
Merchant Fraud Prevention

Merchant fraud prevention refers to the controls, processes, and technologies that acquirers, payment service providers (PSPs), and payment facilitators (PayFacs) use to identify, block, and remediate fraudulent merchants before and after they access the payment ecosystem. It covers the full merchant lifecycle from initial onboarding through ongoing surveillance and, where necessary, termination.

The target of these controls is the merchant itself, not the cardholder. The threat model includes businesses that misrepresent their operating model at application, pivot into prohibited activity after approval, launder transactions through approved merchant accounts, or use the payments infrastructure to defraud consumers at scale.

Why Merchant Fraud Prevention Operates at the Ecosystem Level

Individual acquirers, PSPs, and PayFacs are accountable under card scheme rules for the merchants they enable. Mastercard's Business Risk Assessment and Mitigation (BRAM) program and equivalent Visa programs hold acquiring institutions responsible for monitoring merchant portfolios and removing bad actors. Failures generate scheme fines, elevated chargeback ratios, and in repeated cases, loss of processing rights.

The practical difficulty is information asymmetry. Fraudulent merchants invest in appearing legitimate: professional websites, plausible business names, and valid documentation. Standard onboarding reviews, built for throughput, often lack the depth to distinguish sophisticated fraud from genuine low-risk applications.

Three structural gaps drive most failures:

Point-in-time screening: Most verification happens once, at application. Merchants who pass initial review can shift into prohibited categories months later, with no automatic detection.

Single-account visibility: Without cross-portfolio analysis, merchants operating multiple related storefronts under different legal entities can distribute risk across acquirers and evade detection at each individual relationship.

Volume pressure: High application throughput creates an incentive to automate before detection tooling is mature enough to support it.

A Layered Framework for Merchant Fraud Prevention

Effective merchant fraud prevention combines controls at onboarding with continuous post-approval surveillance. Each layer addresses a different attack vector.

1. Know Your Business (KYB)

Know Your Business (KYB) verification confirms that the applicant is a legitimate, registered entity with a genuine operating model. It includes corporate registry confirmation, Ultimate Beneficial Owner (UBO) identification, sanctions screening, and adverse media review.

Under FinCEN's Customer Due Diligence Final Rule (31 CFR Parts 1010, 1020, 1023, 1024, and 1026), covered financial institutions are required to identify and verify the identity of beneficial owners who own 25% or more of a legal entity customer. For acquirers and PayFacs, KYB is the practical operationalization of this obligation at the merchant level.

KYB is the foundation of merchant fraud prevention because it determines whether the applicant should be permitted into the ecosystem at all. Gaps here create downstream exposure that post-approval monitoring alone cannot fully recover.

2. AI-Powered Web Analysis

Fraudulent merchants frequently use websites designed to pass surface-level review while concealing the actual product or service being offered. Effective web analysis goes beyond keyword matching: it interprets content in context, analyzes images, detects gated or dynamically loaded pages, and maps the full ecosystem of domains and storefronts operated by the same entity or principal group.

This analysis runs at onboarding and continues through the life of the merchant relationship, catching changes that occur after initial approval.
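A minimal sketch of the cross-portfolio linking that the "single-account visibility" gap and the ecosystem mapping above call for, added here as an illustration and not taken from any vendor's product. The merchant records, the identifiers and the choice of linking attributes (`ubo`, `bank`, `registrant`) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; every identifier below is made up.
MERCHANTS = [
    {"id": "M1", "entity": "Alpha Goods LLC",  "ubo": "P-17", "bank": "ACCT-001", "registrant": "a@mail.example"},
    {"id": "M2", "entity": "Beta Retail Ltd",  "ubo": "P-17", "bank": "ACCT-002", "registrant": "b@mail.example"},
    {"id": "M3", "entity": "Gamma Shop Inc",   "ubo": "P-40", "bank": "ACCT-002", "registrant": None},
    {"id": "M4", "entity": "Delta Books GmbH", "ubo": "P-52", "bank": "ACCT-009", "registrant": None},
]
LINK_KEYS = ("ubo", "bank", "registrant")  # assumed linking attributes

def related_groups(merchants, keys=LINK_KEYS):
    """Group merchants connected, directly or transitively, by a shared attribute."""
    parent = {m["id"]: m["id"] for m in merchants}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    first_seen = {}  # (key, value) -> first merchant id carrying that value
    shared = []      # (merchant id, (key, value)) for every link found
    for m in merchants:
        for k in keys:
            v = m.get(k)
            if v is None:
                continue  # missing data must never link two merchants
            owner = first_seen.setdefault((k, v), m["id"])
            if owner != m["id"]:
                parent[find(m["id"])] = find(owner)
                shared.append((m["id"], (k, v)))
    members, evidence = defaultdict(list), defaultdict(set)
    for m in merchants:
        members[find(m["id"])].append(m["id"])
    for mid, kv in shared:
        evidence[find(mid)].add(kv)
    # Only groups of two or more are interesting; keep the evidence for the analyst.
    return [{"merchants": sorted(ids), "shared": sorted(evidence[root])}
            for root, ids in sorted(members.items()) if len(ids) > 1]
```

M1 and M3 share no attribute directly; they end up in one group only through M2, which is the relationship a per-account review cannot see.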

3. Scam Detection and Risk Intelligence

Scam merchants share recognizable signal patterns: domain registration anomalies, fake testimonial structures, recurring billing trap language, unrealistic pricing claims, and jurisdiction-level compliance flags. AI-powered risk intelligence aggregates signals across multiple independent dimensions simultaneously, producing a severity score and structured reason codes that can be routed directly into decisioning logic without manual reconstruction.

4. Transaction Monitoring

Post-approval transaction monitoring tracks live behavior against established baselines. Volume spikes, geographic anomalies, elevated refund rates, and descriptor mismatches indicate that an approved merchant may have shifted into prohibited activity or may be processing on behalf of an unauthorized third party, a practice known as transaction laundering.

Tiered response protocols ensure that lower-confidence signals trigger automated review while high-risk patterns escalate to manual investigation, and where appropriate, settlement holds.
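The baseline comparison and tiered response described above, as an added example that is not part of the original page or any product's logic. The thresholds, reason-code names, tier names and the sample merchant are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Day:
    volume: float      # settled volume
    refunds: float     # refunded volume
    countries: set     # cardholder countries seen
    descriptors: set   # statement descriptors seen

# Constructed 14-day baseline for a hypothetical merchant approved as "ACME BOOKS".
BASELINE = [Day(1000 + 20 * (i % 3), 20, {"US", "CA"}, {"ACME BOOKS"}) for i in range(14)]

def evaluate(baseline, today, approved_descriptor):
    """Return (tier, reason_codes) for one merchant-day. All thresholds are assumed."""
    reasons = []
    vols = [d.volume for d in baseline]
    mu = mean(vols)
    # Floor the spread at 5% of the mean so a flat baseline cannot produce a huge z-score.
    z = (today.volume - mu) / max(pstdev(vols), 0.05 * mu, 1.0)
    if z >= 3:
        reasons.append("VOLUME_SPIKE")
    base_rate = sum(d.refunds for d in baseline) / max(sum(vols), 1.0)
    if today.refunds / max(today.volume, 1.0) >= max(2 * base_rate, 0.10):
        reasons.append("ELEVATED_REFUND_RATE")
    usual = set().union(*(d.countries for d in baseline))
    if today.countries - usual:
        reasons.append("GEO_ANOMALY")
    mismatch = bool(today.descriptors - {approved_descriptor})
    if mismatch:
        reasons.append("DESCRIPTOR_MISMATCH")
    # Tiered response: a lone weak signal is reviewed automatically; a descriptor
    # mismatch or corroborating signals go to an analyst; both together hold funds.
    if mismatch and len(reasons) >= 2:
        tier = "SETTLEMENT_HOLD"
    elif mismatch or len(reasons) >= 2:
        tier = "MANUAL_INVESTIGATION"
    elif reasons:
        tier = "AUTOMATED_REVIEW"
    else:
        tier = "NONE"
    return tier, reasons
```

The reason codes travel with the tier so the case opened for an analyst already states which baseline was breached.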

5. MATCH List and Scheme Program Screening

MATCH List (Member Alert to Control High-Risk Merchants) screening surfaces applicants previously terminated by Mastercard-affiliated acquirers for fraud, excessive chargebacks, or compliance violations. Per Mastercard Rules, acquirers are expected to query MATCH before approving new merchant relationships.

MATCH entries expire after five years and cover only Mastercard-affiliated terminations. We treat MATCH as one input in a broader risk picture, not a standalone merchant fraud prevention resource.

Regulatory and Scheme Obligations

Bank Secrecy Act (BSA) and Anti-Money Laundering (AML): Under 31 CFR 1020.320, U.S. financial institutions must file Suspicious Activity Reports (SARs) within 30 days of detecting suspicious activity involving $5,000 or more. Failure to file carries civil and criminal penalties under the BSA.

Mastercard MMP Standards: Effective January 1, 2026, revised Mastercard Merchant Monitoring Program (MMP) standards require acquirers to complete an initial scan before a merchant's first transaction, extend ongoing monitoring to gated and member-exclusive content, and close identified issues within a 15-day timeframe. Evidence of each scan and ongoing monitoring activity must be documented and audit-ready.

OFAC sanctions screening: All merchants and their UBOs must be screened against OFAC's Specially Designated Nationals (SDN) list at onboarding and monitored for changes throughout the relationship.

How Ballerine Supports Merchant Fraud Prevention

Ballerine provides two products built specifically for merchant fraud prevention across the full merchant lifecycle:

Scam & Fraud API: AI-powered risk intelligence that analyzes any merchant across six independent dimensions simultaneously: business identity, website content, business model, domain and registration signals, reputation, and compliance flags. Results return within 60 seconds, with a severity score, structured reason codes, and source-linked evidence. The API operates without a URL when needed, which matters because a significant portion of merchant inquiries arrive without a website.

Merchant Monitoring (Mastercard MMSP certified): Continuous post-approval surveillance covering website content changes, transaction behavior, adverse media, MCC classification, and ecosystem relationships. AI agents access gated and member-exclusive content, meeting the updated MMP requirements that standard web crawlers cannot satisfy. False positives are reduced by up to 90% through configurable risk appetite triggers, blocked categories, and compliance thresholds by country, industry, and business model.
