Thu May 28 2026

On July 24, 2026, Mastercard's Scam Merchant Monitoring Program (SMMP) takes full effect. From that date, acquirers are required to investigate any merchant that triggers specific risk signals within 72 hours. If the investigation confirms scam activity, Mastercard and Maestro processing must be blocked immediately, without a warning period or a gradual wind-down.
The program is designed to remove fraudulent merchants from the network. But the criteria are broad enough, and automated enough, that legitimate merchants in high-risk verticals can be flagged based on how their data looks, not what they actually do.
If you accept Mastercard and you process card-not-present transactions, this program applies to you.
Mastercard already runs chargeback monitoring programs. The Excessive Chargeback Program (ECP) monitors dispute ratios monthly and applies escalating fines when merchants exceed thresholds. The Excessive Fraud Merchant (EFM) program tracks fraud-to-sales ratios. Both are ratio-based: exceed a threshold, receive a warning, pay fines, and remediate over time.
SMMP is a different type of program entirely. It's not ratio-based monitoring but rather investigation-triggered enforcement. The distinction matters:

Under the new standard, once thresholds are met, the investigation starts immediately. If the outcome is negative, processing can stop just as quickly. There is no gradual ramp down or extended warning period.
A merchant can be inside more than one program simultaneously. Being compliant with ECP doesn't mean you're safe from SMMP. The two programs run on different logic and different timelines.

The revised Standards explicitly extend responsibilities to payment facilitators and cover sponsored merchants, not only direct merchant relationships. This means if you process through a payment facilitator, including aggregators like Stripe, Square, or Shopify Payments, you are subject to the same monitoring requirements as direct merchant accounts.
All card-not-present merchants globally are in scope. Brick-and-mortar businesses processing card-present transactions are largely outside the program's focus, but any merchant doing meaningful online volume needs to understand these rules.
Any merchant with less than six months of Mastercard acceptance history enters a heightened monitoring period. During this window, merchants are subject to stricter thresholds for chargebacks and refunds. New merchants face the sharpest scrutiny — limited processing history means fewer data points, which makes pattern anomalies more visible and more likely to trigger investigation.
When at least one of these criteria is met, acquirers must begin investigating within 72 hours.

Your authorization approval rate decreases by at least 50 percentage points over a 72-hour period — for example, from 95% to 45% — or drops below 30%, and you conduct at least 25 purchase transactions during that period. BIN attacks and system-level issues at the acquirer are excluded, but the exclusion has to be documented. A processor outage or a sudden market expansion that tanks your approval rate in a new region can trigger this without any fraudulent activity on your part.
If more than 5% of your purchase transactions result in refunds or chargebacks combined during any 30-day rolling period — with a minimum of 500 transactions — your acquirer must investigate you as a potential scam merchant. Note that this is a combined refund and chargeback rate, not just chargebacks. Merchants with liberal refund policies as a chargeback-prevention strategy may find that those refunds are now counting against the same threshold.
An acquirer or payment facilitator must initiate an investigation if at least two issuers report a transaction as a scam through Fraud and Loss Database (FLD) reporting. This trigger operates independently of your own metrics. You can be well within all ratio thresholds and still face a 72-hour investigation because of how two issuing banks classified your transactions. Friendly fraud — where a cardholder makes a legitimate purchase and then reports it as a scam to their bank — can contribute to this trigger.
Alerts from Mastercard's own monitoring systems or third-party compliance providers can independently trigger the investigation requirement. This is the least transparent trigger for merchants because the signal source is external and the criteria aren't fully published.
Once a trigger fires, the acquirer has 72 hours to complete the investigation and reach a determination. Three outcomes are possible:

The speed is the defining feature of SMMP. Under the old framework, a merchant in trouble had weeks or months to respond. Under SMMP, the decision is made in three days. For any business where Mastercard processing represents a significant portion of volume, the operational impact of an immediate block is severe.
The SMMP criteria are calibrated to detect scam patterns. The problem is that several legitimate business models produce data patterns that look similar to those of scam operations.
Subscription merchants face lower approval rates on recurring transactions. Customer disputes over recurring charges, failed cancellation attempts, or delivery issues can push you above the 5% threshold. A poorly designed cancellation flow, a billing descriptor that customers don't recognize, or a surge in failed recurring charges after a card portfolio refresh — any of these can push the refund/chargeback ratio above the trigger threshold.
Nutraceuticals, digital content, online coaching, and financial services generate disproportionate disputes relative to transaction volume. Not because of fraud but because of the product category, customer expectations, and the nature of the goods. These merchants operate structurally close to the trigger thresholds at baseline.
Sudden changes in transaction patterns that trigger issuer fraud rules, and expansion to new high-risk markets without preparation, can cause sudden approval rate drops. A merchant launching in a new geography may see authorization rates fall sharply as issuers apply unfamiliar risk scoring, crossing the 50-point drop threshold without any actual fraud occurring.
Requests for multiple MIDs could indicate potential scam merchant activity. Mastercard recommends that an acquirer assign multiple acceptor IDs to a card-not-present merchant only when needed for a legitimate business reason. Merchants who segment traffic across MIDs for legitimate reasons (separating business lines, managing processing limits, complying with acquirer requirements) now need to ensure each MID's structure and purpose is clearly documented and defensible. Without that documentation, the MID pattern itself becomes a risk signal.
SMMP is not the only new network compliance requirement merchants are navigating. Visa's Acquirer Monitoring Program (VAMP), enforced from October 2025, consolidates fraud and dispute monitoring into a single ratio with stricter thresholds. Both programs are active simultaneously, and a single transaction event can contribute to triggers in both.
The key distinction: Visa's VAMP combines fraud reports and disputes into one ratio. Mastercard's SMMP focuses on scam activity and acquirer investigation. The compliance mechanics differ, but the merchant preparation is similar.
A friendly fraud chargeback, where a cardholder disputes a legitimate transaction, contributes to your VAMP ratio as both a fraud report and a dispute. The same chargeback, if classified as scam-related by the issuing bank, can contribute to SMMP's issuer-reporting trigger. The evidence you need to defend yourself under both programs is the same: documented proof that the transaction was legitimate, the cardholder was present and authenticated, and the purchase was completed knowingly.
The result is one evidence standard across both networks. If the cardholder was present in the browser, navigated to checkout, authenticated, and completed the transaction from a recognized device, merchants need to preserve that proof.
Track your refund-plus-chargeback ratio on a rolling 30-day basis, not monthly. Most internal dashboards are built around monthly reporting cycles. SMMP operates on rolling windows. A spike that looks manageable at month-end may have already triggered a 72-hour clock mid-month.
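The gap between month-end reporting and a rolling window, shown as an added example (not code from Mastercard or Paysight). The daily counts are constructed, and the data layout and function names are assumptions of this sketch; only the 5% limit, the 500-transaction minimum and the 30-day window come from the page.

```python
from datetime import date, timedelta

LIMIT_PCT = 5          # combined refund + chargeback threshold from the page
MIN_PURCHASES = 500    # minimum purchase transactions in the window
WINDOW_DAYS = 30

def rolling_breaches(daily):
    """daily maps date -> (purchases, refunds, chargebacks).
    Returns [(window_end, ratio)] for each 30-day window over the limit."""
    breaches = []
    for end in sorted(daily):
        start = end - timedelta(days=WINDOW_DAYS - 1)
        window = [v for d, v in daily.items() if start <= d <= end]
        purchases = sum(p for p, _, _ in window)
        adverse = sum(r + c for _, r, c in window)
        # Integer comparison avoids float error exactly at the 5% boundary.
        if purchases >= MIN_PURCHASES and adverse * 100 > LIMIT_PCT * purchases:
            breaches.append((end, adverse / purchases))
    return breaches

def calendar_month_ratio(daily, year, month):
    """The month-end figure a monthly dashboard would report."""
    rows = [v for d, v in daily.items() if (d.year, d.month) == (year, month)]
    return sum(r + c for _, r, c in rows) / sum(p for p, _, _ in rows)

def build_ratio_sample():
    """Constructed data: 40 purchases a day, with a refund and dispute
    spike that straddles the August/September month boundary."""
    daily, day = {}, date(2026, 8, 1)
    while day <= date(2026, 9, 30):
        spike = date(2026, 8, 22) <= day <= date(2026, 9, 9)
        daily[day] = (40, 3, 1) if spike else (40, 1, 0)
        day += timedelta(days=1)
    return daily

if __name__ == "__main__":
    sample = build_ratio_sample()
    for month in (8, 9):
        print(f"2026-{month:02d} month-end: {calendar_month_ratio(sample, 2026, month):.2%}")
    hits = rolling_breaches(sample)
    print(f"rolling breaches: {len(hits)} days, first {hits[0][0]}, "
          f"peak {max(r for _, r in hits):.2%}")
```

In the constructed data both calendar months close under 5%, yet the rolling window is over the limit on 28 consecutive days because the spike is split across the month boundary.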
A sudden drop in approval rate for a specific country or card type can cross the 50-point threshold without affecting your overall rate. Monitor at the segment level, not just the aggregate.
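A segment-level check for the approval-rate trigger, as an added example (not code from Mastercard or Paysight). The authorization records are constructed and the record layout and function names are assumptions; comparing the current 72-hour window against the 72 hours before it is also an assumption, since the page does not state the baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)
DROP_POINTS = 50.0   # percentage-point decrease named on the page
FLOOR_PCT = 30.0     # absolute approval-rate floor named on the page
MIN_TXNS = 25        # minimum purchase transactions in the window

def approval_pct(rows):
    return 100.0 * sum(ok for _, _, ok in rows) / len(rows)

def flag_segments(auths, now):
    """auths: [(timestamp, segment, approved)]. Returns {segment: (prev%, cur%)}
    for each segment, and for 'ALL', that meets the approval-rate trigger.
    Assumption: the baseline is the 72 hours before the current window."""
    cur, prev = defaultdict(list), defaultdict(list)
    for rec in auths:
        age = now - rec[0]
        if timedelta(0) <= age < WINDOW:
            bucket = cur
        elif WINDOW <= age < 2 * WINDOW:
            bucket = prev
        else:
            continue
        bucket[rec[1]].append(rec)
        bucket["ALL"].append(rec)
    flagged = {}
    for seg, rows in cur.items():
        if len(rows) < MIN_TXNS:
            continue  # too few transactions for the trigger to apply
        c = approval_pct(rows)
        p = approval_pct(prev[seg]) if prev.get(seg) else None
        if c < FLOOR_PCT or (p is not None and p - c >= DROP_POINTS):
            flagged[seg] = (p, c)
    return flagged

def build_auth_sample(now):
    """Constructed authorizations: steady US traffic, while approvals in a
    newly launched BR segment fall from 90% to 35%."""
    rows = []
    for windows_ago, br_ok in ((1, 36), (0, 14)):
        ts = now - windows_ago * WINDOW - timedelta(hours=1)
        rows += [(ts, "US", i < 855) for i in range(900)]
        rows += [(ts, "BR", i < br_ok) for i in range(40)]
    return rows

if __name__ == "__main__":
    now = datetime(2026, 8, 10, 12, 0)
    print(flag_segments(build_auth_sample(now), now))
```

Only the BR segment is returned: its 55-point drop meets the trigger, while the aggregate rate across both segments moves by a little over two points and would show nothing on an overall dashboard.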
The most preventable source of scam-related issuer reports is customer confusion. If your billing descriptor doesn't clearly identify your business, customers call their bank and report the charge as unrecognized. Unrecognized charges become scam reports. Make descriptors specific, consistent, and recognizable.
A cancellation flow that frustrates customers drives them to dispute resolution. A refund process that takes longer than expected drives chargebacks. Both count against your SMMP threshold. The friction you save by making these flows difficult costs more than the retention you think you're protecting.
If you operate multiple MIDs, have a clear, written rationale for each one. What business line does it serve? What acquirer requirement does it satisfy? Which markets or products does it cover? This documentation becomes your first line of defense in an investigation.
Device data, session context, authentication records, and checkout behavior should be captured and retained for every transaction — not assembled after a dispute is filed. Under the 72-hour investigation window, evidence that doesn't already exist when the investigation starts is evidence that won't be available.
A new market launch, a promotional campaign that will spike volume, a product change that may affect refund rates… tell your acquirer before it happens. An approval rate drop that the acquirer knows is coming from a planned launch is handled differently from one that appears without context.
The SMMP triggers are all measurable in real time. The merchants most at risk are those who find out they've crossed a threshold after the investigation has already started. The merchants who navigate this environment successfully are those who monitor the same signals their acquirer monitors, and act on them before a trigger fires.

Paysight is a payment orchestration platform. It connects your business to multiple acquiring relationships and manages how traffic flows between them. For SMMP compliance specifically, the relevant capabilities are:
Chargeback alerts give you the 24–72 hour window between a cardholder initiating a dispute and it becoming a formal chargeback. That window is enough time to issue a proactive refund, removing the transaction from the refund/chargeback count before it contributes to your SMMP threshold. At volume, systematic alert response is the most direct way to keep the combined ratio below 5%.
Subscription management addresses the structural source of most threshold breaches for recurring-revenue businesses. Smart retry logic reduces failed charges that turn into disputes. Clear billing descriptors reduce unrecognized charge reports that become issuer-reported scam signals. Dunning flows that resolve billing issues before customers reach their bank reduce both the refund rate and the chargeback rate simultaneously.
Payment orchestration across multiple MIDs maintains authorization approval rates by routing transactions to the acquirer best positioned to approve them. When one processor's approval rate drops — due to regional issuer friction, card type mismatch, or risk policy changes — traffic routes to the next. The aggregate approval rate stays stable. The 50-point drop trigger becomes harder to hit.
The goal is not to react to SMMP investigations. The goal is to operate in a way that makes investigations unlikely by keeping the metrics that trigger them below their thresholds before the 72-hour clock starts.
If you want to understand how your current metrics stack up against SMMP thresholds, talk to Paysight.
What is Mastercard's Scam Merchant Monitoring Program (SMMP)?
SMMP is a Mastercard compliance program that takes full effect on July 24, 2026. It requires acquirers and payment facilitators to investigate any merchant that triggers specific risk signals within 72 hours. If the investigation confirms scam activity, Mastercard and Maestro processing must be blocked immediately. Unlike Mastercard's existing chargeback monitoring programs, SMMP is investigation-triggered, not ratio-based — meaning the outcome can be immediate processing termination rather than fines and a remediation window.
How is SMMP different from Mastercard's Excessive Chargeback Program (ECP)?
ECP monitors chargeback ratios monthly and applies escalating fines when merchants exceed thresholds. It has warning periods and remediation windows. SMMP operates on a 72-hour investigation clock. A merchant inside ECP has weeks to respond. A merchant that triggers SMMP has three days before a determination is made. The programs run simultaneously — a merchant can be subject to both at the same time.
What are the specific triggers for a 72-hour investigation?
Four conditions can trigger a mandatory investigation: an authorization approval rate drop of 50+ percentage points in 72 hours (or a rate below 30%); a combined refund and chargeback rate above 5% in any 30-day rolling period (minimum 500 transactions); reports from at least two issuers classifying transactions as scam via FLD reporting; or alerts from Mastercard monitoring systems or third-party compliance providers. Any single trigger is sufficient.
Can a legitimate business be flagged under SMMP?
Yes. The criteria are calibrated to detect scam patterns, but those patterns overlap with normal behavior in high-risk verticals. Subscription businesses with billing confusion, merchants expanding into new markets, and businesses with liberal refund policies can all trigger SMMP signals without any fraudulent activity. New merchants — those with less than six months of Mastercard acceptance history — face particularly strict scrutiny.
What does "combined refund and chargeback rate" mean?
The 5% threshold combines both refunds and chargebacks as a percentage of total purchase transactions in a rolling 30-day window. This is different from a standalone chargeback ratio. A merchant using proactive refunds as a chargeback-prevention strategy needs to account for those refunds now counting against the same threshold.
Why does having multiple MIDs create risk under SMMP?
Mastercard considers requests for multiple MIDs a potential indicator of scam activity. Merchants operating multiple MIDs for legitimate reasons — separating business lines, managing processing limits, geographic segmentation — need documented justification for each one. Without that documentation, the MID structure itself becomes a risk signal during an investigation.
How does SMMP interact with Visa's VAMP program?
Both programs are active simultaneously in 2026. VAMP consolidates Visa's fraud and dispute monitoring into a single ratio. SMMP focuses on scam-specific investigation triggers. A single friendly fraud chargeback can contribute to both: to VAMP as a combined fraud/dispute signal, and to SMMP if the issuer classifies it as scam-related. The evidence standard is effectively the same across both networks — documented proof of legitimate transaction completion.
What happens if my acquirer confirms scam activity after the 72-hour investigation?
Mastercard and Maestro processing is blocked immediately across all affected MIDs. There is no gradual phase-out. The merchant loses acceptance for both networks until the situation is resolved. The MATCH list implications depend on how the termination is classified.
How can merchants prepare before July 24, 2026?
Monitor your rolling 30-day refund-plus-chargeback ratio, not just your monthly chargeback ratio. Track authorization approval rates at the segment level — by geography, card type, and transaction type. Audit billing descriptors for clarity. Document the business purpose for every MID you operate. Preserve transaction-level evidence proactively. Communicate planned business changes to your acquirer before they happen.
How does Paysight help with SMMP compliance?
Paysight is a payment orchestration platform that helps merchants stay below SMMP triggers through three mechanisms: chargeback alerts that give you the window to refund proactively before disputes count against your threshold; subscription management tools that reduce the billing confusion driving unrecognized charge reports; and multi-MID orchestration that maintains stable authorization approval rates by routing transactions to the best-positioned acquirer. The goal is to keep the metrics that trigger SMMP investigations below their thresholds before the 72-hour clock starts.