Visa and Mastercard: a case study in card scheme compliance

In the greater payment ecosystem, the role of payment card associations like Visa and Mastercard is pivotal. They enable issuing banks to provide payment cards to their customers and acquiring banks to allow their merchant clients to offer card payments in their shops.

If you want to be part of their networks, banks have to play by their rules. Otherwise, they risk fines and enforced compliance measures. Repeat offenders might even be kicked off the network entirely.

Knowing and applying the relevant card scheme rules is essential to be successful in the payments industry. While the rules are extensive (Mastercard's alone are well over 400 pages), the key tenet is that any transaction on their network must be legal both in the country of the buyer and of the seller.

To safeguard this, card schemes like Visa and Mastercard have instituted high-brand risk programs:

• Mastercard maintains the Business Risk Assessment and Mitigation program (BRAM).
• Visa has the Visa Integrity Risk Program (VIRP), formerly the Global Brand Protection Program (GBPP).

These programs exist to preserve the integrity of the card brands by preventing their association with illegal or brand-damaging activities. A number of business sectors are listed in these programs due to the inherent risk of the goods or services sold, such as gambling and pharmaceutical merchants.

Mastercard’s compliance framework is designed to manage high-risk merchants. Since its inception in 2005, BRAM has undergone several updates to address evolving challenges, including fraudulent activities, counterfeit merchandise, illegal gambling, and child exploitation. More recently, in 2023, updates were introduced targeting activities such as Ukraine crisis-related scams, untraceable firearms, and cashless ATMs.

Payment companies must keep up with these changes and include them in their merchant due diligence and risk management framework.

BRAM outlines various high-risk card acceptor or merchant category codes (MCCs) such as:

• 5967/7841: Non-face-to-face adult content and services
• 7801, 7802, 7995: Non-face-to-face gambling merchants
• 5912/5122: Non-face-to-face pharmaceutical merchants
• 6051: Cryptocurrency merchants

Under BRAM, acquirers must register and monitor these and other high-risk merchants closely, submitting monthly reports through the Merchant Monitoring Program (MMP) to ensure that Mastercard’s standards are met.

Failure to comply can result in reputational harm, significant fines, or even account termination for the acquirer.

Visa introduced the Visa Integrity Risk Program (VIRP) in 2023, replacing its previous Global Brand Protection Program (GBPP). Similar to the BRAM program, the VIRP aims to mitigate financial and reputational risks by establishing due diligence guidelines for acquiring banks and payment service providers dealing with "High-Integrity Risk Merchants," replacing the former "High-Brand Risk Merchants" term.

The main innovation of VIRP is its tiered system for high-integrity risk merchants, with Tier 1 representing the highest risk. This refers to MCCs such as:

• 5967: Direct marketing – inbound teleservices
• 7995: Betting, casino gaming, and lottery ticket sales
• 5122/5912: Pharmaceutical merchants

Merchants operating in these high-risk categories must be registered within 60 days of notification, with Visa imposing additional controls based on the risk tier. These include data collection on sales volumes, transaction amounts, and dispute ratios.

Acquirers who fail to comply with VIRP risk facing significant fines or the termination of merchant accounts.

Merchants, like players in a game, must follow the rules set by card schemes. When they don’t, consequences follow quickly. Here’s a simplified breakdown of the process:

• Violation detection: Card schemes use advanced monitoring tools to catch activities like fraud, excessive chargebacks, or selling prohibited items.
• Investigation and notification: Once a breach is confirmed, the card scheme informs the merchant and acquiring bank of the violation.
• Opportunity to respond: Merchants, through their acquiring bank, can present their case to defend against the charges.

• Penalties: Depending on the severity, consequences can include fines, higher fees, or even termination of the account.
• Compliance measures: Merchants may need to implement new safeguards, such as improving security practices, to prevent further violations.
• Ongoing monitoring: Card schemes will closely watch the merchant’s activities, with the possibility of regaining privileges if compliance is maintained.

By enforcing these rules, card schemes ensure a fair, trustworthy payment system for all parties.