Payment Facilitator (PayFac)

A Payment Facilitator (PayFac) is a service provider that operates under a master merchant account with an acquiring bank and enables multiple sub-merchants to process card transactions under that single account. The PayFac serves as the merchant of record with the acquirer and assumes responsibility for underwriting, compliance, funding, and risk management on behalf of its sub-merchant portfolio.

‍

‍

‍

The Challenge: Why PayFacs Face Concentrated Risk

‍

The PayFac model emerged to simplify merchant onboarding for platforms, marketplaces, and software providers that enable embedded payments. Instead of requiring each merchant to establish a direct relationship with an acquirer (a process that can take weeks), PayFacs onboard sub-merchants in hours or days by aggregating them under a master merchant identification number (MID).

‍

However, this efficiency creates concentrated risk. The PayFac assumes financial and regulatory responsibility for all activity conducted by sub-merchants, including:

‍

Fraud and chargeback liability: The PayFac, not the sub-merchant, is held accountable by the acquirer and card networks for fraudulent transactions and disputed charges.

‍

Compliance obligations: PayFacs must conduct Know Your Customer (KYC) and Know Your Business (KYB) checks, monitor transaction patterns, and maintain compliance with card network rules and regional regulations such as Anti-Money Laundering (AML) laws.

‍

Sub-merchant behavior: A single high-risk sub-merchant operating outside acceptable use policies can trigger enforcement actions, fines, or registration revocation for the entire PayFac portfolio.

‍

Reputational and operational exposure: Because sub-merchants share the PayFac's master MID, violations by one merchant can result in processing restrictions that affect all other sub-merchants under that account.

‍

The challenge intensifies as the portfolio scales. Without automated monitoring and strong underwriting controls, PayFacs struggle to detect bad actors, manage chargebacks, or prevent violations before they escalate. Card networks such as Visa and Mastercard require PayFacs to register and adhere to specific risk standards. Failure to meet these obligations can result in acquirer restrictions, financial penalties, or disqualification from the card networks.

‍

‍

‍

How to Build an Effective PayFac Risk Program

‍

We recommend five controls to manage the concentrated risk inherent in the PayFac model:

‍

‍

1. Implement risk-based underwriting at onboarding

‍

Before approving a sub-merchant, conduct thorough due diligence that includes:

• Verification of business identity (registration documents, principals, beneficial ownership)
• Assessment of business model and industry vertical (matching against prohibited or restricted categories)
• Screening against sanctions lists, fraud databases, and prior chargeback histories
• Website and social media review to validate legitimacy and detect misrepresentation

‍

High-risk verticals (digital goods, subscription services, nutraceuticals, adult content) require enhanced scrutiny or additional reserve requirements.

‍

‍

2. Automate transaction monitoring and behavioral analysis

‍

Manual review cannot scale to hundreds or thousands of sub-merchants processing millions of transactions.

‍

Deploy automated merchant monitoring systems that flag:

• Sudden spikes in transaction volume or average ticket size
• Unusual geographic patterns (transactions from regions inconsistent with the merchant's business location)
• Chargeback rate increases above card network thresholds
• Products or services inconsistent with the merchant's stated business model

‍

Effective monitoring systems combine rule-based alerts with behavioral models that detect anomalies relative to each sub-merchant's historical baseline.

‍

‍

3. Establish clear reserve and holdback policies

‍

Reserves protect the PayFac from liability if a sub-merchant incurs chargebacks or goes out of business before settling disputes.

‍

Set reserve amounts based on risk factors such as:

• Industry vertical
• Transaction type (card-present vs. card-not-present)
• Prior performance data (if the merchant has a processing history)
• Chargeback ratios observed during the first 90 days

‍

Rolling reserves (holding back a percentage of each batch for 90 to 180 days) are more effective than fixed reserves for mitigating chargeback exposure in high-risk categories.

‍

‍

4. Maintain robust onboarding and ongoing documentation

‍

Card network audits and regulatory examinations require evidence that the PayFac has conducted proper due diligence.

‍

Retain:

• Signed merchant agreements
• KYC/KYB verification documents
• Underwriting decision records
• Transaction monitoring reports and alert dispositions
• Evidence of corrective actions taken when violations are detected

‍

Store documentation in a centralized system that supports audit trails and retrieval.

‍

‍

5. Register with card networks and comply with reporting requirements

‍

PayFacs must register with Visa, Mastercard, and other card networks they support.

‍

Registration involves:

• Meeting minimum financial and operational standards
• Submitting to periodic compliance audits
• Reporting sub-merchant data (including merchant category codes, processing volumes, and risk indicators)
• Implementing controls specified in network-specific risk programs (such as Visa's Merchant Monitoring Program Standards)

‍

Card networks may also impose transaction volume caps, restrict specific merchant categories, or require additional reserves for PayFacs with elevated chargeback or fraud rates.

‍

‍

‍

Real-World Scenario: When a Sub-Merchant Violates Policy

‍

Consider a PayFac supporting an e-commerce platform with 1,200 sub-merchants. One sub-merchant begins processing transactions for digital downloads but shifts to selling counterfeit goods. Customers dispute charges, triggering a spike in chargebacks.

‍

Without automated monitoring, the PayFac does not detect the shift until the chargeback rate for the entire portfolio exceeds card network thresholds. The card network imposes fines and places the PayFac in a remediation program requiring weekly reporting and tighter controls. The PayFac must freeze funds for the offending merchant, allocate reserves to cover chargeback losses, and conduct retroactive reviews of similar sub-merchants.

‍

Had the PayFac deployed transaction monitoring that flagged the category mismatch (digital downloads registered, physical goods shipped) and the rising chargeback rate early, it could have suspended the sub-merchant before the violations escalated. This scenario illustrates why proactive controls and merchant underwriting infrastructure are critical at scale.

‍

‍

‍

Strategic Impact on the Payments Ecosystem

‍

The PayFac model has accelerated access to payment acceptance for small and micro-merchants that would otherwise face barriers to acquiring relationships. Software-as-a-Service (SaaS) platforms, marketplaces, and vertical-specific solutions use PayFacs to deliver embedded payment experiences that generate additional revenue and improve user retention.

‍

However, PayFacs operate in a regulatory environment where responsibility cannot be outsourced. Unlike traditional Independent Sales Organizations (ISOs) that refer merchants to acquirers, PayFacs are direct participants in the payment chain. This means they face the same compliance, fraud prevention, and risk management obligations as banks and processors, but often with fewer resources and less mature infrastructure.

‍

We see increasing scrutiny from card networks and regulators focused on PayFac portfolios. Networks have tightened registration requirements, imposed stricter monitoring standards, and increased enforcement actions against PayFacs that fail to control sub-merchant risk. In parallel, acquirers are requiring PayFacs to demonstrate robust risk controls before approving sponsorship agreements.

‍

As a result, the operational bar for PayFacs has risen. Those that treat risk management as an afterthought face financial exposure, processing disruptions, and potential disqualification. Those that invest in automated underwriting, transaction monitoring, and compliance infrastructure position themselves for sustainable growth and stronger relationships with acquiring partners.

‍