TL;DR. On July 24, 2026, Mastercard’s revised franchise standards take effect. When specific signals appear, acquirers and payment facilitators will have to investigate a merchant within 72 hours. If scam activity is confirmed, Mastercard and Maestro processing stops immediately. The rules apply globally (except Jordan) to every card-not-present merchant, with stricter thresholds for any business with less than six months of Mastercard acceptance history. For high-growth mid-market ecommerce businesses, the operational risk is not getting accused of running a scam. It is getting caught in a signal pattern that resembles one. The highest-risk pattern is being new.
The fast-moving merchant is not the target of this rule. The fast-moving merchant is the one most likely to be measured against it.
What is Mastercard’s scam merchant monitoring program?
Mastercard is revising the franchise standards that govern how acquirers and payment service providers manage merchant risk. The change is part of a broader strategy the company calls Merchant Trust Services, announced May 19, 2026. The strategy combines network-level intelligence, identity capabilities, and real-time analytics with two specific new mechanisms:
- A 72-hour investigation requirement for acquirers and payment facilitators when a merchant trips defined warning signals. If scam activity is confirmed, Mastercard and Maestro authorization and clearing must be blocked immediately.
- A Merchant Scam & Risk Indicator (MSRI) that gives issuers merchant-risk signals at the point of authorization. MSRI launches first in Europe and the United States, with global expansion planned within the year.
The rule change is what merchants directly experience. MSRI is what issuers use, and it shapes the upstream signals that may eventually trigger an investigation against a merchant.
In Mastercard’s own words from the announcement: “Starting in July, Mastercard is compressing the window between suspicious signals and enforcement by requiring acquirers and payment facilitators to actively monitor merchant behavior and to initiate an investigation within 72 hours when potential scam activity hits a certain risk threshold.”
When does it take effect?
July 24, 2026. That is two months from now if you are reading this near the publication date. For high-growth mid-market merchants (particularly those who have changed acquirers, entered new markets, or launched new entities in the last six months), the runway to operationalize the change is shorter than it looks.
Who does the program apply to?
The program is broad. The intensity of monitoring is what varies.
| Dimension | Scope |
|---|---|
| Geographic scope | Global, except Jordan |
| Merchant types | All card-not-present (CNP) merchants |
| Operational scope | Acquirers and payment facilitators conduct the investigations; merchants and sponsored merchants are subject to monitoring |
| New vs. established merchant | Merchants with less than six months of Mastercard acceptance history face additional, stricter triggers |
That “less than six months” line matters more than it sounds. A high-growth business that opens a new acquiring relationship, switches payment service providers, or launches a new legal entity in a new market starts a new six-month clock against that acquirer’s Mastercard portfolio. Growth and new-merchant status often arrive together.
What triggers a 72-hour investigation?
Four trigger categories. Each is signal-based, not intent-based, which means a legitimate business can match the criteria.
Trigger 1: Sharp authorization approval rate drop
Applies to: all CNP merchants.
The investigation duty begins when either of these conditions is met over a 72-hour period in which the merchant processes at least 25 purchase transactions:
- Authorization approval rate drops by at least 50 percentage points (for example, 95% to 45%), or
- Authorization approval rate falls below 30%.
Excluded: drops caused by BIN attacks and system issues at the acquirer or service provider level.
The intuition: a healthy, established business has stable approval rates. A sudden collapse usually means issuers have started declining the merchant’s traffic because something looks wrong to them. The trigger is calibrated to catch that issuer-side reaction quickly, before chargebacks pile up.
Trigger 2: Mastercard GRIP letter
Applies to: all CNP merchants.
When Mastercard’s Global Rules Investigation Program (GRIP) sends the acquirer a letter linking a merchant account to suspected scam activity, the investigation duty begins automatically. A GRIP letter means Mastercard’s own intelligence systems have flagged a concern; the acquirer’s job is to chase it down.
Trigger 3: New-merchant fraud signals
Applies to: merchants with six months or less of Mastercard acceptance history.
Any one of the following three conditions starts the 72-hour investigation duty:
- Multiple issuer fraud reports. At least two different issuers report one or more transactions as fraud reason code 56 (Manipulation of Cardholder).
- Chargeback documentation references scams. At least two issuers initiate chargebacks (fraud or non-fraud) with supporting documentation that mentions scams, manipulation, or similar language.
- Combined refund and chargeback rate over 5%. More than 5% of purchase transactions result in refunds or chargebacks (combined) during any rolling 30-day period in which the merchant processes at least 500 purchase transactions.
The third condition is the one mid-market subscription and ecommerce merchants should study carefully. A 5% combined refund-and-chargeback rate is not difficult to reach in a business with naturally higher refund volume, especially during a launch window where return policies, billing descriptors, and cancellation flows have not fully stabilized.
Trigger 4: MMSP alert
Applies to: all CNP merchants.
A Merchant Monitoring Service Provider (MMSP) is a third-party service that watches merchant behavior across signals not visible in the transaction ledger: website changes, marketing claims, dark web mentions, public complaints, and fraud network patterns. When an MMSP flags a merchant as a potential scam operator or suspected of illegal activity, the alert independently triggers the investigation duty.
This is the trigger most likely to produce surprises, because the signal sits outside the merchant’s own payment data. A merchant can have clean approval rates and a stable refund profile and still surface in an MMSP feed because of something an analyst found on the open web.
Why are high-growth mid-market ecommerce merchants particularly exposed?
Three structural reasons.
Growth motions reset the new-merchant clock. Spinning up a new entity, signing a new acquiring contract, expanding into a new region: each of these creates a “new merchant” status against the relevant Mastercard portfolio. The same business operating under the same brand can be subject to different scrutiny levels in different markets simultaneously.
Subscription and ecommerce models naturally generate more disputes than retail. Customer disputes over recurring charges, failed cancellation attempts, and delivery issues can push combined refund and chargeback rates near the 5% threshold without anything being wrong. The threshold was not designed with healthy subscription businesses in mind; it was designed to catch scam operators who run for 90 days and disappear.
The signals correlate with growth, not just with fraud. A sudden spike in approval declines because an issuer recalibrated its model. A new product line that confuses customers and generates support volume. A geographic expansion into a market with higher dispute rates. These are the textures of building a real business, and they look statistically similar to the textures of building a fake one.
This is not an argument against the rule. The rule is well-targeted at a real and growing problem: consumers lost $442 billion globally to online scams in 2025 according to the Global Anti-Scam Alliance. The point is that legitimate operators should plan for the rule’s measurement system, not just its purpose.
What happens if you are flagged by Mastercard scam merchant monitoring?
The acquirer or payment facilitator must initiate an investigation within 72 hours. The investigation focuses on whether the merchant’s behavior matches its stated business model: whether complaints suggest deception, whether the transaction data reflects genuine demand, and whether the merchant can substantiate fulfillment, refund handling, and customer communication.
Two outcomes:
| Outcome | What happens |
|---|---|
| Confirmed scam activity | Acquirer immediately blocks Mastercard and Maestro authorization and clearing for the merchant. |
| Investigation clears the merchant | Processing continues. The merchant remains under ongoing monitoring and can be flagged again if new criteria are met. |
A cleared investigation is not free. Even when the answer is “this merchant is legitimate,” the process consumes time, documentation, and acquirer attention. Repeated flags (even repeatedly cleared flags) change the relationship.
Mastercard Scam Merchant Monitoring: What should mid-market merchants do before July 24?
Six actions, ordered by leverage rather than by urgency.
1. See what your acquirer sees. Track authorization approval rate, refund rate, chargeback rate, and combined refund + chargeback rate on a rolling 30-day window. If the team responsible for growth and customer experience does not have day-by-day visibility into these metrics, that is the first gap to close. The rule rewards merchants who notice metric shifts before their acquirer does.
2. Treat the six-month window deliberately. When opening a new acquiring relationship, entering a new market, or launching a new entity, plan for heightened scrutiny. That means tighter operational controls on refunds and disputes during the early window, clearer communication to customers about what they are buying and how to cancel, and proactive outreach to the acquirer about expected business patterns.
3. Audit the subscription mechanics. The 5% combined refund-and-chargeback threshold is most often breached by avoidable subscription friction: unclear renewal language, confusing billing descriptors, hard-to-find cancellation flows, slow support response on legitimate refund requests. Each of these is a margin leak independent of the Mastercard rule. The rule just makes the cost legible.
4. Get ahead of disputes with prevention alerts. Networks like Ethoca and Verifi notify merchants of disputes before they become formal chargebacks. Every prevented chargeback is one that does not count toward a trigger threshold and one less customer who decides to dispute again next time. The economics of prevention alerts almost always pencil out for businesses with meaningful chargeback volume.
5. Keep your legitimacy story documented and current. If an investigation lands, the merchant has 72 hours of acquirer attention to demonstrate the business is real. Maintaining current versions of fulfillment records, refund and cancellation policy history, marketing claims, customer communications, and dispute outcomes is the difference between a same-day clearance and a multi-day processing freeze.
6. Pre-brief the acquirer on growth moves. When you expect seasonal spikes, new product launches, or geographic expansion, tell the acquirer ahead of time. That creates a paper trail that contextualizes the subsequent metric shifts. It is a small habit with disproportionate downstream value.
Mastercard Scam Merchant Monitoring: Where commerce risk is heading
The Mastercard scam merchant monitoring rule change is specific. The pattern is bigger and worth naming.
Commerce risk decisions are moving earlier. The franchise standards are explicit that suspected scam activity now warrants action before chargebacks accumulate. Acquirers will absorb that posture, which means merchants will encounter more questions, more documentation requests, and tighter onboarding, even when nothing is wrong.
At the same time, the signals that trigger reviews are getting noisier and less merchant-controlled. Third-party MMSP alerts, issuer-side fraud reports, and dark web monitoring are inputs the merchant cannot directly manage. Defending against them on a case-by-case basis is exhausting. The more durable posture is to build the kind of operational context that makes legitimate activity self-evident.
That is the real ask of the rule. Not “be perfect on dispute rates.” Not “block more transactions just in case.” The ask is to understand, at any given moment, what your shoppers are actually doing and why, and to be able to show that understanding when an acquirer asks.
Good shoppers should not face friction designed for bad actors. Trusted businesses should not absorb scrutiny designed for scam operators. The path through both is the same: better context, applied earlier, in the workflows where decisions get made.
FAQ
When does Mastercard’s scam merchant monitoring rule take effect? July 24, 2026. The rule revises Mastercard’s franchise standards and applies globally except in Jordan.
Who does the rule apply to? All card-not-present (CNP) merchants. Acquirers and payment facilitators carry the investigation duty. Merchants with less than six months of Mastercard acceptance history are subject to additional triggers.
What triggers an investigation? Four categories of trigger: a sharp authorization approval rate drop (50pp drop or below 30%), receipt of a Mastercard GRIP letter, new-merchant fraud signals (issuer fraud reports under reason code 56, scam-referenced chargebacks from multiple issuers, or a combined refund + chargeback rate above 5% over 30 days), and alerts from a Merchant Monitoring Service Provider.
What happens during an investigation? The acquirer or payment facilitator has 72 hours from the trigger to initiate review. They will request documentation and transaction evidence. If scam activity is confirmed, Mastercard and Maestro processing stops immediately. If the merchant is cleared, processing continues under ongoing monitoring.
How is “new merchant” defined? A merchant with less than six months of Mastercard acceptance history with the acquirer’s portfolio. Opening a new acquiring relationship or launching a new entity restarts this clock.
Can a legitimate merchant be flagged? Yes. The triggers are signal-based, not intent-based. Industry analyses treat false positives as expected, not exceptional. The defense is keeping documentation current and metrics visible so a flagged merchant can substantiate legitimacy quickly.
Does this rule replace VAMP (Visa Acquirer Monitoring Program)? No. VAMP is a separate Visa-network program with different mechanics. Mastercard’s scam merchant monitoring is specific to the Mastercard franchise standards and addresses different triggers, although the merchant-side disciplines that prepare a business for one tend to prepare it for the other.
Is there a public Mastercard document with the specific thresholds? Mastercard’s published newsroom piece confirms the 72-hour investigation requirement and the July 2026 timing. Specific numeric thresholds (50pp drop, below 30%, 5% combined rate, 500 transactions, 25 transactions) are reported consistently across industry analyses including Solidgate. The franchise standards document itself is typically accessed via acquirer-facing Mastercard portals.
Sources: Mastercard, “How to stop the scammers behind the storefronts” (May 19, 2026); Solidgate, “Mastercard’s revised scam merchant monitoring in 2026”; Global Anti-Scam Alliance, “Global State of Scams 2025”.
