Visa and Mastercard: a case study in card scheme compliance
Understand what card scheme compliance means, and learn more about the two prominent examples of Mastercard's VRAM and Visa's VIRP frameworks.
Who makes the rules in card payments?
In the greater payment ecosystem, the role of payment card associations like Visa and Mastercard is pivotal. They enable issuing banks to provide payment cards to their customers and acquiring banks to allow their merchant clients to offer card payments in their shops.
If you want to be part of their networks, banks have to play by their rules. Otherwise, they risk fines and enforced compliance measures. Repeat offenders might even be kicked off the network entirely.
Knowing and applying the relevant card scheme rules is essential to be successful in the payments industry. While the rules are extensive (Mastercard's alone are well over 400 pages), the key tenet is that any transaction on their network must be legal both in the country of the buyer and of the seller.
To safeguard this, card schemes like Visa and Mastercard have instituted high-brand risk programs:
- Mastercard maintains the Business Risk Assessment and Mitigation program (BRAM).
- Visa has the Visa Integrity Risk Program (VIRP), formerly the Global Brand Protection Program (GBPP).
These programs exist to preserve the integrity of the card brands by preventing their association with illegal or brand-damaging activities. A number of business sectors are listed in these programs due to the inherent risk of the goods or services sold, such as gambling and pharmaceutical merchants.
Understanding Mastercard’s Business Risk Assessment and Mitigation (BRAM) program
Mastercard’s compliance framework is designed to manage high-risk merchants. Since its inception in 2005, BRAM has undergone several updates to address evolving challenges, including fraudulent activities, counterfeit merchandise, illegal gambling, and child exploitation. More recently, in 2023, updates were introduced targeting activities such as Ukraine crisis-related scams, untraceable firearms, and cashless ATMs.
Payment companies must keep up with these changes and include them in their merchant due diligence and risk management framework.
BRAM outlines various high-risk card acceptor or merchant category codes (MCCs) such as:
- 5967/7841: Non-face-to-face adult content and services
- 7801, 7802, 7995: Non-face-to-face gambling merchants
- 5912/5122: Non-face-to-face pharmaceutical merchants
- 6051: Cryptocurrency merchants
Under BRAM, acquirers must register and monitor these and other high-risk merchants closely, submitting monthly reports through the Merchant Monitoring Program (MMP) to ensure that Mastercard’s standards are met.
Failure to comply can result in reputational harm, significant fines, or even account termination for the acquirer.
Questions? Ask an expert
Our team is happy to help you with all things payment-related.
Visa Integrity Risk Program and merchant risk management
Visa introduced the Visa Integrity Risk Program (VIRP) in 2023, replacing its previous Global Brand Protection Program (GBPP). Similar to the BRAM program, the VIRP aims to mitigate financial and reputational risks by establishing due diligence guidelines for acquiring banks and payment service providers dealing with "High-Integrity Risk Merchants," replacing the former "High-Brand Risk Merchants" term.
The main innovation of VIRP is its tiered system for high-integrity risk merchants, with Tier 1 representing the highest risk. This refers to MCCs such as:
- 5967: Direct marketing – inbound teleservices
- 7995: Betting, casino gaming, and lottery ticket sales
- 5122/5912: Pharmaceutical merchants
Merchants operating in these high-risk categories must be registered within 60 days of notification, with Visa imposing additional controls based on the risk tier. These include data collection on sales volumes, transaction amounts, and dispute ratios.
Acquirers who fail to comply with VIRP risk facing significant fines or the termination of merchant accounts.
Breaking the rules: consequences for non-compliance
Merchants, like players in a game, must follow the rules set by card schemes. When they don’t, consequences follow quickly. Here’s a simplified breakdown of the process:
- Violation detection: Card schemes use advanced monitoring tools to catch activities like fraud, excessive chargebacks, or selling prohibited items.
- Investigation and notification: Once a breach is confirmed, the card scheme informs the merchant and acquiring bank of the violation.
- Opportunity to respond: Merchants, through their acquiring bank, can present their case to defend against the charges.
- Penalties: Depending on the severity, consequences can include fines, higher fees, or even termination of the account.
- Compliance measures: Merchants may need to implement new safeguards, such as improving security practices, to prevent further violations.
- Ongoing monitoring: Card schemes will closely watch the merchant’s activities, with the possibility of regaining privileges if compliance is maintained.
By enforcing these rules, card schemes ensure a fair, trustworthy payment system for all parties.
How Web Shield ensures card scheme compliance with ease
Navigating Mastercard and Visa compliance doesn’t have to be complicated. At Web Shield, we simplify risk management and card scheme requirements, letting you focus on growing your business.
Tailored merchant underwriting
Accelerate onboarding with customised Know Your Business checks, ensuring secure merchant integration.
Automated website and merchant monitoring
Stay ahead of potential issues with continuous monitoring that flags risks in your portfolio early.
Merchant Monitoring Service Provider
Principal members can register Web Shield as their Mastercard Merchant Monitoring Service Provider (MMSP) to get mitigation on non-compliance assessments.
Continue reading about payments card regulation
We keep you updated on card scheme rules, fraud trends, underwriting best practices, and Web Shield products.
Visa reVAMP Chargeback Monitoring Updates
Visa Integrity Risk Program: European Pricing Changes
Mastercard BRAM Program Updates: August & September 2023
Let us enable your card scheme compliance
Our merchant underwriting and monitoring solutions are built with Mastercard's BRAM program and Visa's VIRP in mind - so you can grow with your merchant portfolio with confidence.