually. Automation is required to maintain coverage without generating alert volumes that exceed the review capacity of the compliance team.

  • Gated content access: Accessing password-protected and membership-gated merchant areas requires purpose-built technical capabilities. Standard web crawlers and general monitoring platforms do not provide this access.

  • False positive management: Detection systems calibrated too broadly generate alert volumes that create operational pressure without improving risk outcomes. Effective MMP implementation requires calibration that balances sensitivity with team throughput.

  • Audit documentation at scale: Maintaining structured, unaltered records of every monitoring event across a large portfolio requires infrastructure designed for compliance reporting, not general-purpose data collection.

  • 15-day resolution discipline: Meeting the resolution window consistently requires defined escalation workflows, clear ownership, and visibility into open items. Ad hoc investigation processes do not provide this reliably.

We usually advise compliance teams to map their existing workflows against these five dimensions before selecting an MMSP, because a gap in any one of them will create recurring compliance pressure regardless of the vendor chosen.

MMP and Other Card Scheme Programs

The MMP operates in parallel with other card scheme compliance frameworks. It is worth noting that Visa introduced its own merchant risk program, VAMP (Visa Acquirer Monitoring Program), during the same period. While the two programs share a common goal of continuous merchant oversight, they differ in scope and emphasis. Compliance teams managing both Visa and Mastercard portfolios should review the requirements of each program separately, as the specific obligations, monitoring scope, and reporting standards are not identical.

How Ballerine Addresses Mastercard MMP Requirements

Ballerine is a Mastercard-certified MMSP, meeting the program's requirements for BRAM and transaction laundering monitoring.

For pre-transaction scanning, Ballerine completes initial merchant scans using the required Mastercard data inputs at onboarding, generating an audit record before merchant activation.

For ongoing monitoring, Ballerine's platform accesses password-protected and membership-gated merchant content, satisfying the gated content requirement that took effect in January 2026.

Every monitoring event produces structured, exportable reports that are generated programmatically and cannot be altered after creation, meeting Mastercard's data integrity standards for audit documentation.

Ballerine's platform tracks identified violations from detection through resolution, providing compliance teams with visibility into open items and supporting the 15-day resolution requirement.

The Bottom Line

Mastercard's MMP now establishes continuous, documented monitoring as the compliance baseline for every acquirer in the Mastercard network. The 2026 updates did not raise the bar on an existing program in incremental ways. They redefined what compliance means: pre-transaction coverage, gated content access, mandatory MMSP certification, and a 15-day resolution discipline enforced through structured audit documentation. For compliance and risk teams, the practical question is not whether to implement MMP-compliant monitoring, but whether the current program and provider arrangement specifically meets the requirements that took effect in January 2026.

Trusted by

Related Articles

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

Turning Acceptable Use Policies into a Dynamic Decision Engine
Product update
Gadi Ben-Amram
Apr 13, 2026
Turning Acceptable Use Policies into a Dynamic Decision Engine

Apply your own Acceptable Use Policy automatically during merchant onboarding and monitoring, with clear decisions, clear reasoning, and audit-ready outcomes.

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

Turning Acceptable Use Policies into a Dynamic Decision Engine
Product update
Gadi Ben-Amram
Apr 13, 2026
Turning Acceptable Use Policies into a Dynamic Decision Engine

Apply your own Acceptable Use Policy automatically during merchant onboarding and monitoring, with clear decisions, clear reasoning, and audit-ready outcomes.

Trusted by Leaders in the Payments Ecosystem

70%

Reduced manual efforts

49%

Improved review resolution time

30%

Increase in 
detected fraud

“We were able to downsize our compliance staff’s workload significantly, which allowed us to allocate the savings and workforce into more improvement projects.”

Shmulik Davar

VP Product at Fido

67%

Reduced Hiring Time

“Proactively navigating fintech regulations requires faster technology adoption. Next-gen compliance infrastructures should seamlessly integrate with existing and new systems and data sources.”

Ran Nachman

VP Regulation Solutions 
at eToro

67%

Reduced Hiring Time

“Proactively navigating fintech regulations requires faster technology adoption. Next-gen compliance infrastructures should seamlessly integrate with existing and new systems and data sources.”

Vicente Mederos

Head of Risk 

at Access Group

98%

Local Compliance

“User-friendly, reliable, and fast. It’s exactly what we needed to scale without adding complexity.”

Emily Rivera

Co-Founder

4.8 rating from 1.5k reviews

Author ImageAuthor ImageAuthor ImageAuthor Image

10+

Download from app store

Download for iOS

Ready to transform how your bank onboards, underwrites, and manages merchant risk?

Schedule Demo

Try it for free