Changes to Merchant Monitoring Program (MMP) – AN4175

Jul 5, 2023 | Knowledge

Changes to Merchant Monitoring Program (MMP) – AN4175

As a reminder to all merchants and customers of the Merchant Monitoring Program (MMP), Mastercard has applied the following changes:

  • Merchant Monitoring Service Providers (MMSP) are to be registered by Acquirers via My Company Manager;
  • Mastercard will no longer accept paper form;
  • all monthly monitoring reports must be submitted via email to mmp@mastercard.com;
  • incident report filings must include:
    • the date that the acquirer provided the merchant information to the MMSP
    •  confirmation that the merchant was persistently monitored
    • any alerts generated by the MMSP
    • dates of the alert to the acquirer and any response/action taken by the acquirer
    • the reasons for how and why the violation was not detected, and
    • the action steps that the MMSP will take to ensure that future identifications will be detected

MMP and MMSP Requirements

If an acquirer wishes to participate in the MMP, the acquirer must:

  1. Register MMSP with Mastercard via My Company Manager under all applicable ICA numbers and provide:
    • description of the MMSP’s services;
    • URL;
    • related marketing material describing the services
  2. Submit all merchant information, and any additional data to the MMSP, including:
    • merchant’s name;
    • all merchant URLs;
    • Doing-Business-As [DBA] name; and
    • address
  3. Ensure regular monthly and ongoing monitoring is being conducted by MMSP for identifications related to BRAM content, products, and services and/or monitors and detects merchant transaction laundering
  4. Ensure MMSP is identifying and reporting to the acquirer all identifications of BRAM violations and/or merchant transaction laundering
  5. Investigate and take action in response to any identification provided by the MMSP by ceasing any violating activity or event within 15 calendar days of the notification from the MMSP.
  6. Report the resolution of any identification to the MMSP within 15 calendar days of the original MMSP notification and before Mastercard identification and notification.
  7. Provide a monthly report of all merchants and URLs monitored to Mastercard, which must include all identifications and resolutions for any merchant monitored and submitted by either the MMSP. Data fields required include:
    • Acquirer name and ICA number
    • MMSP name
    • Report submitter contact name and email address
    • Merchant name
    • URL(s)
    • MCC
    • Violation type
    • Violation category
    • URL content detail
    • Date of report by MMSP to acquirer
    • Date acquirer resolved and reported back to MMSP
    • Investigation findings and final resolution status
  8. Provide an MMSP Incident Report if an MMSP monitored merchant and URL are identified by Mastercard but not identified by the MMSP. The report must include:
    • date the acquirer provided the merchant information to the MMSP,
    • confirmation that the merchant was persistently monitored,
    • any alerts generated by the MMSP,
    • dates of the alert to the acquirer and any response/action taken by the acquirer,
    • how and why the violation was not detected, and
    • how the MMSP will ensure that future identifications will be detected.
  9. Add merchants found to be violating BRAM and terminated by the acquirer to the MATCH™ system under Reason Code 13 (Illegal Transactions) 

Acquirers that register an MMSP may be able to mitigate or prevent a level of assessment if the acquirer performs all program and reporting requirements. If an acquirer fails to meet all of the requirements, Mastercard reserves the right to apply the related assessments.

 —

Acquirer Use of an MMSP

Acquirers can employ two or more service providers to conduct BRAM monitoring and merchant transaction laundering detection services. On the other hand, acquirers can also choose to use a single service provider to provide both BRAM monitoring and merchant transaction laundering detection services. If the acquirer chooses to participate in the MMP, the acquirer must register the MMSP and comply with all MMP and service provider requirements.

Fees will be incurred and collected by Mastercard via the Mastercard Consolidated Billing System (MCBS) in accordance with the initial and subsequent service provider fee structure from the acquirer that submitted the registration.

Acquirer or MMSP Monthly Report Submission Requirements

Mastercard requires the acquirer or MMSP to provide monthly reports as part of participation in the MMP.

  • All data fields must be complete and accurate
  • The format of the monthly report is a Microsoft Excel spreadsheet
  • Report must be sent and received by Mastercard before the 5th day of each month for the previous month’s monitoring
  • Reports are to be sent via email to mmp@mastercard.com
  • The maximum email attachment size is 20 MB
  • If report is not complete, Mastercard will reject the report. The acquirer or MMSP then must resubmit the report within two business days of the rejection.

It is the responsibility of the acquirer to ensure that the report is received by Mastercard by the required date. Failure to provide the monthly report on time may result in the loss of mitigation of an assessment in the event of a BRAM or merchant transaction laundering violation. 

If you have any further questions regarding this update, please send us a message.

Source: AN 4175 Updates for the Business Risk Assessment and Mitigation Program • 30 June 2020