Mastercard Potential Scam Merchant Monitoring 2026
Jun 19, 2026
5 min read
Effective July 24, 2026, Mastercard will require acquirers to investigate any merchant meeting one or more newly defined risk criteria — and they have 72 hours to do it. If the investigation confirms scam activity, the acquirer must block that merchant from submitting Mastercard and Maestro transactions altogether. The requirement is global, with Jordan as the only exception.
What Triggers an Investigation
Meeting any single one of the following criteria is enough to start the clock.
1. Authorization Approval Rate Drop
Over any 72-hour period in which the merchant processes at least 25 purchase transactions, if the authorization approval rate falls by 50 or more percentage points — or drops below 30% outright — the acquirer must act. A decline from 90% to 38%, for example, would qualify. BIN attacks and technical failures on the acquirer’s side are excluded from this calculation.
2. GRIP Letter from Mastercard
If the acquirer receives a Global Rules Investigation Program letter linking the merchant to suspected scam activity, the 72-hour investigation window opens immediately.
3. Criteria for Merchants With Six Months of Acceptance History or Less
Newer merchants face a tighter set of triggers. An investigation is required if:
- Two different issuers each report at least one transaction from that merchant using Fraud Type 56 (Manipulation of Cardholder) via the Fraud and Loss Database; or
- At least two issuers file chargebacks with documentation that specifically references scam activity or cardholder manipulation; or
- More than 5% of the merchant’s purchase transactions are subject to refunds, chargebacks, or both within a rolling 30-day window — but only where the merchant processed at least 500 transactions during that period.
4. MMSP Alert
An alert from a Mastercard-recognized Merchant Monitoring Service Provider identifying the merchant as a potential scam operator is independently sufficient to trigger the requirement.
Understanding the Thresholds
Authorization Rate Thresholds
What these thresholds are really targeting is card testing — the practice of running large volumes of stolen card numbers through a checkout to find ones that work. The pattern it creates looks exactly like a sudden authorization collapse, which is why the criteria are framed the way they are.
Merchants without existing protections against this should prioritize:
- Capping payment attempts per session (five per hour is a reasonable benchmark)
- Adding CAPTCHA to payment pages
- Enabling 3DS authentication wherever the payment flow supports it
The 5% Refund and Chargeback Threshold
On paper, 5% sounds strict. But most merchants are already managing to a 1% chargeback ceiling under standard monitoring rules — so the combined 5% threshold is actually well above where most legitimate businesses operate day to day. That said, merchants running elevated dispute rates should be addressing the root causes, not benchmarking against the new ceiling.
High dispute volumes tend to come from a predictable set of issues. Traffic quality is often the biggest lever — certain affiliate partners, GEOs, or acquisition channels generate disputes at a disproportionate rate, and cutting exposure to those sources tends to move the needle quickly. Billing confusion is another common driver. Customers who didn’t fully understand what they agreed to file disputes; customers who did, generally don’t. That means subscription terms, renewal dates, and cancellation options need to be visible before the transaction, not buried in documentation most people never read.
What also matters, and gets overlooked: pre-dispute communication. A customer reaching out before filing a chargeback is a resolution opportunity. Offering a credit, discount, or service adjustment at that stage converts a meaningful share of potential disputes into closed interactions.
On the tooling side: Consumer Clarity can deflect disputes before they become chargebacks or refunds, and Chargeback Alert services remain relevant for any merchant trying to stay ahead of the 5% threshold rather than react to it.
Fraud Type 56 (Manipulation of Cardholder)
This one is worth understanding separately from standard chargebacks. Fraud Type 56 is not a chargeback reason code — it is a fraud reporting classification that issuers use when they believe the cardholder was deceived or socially engineered into making the payment voluntarily. The distinction matters because common reason codes like 4837 (No Cardholder Authorization) or 4863 (Cardholder Does Not Recognize) do not trigger the scam investigation process. Fraud Type 56 does.
The merchant profiles most likely to accumulate these reports share recognizable traits: income or investment claims that don’t hold up, sales interactions that push for payment under pressure, customer support that is hard to reach, and billing terms that read differently from what the customer was told during the sale.
What Merchants Should Do Now
- Audit authorization approval rates and put card testing protections in place — rate limits, CAPTCHA, and 3DS are the baseline
- Pull combined refund and chargeback data for the past 90 days and identify which traffic sources or customer segments are driving the most disputes
- Review all billing disclosures: subscription terms, renewal schedules, and cancellation processes should be clearly stated before checkout, not only in the terms of service
- Check marketing materials for accuracy — any claim that could reasonably be characterized as exaggerated or misleading is a Fraud Type 56 exposure
- Verify that customer support is reachable through multiple channels and that response times are reasonable
- Activate Merchanto Chargeback Alerts and Consumer Clarity if they are not already running
- If processing through a payment facilitator, confirm they are monitoring for the new criteria on the acquirer side
Summary
What these rules amount to, practically, is a higher baseline for what compliant merchant activity looks like. Businesses with clean authorization metrics, straightforward billing practices, and functioning customer support will not be materially affected. Those with elevated dispute rates or marketing practices that push into gray areas should treat the period before July 24 as a window to get ahead of the requirements rather than respond to them after the fact.
Related articles
Ready to get started? Let's get your money back!
Contact our team, and we’ll be happy to assist you!