This is blog post one of a five-part series on the ins and outs of high-risk merchants and...
High-Risk Payment Processors
A business will be classified as “high-risk” based on a combination of industry factors, financial health, transaction history, and exposure to fraud or chargebacks. In some instances, a merchant is required to pre-register if it operates in specific, high-risk MCC categories.
Specific MCC codes are assigned to high-risk industries that predominantly generate higher levels of cardholder disputes or represent higher financial or regulatory risk to banks. Other regulations may apply when a merchant operates in a card-not-present (CNP) environment—for example, with online sales compared to retail sales.
For those who are considered a high-risk merchant, despite the payment process remaining mechanically consistent, the rules and regulations that govern high-risk payment processing are complex. As a result, the service providers specializing in serving these businesses have higher operating costs and, therefore, generally charge higher fees for high-risk payment processing.
What are the guidelines for designating a business as high-risk?
Several factors influence decisions when regulatory bodies review data to determine if a business represents higher risk.
Risk Type
Merchant acquirers and payment service providers (PSPs) use a combination of automated tools and manual reviews to assess various risk types that impact merchants.
PSPs may also request additional documentation or conduct on-site visits to verify information and assess the merchant's operations. Through thorough risk assessments, PSPs can protect themselves and their customers from financial losses, legal liabilities, and reputational damage.
Merchant acquirers and PSPs will assess risk a bit differently by bucketing the risk into types, including:
- Content / Business Risks: PSPs assess the nature of the merchant's products or services to identify potential legal, regulatory, or ethical concerns. They review the merchant's website, marketing materials, and customer reviews to ensure compliance with industry standards and identify potential red flags, such as misleading claims, false advertising, or inappropriate content.
- Financial Risks: PSPs evaluate merchants' financial stability and creditworthiness to assess their ability to fulfill financial obligations and manage chargebacks. They review the merchants' financial statements, credit history, and business model to determine their financial strength and risk of insolvency.
- Reputational Risks: PSPs assess the merchant's reputation and public perception to identify any potential negative associations that could damage the PSP's reputation. They analyze online reviews, social media sentiment, and industry news to identify any negative publicity, customer complaints, or regulatory actions against the merchant.
- Money Laundering Risks: PSPs implement anti-money laundering (AML) procedures to prevent criminals from using their platform to launder illicit funds. They verify the merchant's identity, beneficial ownership, and business activities to ensure compliance with AML regulations. They also monitor transaction patterns for suspicious activity, such as large cash transactions, unusual transaction volumes, or transactions from high-risk jurisdictions.
- Transaction Laundering Risks: PSPs assess the merchant's risk of transaction laundering, where criminals use legitimate merchant accounts to process payments for illegal activities. They review the merchant's website, products, and transaction history to identify any discrepancies or inconsistencies that could indicate transaction laundering. They also monitor for unusual transaction patterns, such as spikes in transaction volume or transactions from unrelated industries.
Business and Sales Model
The merchants’ business and sales model can also designate whether a business operates at high or low risk. When operating in a high-risk industry with higher risks for chargebacks, customer disputes, or fraud, PSPs and acquiring banks may be apprehensive about doing business.
Recurring billing, subscriptions, and free trials are risk factors found in business models that may elevate a company’s risk.
A breakdown of the risk factors into which issues may arise include:
|
Issue |
Risk Factors |
Details |
|---|---|---|
|
Increased Chargebacks |
Recurring billing Subscriptions |
Because these often involve automatic charges to customers’ cards, they can lead to unintentional or unauthorized charges |
|
Customer Disputes |
Subscriptions Free Trials |
Customers who feel misled or do not receive the expected value may dispute the charge. If they were not informed about automatic renewals, they may dispute. |
|
Fraud Potential |
Recurring Billing Free Trials |
Malicious actors may sign up for services using stolen credit card information or attempt to abuse the free trial system. |
Visa and Mastercard Standards
The card networks (Visa, Mastercard) also determine which companies are of higher risk. Each brand has its own set of rules for high-risk industries.
Visa Integrity Risk Program (VIRP)
Through April 30, 2023, the Visa Global Brand Protection Program (GBPP) was Visa’s compliance program addressing the reputational risk and potential brand damage for acquiring merchants in high-risk industries and verticals.
Three major changes distinguish VIRP from GBPP:
- High-risk merchants fall under three tier levels.
- Updated, modernized language for high- risk merchants.
- Categories for Visa control assessments.
The Mastercard Business Risk Assessment and Mitigation (BRAM)
BRAM differs from VIRP in that it focuses more on finding and addressing non-compliance with the Mastercard rules. When a merchant is found to be out of compliance with the standards, acquirers are required to add the merchant to the Mastercard Alert to Control High Risk Merchants (MATCH) database.
Should a merchant be found on the MATCH list, any acquirer must decide if it would like to do business with the merchant—but is not discouraged from doing so.
A merchant can be removed from the MATCH list if the merchant was added in error or has since become compliant. After 5 years, regardless of reason, a merchant is automatically removed from the MATCH program, but could be re-added if found in non-compliance again.
Return to TopWho are some reliable high-risk payment processors?
While payment service providers (PSPs) come and go, there are a number that specialize in high-risk services whose reputations have been built and sustained over time. These include:
- PaymentCloud is broadly considered a leader in the space, with a reputation for excellent customer service and very few publicly aired complaints. While they do not advertise their pricing (preferring to tailor it to their customers), the price has not prevented them from establishing their leadership position.
- Soar Payments is an option for US-based companies in medium-risk businesses. They provide automated pricing quotes on their site and don’t support merchants in the highest-risk businesses, relieving potential customers of concerns about reputational association.
- Durango offers services to businesses in the highest-risk categories and is well-regarded for the processes that allow it and its customers to thrive in segments that the overall payment ecosystem is not hugely welcoming to.
Of course, many others specialize in the various subsets of the high-risk marketplace. As previously noted, merchants setting up a business relationship with high-risk payment processors need to carefully examine the services offered and the fees charged, as these can be higher than those of lower-risk providers.
What are high-risk merchant accounts?
A high-risk merchant account is a specialized bank account for businesses that have received a higher-risk designation due to elevated chargeback rates, regulatory scrutiny, or the nature of their business activities.
Without high-risk merchant accounts, many high-risk businesses would struggle to accept credit card payments and would be unable to operate effectively.
Key characteristics of a high-risk merchant account are:
- Higher processing fees due to the increased risk compared to standard merchant accounts.
- Rolling reserves to mitigate potential losses. This is a portion of the business’s income held in reserve for a set period of time to cover any potential disputes or chargebacks that occur.
- Extensive scrutiny when assessing documentation and the business’s financial stability and risk profile.
High-risk payment processors are specialized to handle these unique needs, such as recurring billing for subscription services or enhanced fraud protection.
Is High-Risk a blanket designation?
The answer used to be yes. Until the end of April 2023, there was effectively only one high-risk designation that covered a broad swath of businesses. After May 1, 2023, however, Visa introduced a new program called the Visa Integrity Risk Program (VIRP), which splits risks into three categories:
- “Tier 1” high integrity risk merchants have a higher risk of illegal activity occurring if the proper controls aren’t in place, and any potential illegal activity that occurs could cause significant harm to the health and safety of individuals. For these reasons, Tier 1 is the most regulated tier.
- “Tier 2” high integrity risk merchants operate businesses where there is a higher risk of illegal activity occurring without the proper controls, and that activity could cause financial or economic harm to individuals.
- “Tier 3” high integrity risk merchants operate businesses outside of Tiers 1 and 2, but are at a higher risk of non-compliance with applicable regulations without appropriate controls.
The Merchant Category Codes (MCC) for these high-risk categories are as follows:
Could I need a high-risk processor in a lower-risk business?
Sadly, plenty of merchants are forced into using high-risk online payment processors owing to challenges in their business, including excessive chargebacks, data breaches, and even lower credit ratings. The MATCH program is of particular note, as being included on this list can limit a merchant’s ability to sign up with new processors.
Stripe, for instance, notes that “Due to banking partner restrictions, Stripe generally cannot process for businesses listed on MATCH.”
There are other quantitative reasons for being placed on MATCH:
|
CODE |
REASON |
DESCRIPTION |
|---|---|---|
|
#1 |
Account Data Compromise |
An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of account data. |
|
#2 |
Common Point of Purchase |
Account data is stolen at the Merchant and then used for fraudulent purchases at other Merchant locations. |
|
#3 |
Laundering |
The Merchant was engaged in laundering activity. Laundering means that a Merchant presented to its Acquirer Transaction records that were not valid Transactions for sales of goods or services between that Merchant and a bona fide Cardholder. |
|
#7 |
Fraud Conviction |
There was a criminal fraud conviction of a principal owner or partner of the Merchant. |
|
#8 |
Mastercard Questionable Merchant Audit Program |
The Merchant was determined to be a Questionable Merchant as per the criteria set forth in the Mastercard Questionable Merchant Audit Program. |
|
#9 |
Bankruptcy/Liquidation/Insolvency |
The Merchant was unable or is likely to become unable to discharge its financial obligations. |
|
#10 |
Violation of Standards |
With respect to a Merchant reported by a Mastercard Acquirer, the Merchant was in violation of one or more Standards that describe procedures to be employed by the Merchant in Transactions in which Cards are used, including, by way of example and not limitation, the Standards for honoring all Cards, displaying the Marks, charges to Cardholders, minimum/ maximum Transaction amount restrictions, and prohibited Transactions set forth in Chapter 5 of the Mastercard Rules manual. |
|
#11 |
Merchant Collusion |
The Merchant participated in fraudulent collusive activity. |
|
#12 |
PCI DSS Non-Compliance |
The Merchant failed to comply with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. |
|
#13 |
Illegal Transactions |
The Merchant was engaged in illegal Transactions. |
|
#14 |
Identity Theft |
The Acquirer has reason to believe that the identity of the listed Merchant or its principal owner(s) was unlawfully assumed for the purpose of unlawfully entering into a Merchant Agreement. |
There are also a small number of qualitative MATCH listing reasons:
|
CODE |
REASON |
DESCRIPTION |
|---|---|---|
|
#4 |
Excessive Chargebacks |
With respect to a Merchant reported by a Mastercard Acquirer, the number of Mastercard chargebacks in any single month exceeded 1% of the number of Mastercard sales Transactions in that month, and those chargebacks totaled USD 5,000 or more. |
|
#5 |
Excessive Fraud |
The Merchant effected fraudulent Transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting Standard: the Merchant’s fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the Merchant effected 10 or more fraudulent Transactions totaling USD 5,000 or more in that calendar month. |
How to Avoid Needing a High-Risk Payment Processor
Obviously, any organization actively pursuing business that is listed as high-risk is likely going to have to work with a high-risk payment provider. Others, though, can avoid being caught up in the MATCH process—or otherwise attracting the ire of the payments ecosystem writ large—by jealously guarding access to any and all consumer data. This will ensure that only legitimate transactions are completed (keeping chargeback numbers down) and protect all consumer data in motion and at rest (eliminating penalties for data leaks).
A great way to start is to engage a third-party tokenization provider such as Basis Theory, which can protect consumer data and reduce data leak risks by removing the need for the merchant ever to process or store PII in plain text. In addition, working with a tokenization provider allows the merchant to automate their payment system and use intelligent decisions to choose which PSP to direct transactions to, providing a system to control and limit chargebacks.
In the end, while high-risk payment processors provide a crucial set of services, avoiding being forced to use them is a merchant's strongest move. Consider a multi-gateway approach to reduce the risk.
