
Risk Scoring (Merchant Risk Score)

A merchant risk score is a quantitative assessment that assigns a numerical value or risk rating to a business applying for payment processing services. Payment facilitators, acquirers, and compliance teams use these scores to decide whether to approve or reject an application, apply enhanced monitoring, or require additional safeguards such as reserves or rolling deposits.

Why Risk Scoring Matters

Merchant risk scoring addresses a fundamental tension in the payments ecosystem: enabling legitimate businesses to accept payments while preventing fraud, chargebacks, and regulatory violations. Payment providers face pressure from card networks to maintain acceptable fraud and chargeback ratios, while also needing to onboard merchants quickly to remain competitive.

Without structured risk scoring, risk teams face:

  • Inconsistent underwriting decisions across analysts, leading to both missed fraud and rejected legitimate merchants

  • Inability to scale manual review processes as merchant volume grows

  • Regulatory exposure when high-risk merchants are approved without proper controls

  • Missed revenue when approval processes take too long and merchants move to competitors

  • Chargeback liability that threatens the provider's standing with card networks

Card networks (Visa, Mastercard) require enhanced fraud detection and risk scoring for certain merchant categories, and non-compliance can result in fines or loss of processing privileges.

The Challenge: False Positives and Model Drift

The Danger of False Positives

Risk scoring models must balance two failure modes:

  1. False negatives (approving merchants who later commit fraud or generate excessive chargebacks)
  2. False positives (rejecting or delaying legitimate businesses)

False positives impose direct costs. When a risk model flags a legitimate merchant as high-risk, the provider either rejects revenue or requires extensive manual review. High false positive rates force compliance teams to allocate disproportionate time to low-value cases, reducing capacity to investigate genuine threats. We see this most frequently in verticals that share characteristics with fraud patterns (travel agencies during booking surges, subscription services with legitimate recurring billing, international merchants in emerging markets).

Model Drift and Evolving Risk

Risk models degrade over time as fraud tactics shift. A model trained on 2023 data will underperform against synthetic identity fraud or shell companies using AI-generated business documents. Static rule-based systems cannot adapt to new merchant behaviors or emerging compliance requirements, such as Mastercard's Merchant Monitoring Program (MMP) standards, which mandate continuous monitoring and re-evaluation beyond initial onboarding.

How to Build an Effective Merchant Risk Scoring System

1. Define Risk Factors Based on Historical Performance

Use historical data to identify features correlated with fraud, chargebacks, and compliance violations.

Common risk factors include:

  • Business type and Merchant Category Code (MCC): Certain categories (nutraceuticals, adult content, travel, cryptocurrency-related services) statistically show higher fraud or chargeback rates.

  • Geographic location: Registration jurisdiction, beneficiary bank country, IP address location during application, and primary customer base.

  • Processing history: Prior merchant accounts, chargeback ratios with previous acquirers, terminated accounts.

  • Business maturity: Incorporation date, online presence age, domain registration date, and consistency between claimed business age and digital footprint.

  • Financial indicators: Credit scores, cash flow patterns, sudden volume spikes, mismatch between stated revenue and observed transaction patterns.

  • Ownership and beneficiary data: Beneficial owner identity verification, PEP (Politically Exposed Person) status, sanctions screening, cross-referencing owners against known fraud rings.

We recommend starting with 15-25 core features and expanding based on model performance. Avoid overweighting single factors (a new business in a high-risk MCC is not automatically fraudulent).

2. Implement a Multi-Tier Scoring Framework

A single risk score rarely provides sufficient granularity.

We typically advise structuring scores into tiers:

  • Low risk (Tier 1): Established businesses with clean processing history, low-risk MCC, verified ownership, minimal manual review required.

  • Medium risk (Tier 2): Some elevated risk factors but manageable with standard controls (volume limits, delayed payouts, periodic review).

  • High risk (Tier 3): Multiple concerning indicators requiring enhanced due diligence, stricter reserves, and continuous monitoring.

  • Prohibited: Automatic rejection based on prohibited business types, sanctions hits, or policy violations.

Tier thresholds should align with the provider's risk appetite and regulatory obligations. Tiering also allows differentiated pricing and monitoring intensity.

3. Incorporate Dynamic Data Sources Beyond Static Application Data

Static data (application form, incorporation documents) provides a baseline, but dynamic data improves accuracy:

  • Web scraping and domain analysis: Current website content, SSL certificate status, contact information consistency, social media presence, and customer reviews. We look for mismatches between claimed business model and actual online presence.

  • Transaction behavior: First-month transaction patterns compared to projected volumes, average ticket size, refund rates, geographic distribution of customers.

  • Ecosystem mapping: Identifying other domains, storefronts, or merchant accounts operated by the same entity or beneficial owners. Fraudsters often operate multiple storefronts simultaneously or cycle through accounts after generating chargebacks. This is now a critical element of merchant underwriting under updated card network requirements.

  • Third-party risk intelligence: Feeds from fraud databases, chargeback alert networks (Ethoca, Verifi), and industry-specific watchlists.

4. Build in Continuous Re-Scoring and Monitoring

Risk scoring cannot end at onboarding. Merchant risk profiles change as businesses grow, pivot business models, or experience financial stress.

A scoring system must include:

  • Triggered re-scoring: Automatic re-evaluation when chargeback ratios exceed thresholds, transaction volumes spike unexpectedly, or website content changes significantly.

  • Periodic review cadence: High-risk merchants reviewed monthly, medium-risk quarterly, low-risk annually.

  • Event-based alerts: Integration with merchant monitoring systems that flag changes in website content, new negative reviews, sanctions list additions, or card network bulletins about specific merchant types.

Continuous monitoring aligns with the Mastercard MMP requirement that acquirers maintain ongoing oversight of merchant risk, not just perform one-time due diligence.
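
The re-scoring triggers and review cadence above, sketched as an added Python example (not code from the original page or any vendor). The record field names, the 2x volume-spike factor, the 0.8 site-similarity floor and the sample merchants are assumptions; the 1% chargeback threshold and the monthly/quarterly/annual cadence come from the page.

```python
from datetime import date, timedelta
from difflib import SequenceMatcher

# Cadence from the text: high risk monthly, medium quarterly, low annually.
REVIEW_INTERVAL = {"Tier 3": timedelta(days=30), "Tier 2": timedelta(days=91),
                   "Tier 1": timedelta(days=365)}
CHARGEBACK_LIMIT = 0.01     # the 1% threshold from the page's worked example
VOLUME_SPIKE_FACTOR = 2.0   # assumed: month volume vs. trailing average
MIN_SITE_SIMILARITY = 0.8   # assumed: below this the site changed significantly


def rescoring_triggers(m, today):
    """Return the reasons, if any, to re-score merchant record m today."""
    reasons = []
    # Simplified ratio: chargeback count over sales count for the period.
    if m["sales"] and m["chargebacks"] / m["sales"] > CHARGEBACK_LIMIT:
        reasons.append("chargeback_ratio")
    if m["avg_volume"] > 0 and m["month_volume"] > VOLUME_SPIKE_FACTOR * m["avg_volume"]:
        reasons.append("volume_spike")
    similarity = SequenceMatcher(None, m["site_at_scoring"], m["site_now"]).ratio()
    if similarity < MIN_SITE_SIMILARITY:
        reasons.append("website_changed")
    if today - m["last_scored"] >= REVIEW_INTERVAL[m["tier"]]:
        reasons.append("periodic_review_due")
    return reasons


# Constructed merchant records (field names are assumptions).
STABLE = {"tier": "Tier 2", "sales": 1000, "chargebacks": 4,
          "month_volume": 95_000, "avg_volume": 90_000,
          "site_at_scoring": "Vitamin D capsules, 30-day refund policy",
          "site_now": "Vitamin D capsules, 30-day refund policy",
          "last_scored": date(2024, 5, 1)}
PIVOTED = dict(STABLE, chargebacks=15, month_volume=260_000,
               site_now="Crypto mining contracts, guaranteed returns")
```

An empty list means the merchant stays on its scheduled cadence; any returned reason should be stored with the new score so the re-evaluation is auditable.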

5. Maintain Human Oversight and Model Explainability

Automated risk scoring improves efficiency but cannot replace human judgment in edge cases.

We usually advise teams to:

  • Require human review for borderline scores: Define score ranges where an analyst must validate the model output before making a final decision.

  • Document model rationale: Risk teams and merchants need to understand why a score was assigned. Explainability also supports audit and regulatory inquiries.

  • Establish appeal and escalation paths: Merchants flagged incorrectly should have a clear process to submit additional evidence. Repeated false positives on specific merchant types signal model miscalibration.

  • Regularly audit model performance: Track precision (percentage of flagged merchants that actually caused problems) and recall (percentage of problematic merchants that were flagged). Quarterly model reviews help identify drift.
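
An added example, not code from the original page, of the quarterly audit described above: it computes precision and recall per quarter from flagged-versus-outcome records and lists the quarters that fall below the baseline. The record layout, the sample counts and the 0.10 drop threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumed drift rule (the page sets no figure): alert when precision or
# recall falls more than MAX_DROP below the first, baseline quarter.
MAX_DROP = 0.10


def quarterly_metrics(records):
    """records: (quarter, flagged, problematic_in_hindsight) per merchant."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    for quarter, flagged, problematic in records:
        c = counts[quarter]
        if flagged and problematic:
            c["tp"] += 1
        elif flagged:
            c["fp"] += 1      # legitimate merchant flagged
        elif problematic:
            c["fn"] += 1      # problematic merchant missed
    metrics = {}
    for quarter, c in sorted(counts.items()):
        flagged_n, bad_n = c["tp"] + c["fp"], c["tp"] + c["fn"]
        metrics[quarter] = {
            "precision": c["tp"] / flagged_n if flagged_n else None,
            "recall": c["tp"] / bad_n if bad_n else None,
        }
    return metrics


def drift_alerts(metrics):
    """Compare each later quarter with the baseline (earliest) quarter."""
    quarters = sorted(metrics)
    alerts = []
    for q in quarters[1:]:
        for name in ("precision", "recall"):
            now, ref = metrics[q][name], metrics[quarters[0]][name]
            if None not in (now, ref) and ref - now > MAX_DROP:
                alerts.append((q, name))
    return alerts


def rows(quarter, tp, fp, fn, tn):   # builds constructed sample records
    return ([(quarter, True, True)] * tp + [(quarter, True, False)] * fp
            + [(quarter, False, True)] * fn + [(quarter, False, False)] * tn)


SAMPLE = (rows("2024-Q1", 8, 2, 2, 88) + rows("2024-Q2", 8, 2, 2, 88)
          + rows("2024-Q3", 6, 6, 6, 82))
```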

Example: Risk Scoring in Practice

A payment facilitator receives an application from an online merchant selling dietary supplements. The merchant is newly incorporated (3 months old), projects $500,000 monthly volume, and lists a beneficial owner with no prior merchant account history.

Initial risk score calculation:

  • High-risk MCC (nutraceuticals): +35 points
  • New business (<6 months): +20 points
  • No processing history: +15 points
  • High projected volume relative to business age: +10 points
  • Clean sanctions and PEP screening: 0 points
  • Verified ownership documents: -5 points
  • Professional website with clear product descriptions and refund policy: -10 points

Total initial score: 65/100 (High Risk, Tier 3)

Decision: Approve with enhanced controls:

  • Rolling reserve (10% of transaction volume held for 180 days)
  • Monthly volume cap ($100,000 for first 90 days)
  • Weekly monitoring of chargeback ratio and refund rate
  • Mandatory re-scoring after 90 days based on actual transaction performance

Outcome after 90 days:

  • Chargeback ratio: 0.4% (below 1% threshold)
  • Refund rate: 8% (within expected range for supplement industry)
  • No customer complaints or regulatory issues
  • Website content unchanged, positive customer reviews

Re-scored risk: 40/100 (Medium Risk, Tier 2)

Controls adjusted: Rolling reserve reduced to 5%, volume cap increased to $300,000 monthly. Merchant moves to quarterly review cadence instead of weekly.
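
The additive scorecard from this worked example, written out as an added Python example (not the page's or any provider's code) that also returns the per-factor rationale, applies the "Prohibited" override, and flags scores near a tier boundary for analyst review. Only the point values come from the example above; the tier cut-offs (30 and 60), the 3-point review band and the flag names are assumptions.

```python
from dataclasses import dataclass

# Point values are the ones used in the worked example above.
SCORECARD = {
    "high_risk_mcc": 35,
    "new_business_under_6_months": 20,
    "no_processing_history": 15,
    "high_volume_for_business_age": 10,
    "verified_ownership_documents": -5,
    "professional_website_with_refund_policy": -10,
}
# Hard stops taken from the "Prohibited" tier; the flag names are assumed.
HARD_STOPS = {"sanctions_hit", "prohibited_business_type", "policy_violation"}
# Assumed cut-offs and review band (the page gives none), chosen so that
# 65 lands in Tier 3 and 40 in Tier 2 as in the worked example.
TIER_2_MIN, TIER_3_MIN, REVIEW_BAND = 30, 60, 3


@dataclass
class Decision:
    score: "int | None"    # None when a hard stop bypassed the scorecard
    tier: str
    needs_analyst: bool    # score sits within REVIEW_BAND of a cut-off
    reasons: list          # (factor, points), largest contribution first


def score_merchant(flags):
    """Score a set of factor flags and return the tier with its rationale."""
    flags = set(flags)
    unknown = flags - set(SCORECARD) - HARD_STOPS
    if unknown:
        raise ValueError(f"unscored factors: {sorted(unknown)}")
    stops = sorted(flags & HARD_STOPS)
    if stops:  # a hard stop rejects regardless of any mitigating factors
        return Decision(None, "Prohibited", False, [(s, None) for s in stops])
    reasons = sorted(((f, SCORECARD[f]) for f in flags),
                     key=lambda r: (-abs(r[1]), r[0]))
    score = max(0, min(100, sum(points for _, points in reasons)))
    tier = ("Tier 3" if score >= TIER_3_MIN
            else "Tier 2" if score >= TIER_2_MIN else "Tier 1")
    borderline = any(abs(score - cut) <= REVIEW_BAND
                     for cut in (TIER_2_MIN, TIER_3_MIN))
    return Decision(score, tier, borderline, reasons)


# Constructed input: every scored factor listed for the supplement merchant.
SUPPLEMENT_MERCHANT = set(SCORECARD)
```

Rejecting unknown flags rather than ignoring them keeps a mistyped or unscored factor from silently lowering a merchant's score.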

Strategic Context: Risk Scoring as Competitive Differentiator

Risk scoring directly impacts business outcomes beyond compliance.

Payment providers with sophisticated scoring models can:

  • Approve more legitimate merchants faster: Reducing false positives and manual review time shortens onboarding from weeks to days, capturing revenue that competitors miss.

  • Price risk more accurately: Tiered pricing based on risk scores allows providers to charge appropriate rates for higher-risk merchants rather than rejecting them outright, expanding addressable market.

  • Reduce losses: Better fraud detection at onboarding prevents downstream chargeback costs and potential card network fines.

  • Demonstrate compliance to card networks: Visa and Mastercard increasingly audit acquirer risk management practices. Documented, data-driven risk scoring provides evidence of robust controls during audits.

Risk scoring is not static compliance overhead. It is infrastructure that enables payment providers to scale merchant acquisition while maintaining acceptable risk exposure. Providers that treat risk scoring as a strategic capability rather than a checkbox gain material advantages in merchant approval rates, loss ratios, and regulatory standing.
