Comprehensive Merchant
Risk Management Glossary

Merchant onboarding is the initial process through which a business  whether a company or individual entrepreneur  is enabled to start accepting payments via a payment processor or aggregator. This step involves evaluating the merchant’s legitimacy, compliance standing, business model, and risk level before setting up a merchant account. Functionally, it's akin to opening a dedicated financial account for business transactions.During onboarding, the payment provider gathers key documentation such as business licenses, ownership details, and product information to verify that the merchant is operating lawfully and aligns with acceptable risk thresholds. For instance, an online retailer may need to provide company registration documents and explain its product catalog to rule out prohibited items or past fraudulent activity.A robust onboarding process is crucial to keeping bad actors out of the payments ecosystem. If ineffective, it can expose the provider to onboarding risk  where a seemingly legitimate merchant turns out to engage in fraud, accumulate excessive chargebacks, or breach regulatory obligations. To manage this risk, providers typically apply a mix of identity verification, background screening, and risk scoring mechanisms at this early stage.

Risk-Based Approach: A risk-based approach is a compliance and risk management strategy where financial institutions  including acquirers, PayFacs, and ISOs  allocate resources and apply controls based on the level of risk presented by a customer or transaction. Instead of applying the same checks across all merchants, a risk-based approach adjusts the intensity and frequency of due diligence based on factors like industry, geography, transaction behavior, and past activity.

For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

This approach is a cornerstone of AML (Anti-Money Laundering) and KYC/KYB frameworks and is encouraged by global regulators and standards bodies like the FATF (Financial Action Task Force). It helps payment providers remain compliant without overburdening low-risk merchants, balancing fraud prevention, regulatory requirements, and business efficiency.

KYC, or Know Your Customer, is a key compliance requirement that focuses on verifying the identities of customers during the onboarding process. It involves collecting and authenticating personal and business details such as legal names, addresses, identification numbers, and official documentation to confirm who the customer is and whether they pose a risk.

The core aim of KYC is to safeguard the financial system from threats like fraud, money laundering, and illicit financing by ensuring that payment providers and financial institutions understand exactly who they are working with. For example, before approving a merchant account, a provider may request official ID from the business owners and validate business registration data to ensure the enterprise is legitimate.For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

KYC isn't limited to a one-time check; many organizations continue to perform ongoing KYC or continuous monitoring, which involves tracking changes in customer behavior or newly emerging risks over time. In essence, KYC is not just a regulatory checkbox  it’s a cornerstone of secure, compliant, and trust-based onboarding.

Know Your Business (KYB): KYB, or Know Your Business, is a due diligence process focused on verifying the authenticity and legal standing of a business entity  an essential step when onboarding merchants. While it shares principles with Know Your Customer (KYC), KYB specifically targets business structures rather than individuals. It involves confirming company registration, reviewing business licenses, validating operational addresses, and  crucially  identifying key individuals behind the business.

A core part of KYB is uncovering Ultimate Beneficial Owners (UBOs)  the individuals who hold significant control or ownership stakes in the company. This ensures transparency and helps payment providers avoid engaging with shell companies or entities involved in illegal activities.For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

For example, when vetting a new merchant, a payment service provider might review corporate filings, confirm the identities of executives, and screen them against global watchlists or sanctions databases. KYB safeguards the financial ecosystem by ensuring that every merchant onboarded is a real, law-abiding business  not a cover for fraud, money laundering, or other illicit operations. When paired with KYC, KYB offers a complete picture of both the business and the people behind it.

Failing to identify or screen UBOs properly may result in onboarding shell companies, sanctioned entities, or businesses used as fronts for illicit activity. For example, a low-risk retail site might be controlled by a hidden UBO involved in a banned industry  making proper UBO discovery critical to understanding who’s truly behind a merchant account.

Ultimate Beneficial Owner (UBO): An Ultimate Beneficial Owner (UBO) is the individual  or individuals  who ultimately own or control a business, even if they are not listed as directors or legal representatives. In merchant onboarding and KYB processes, identifying UBOs is essential to ensure transparency and assess financial crime risk.

Customer Due Diligence (CDD): Customer Due Diligence (CDD) refers to the set of procedures financial institutions and payment providers use to verify a customer's identity and evaluate their risk profile. In the merchant onboarding context, CDD includes both KYC (Know Your Customer) and KYB (Know Your Business) measures, making it the broader framework that governs initial and ongoing assessments of a customer’s trustworthiness.

CDD typically involves gathering and validating identifying information, understanding the merchant’s business model, and checking for red flags like past financial misconduct or regulatory issues. Based on the level of perceived risk, providers may escalate to Enhanced Due Diligence (EDD)  a more in-depth review process for high-risk merchants. EDD might include collecting additional documentation, conducting deeper background checks, or monitoring transactions more closely, especially if the merchant operates in a regulated or high-risk sector.

In essence, CDD ensures that businesses and individuals allowed into the payment ecosystem are properly vetted and continuously assessed to prevent exposure to financial crimes, fraud, or reputational damage. It is a dynamic, risk-based process that scales in rigor based on the customer’s risk profile.

PEP Screening (Politically Exposed Person Screening): PEP screening is the process of identifying whether a merchant, business owner, or ultimate beneficial owner (UBO) is a politically exposed person someone who holds or has held a prominent public position, such as a senior government official, judge, military leader, or head of a state-owned enterprise.

Because PEPs are at higher risk of involvement in corruption, bribery, or illicit financial activity, acquirers and payment providers are required to apply enhanced due diligence (EDD) when onboarding or monitoring these individuals. This includes identifying their status, understanding the source of their funds, and maintaining closer scrutiny over their financial behavior.

PEP screening is a regulatory expectation under AML regimes globally and is typically performed during merchant onboarding and monitored on an ongoing basis. Ignoring PEP status can expose payment providers to legal, reputational, and regulatory risks  especially if transactions later become linked to financial crime or public scandals.

Sanctions Screening: Sanctions screening is the process of checking a merchant or associated individuals (such as business owners or UBOs) against government-issued sanctions lists to ensure they are not prohibited from doing business. These lists are maintained by organizations such as the U.S. Office of Foreign Assets Control (OFAC), EU, UN, and UK HM Treasury, and include individuals, entities, and countries subject to trade or financial restrictions.

Most providers automate sanctions screening using real-time database integrations and fuzzy-matching algorithms to detect name variations or potential false positives. If a match is found, the account is typically escalated for manual review, and in many cases, onboarding is paused or declined.

Adverse Media Screening:  Adverse media screening  also known as negative news screening  is the process of searching public sources for negative information about a merchant, its owners, or related entities. This includes checking news articles, legal filings, enforcement actions, regulatory blacklists, and media reports for signs of criminal activity, fraud, corruption, or reputational risk.

For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

This approach is a cornerstone of AML (Anti-Money Laundering) and KYC/KYB frameworks and is encouraged by global regulators and standards bodies like the FATF (Financial Action Task Force). It helps payment providers remain compliant without overburdening low-risk merchants, balancing fraud prevention, regulatory requirements, and business efficiency.

Adverse media findings don’t always trigger automatic rejection  but they signal that deeper investigation may be needed. Screening tools typically use AI and natural language processing to surface relevant matches, which are then manually reviewed by compliance teams.

By catching reputational red flags early, payment providers can prevent onboarding merchants that may later result in financial loss, regulatory issues, or brand damage.

Merchant Underwriting: Merchant underwriting is the process of evaluating a business’s risk level before approving it for a merchant account or payment processing services. This step happens during onboarding and serves as a safeguard for payment providers, acquirers, and banks. The goal is to determine whether the merchant falls within the provider’s acceptable risk threshold and under what terms they can be approved.

Underwriting involves a thorough review of the merchant’s background  this may include examining the industry category (such as whether it's high-risk, like CBD or adult content), financial health, credit history, chargeback patterns, and regulatory compliance. For example, a new e-commerce business selling nutraceuticals might be flagged for extra scrutiny due to industry risk, while a stable retailer with a clean history might be fast-tracked.

If concerns arise, underwriters might still allow the merchant to onboard but apply conditions such as rolling reserves, processing limits, or enhanced monitoring. Strong merchant underwriting helps prevent fraud, chargebacks, and reputational damage by ensuring only trustworthy businesses enter the payment system. It balances the need for quick onboarding with the responsibility of protecting financial infrastructure.

Risk Scoring (Merchant Risk Score): Risk scoring is the practice of assigning a numerical value or rating to a merchant during onboarding or underwriting to indicate their level of risk. This score helps payment providers, acquirers, and compliance teams make data-driven decisions about whether to approve, reject, or monitor a merchant more closely.

Risk scores are calculated using models that factor in variables such as business type, processing history, creditworthiness, geographic location, product category, and more. For instance, a brand-new merchant in a high-risk vertical  like dietary supplements or ticket resales  may receive a high risk score, while a long-established business with steady sales and low disputes would score much lower.

By quantifying risk in a consistent way, providers can streamline onboarding, flag potentially problematic merchants early, and implement safeguards like reserves or tiered monitoring. In high-risk sectors, card networks often require enhanced risk scoring and fraud detection as part of compliance. Ultimately, merchant risk scoring is a core tool for balancing growth and security in the payments ecosystem.

Merchant Category Code (MCC): A Merchant Category Code (MCC) is a four-digit number used by card networks to classify a merchant based on the type of goods or services they offer. Each merchant is assigned an MCC during onboarding, and this code helps payment processors, acquirers, and card schemes understand what kind of business they’re dealing with.

MCCs play an important role in risk management, compliance, and transaction routing. Some codes are associated with high-risk industries, which may require additional underwriting or monitoring.  For example:For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

Assigning the correct MCC is critical. If a business that sells regulated products  like dietary supplements or age-restricted items  is misclassified under a generic retail code, it could bypass important risk checks and create compliance issues. On the other hand, high-risk MCCs alert providers to potential challenges such as fraud, chargebacks, or regulatory exposure.

In short, MCCs help acquirers apply the right rules and risk controls from day one by categorizing merchants accurately based on their core business activity, while remaining in compliance with card-brand rules.

High-Risk Merchant: A high-risk merchant is a business that presents a greater-than-average risk to payment processors, acquiring banks, or card networks. This elevated risk may stem from the merchant’s industry type, business model, transaction behavior, or compliance history.

A merchant can also be deemed high-risk due to operational factors  such as a lack of processing history, high average order value, large volume spikes, or poor credit standing. For example, a newly launched electronics site accepting large upfront payments for future delivery might raise red flags due to the potential for customer disputes or fulfillment failures.

High-risk merchants often undergo enhanced underwriting, face higher processing fees, may be subject to rolling reserves, and are closely monitored. They may also be required to enroll in card brand compliance programs that apply stricter oversight.

While these merchants can generate significant processing volume, they require robust risk controls to protect the payment ecosystem from fraud, financial losses, and reputational damage.

Transaction Monitoring: Transaction monitoring is the ongoing process of analyzing financial transactions to identify behaviors that may signal fraud, money laundering, or other forms of financial crime. In the context of merchant acquiring, it refers to how acquirers, payment processors, and PayFacs track transaction activity within merchant accounts to detect anomalies and emerging risks.

For example, if a low-volume merchant that typically processes $50 orders suddenly begins handling hundreds of $1,000 transactions overnight, that activity would trigger alerts for further investigation.

Regulators in most jurisdictions mandate that financial institutions—including payment service providers—maintain robust transaction monitoring programs as part of their AML and fraud prevention obligations.

For payment providers, effective transaction monitoring is not just a checkbox—it’s a critical control layer that protects the integrity of the payments ecosystem, reduces exposure to regulatory penalties, and ensures that only legitimate merchants and transactions flow through the network.

Money Laundering: Money laundering is the process of concealing the criminal origin of funds by channeling them through legitimate financial systems to make them appear clean. For acquirers, PayFacs, and ISOs, this represents a significant compliance and reputational risk, as payment systems can be exploited to facilitate illicit financial flows if proper controls are not in place.

In the acquiring context, laundering schemes may involve transaction laundering, where criminals funnel illicit funds through what appears to be a compliant merchant account. For example, a seemingly normal e-commerce merchant might process fake purchases using prepaid cards or crypto tied to criminal funds, making illegal money look like legitimate sales.
‍
To mitigate exposure, payment providers are subject to Anti-Money Laundering (AML) regulations that mandate due diligence and ongoing transaction monitoring. This includes screening merchants at onboarding (KYB/KYC), flagging anomalous transaction patterns (e.g., excessive microtransactions, velocity spikes, suspicious geographies), and filing Suspicious Activity Reports (SARs) when warranted.
‍
Failing to detect laundering activity can result in regulatory penalties, loss of banking relationships, and brand damage. As such, robust AML programs  combined with real-time monitoring and risk-based controls  are critical to preventing abuse of the payments infrastructure.

Transaction Laundering: Transaction laundering also known as payment laundering or merchant laundering  is a form of financial fraud where an approved merchant processes credit or debit card payments on behalf of an unregistered, unauthorized third party. It allows bad actors to funnel payments for prohibited or illicit goods through seemingly legitimate merchant accounts, bypassing underwriting and compliance controls.
‍
This scheme poses a significant threat to acquirers, payment facilitators, and ISOs, as it allows high-risk or illegal businesses to operate covertly within the card network ecosystem. In a typical scenario, a front merchant (Merchant A) has an approved online store  such as one selling motorcycle parts  while an illicit business (Merchant B) sells narcotics, counterfeit goods, or other prohibited items. Merchant B routes its card transactions through Merchant A’s MID (merchant identification number), making the illegal sales appear legitimate in transaction records and cardholder statements.
‍
Because the visible transaction data points to an approved merchant, transaction laundering is notoriously difficult to detect. However, it is considered a severe violation by card brands and regulators, often resulting in immediate termination of processing privileges, fines, and even legal consequences.

Ultimately, transaction laundering exposes the payment provider to compliance violations, reputational damage, and regulatory penalties. Proactive detection and enforcement are essential to maintaining the integrity of the payment ecosystem and avoiding complicity in illicit financial activity.

Suspicious Activity: In the context of merchant risk management, suspicious activity refers to any transaction or behavior that deviates from normal patterns and may signal fraud or illegal operations. Payment providers must remain vigilant for unusual behaviors that could indicate issues such as stolen card testing, money laundering, or more organized financial crimes.

When a transaction monitoring system flags such anomalies, the risk team conducts a deeper investigation. While not every flagged event results in wrongdoing, patterns that align with known fraud or terrorist financing techniques may trigger serious actions. For instance, if a small boutique that normally records $50 purchases suddenly reports 100 transactions at exactly $500 each, it could warrant additional scrutiny  even if an innocent explanation such as a marketing promotion is possible.
‍
In cases where suspicious activity is confirmed  indicating potential large-scale fraud or terrorist financing  payment providers might pause processing and file a Suspicious Activity Report (SAR) with regulators. Ultimately, distinguishing between benign irregularities and malicious activity is a core component of effective risk management, ensuring the integrity of the payments ecosystem.

Chargeback: A chargeback is a forced reversal of a credit or debit card transaction, typically initiated by the cardholder’s issuing bank. When a customer disputes a charge  whether due to suspected fraud, non-delivery of goods, or dissatisfaction  their bank may refund the money to the cardholder and debit the amount from the merchant’s account.
‍
Chargebacks can arise for both legitimate reasons (e.g., unauthorized card use, billing errors, or failure to deliver) and illegitimate ones (e.g., "friendly fraud," where a customer disputes a valid charge). For acquirers and payment providers, chargebacks are a critical risk signal. A high volume of disputes may indicate operational issues, poor customer service, or even fraudulent merchant behavior.
‍
Card networks closely monitor each merchant’s chargeback activity. Excessive chargebacks  commonly defined as over 1% of total transactions  can result in financial penalties, enrollment in remediation programs (such as Visa’s VDMP or Mastercard’s ECP), or termination of processing privileges. For instance, a merchant with 500 transactions and 10 chargebacks in a month has a 2% chargeback ratio, well above the acceptable threshold.
‍
Effectively managing chargebacks is essential for preserving a merchant’s credibility and processing access. Tactics include improving fulfillment, offering responsive customer support, using clear billing descriptors, and implementing fraud prevention tools. For payment providers, chargebacks are not just a financial concern  they’re a vital part of ongoing merchant risk management.

Chargeback Ratio: The chargeback ratio is the percentage of a merchant’s total processed transactions that are reversed through chargebacks during a given period. It is calculated by dividing the number of chargebacks by the total number of transactions over that same timeframe:
‍
Chargeback Ratio = (Chargebacks ÷ Total Transactions) × 100
‍
For example, if a merchant processes 1,000 transactions in a month and receives 5 chargebacks, the chargeback ratio is 0.5%. Most card networks require this ratio to remain below a set threshold, often around 0.9% to 1.0%. Exceeding this limit may lead to penalties, enrollment in card brand monitoring programs, or eventual loss of processing capabilities.
‍
For acquirers, ISOs, and PayFacs, the chargeback ratio is a key risk metric. A rising ratio can point to poor merchant practices, product issues, deceptive marketing, or fraud exposure. Merchants with consistently high chargeback ratios are often reclassified as high-risk, may be required to implement mitigation strategies (e.g., 3D Secure, reserves, enhanced monitoring), or face processing limits.
‍
In short, a merchant’s chargeback ratio is a critical indicator of their health and trustworthiness within the payments ecosystem. Keeping it low is essential not only for the merchant’s longevity but also for maintaining the integrity and profitability of the acquirer’s portfolio.

Friendly Fraud (First-Party Fraud / Chargeback Fraud): Friendly fraud  also known as first-party fraud or chargeback fraud  occurs when a legitimate cardholder initiates a chargeback on a valid transaction. Unlike classic fraud, where a third party uses stolen card details, friendly fraud is committed by the customer themselves (or someone in their household), often claiming they didn’t authorize a charge when they actually did.

For example, a customer might purchase an expensive item online, receive it, and then falsely claim fraud to their bank. The bank processes a chargeback, the customer gets refunded, and the merchant suffers the loss  both of the product and the revenue.
‍
Friendly fraud is one of the leading causes of chargebacks, making it a significant concern for acquirers and payment facilitators managing merchant portfolios. It can erode trust in a merchant’s risk profile, inflate chargeback ratios, and trigger network monitoring programs if left unchecked.

Because banks often side with cardholders by default, clear billing descriptors, real-time transaction data, and proactive fraud detection tools are essential defenses. Ultimately, friendly fraud turns the customer into the fraudster, and reducing its impact requires a coordinated effort between merchants, acquirers, and technology providers.

Card-Not-Present (CNP) Transaction: A Card-Not-Present (CNP) transaction refers to any payment where the physical card is not presented to the merchant at the point of sale. This includes e-commerce, mobile app, mail order, and telephone order payments  any situation where the cardholder provides their payment details remotely.
‍
In CNP environments, the merchant doesn’t swipe, dip, or tap the card. Instead, the transaction is processed using card information (e.g. PAN, expiry date, CVV) entered by the customer. CNP transactions are the backbone of online commerce, offering convenience and reach  but they also come with elevated fraud risk.

From a risk perspective, CNP transactions are often subject to higher interchange fees to reflect the additional fraud exposure. Liability for fraud in CNP transactions typically falls on the issuer, unless the merchant adopts certain security protocols  at which point liability may shift to the merchant or be shared, depending on the scenario and card brand rules.
‍
For acquirers, PayFacs, and ISOs supporting merchants with online sales, CNP risk is a key focus. Ensuring merchants implement proper authentication tools and monitoring is critical to reducing fraud losses, minimizing chargebacks, and maintaining compliance with network requirements.

3D Secure (3DS): 3D Secure (3DS) is an authentication protocol designed to reduce fraud in card-not-present (CNP) transactions by verifying the identity of the cardholder before a payment is authorized. When a customer makes an online purchase, 3DS prompts them to confirm their identity  via a one-time password (OTP), mobile app push notification, biometric scan, or another method  before completing the transaction.
‍
Branded by card networks as Visa Secure, Mastercard Identity Check, American Express SafeKey, and others, 3DS helps merchants and payment providers ensure that the person using the card is the legitimate account holder.
‍
The protocol has evolved with 3DS 2.0, which supports mobile-first experiences, biometric verification, and “frictionless” flows for low-risk transactions. These improvements make 3DS more compatible with modern e-commerce and less likely to cause cart abandonment.

3DS is also a key tool for achieving compliance with Strong Customer Authentication (SCA) regulations in regions such as the EU.

Strong Customer Authentication (SCA): Strong Customer Authentication (SCA) is a regulatory requirement under the EU’s Revised Payment Services Directive (PSD2) that mandates two-factor authentication for many online and contactless card payments. The purpose of SCA is to enhance security and reduce payment fraud by ensuring that the person initiating a transaction is the legitimate account holder.

SCA applies primarily to electronic payments within the European Economic Area (EEA) and has become a central part of risk and compliance strategies for payment providers and merchants operating in Europe.
‍
In practice, 3D Secure (3DS) is the most widely used method to meet SCA requirements for card payments. When used correctly, it ensures compliance while enabling a secure checkout flow.
‍
SCA shifts liability for fraud in many cases to the card issuer, reducing risk exposure for merchants. However, it can also add friction to the checkout process, which is why merchants and acquirers often utilize SCA exemptions  such as for low-value transactions, recurring billing, or trusted beneficiaries  when permitted.
‍
For acquirers, PayFacs, and ISOs, ensuring that merchants adopt compliant authentication methods is critical to maintaining transaction approval rates, avoiding regulatory penalties, and minimizing fraud losses.

Merchant Web Monitoring (Website Monitoring): Merchant web monitoring, also referred to as website monitoring, is the ongoing process of scanning a merchant’s online presence to ensure that their website content, products, and services remain compliant with card network rules, legal requirements, and the merchant’s declared business model.
‍
For acquirers, PayFacs, and ISOs, web monitoring is a critical post-onboarding control. It helps verify that merchants continue to operate as approved—especially in environments where businesses can easily add prohibited goods, high-risk content, or misleading product listings after onboarding.

These activities may breach card network compliance programs such as Visa’s Global Brand Protection Program or Mastercard’s Business Risk Assessment and Mitigation (BRAM) program—exposing payment providers to fines and reputational damage.

For example, a merchant initially approved to sell protein powders might later list prescription weight-loss pills without informing the provider. Website monitoring tools would flag the update for review, enabling the acquirer or PayFac to intervene before further risk is incurred.
‍
In short, merchant web monitoring helps ensure that approved merchants stay within their agreed business scope and do not engage in prohibited activities—either intentionally or through third-party abuse. It’s a cornerstone of any effective merchant risk monitoring program.

Content Compliance (Card Network Content Rules): Content compliance refers to the requirement that merchants only offer products and services that are permitted under the rules set by payment card networks—such as Visa and Mastercard—and by applicable local laws and regulations. Acquirers, PayFacs, and ISOs are responsible for ensuring that their merchants meet these standards not only at onboarding, but on an ongoing basis.

To mitigate this risk, payment providers typically pair content compliance monitoring with web monitoring tools that scan merchant websites for high-risk keywords, images, or structural changes. These tools can identify when, for instance, a fashion retailer suddenly adds a page selling steroids, counterfeit items, or firearms.
‍
Ultimately, enforcing content compliance is about protecting the payments ecosystem, maintaining card brand integrity, and avoiding regulatory and reputational fallout. It ensures that merchants stay aligned with what they were approved to sell—and that acquirers can confidently stand behind the merchants in their portfolio.

Mastercard BRAM (Business Risk Assessment and Mitigation) Program: The Mastercard BRAM program—short for Business Risk Assessment and Mitigation—is a global compliance framework designed to protect the Mastercard brand and payments ecosystem from illegal or brand-damaging merchant activity. It places direct accountability on acquiring banks and their agents to ensure merchants do not engage in prohibited or high-risk transactions.

If Mastercard detects that a merchant under an acquirer’s portfolio is involved in such activity, it can issue enforcement actions—including significant monetary fines (often six figures per violation) and compliance mandates. In some cases, the merchant may be required to be terminated, and the acquirer may have to report them to the MATCH list (Mastercard Alert to Control High-risk Merchants).

BRAM has been a major driver behind the rise of merchant monitoring solutions, pushing the industry to adopt proactive tools for content scanning, transaction analysis, and early risk detection. For payment providers, failing to enforce BRAM compliance can lead to escalating penalties, reputational harm, and even loss of acquiring privileges.
‍
In summary, the BRAM program is Mastercard’s enforcement mechanism to ensure that acquirers take ownership of the risks posed by their merchants—prioritizing both legal compliance and brand protection.

Visa Acquirer Monitoring Program (VAMP): The Visa Acquirer Monitoring Program (VAMP) is Visa’s unified compliance framework designed to monitor and manage merchant risk across fraud, disputes, and content integrity. Launched as a successor to multiple legacy programs—including the Visa Integrity Risk Program (VIRP), Visa Fraud Monitoring Program (VFMP), and Visa Dispute Monitoring Program (VDMP)—VAMP consolidates these initiatives into a single, lifecycle-based risk management system.
‍
Effective April 1, 2025, VAMP introduces a proactive and standardized approach to monitoring merchant behavior, placing greater responsibility on acquirers, PayFacs, and ISOs to detect and mitigate risks before they escalate.

In summary, VAMP is Visa’s next-generation compliance model, providing a unified view of merchant risk and demanding a more proactive approach to fraud, dispute, and content monitoring from all acquirers and facilitators in the ecosystem.

Transaction Laundering Detection: Transaction laundering detection refers to the process of identifying situations where a legitimate merchant account is being used to process transactions on behalf of an undisclosed or unauthorized third party. This type of fraud bypasses onboarding, compliance, and monitoring protocols, making it a significant concern for acquirers, PayFacs, and ISOs.
‍
Unlike standard fraud, transaction laundering is not always evident in the payment data alone. It is primarily uncovered through web monitoring, content analysis, and investigative techniques that assess the digital footprint of the merchant.

For example, a merchant approved to sell motorcycle gear may appear legitimate—but deeper investigation might reveal that their checkout process is embedded in or serving a different website selling unapproved goods or services.

Transaction laundering detection is a critical layer of merchant oversight, supporting content compliance programs and protecting the broader payments ecosystem from abuse.

MATCH List (Member Alert to Control High-Risk): The MATCH List—short for Member Alert to Control High-Risk Merchants—is a confidential database used by acquiring institutions to share information about merchants who have been terminated for serious risk-related reasons. Often informally called the “Terminated Merchant File” (TMF), it serves as a risk control mechanism to prevent high-risk or non-compliant merchants from hopping between providers undetected.

…the acquirer may be required to report the merchant—and its associated principals or beneficial owners—to the MATCH List.Before onboarding a new merchant, payment providers are expected to check the MATCH List as part of their due diligence. If a match is found, it indicates that the merchant has been flagged within the past five years. While being on MATCH does not automatically disqualify a business from obtaining a new account, it significantly raises the bar for acceptance.

Merchants listed on MATCH are generally notified and provided with the applicable reason code. Removal from the list typically occurs after five years, or through a successful appeal process initiated by the original reporting acquirer.
‍
In essence, the MATCH List is a risk-sharing tool that protects the acquiring ecosystem by alerting providers to merchants with a problematic history—ensuring that repeat violations are not overlooked across the payments network.

Ongoing Monitoring (Continuous Merchant Monitoring): Ongoing monitoring—also known as continuous merchant monitoring—is the practice of regularly reviewing a merchant’s activity, behavior, and business profile after onboarding. It ensures that merchants continue to comply with card network rules, legal requirements, and the acquirer’s internal risk policies throughout the entire lifecycle of the merchant account.
‍
Unlike onboarding, which offers a snapshot of the merchant at a single point in time, ongoing monitoring provides a dynamic, real-time view of risk. Merchants may evolve—adding new product lines, changing ownership, or experiencing shifts in transaction volume—and these changes can introduce new compliance obligations or increased risk exposure.

For example, a merchant that begins as a low-risk apparel seller might, over time, introduce regulated products like vaping devices or CBD without prior approval. Through continuous monitoring, these changes can be flagged for review, ensuring that corrective actions are taken before violations or fines occur.
‍
In essence, ongoing monitoring is about maintaining vigilance after onboarding, ensuring merchants remain compliant, aligned with their original business purpose, and appropriately classified in terms of risk. It’s a foundational element of any effective merchant risk management framework.

Periodic Review (KYC Refresh): A periodic review, often referred to as a KYC refresh, is a scheduled reassessment of a merchant’s profile, documents, and risk status. It is a core component of ongoing monitoring, helping acquirers and payment providers ensure that merchant data remains current and that no material changes have occurred that could impact the merchant’s risk classification.

For example, a merchant onboarded as a small clothing store may, after 18 months, begin processing high volumes of health supplements. A periodic review could uncover this business model shift, triggering a deeper compliance check or adjustment of risk controls.
‍
In summary, periodic reviews are structured checkpoints that complement real-time monitoring, ensuring the merchant’s risk profile remains aligned with regulatory requirements and the acquirer’s internal risk tolerance. They are essential for maintaining a clean, compliant merchant portfolio over time.

Risk Appetite: Risk appetite refers to the level and types of risk that a financial institution, acquirer, or payment provider is willing to accept in its merchant portfolio. It serves as a strategic boundary, guiding decisions on merchant onboarding, underwriting policies, and ongoing portfolio management.

Risk appetite is typically defined at the organizational level, shaped by factors like regulatory environment, leadership priorities, risk mitigation capabilities, and financial resilience. Risk managers regularly refer to it when reviewing exceptions, setting limits, or updating policy in response to emerging threats or market changes.
‍
In summary, risk appetite is the threshold of acceptable exposure, and an effective merchant risk program is calibrated to operate within those boundaries—balancing growth with long-term stability and compliance.

Reserve (Merchant Reserve Account): A reserve, or merchant reserve account, is a risk management tool used by acquirers and payment providers to protect against potential losses from chargebacks, fraud, or merchant insolvency. It involves setting aside a portion of the merchant’s funds as a financial buffer, ensuring there are resources available if future liabilities arise—especially after the original transactions have been settled.
‍
Reserves are most commonly required for high-risk merchants, new businesses with little processing history, or industries with long delivery windows and a higher likelihood of disputes.

From the merchant’s perspective, reserves can impact cash flow—but they also signal alignment with long-term risk controls. Merchants that maintain low dispute rates and operate transparently are more likely to regain full access to withheld funds.
‍
In summary, a reserve account is the acquirer’s financial safeguard, ensuring there are sufficient funds to handle downstream risks without absorbing the cost directly. It plays a central role in maintaining the stability and trustworthiness of the payments ecosystem.

Fraud and Compliance Alerts: Fraud and compliance alerts are real-time or near-real-time notifications triggered by unusual merchant behavior or risk indicators. These alerts are a core part of ongoing monitoring and help acquirers, PayFacs, and ISOs detect potential issues before they escalate into serious compliance breaches or financial losses.

In summary, fraud and compliance alerts serve as a dynamic early warning system for merchant risk. By surfacing abnormal patterns and external red flags quickly, they empower payment providers to take decisive action and prevent downstream losses.

Acquirer (Acquiring Bank): An acquirer, also known as an acquiring bank, is the financial institution or payment provider that enables merchants to accept card payments. The acquirer processes payment card transactions on the merchant’s behalf, settles funds into the merchant’s account, and assumes responsibility for the transaction until it is fully authorized and funded by the issuing bank.
‍
In essence, the acquirer acts as the merchant’s bank for card processing, facilitating the flow of funds between the merchant, the card networks, and the customer’s issuing bank. This role is central to the payments ecosystem—and also carries financial and compliance risk.

If a merchant commits fraud, processes prohibited content, or becomes insolvent, the acquirer is typically liable for related chargebacks or penalties. For this reason, acquirers play a gatekeeping role in the ecosystem and are expected to apply strong controls across onboarding, transaction monitoring, and content compliance.
‍
When a merchant opens a merchant account, it is usually provisioned by or through an acquirer. In some models, acquirers may work directly with merchants or through intermediaries such as PayFacs or ISOs, but the acquirer remains the regulated entity responsible to the card networks.
‍
In summary, an acquirer is the institution that gives merchants access to card acceptance, processes their payments, and assumes risk and accountability for the transactions flowing through their portfolio.

Issuer (Issuing Bank): An issuer, or issuing bank, is the financial institution that provides payment cards—such as credit or debit cards—to consumers or businesses. This is the cardholder’s bank, responsible for approving transactions, funding purchases, and managing the cardholder’s account.

Although the issuer is not the merchant’s bank, merchants interact indirectly with issuers through the payment flow and during the chargeback process.

Understanding issuer behavior is valuable for merchant risk management. For example, certain issuers may have a lower tolerance for disputes, stricter fraud filters, or higher chargeback tendencies under specific reason codes.
‍
In summary, the issuer is the cardholder’s bank, and while merchants don’t interact with issuers directly, the issuer plays a crucial role in approving payments, funding transactions, and initiating chargebacks—making it a key stakeholder in the payment ecosystem.

Payment Service Provider (PSP): A Payment Service Provider (PSP) is a company that enables merchants to accept a wide range of payment methods—including credit cards, debit cards, bank transfers, and digital wallets—without requiring the merchant to establish individual relationships with each payment scheme or financial institution.
‍
PSPs offer a unified technical platform that streamlines payment acceptance by integrating processing, merchant onboarding, and sometimes settlement into a single service layer. This makes PSPs particularly attractive for merchants seeking fast, scalable access to multiple payment options.

In many cases, a PSP acts as or partners with an acquirer on the backend. Some PSPs are licensed acquiring institutions, while others rely on third-party acquirers for settlement and risk assumption.

Risk Considerations:
PSPs often take on first-line risk screening during merchant onboarding and may define risk thresholds, business eligibility rules, or transaction monitoring protocols similar to those used by acquiring banks. Since PSPs are responsible for routing card transactions and managing merchant activity, they must maintain compliance with card network standards, especially in high-risk or regulated industries.

In summary, a Payment Service Provider acts as a gateway and intermediary between merchants and the broader payments ecosystem—facilitating fast, flexible access to payment acceptance while also bearing responsibility for onboarding, risk screening, and regulatory compliance.

Payment Processor: A payment processor is the entity responsible for handling the technical infrastructure of a card transaction. It facilitates the movement of payment data between the merchant, the acquirer, the card network, and the issuer by routing authorization requests, delivering responses, and managing the settlement of funds.
‍
While sometimes used interchangeably with terms like acquirer or PSP, the payment processor is typically focused on the back-end operations of payment flow—not financial risk ownership.

While the merchant’s relationship is typically with the PSP or acquirer, the processor is the "engine" behind the scenes that ensures transactions flow smoothly and securely.
‍
In summary, a payment processor is a core technology provider in the payments ecosystem, enabling the authorization, routing, and settlement of card transactions—without necessarily taking on financial liability for the transaction itself.

Independent Sales Organization (ISO): An Independent Sales Organization (ISO) is a third-party company authorized to resell merchant acquiring services on behalf of an acquirer or payment processor. ISOs serve as intermediaries, helping merchants sign up for payment processing solutions—often under their own brand—while the actual processing and settlement is handled by a backend acquiring bank.
‍
ISOs are not acquiring banks themselves, but they are often the first point of contact for merchants seeking to accept card payments. Many ISOs offer localized outreach, onboarding support, customer service, and relationship management, acting as an extension of the acquirer's sales and service operations.

ISOs are required to use specific disclosures and branding language (such as “Member Service Provider”) in alignment with card network requirements and must operate within clearly defined legal and operational frameworks.
‍
In summary, an Independent Sales Organization expands the reach of acquirers by sourcing and supporting merchant accounts—but also introduces risk that must be carefully monitored through strong oversight, training, and compliance controls.

Payment Facilitator (PayFac): A Payment Facilitator (PayFac) is a service provider that operates under a master merchant account with an acquiring bank and enables multiple sub-merchants to process transactions under that single account. Instead of each merchant establishing a direct relationship with an acquirer, the PayFac streamlines the process by handling onboarding, underwriting, compliance, and funding on behalf of the sub-merchants.
‍
In this model, the PayFac is the registered merchant of record with the acquirer and assumes financial responsibility for all payment activity conducted by the sub-merchants it supports.

In summary, a Payment Facilitator enables fast, scalable access to payment acceptance by acting as a mini-acquirer for a portfolio of sub-merchants. While it offers efficiency and flexibility, it also concentrates risk—requiring strong infrastructure for onboarding, fraud prevention, and compliance oversight.

Payment Aggregator: A Payment Aggregator is a service provider that enables multiple merchants to process payments under a single, master merchant account. The aggregator collects (or “aggregates”) transactions from sub-merchants and routes them through a centralized payment setup, simplifying access to card and digital payment acceptance—particularly for small or micro-merchants.
‍
The payment aggregator model is functionally equivalent to that of a Payment Facilitator (PayFac). In fact, in many markets, the terms are used interchangeably. The aggregator acts as the merchant of record with the acquiring bank and takes on responsibility for onboarding, underwriting, and monitoring its sub-merchants.

In some regions, the term "aggregator" was widely used before "PayFac" became standardized in card network rulebooks. For example, certain jurisdictions use "aggregator" to describe providers who offer merchant account–less onboarding—a hallmark of the PayFac model.

In summary, a Payment Aggregator is a synonym for a PayFac in most cases. It describes a model in which a central provider enables a broad base of merchants to process payments quickly and efficiently—while shouldering the operational and compliance responsibilities of that activity.

Merchant Account: A merchant account is a specialized type of account established between a business and an acquirer that enables the business to accept credit and debit card payments. It is not a traditional business bank account—rather, it functions as a clearing account where funds from card transactions are temporarily held before being settled to the merchant’s regular bank account.

Each merchant account is assigned a unique identifier known as a Merchant ID (MID). Businesses operating across multiple channels or brands may have multiple MIDs under the same acquiring relationship.

Merchant Account vs. Sub-Merchant Model:
‍
In a traditional model, the merchant has a direct relationship with the acquirer and is assigned their own merchant account. In contrast, under a Payment Facilitator (PayFac) model, sub-merchants do not have individual merchant accounts; instead, they transact under the PayFac’s master account and receive payouts from the PayFac.

In summary, the merchant account is the foundation of a business’s ability to accept card payments. It represents a formal, underwritten relationship with an acquirer, complete with monitoring obligations, compliance requirements, and financial responsibilities.

Gateway: A payment gateway is a technology service that transmits transaction data securely from a merchant to the payment processor or acquirer. In e-commerce and other card-not-present environments, the gateway acts as the digital counterpart to a physical point-of-sale terminal—facilitating the capture and encryption of payment details and forwarding them for authorization.

While some companies combine gateway, processing, and acquiring services, others offer standalone gateway solutions that must be integrated with a separate acquirer or PSP.

Merchants need a payment gateway to accept online payments—unless they build a direct integration with a processor’s API, which is typically more complex and less common among small or mid-sized businesses.
‍
In summary, a gateway is the secure bridge between a merchant’s payment front-end and the back-end transaction processing system, enabling real-time communication, encryption, and routing of payment data across the card network infrastructure.

PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is a global set of security standards developed to ensure that all entities that store, process, or transmit cardholder data maintain a secure environment. Compliance with PCI DSS is mandatory for merchants, service providers, and payment intermediaries who handle payment card transactions.
‍
The goal of PCI DSS is to protect cardholder data and prevent data breaches that could lead to fraud, financial losses, and reputational harm across the payment ecosystem.

While PCI DSS focuses on data security rather than transactional fraud, it plays a critical role in the broader context of merchant risk management. It helps prevent large-scale card number theft that can fuel downstream fraud and disrupt trust in the payment system.
‍
In summary, PCI DSS is the cornerstone of payment data security. Ensuring merchants are compliant—at onboarding and throughout the life of the account—is essential for protecting cardholders, minimizing risk, and meeting regulatory obligations.