
Mastercard Scam Merchant Monitoring 2026: What Merchants Must Know Before July

Mastercard Scam Merchant Monitoring takes full effect on 24 July 2026. Here are the SMMP triggers, how it differs from ECM and EFM, and how merchants can prepare.

May 05, 2026 10 min read
Author: Mike Kutlu

Quick answer: Mastercard Scam Merchant Monitoring is a new enforcement pressure point for card-not-present merchants in 2026. Industry explainers report that from 24 July 2026, acquirers must investigate flagged merchants within 72 hours and stop Mastercard and Maestro processing immediately if scam activity is confirmed. For merchants, the practical work is clear: monitor the trigger signals, keep refund and chargeback rates under control, and collect transaction evidence before a review starts.

Mastercard's Scam Merchant Monitoring Program (SMMP) changes the risk profile for online merchants. This is not just another chargeback ratio program. It is aimed at scam activity, which means the trigger can come from issuer reports, chargeback documentation, Mastercard intelligence, or a monitoring provider alert.

For Heads of Payments, Risk, and Fraud, the deadline matters. A merchant that looks clean under a traditional chargeback threshold can still face a fast investigation if the activity pattern looks like a scam operation. The acquirer owns the formal obligation, but the merchant owns the evidence gap.

This guide explains what SMMP is, how it differs from ECM, HECM, and EFM, what can start an investigation, and how browser-layer chargeback evidence helps merchants prepare before the 24 July 2026 enforcement date.

What is Mastercard Scam Merchant Monitoring?

Mastercard Scam Merchant Monitoring is part of the broader Mastercard merchant risk and monitoring environment. Mastercard's Security Rules and Procedures Merchant Edition describes Merchant Monitoring Program (MMP) participation, Merchant Monitoring Service Provider (MMSP) requirements, initial merchant scans for merchants onboarded from 1 January 2026, and persistent monitoring for merchant violations.

The scam-specific 2026 update is described by payment risk providers including Solidgate, Austreme, and G2 Risk Solutions. Their common read is that Mastercard's revised standards take effect on 24 July 2026 and require acquirers to investigate flagged merchants within 72 hours.

The merchant impact is direct. If scam activity is confirmed, the acquirer must stop Mastercard and Maestro processing for that merchant. For payment facilitators and PSPs, the responsibility flows down to sponsored merchants and sub-merchants.

The program applies most sharply to card-not-present merchants. New merchants are in the tightest window because scam operations often process quickly, accumulate disputes, and disappear before conventional monitoring catches up.

How SMMP differs from ECM, HECM, and EFM

Mastercard already has several monitoring tracks. SMMP adds a different failure mode.

| Program | Primary trigger | Typical focus | Merchant consequence |
|---|---|---|---|
| ECM | Excessive chargebacks | Dispute count and chargeback ratio | Monitoring, remediation pressure, and assessments |
| HECM | High excessive chargebacks | Higher dispute count and chargeback ratio | Stronger escalation and assessments |
| EFM | Excessive fraud | Fraud volume, fraud ratio, and fraud controls | Fraud program enrollment and assessments |
| SMMP | Suspected or confirmed scam activity | Scam indicators, issuer reports, monitoring alerts, and investigation results | Immediate processing termination if confirmed |

ECM and HECM are ratio programs. EFM is a fraud monitoring program. SMMP is an investigation program triggered by scam signals. A merchant can be inside more than one track at the same time.

That distinction matters operationally. A merchant can treat ECM as a threshold-management problem: reduce disputes, improve representment, and work back below the line. SMMP gives acquirers a compressed decision window. If the available evidence points toward scam activity, the outcome is not a fine to absorb. It can be loss of Mastercard and Maestro acceptance.

What triggers an SMMP investigation?

Industry explainers describe four practical trigger groups. Mastercard should remain the source of truth for final operating rules, but merchants should monitor all four before July.

Authorization-rate collapse

A sudden fall in approval rate can make a merchant look like a scam operation, especially when the drop is concentrated in a short period. Solidgate describes this as either a drop of 50 or more percentage points within 72 hours or a fall below a 30% approval rate, subject to minimum transaction volume and exclusions such as BIN attacks or processor outages.

Legitimate merchants can still trip this pattern. A bad campaign, a payment routing issue, aggressive retries, or a traffic-quality problem can all produce authorization behavior that looks abnormal from the network's view.
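
A merchant can watch for this pattern in its own gateway data before the acquirer does. The sketch below is an added example, not code from cside, Solidgate, or Mastercard. It applies the two reported thresholds to daily authorization buckets; the minimum-volume figure, the daily bucket size, and the sample data are assumptions, because the page does not specify them.

```python
from datetime import datetime, timedelta

# Thresholds as reported on this page (Solidgate's description).
DROP_PP = 50.0                      # drop of 50+ percentage points ...
DROP_WINDOW = timedelta(hours=72)   # ... within 72 hours
FLOOR_PCT = 30.0                    # or approval rate below 30%
MIN_ATTEMPTS = 100                  # ASSUMPTION: the page gives no minimum volume

def approval_alerts(buckets, excluded=()):
    """buckets: (start, attempts, approvals) per day; excluded: bucket starts
    to skip, e.g. a known BIN attack or processor outage. Returns (start, reason)."""
    usable = sorted(
        (start, 100.0 * approved / attempts)
        for start, attempts, approved in buckets
        if attempts >= MIN_ATTEMPTS and start not in excluded
    )
    alerts = []
    for i, (start, rate) in enumerate(usable):
        if rate < FLOOR_PCT:
            alerts.append((start, f"approval rate {rate:.1f}% is below {FLOOR_PCT:.0f}%"))
        # Compare with the best rate seen in the preceding 72 hours.
        prior = [r for s, r in usable[:i] if start - s <= DROP_WINDOW]
        if prior and max(prior) - rate >= DROP_PP:
            alerts.append((start, f"fell {max(prior) - rate:.1f} points within 72h"))
    return alerts

# Constructed sample data: one bucket per day for a hypothetical merchant.
DAY = datetime(2026, 6, 1)
SAMPLE_BUCKETS = [
    (DAY, 1000, 880),                        # 88%
    (DAY + timedelta(days=1), 1200, 1020),   # 85%
    (DAY + timedelta(days=2), 900, 315),     # 35%: 53 points below day 1
    (DAY + timedelta(days=3), 40, 4),        # 10%, but under MIN_ATTEMPTS: ignored
    (DAY + timedelta(days=4), 1100, 275),    # 25%: below floor, 60 points below day 2
]

if __name__ == "__main__":
    for start, reason in approval_alerts(SAMPLE_BUCKETS):
        print(start.date(), reason)
```

Passing the affected bucket start times in `excluded` models the reported exclusions for BIN attacks and processor outages, so a known incident does not raise an alert.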

GRIP notification

A Global Rules Investigation Program notification links a merchant to suspected fraudulent activity based on Mastercard intelligence. A GRIP letter is not a normal merchant performance warning. It is a network-level signal that the acquirer must treat seriously.

Merchants should not wait for this kind of notice before organizing evidence. Once the notice arrives, the acquirer is already on the clock.

New merchant signals

New merchants under six months of Mastercard acceptance history face heightened scrutiny. The reported trigger set includes fraud type 56 reports from two different issuers, chargebacks from multiple issuers with documentation referencing scams or manipulation, and combined refund plus chargeback rates above a 5% threshold in a rolling period.

This is the most important category for legitimate high-growth merchants. A new subscription merchant, travel seller, or iGaming operator can generate dispute language that sounds worse than the actual customer journey. Descriptor confusion, trial-to-paid billing, and intangible delivery all increase that risk.

MMSP alerts

Mastercard's MMP framework allows acquirers to work with approved Merchant Monitoring Service Providers. The current Mastercard manual describes MMSP registration, initial scans, persistent monitoring, and reporting requirements. A monitoring provider alert can put the merchant into an investigation path if the activity looks like a scam or merchant violation.

What happens during the 72-hour investigation?

The 72-hour window is an acquirer obligation, not a merchant grace period. Once a trigger fires, the acquirer has to review the merchant quickly and decide whether the activity is legitimate, suspicious but remediable, or confirmed scam activity.

That review can include onboarding files, transaction records, refund behavior, chargeback documentation, issuer reports, website content, billing descriptors, and merchant communications. For PSPs and payment facilitators, it can also include sub-merchant records and transaction-laundering risk.

The merchant's evidence matters because acquirers often do not have the full cardholder context. A processor can see authorization results, disputes, refund volume, and some onboarding data. It usually cannot reconstruct what the cardholder saw in the browser, which device completed checkout, or whether the session path supports a legitimate purchase.

That is the gap merchants need to close before the investigation starts. Evidence captured after the fact is weaker than evidence captured at checkout.

Which merchants face the highest risk?

New card-not-present merchants under six months of Mastercard acceptance history are the highest-risk group because several reported SMMP triggers specifically target early merchant behavior.

Several verticals carry extra structural exposure:

  • Subscription and SaaS: Trial-to-paid conversion, forgotten renewals, and descriptor confusion create disputes that customers may describe as unexpected
  • iGaming and digital goods: High transaction velocity and intangible fulfilment make issuer-side scam language easier to assert
  • Travel: High average order value and seasonal refund spikes can move combined refund and chargeback rates quickly
  • E-commerce and retail: Return disputes, delayed shipping, and unclear fulfilment records can weaken the merchant's position during review
  • Merchants with low descriptor recognition: Customers who do not recognize a charge often call the issuer first, and their language can become part of the dispute record

None of these characteristics prove scam activity. They increase the chance that ordinary merchant friction produces the same signals Mastercard and acquirers are watching.

How chargeback evidence reduces SMMP exposure

SMMP exposure is partly about the content and count of disputes. If multiple issuers submit chargebacks with scam or manipulation language, that record can become an investigation trigger. Every uncontested or poorly defended dispute makes the signal stronger.

Strong representment evidence helps in two ways.

First, it reduces accumulation. A chargeback that is successfully represented does not carry the same weight as an uncontested scam-referenced dispute. Merchants that fight weak claims with complete evidence keep the issuer record cleaner.

Second, it gives the acquirer something useful during the investigation. The acquirer needs to decide quickly whether the merchant is a scam operation or a legitimate business with a dispute problem. Server-side order records help, but they do not show the full checkout session.

cside's Chargeback Evidence captures browser-layer data at checkout: device identity, session continuity, real client IP context, and transaction-page activity. That evidence is useful because it shows the transaction in the environment where the customer actually completed it.

The same evidence strategy supports Visa disputes under Compelling Evidence 3.0, where device ID and IP are rate-limiting fields. For operational detail, see how to remove a TC40 from your VAMP ratio using CE 3.0 and device fingerprinting for Compelling Evidence chargebacks.

SMMP and VAMP create one evidence problem

Visa and Mastercard are approaching merchant risk from different angles in 2026. Visa's VAMP combines fraud reports and disputes into one ratio. Mastercard's SMMP focuses on scam activity and acquirer investigation.

The compliance mechanics differ, but the merchant preparation is similar. You need clean transaction records, consistent descriptors, fast dispute operations, and browser-layer evidence captured before a cardholder calls the issuer.

The VAMP 2026 merchant playbook explains how Visa's 1.5% merchant threshold changes the economics of disputes. SMMP adds a separate Mastercard risk: the documentary content of disputes can contribute to a scam-monitoring trigger, not just a chargeback ratio.

The result is one evidence standard across both networks. If the cardholder was present in the browser, navigated checkout, authenticated, and completed the transaction from a recognized device, merchants need to preserve that proof.

What to do before 24 July 2026

Merchants should treat the SMMP deadline as an evidence readiness date. Waiting until an acquirer asks questions leaves too little time.

  1. Audit refund and chargeback rates by rolling 30-day period. Pay special attention to any period approaching 5% combined refunds and chargebacks
  2. Review scam-language disputes. Segment chargebacks where issuer documentation mentions scam, manipulation, deception, or unexpected billing
  3. Check billing descriptor recognition. Align descriptors across processors, currencies, subscriptions, and one-time charges
  4. Pull authorization-rate trends. Look for sudden drops by BIN, issuer, market, campaign, gateway, and traffic source
  5. Instrument browser-layer evidence at checkout. Device ID, session continuity, and real client IP context cannot be reconstructed later
  6. Test representment packets now. Run recent disputes through the evidence workflow and measure what fields are missing
  7. Brief your acquirer. If you are new, high-growth, or in a high-dispute vertical, give the acquirer context before a trigger fires
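
Steps 1 and 2, together with the new-merchant signals described earlier, can be checked from data a merchant already holds. The following is an added example, not cside's or Mastercard's code: it computes the rolling 30-day combined refund and chargeback rate, segments scam-language chargebacks by issuer, and counts issuers filing fraud type 56 reports. The rate definition, the record layouts, the keyword list, and the sample data are assumptions.

```python
from datetime import date, timedelta

COMBINED_LIMIT = 0.05          # 5% combined refunds + chargebacks (from the page)
WINDOW = timedelta(days=30)    # rolling 30-day period (checklist step 1)
SCAM_TERMS = ("scam", "manipulat", "decepti", "unexpected billing")  # step 2

def new_merchant_signals(sales, refunds, chargebacks, fraud_reports, as_of):
    """sales, refunds: lists of dates. chargebacks: (date, issuer, issuer_note).
    fraud_reports: (date, issuer, fraud_type). ASSUMPTIONS: the rate is
    (refunds + chargebacks) / sales by count, every signal is limited to the
    same window, and "multiple issuers" means two or more."""
    def recent(d):
        return as_of - WINDOW < d <= as_of

    n_sales = sum(recent(d) for d in sales)
    n_refunds = sum(recent(d) for d in refunds)
    cbs = [c for c in chargebacks if recent(c[0])]
    rate = (n_refunds + len(cbs)) / n_sales if n_sales else 0.0
    scam_issuers = {issuer for _, issuer, note in cbs
                    if any(term in note.lower() for term in SCAM_TERMS)}
    type56_issuers = {issuer for d, issuer, ftype in fraud_reports
                      if recent(d) and ftype == "56"}
    return {
        "combined_rate": round(rate, 4),
        "rate_over_limit": rate > COMBINED_LIMIT,
        "scam_chargeback_issuers": sorted(scam_issuers),
        "scam_chargebacks_multi_issuer": len(scam_issuers) >= 2,
        "fraud56_two_issuers": len(type56_issuers) >= 2,
    }

# Constructed sample data for a hypothetical new merchant.
AS_OF = date(2026, 6, 30)
SALES = [date(2026, 6, 1) + timedelta(days=i % 30) for i in range(200)]
REFUNDS = [date(2026, 6, 10)] * 7 + [date(2026, 4, 2)] * 5   # April: out of window
CHARGEBACKS = [
    (date(2026, 6, 12), "issuer-A", "Cardholder states merchant is a SCAM"),
    (date(2026, 6, 15), "issuer-B", "Customer was manipulated into paying"),
    (date(2026, 6, 20), "issuer-B", "Unexpected billing after free trial"),
    (date(2026, 6, 21), "issuer-C", "Item not received"),
    (date(2026, 4, 3), "issuer-D", "scam"),                   # out of window
]
FRAUD_REPORTS = [(date(2026, 6, 14), "issuer-A", "56"), (date(2026, 6, 18), "issuer-C", "56"),
                 (date(2026, 6, 19), "issuer-C", "06")]       # "06": constructed other code
SIGNALS = new_merchant_signals(SALES, REFUNDS, CHARGEBACKS, FRAUD_REPORTS, AS_OF)
```

On the sample data the combined rate is 5.5%, two issuers have filed scam-language chargebacks, and two issuers have filed type 56 reports, so all three signals are raised.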

This article reflects cside's analysis of Mastercard Scam Merchant Monitoring and related merchant-risk programs as of 2026-05-05. Program rules, thresholds, deadlines, and acquirer obligations can change. Confirm operational decisions with Mastercard rules, your acquirer, and your payment processor.

About the author

Mike Kutlu is Head of GTM at cside, where he works with Heads of Payments, Risk, and Finance on instrumenting browser-layer chargeback evidence for dispute representment and network compliance. He writes about VAMP, friendly fraud, and the mechanics of payment-risk evidence for enterprise merchants.


Client-side security consultant at cside. 10+ years of experience implementing technology solutions for enterprises (previously at Oracle, Cloudflare, and Splunk). Now helping teams use client-side intelligence to catch & reduce fraud.

Frequently Asked Questions

The SMMP is a Mastercard enforcement track for merchants suspected of scam activity. Industry explainers describe a 24 July 2026 effective date, a 72-hour acquirer investigation window for flagged merchants, and immediate Mastercard and Maestro termination when scam activity is confirmed.

ECM and HECM are chargeback monitoring programs based on excessive dispute volume or ratios. SMMP is different because it focuses on scam activity signals, including issuer reports, scam-referenced disputes, monitoring provider alerts, and sudden authorization changes.

The commonly reported triggers are a sharp authorization-rate collapse, a Mastercard GRIP notification, new merchant signals such as fraud type 56 reports or scam-referenced chargebacks from multiple issuers, and alerts from an approved Merchant Monitoring Service Provider.

New card-not-present merchants under six months of Mastercard acceptance face the highest scrutiny. Subscription, SaaS, iGaming, digital goods, travel, and merchants with unclear billing descriptors also carry elevated exposure because disputes can be described as unexpected or manipulative.

Strong representment evidence helps merchants prevent scam-referenced chargebacks from accumulating and gives acquirers better records during a compressed investigation window. Browser-layer evidence, including device and session context, is especially useful because it shows what happened during checkout.
