What are Merchant Category Codes?
A Merchant Category Code (MCC) is a four-digit number used to...
What is a High-Risk Payment Processor?
What is a high-risk payment processor?
Even though the payment process is mechanically consistent, the rules and regulations that govern who can do what are many and complex. The broader payments ecosystem, driven by the card networks (Visa, MasterCard, etc.), categorizes merchants by the types of business they engage in; some of those businesses are considered high risk. High-risk payment processors are payment service providers that specialize in helping high-risk merchants to transact business.
Because the other participants in the payment ecosystem (gateways, banks, card networks, and so forth) are justifiably concerned about the risk of contagion from high-risk businesses, they apply more stringent and expensive requirements. As a result, processors that specialize in serving high-risk merchants have higher operating costs, and therefore generally charge higher fees than those who serve lower-risk customers.
What makes a merchant ‘high risk’?
The payments ecosystem is highly sensitive to chargebacks: these are reversed and refunded charges initiated by cardholders who claim that they did not make the original charge. The most obvious example would be the holder of a card that is stolen and used by someone else; chargebacks are also common when consumers unwittingly sign up for subscription products that they thought were one-time purchases.
Beyond chargebacks, the ecosystem is also very concerned about unauthorized users getting inside the payments process, especially with regard to identity theft and money laundering. The primary goal of the PCI-DSS standard is to help merchants avoid becoming the target of data hackers: data breaches are damaging to the ecosystem at large, to the consumers whose data is leaked, and to the merchant that gets hacked. Meanwhile, money laundering - fairly easily-affected by simply having one entity ‘buy’ something from another without actually exchanging anything of value - is of concern to everyone, as it draws the attention and ire of law enforcement.
Is high-risk a blanket designation?
Until the end of April 2023, there was effectively only one high-risk designation, which covered a broad swath of businesses. After May 1, 2023, however, Visa has introduced a new program called the Visa Integrity Risk Program (VIRP), which now splits high-risk into three categories:
- “Tier 1” high integrity risk merchants have a higher risk of illegal activity occurring if the proper controls aren’t in place, and any potential illegal activity that occurs could cause significant harm to the health and safety of individuals. Tier 1 is the most regulated tier for these reasons.
- “Tier 2” high integrity risk merchants operate businesses where there is a higher risk of illegal activity occurring without the proper controls and that activity could cause financial or economic harm to individuals.
- “Tier 3” high integrity risk merchants operate businesses outside of Tiers 1 and 2, but have a higher risk for non-compliance with applicable regulations without appropriate controls.
The Merchant Category Codes (MCC) for these high-risk categories are as follows:
|
Merchant Category Code |
Description |
|---|---|
|
TIER 1 |
|
|
MCC 5967 |
Adult Content |
|
MCC 7273 |
Dating and Escort Services |
|
MCC 7995 |
Gambling |
|
MCC 5122, MCC 5912 |
Pharmacies |
|
TIER 2 |
|
|
MCC 6051, MCC 6012 |
Crypto Merchants (transactions required to use special condition code 7) |
|
MCC 4816 |
Cyberlockers and other remote digital file-sharing services |
|
MCC 5816 |
Games of skill (card-absent) |
|
TIER 3 |
|
|
MCC 6211 |
High-integrity Risk Financial Trading Platforms (card-absent) |
|
MCC 5966 |
Outbound Telemarketing (card-absent) |
|
MCC 5968 |
Subscription “negative option” merchants (card-absent) |
|
MCC 5993 |
Cross-border Tobacco Sales (card-absent) |
What are some reliable high-risk payment processors?
While payment service providers (PSPs) come and go, there are a number that specialize in high-risk services whose reputation have been built and sustained over time. These include:
- PaymentCloud is broadly considered a leader in the space, with a reputation for excellent customer service, and very few publicly-aired complaints. While they do not advertise their pricing (preferring to tailor it to their customers), price has not prevented them from establishing their position as a leader.
- Soar Payments is a solid option for US-based companies that are in a medium-risk business. They provide automated pricing quotes on their site, and don’t support merchants in the highest-risk businesses, relieving potential customers of concerns around reputational association.
- Durango offers services to businesses in the highest-risk categories, and is well-regarded for the processes that allow it, and its customers, to thrive in segments that the overall payment ecosystem is not hugely welcoming to.
There are, of course, many others, specializing in the various subsets of the high-risk marketplace. As previously noted, merchants setting up a business relationship with high-risk payment processors need to carefully examine the services offered, and the fees charged, as these can be higher than those of lower-risk providers.
Could I need a high-risk processor in a lower-risk business?
Sadly, there are plenty of merchants out there who are forced into using high-risk processors owing to challenges in their business, including excessive chargebacks, data breaches, and even lower credit ratings. The Mastercard Alert to Control High-risk Merchants (MATCH) program is of particular note, as being included on this list can limit a merchant’s ability to sign up with new processors. Stripe, for instance, notes that “Due to banking partner restrictions, Stripe generally cannot process for businesses listed on MATCH”.
There are quantitative reasons for being placed on MATCH:
|
CODE |
REASON |
DESCRIPTION |
|---|---|---|
|
#1 |
Account Data Compromise |
An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of account data. |
|
#2 |
Common Point of Purchase |
Account data is stolen at the merchant and then used for fraudulent purchases at other merchant locations. |
|
#3 |
Laundering |
The merchant was engaged in laundering activity. Laundering means that a Merchant presented to its Acquirer Transaction records that were not valid Transactions for sales of goods or services between that Merchant and a bona fide Cardholder. |
|
#7 |
Fraud Conviction |
There was a criminal fraud conviction of a principal owner or partner of the merchant. |
|
#8 |
Mastercard Questionable Merchant Audit Program |
The merchant was determined to be a Questionable Merchant as per the criteria set forth in the Mastercard Questionable Merchant Audit Program. |
|
#9 |
Bankruptcy / Liquidation / Insolvency |
The Merchant was unable or is likely to become unable to discharge its financial obligations. |
|
#10 |
Violation of Standards |
The merchant was in violation of one or more Standards that describe procedures to be employed by the Merchant in Transactions in which Cards are used, including, by way of example and not limitation, the Standards for honoring all Cards, displaying the Marks, charges to Cardholders, minimum/ maximum Transaction amount restrictions, and prohibited Transactions set forth in Chapter 5 of the Mastercard Rules manual. |
|
#11 |
Merchant Collusion |
The merchant participated in fraudulent collusive activity. |
|
#12 |
PCI DSS Non-Compliance |
The merchant failed to comply with Payment Card Industry Data Security Standard requirements. |
|
#13 |
Illegal Transactions |
The merchant was engaged in illegal transactions. |
|
#14 |
Identity Theft |
The Acquirer has reason to believe that the identity of the listed Merchant or its principal owner(s) was unlawfully assumed for the purpose of unlawfully entering into a Merchant Agreement. |
There are also a small number of qualitative MATCH listing reasons:
|
CODE |
REASON |
DESCRIPTION |
|---|---|---|
|
#4 |
Excessive Chargebacks |
With respect to a merchant reported by a Mastercard Acquirer, the number of Mastercard chargebacks in any single month exceeded 1% of the number of Mastercard sales transactions in that month, and those chargebacks totaled USD 5,000 or more. |
|
#5 |
Excessive Fraud |
The merchant effected fraudulent transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting Standard: the merchant’s fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the merchant effected 10 or more fraudulent transactions totaling $5,000 USD or more in that calendar month. |
How to avoid needing a high-risk payment processor
Obviously, any organization that is actively pursuing a business that is listed as high-risk is likely going to have to work with a high-risk payment provider. Others, though, can avoid being caught up in the MATCH process - or otherwise attracting the ire of the payments ecosystem writ large - by jealously guarding access to any and all consumer data. This will ensure that only legitimate transactions are completed (keeping chargeback numbers down), and protect all consumer data in-motion and at-rest (eliminating penalties for data leaks).
A great way to start is to engage a third-party tokenization provider such as Basis Theory, which can protect consumer data, and reduce data leak risks by removing the need for the merchant ever to process or store PII in plain text. In addition, working with a tokenization provider allows the merchant to automate their payment system and use intelligent decisioning to choose which PSP to direct transactions to, providing a system to control and limit chargebacks.
In the end, while high-risk payment processors provide a crucial set of services, avoiding being forced to use them is the strongest move a merchant can make.
