Mastercard has introduced “Scam Merchant” Monitoring Requirements, with rollout starting in January 2026 and taking full effect on July 24, 2026. Mastercard is pushing the ecosystem to identify and remove bad actors faster. The objective is clear. The implications for acquirers are much bigger than they appear.
Here are the mechanics.
All newly onboarded merchants must undergo website content and transaction laundering scans before processing begins. Once live, acquirers and payment facilitators are required to continuously monitor merchant activity and investigate specific risk triggers within 72 hours of being flagged.
Those triggers include meaningful drops in authorization approval rates, issuer-reported scam activity, elevated chargebacks or refunds, especially for newer merchants, and alerts from Mastercard monitoring programs or third-party providers. The focus is on card-not-present environments and scam typologies like impersonation, investment, and purchase scams.
If an investigation confirms scam activity, the acquirer must immediately stop Mastercard and Maestro processing for that merchant.
On paper, this is a necessary evolution.
In reality, it is a significant liability and operational shift.
Acquirers are now accountable for identifying and acting on scam behavior quickly, often based on signals that are inherently reactive. Elevated chargebacks. Issuer complaints. Monitoring alerts. By the time these triggers fire, the fraud has already occurred and consumers have already been impacted.
A 72-hour SLA (service level agreement) may sound aggressive, but in a digital fraud environment where attacks scale in minutes, it is effectively post-event containment.
This creates real operational pressure.
Acquirers need the infrastructure to monitor merchant portfolios in near-real-time, investigate alerts quickly, document decisions, and take decisive action. That means more resources, tighter processes, better tooling, and a higher tolerance for difficult decisions that can impact merchant relationships.
At the same time, the data asymmetry remains.
Fraud detection is a shared responsibility. Processors see patterns on the merchant side. Issuers hold the longitudinal behavioral history of the cardholder. If a transaction is truly suspicious, issuers have the strongest signal to decline it before authorization. Acquirers, on the other hand, are being asked to act after patterns emerge, often without full visibility into the cardholder side of the equation.
Neither side has the complete story alone. Yet the operational burden is increasingly concentrated on one side of the network.
Mastercard is also investing in AI-driven monitoring and enhanced merchant intelligence to support this shift. That is a step in the right direction, but technology alone does not eliminate the core challenge. The system is still largely reactive.
The takeaway for eCommerce leaders is simple.
This is not just a network rule change. It is a structural shift in how fraud risk is managed and who is expected to act.
The burden is shifting.
And the real question is whether this is a step forward for fraud prevention, or a step sideways in how responsibility is distributed.
If you’re being asked to take on more responsibility, your infrastructure needs to keep up.
Happy to connect and walk through your current fraud and payment strategy, and identify opportunities for a more proactive approach.