The New Rules for Mastercard's Scam Merchant Monitoring

Mastercard’s revised scam merchant monitoring rules are scheduled to take effect on July 24, 2026. The central change is a defined duty for acquirers and payment facilitators: when specified warning signals appear, an investigation must begin within 72 hours. If the review confirms scam activity, the merchant must be blocked from submitting Mastercard and Maestro transactions.

The update sits inside a broader payment network effort against fake storefronts, deceptive online businesses, and manipulation schemes that use ordinary card acceptance as part of the scam.

Mastercard has framed the issue as a merchant trust problem. Scam sellers can appear as real online businesses, accept card payments, generate complaints, create issuer disputes, and disappear before older monitoring models produce enough evidence for action.

Mastercard’s revised framework moves the acquiring side closer to the beginning of that pattern. It requires earlier review when transaction behavior, issuer reports, network notices, or third-party monitoring alerts suggest that a merchant may be operating as a scam.

The investigation may clear a legitimate business, yet the process still creates operational pressure. The acquirer will need answers, documentation, transaction evidence, and a credible explanation for the data pattern that triggered the review.

The program does not treat all merchants in the same way. Merchants with less than six months of Mastercard acceptance history face heightened scrutiny. That early period matters because scam operations often open new merchant accounts, process transactions for a short time, and exit before complaints mature into chargeback patterns.

The revised framework uses a shorter early-life lens to catch that conduct before losses grow. A new, legitimate merchant can therefore face review under conditions that would be less likely to apply to an established merchant.

What Triggers a Mastercard Scam Merchant Investigation

The first trigger for a scam investigation is a sharp drop in authorization approval rate. If a merchant conducts at least 25 purchase transactions during a 72-hour period and the approval rate drops by at least 50 percentage points, an investigation must begin. The same applies if the approval rate falls below 30% in that window.

A fall from 95% to 45% would meet the first version of the test. A merchant that drops below 30% would meet the second. Issues stemming from BIN attacks and system problems at the acquirer or service provider level are excluded.

A separate trigger category applies to merchants with six months or less of Mastercard acceptance history. Within that group, one of three early fraud signals can start the 72-hour investigation duty:

• Two issuers reporting a transaction under fraud reason code 56: Manipulation of Cardholder.
• Two issuers initiating chargebacks, fraud or non-fraud, with supporting documentation that mentions scams, manipulation, or similar language.
• A combined refund and chargeback rate of more than 5% of purchase transactions during any rolling 30-day period, provided the merchant has conducted at least 500 purchase transactions.

Another possible investigation trigger is a GRIP (Global Rules Investigation Program) letter. Receipt of a GRIP letter linking the merchant account to suspected scam activity independently requires investigation. This means Mastercard has already surfaced a concern and the acquirer must act.

The final trigger is an alert from a Merchant Monitoring Service Provider, often called an MMSP. These providers monitor merchant behavior and digital signals, including patterns that may suggest illegal activity or scam conduct. One or more alerts identifying the merchant as a potential scam merchant or suspecting illegal activity can require investigation.

That creates a channel for evidence from outside the transaction ledger. A merchant’s website, marketing claims, online complaints, dark web references, or other external indicators can be signals that trigger an investigation.

Why Legitimate Merchants Can Be Flagged

The revised program is aimed at scam operations, but legitimate merchants can still match the trigger conditions. The risk is highest for new merchants, especially in e-commerce. These merchants often have more disputes and lower approval rates in general, so a mistake in processing or operations can lead to an issue large enough to trigger an investigation.

The Investigation Process

Once a trigger condition is met, the acquirer or payment facilitator must begin an investigation within 72 hours. If the merchant is confirmed as a scam, Mastercard and Maestro authorization and clearing must be blocked immediately. If the merchant is cleared, processing can continue, although ongoing monitoring remains in place and later triggers can start another review.

The investigation will likely focus on whether the merchant’s behavior matches its stated business model, whether customer complaints point to deception, whether transaction data reflects genuine demand, and whether the merchant can substantiate fulfillment, refund handling, and customer communication.

What The Change Means For Payment Partners

Acquirers and payment facilitators will carry the heaviest procedural burden. The rules require active monitoring, quick investigation, and immediate blocking when scam activity is confirmed.

That may lead to more requests for merchant data, more conservative onboarding, or closer review of business models with high refund or dispute patterns. Payment facilitators may need stronger controls over sponsored merchants because one weak sub-merchant can create network risk for the broader portfolio.

Key Takeaways

The revised Mastercard scam merchant monitoring program creates a more exacting standard for identifying and investigating merchants that may be committing fraud. Its purpose is to remove scam operations before consumer harm and issuer losses build into a larger pattern. As a consequence, legitimate merchants, especially newly established ones, must keep a close eye on authorization and dispute rates, and must be prepared to prove their legitimacy if necessary.