Back to Glossary

What Is an MMSP (Merchant Monitoring Service Provider)?

A Merchant Monitoring Service Provider (MMSP) is an organization that Mastercard has formally approved to perform merchant monitoring on behalf of acquiring banks, payment service providers (PSPs), and payment facilitators (PayFacs). MMSPs carry out the continuous scanning, content review, and risk detection that acquirers are required to maintain under Mastercard's Merchant Monitoring Program (MMP). The MMSP designation is granted directly by Mastercard, and only approved providers may fulfill this function on behalf of regulated entities in the Mastercard ecosystem.

Why the MMSP Role Exists

Mastercard cannot directly monitor every merchant across every acquirer's portfolio. Instead, it delegates this responsibility to acquirers, who must either develop internal MMSP capabilities that satisfy Mastercard's approval criteria, or engage a certified third-party MMSP to perform monitoring on their behalf.

The driver behind this structure is BRAM - Mastercard's Business Risk Assessment and Mitigation program. BRAM places direct financial liability on acquirers when merchants in their portfolio engage in illegal, brand-damaging, or prohibited activity. Fines for individual BRAM violations have historically reached $150,000 or more. The MMSP framework is Mastercard's mechanism for ensuring that acquirers have a credible, auditable detection infrastructure in place - not just a policy on paper.

What MMSPs Are Required to Do

An approved MMSP performs a defined set of monitoring functions on behalf of the acquirer. These functions are not discretionary - they reflect Mastercard's Security Rules and Procedures and the updated MMP standards effective January 1, 2026.

Core MMSP responsibilities include:

  • Pre-transaction merchant scans: For all merchants onboarded on or after January 1, 2026, an initial scan must be completed before the merchant processes their first transaction. This scan validates the merchant's digital presence against Mastercard brand and content standards.

  • Continuous ongoing monitoring: After activation, merchants must remain under persistent surveillance throughout the lifecycle of the relationship - not just at periodic review intervals.

  • Gated and member-exclusive content monitoring: Monitoring must extend beyond publicly accessible pages to include password-protected areas, login-required sections, and subscription-only content. This requirement addresses merchants who deliberately conceal prohibited activity behind authentication walls.

  • Detection of BRAM violations: MMSPs are responsible for identifying prohibited or brand-damaging content, including counterfeit goods, unlicensed pharmaceuticals, illegal gambling, and adult content in restricted categories.

  • Transaction laundering detection: MMSPs look for indicators of laundering activity - undisclosed URLs, MCC mismatches, hidden storefronts, and merchants processing transactions on behalf of undisclosed entities.

  • Audit-ready documentation: MMSPs must generate and preserve evidence of every scan, monitoring activity, and finding. This documentation must be available to Mastercard during compliance audits.

  • 15-day remediation support: When a violation is detected, the acquirer has 15 days to investigate and resolve it. MMSPs provide the underlying evidence and reporting that make this timeline operationally achievable.

MMSP vs. MMP: Understanding the Distinction

These two terms are frequently confused, and the distinction is operationally significant.

Term What It Is
MMP (Merchant Monitoring Program) The compliance framework - the rules Mastercard requires acquirers to follow
MMSP (Merchant Monitoring Service Provider) The approved entity - the organization that executes the monitoring on the acquirer's behalf
Ballerine logo

MMP is the mandate. MMSP is the fulfillment mechanism. An acquirer subject to MMP requirements must either become an approved MMSP themselves or contract with one. Using an unapproved third party does not satisfy the requirement, regardless of what that provider monitors.

Who Needs to Work with an MMSP

The MMSP requirement flows through the acquiring chain. Different entities interact with it differently:

Acquirers (direct acquiring banks)

Acquirers bear primary responsibility under MMP. They must either obtain MMSP approval from Mastercard to conduct monitoring internally, or formally engage an approved third-party MMSP. Acquirers are the party fined by Mastercard when violations are detected and compliance cannot be demonstrated.

PSPs and PayFacs

Payment service providers and payment facilitators operating sub-merchant portfolios are typically required by their acquiring bank to submit complete merchant data - including legal names, DBAs, all operational URLs, and required MMSP data fields - to ensure monitoring coverage. PSPs and PayFacs that fail to maintain data quality undermine the accuracy of the monitoring their upstream MMSP performs.

ISOs and Processors

Independent Sales Organizations and processors should confirm that the acquirers they work with have verified MMSP coverage in place. Gaps in the acquiring chain create compliance exposure that can affect merchant relationships and program standing.

What Qualifies an MMSP

Mastercard's Service Provider Categories and PCI documentation defines MMSP as a formally recognized service provider category. Approval requires demonstrating specific technical and operational capabilities to Mastercard's satisfaction.

Providers seeking MMSP designation must typically demonstrate:

  • The ability to perform pre-transaction merchant scans at scale
  • Automated, persistent website monitoring capabilities that cover both public and gated content
  • Robust detection for BRAM violation categories and transaction laundering indicators
  • Documentation and audit trail generation that meets Mastercard's evidence standards
  • Established workflows for escalation, investigation, and remediation within mandated timeframes

The approval process is governed by Mastercard directly. Not all merchant monitoring vendors hold approved MMSP status, and acquirers should verify provider status before relying on a third party to fulfill this compliance obligation.

What MMSP Monitoring Covers in Practice

An effective MMSP monitors across several risk dimensions simultaneously:

Website and content monitoring

  • Public-facing product listings, landing pages, and marketing content
  • Member-exclusive areas and subscription content requiring login
  • Changes in product categories, pricing, or business model representation
  • Prohibited keywords, product types, or imagery associated with restricted content

Business ecosystem mapping

  • Undisclosed URLs or related storefronts operated by the same entity
  • Multiple business operations being processed under a single merchant account
  • Shared ownership structures that connect related merchants across portfolios

MCC and category validation

  • Verification that the merchant's stated Merchant Category Code aligns with actual products and services offered
  • Detection of category drift - when a merchant moves into restricted or prohibited territory after initial onboarding

Documentation and evidence

  • Timestamped scan records for initial and ongoing monitoring cycles
  • Exportable reports structured for Mastercard audit review
  • Evidence of issue detection and remediation actions taken within the 15-day window

MMSP in the Broader Compliance Landscape

MMSP sits within a wider set of card scheme compliance obligations that acquirers and PSPs must navigate simultaneously.

Related programs and frameworks:

  • Mastercard BRAM: The enforcement program that generates financial penalties when prohibited merchant activity reaches Mastercard through the acquiring chain. MMSP monitoring is the primary mechanism for preventing BRAM violations before they occur.

  • Mastercard MMP: The broader program framework within which MMSP operates, covering both monitoring requirements and reporting obligations.

  • Visa VAMP: Visa's parallel acquirer monitoring program, which focuses primarily on fraud rates and dispute ratios. While the enforcement mechanism differs from Mastercard's MMSP structure, the operational demand for continuous merchant intelligence is shared across both card schemes.

  • Transaction Laundering Detection: One of the primary detection use cases for MMSPs, requiring identification of merchants processing payments for undisclosed entities or businesses.

  • MATCH List: Merchants terminated for BRAM violations detected through MMSP monitoring may be reported to the MATCH list, restricting their ability to obtain processing services elsewhere.

How Ballerine Supports MMSP Compliance

Ballerine is a Mastercard-approved Merchant Monitoring Service Provider (MMSP), certified to perform merchant scans on behalf of acquirers operating within the Mastercard ecosystem.

The platform combines AI-native web intelligence with gated content access capabilities - allowing risk teams to monitor merchant websites beyond the login wall, where prohibited content is most often concealed. Automated initial scans complete before the first transaction is processed, satisfying the pre-transaction mandate without adding friction to merchant onboarding. Ongoing monitoring runs continuously, generating the audit-ready documentation Mastercard requires and surfacing violations within the 15-day remediation window.

Acquirers, PSPs, and PayFacs working toward Mastercard MMP compliance can use Ballerine's MMSP infrastructure instead of building monitoring capabilities internally.

Frequently Asked Questions

Can an acquirer act as its own MMSP?

Yes. Mastercard permits acquirers to obtain direct MMSP approval, allowing them to conduct monitoring internally rather than relying on a third-party provider. This path requires demonstrating to Mastercard that internal capabilities meet all MMSP standards. Most acquirers choose to engage an approved third-party MMSP given the technical investment required to build and maintain compliant scanning infrastructure.

Does every merchant need to be covered by an MMSP?

The January 2026 MMP updates apply to all merchants onboarded on or after January 1, 2026. These merchants must undergo an initial pre-transaction scan conducted by an approved MMSP. Ongoing monitoring requirements apply throughout the lifecycle of the merchant relationship.

What happens if an acquirer uses an unapproved monitoring vendor?

Using a monitoring vendor that lacks Mastercard MMSP approval does not satisfy the MMP requirement. Acquirers that cannot demonstrate coverage by an approved MMSP are exposed to BRAM enforcement actions, including financial penalties and potential program restrictions.

How long does the MMSP have to resolve a detected violation?

Mastercard mandates a 15-day window from detection to investigation and resolution. The MMSP provides the detection and evidence; the acquirer is responsible for executing remediation and documenting the outcome within this timeframe.

Is MMSP a Mastercard-specific requirement?

Yes. The MMSP designation is specific to Mastercard's MMP framework. Visa operates separate compliance programs, including VAMP and VIRP, which have different structures and approval mechanisms. Acquirers working across both card schemes need to ensure their monitoring infrastructure satisfies the distinct requirements of each program.

Trusted by

Related Articles

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

Turning Acceptable Use Policies into a Dynamic Decision Engine
Product update
Gadi Ben-Amram
Apr 13, 2026
Turning Acceptable Use Policies into a Dynamic Decision Engine

Apply your own Acceptable Use Policy automatically during merchant onboarding and monitoring, with clear decisions, clear reasoning, and audit-ready outcomes.

FinCEN NPRM: New AML Rules and What They Mean for Payment Companies
Merchants
Compliance
Andy Vrabel
Apr 29, 2026
FinCEN NPRM: New AML Rules and What They Mean for Payment Companies

Turning Acceptable Use Policies into a Dynamic Decision Engine
Product update
Gadi Ben-Amram
Apr 13, 2026
Turning Acceptable Use Policies into a Dynamic Decision Engine

Apply your own Acceptable Use Policy automatically during merchant onboarding and monitoring, with clear decisions, clear reasoning, and audit-ready outcomes.

Trusted by Leaders in the Payments Ecosystem

70%

Reduced manual efforts

49%

Improved review resolution time

30%

Increase in 
detected fraud

“We were able to downsize our compliance staff’s workload significantly, which allowed us to allocate the savings and workforce into more improvement projects.”

Shmulik Davar

VP Product at Fido

67%

Reduced Hiring Time

“Proactively navigating fintech regulations requires faster technology adoption. Next-gen compliance infrastructures should seamlessly integrate with existing and new systems and data sources.”

Ran Nachman

VP Regulation Solutions 
at eToro

67%

Reduced Hiring Time

“Proactively navigating fintech regulations requires faster technology adoption. Next-gen compliance infrastructures should seamlessly integrate with existing and new systems and data sources.”

Vicente Mederos

Head of Risk 

at Access Group

98%

Local Compliance

“User-friendly, reliable, and fast. It’s exactly what we needed to scale without adding complexity.”

Emily Rivera

Co-Founder

4.8 rating from 1.5k reviews

Author ImageAuthor ImageAuthor ImageAuthor Image

10+

Download from app store

Download for iOS

Ready to transform how your bank onboards, underwrites, and manages merchant risk?

Schedule Demo

Try it for free