
    High-Risk Payment Processing: The Rules of the Game

    This is blog post one of a five-part series on the ins and outs of high-risk merchants and high-risk payment processing.

    What are the Guidelines for Designating a Business as High Risk?

    While there are many guidelines in place that designate a business as high risk, there’s also a bit of an art and a science behind it.

    For the most part, the card networks (Visa, Mastercard) determine which companies are of higher risk. Each brand has its own set of rules that merchants must understand and follow when operating in “higher” risk businesses.

    Visa Integrity Risk Program (VIRP)

    Through April 30, 2023, the Visa Global Brand Protection Program (GBPP) was Visa’s compliance program addressing the reputational risk and potential brand damage for acquiring merchants in high-risk verticals. Beginning on May 1, 2023, the Visa Integrity Risk Program (VIRP) replaced this program.

    According to the Visa Integrity Risk Program Guide, “VIRP ensures that Acquirers, and their designated agents, maintain proper controls and oversight processes to deter illegal transactions from entering the Visa Payment System.”

    Three major changes distinguish VIRP from GBPP:

    1. High-risk merchants now fall under three tier levels
    2. Updated, modernized language for high-risk merchants
    3. Categories for Visa control assessments

    The Mastercard Business Risk Assessment and Mitigation (BRAM)

    BRAM differs from VIRP in that it focuses more on finding and addressing non-compliance with the Mastercard rules. When a merchant is found to be out of compliance with the standards, acquirers are required to add the merchant to the Mastercard Alert to Control High Risk Merchants (MATCH) database. 

    MATCH is essentially an informational exchange between acquiring banks that allows merchant acquirers to review enhanced information about a merchant’s risk prior to entering into an agreement with them. 

    A merchant is required to be added to MATCH within 5 days of any acquirer deciding to terminate a relationship with a merchant.

    Merchant acquirers are required to submit a MATCH inquiry prior to onboarding a merchant. 

    Should the merchant be found on the MATCH list, the acquirer must then decide whether it would like to do business with the merchant; it is not discouraged from doing so.

    Merchants can only be removed from the MATCH database for two reasons: the merchant was added in error, or the merchant was added for reason code 12 (PCI non-compliance) and has since become compliant. After 5 years, regardless of reason, a merchant is automatically removed from the database and the MATCH program.

    Which Elements are Reviewed When Determining Risk Status?

    When regulatory bodies review data to determine if a business represents higher risk, several factors influence the decision. 

    Underwriting and MCCs

    A Merchant Category Code (MCC) is a four-digit number used to categorize merchants based on their business activities and products or services being sold.

    Subject to credit card association guidelines, MCCs are assigned to each merchant account by the acquiring bank when the merchant account is established. A single merchant may have multiple MCCs assigned, varying with the company's different products, services, or departments. Likewise, some companies may have their own dedicated MCC, like airlines, rental cars, and hotels.

    The credit card associations have also established rules and regulations defining the use of particular MCC categories for risk monitoring purposes. In some instances, merchants are required to pre-register their business if it operates in specific high-risk MCC categories. 

    Some of the higher-risk categories include:

    • Gambling
    • Adult Content
    • Pharmacies
    • And more

    Risk Types 

    Merchant acquirers and PSPs use a combination of automated tools and manual reviews to assess various risk types that impact merchants.

    PSPs may also request additional documentation or conduct on-site visits to verify information and assess the merchant's operations. By conducting thorough risk assessments, PSPs can protect themselves and their customers from financial losses, legal liabilities, and reputational damage.

    Merchant acquirers and PSPs will assess risk a bit differently by bucketing the risk into types, including:

    • Content / Business Risks - PSPs assess the nature of the merchant's products or services to identify potential legal, regulatory, or ethical concerns. They review the merchant's website, marketing materials, and customer reviews to ensure compliance with industry standards and to identify any potential red flags, such as misleading claims, false advertising, or inappropriate content.
    • Financial Risks - PSPs evaluate the merchant's financial stability and creditworthiness to assess their ability to fulfill financial obligations and manage chargebacks. They review the merchant's financial statements, credit history, and business model to determine their financial strength and risk of insolvency.
    • Reputational Risks - PSPs assess the merchant's reputation and public perception to identify any potential negative associations that could damage the PSP's reputation. They analyze online reviews, social media sentiment, and industry news to identify any negative publicity, customer complaints, or regulatory actions against the merchant.
    • Money Laundering Risks - PSPs implement anti-money laundering (AML) procedures to prevent criminals from using their platform to launder illicit funds. They verify the merchant's identity, beneficial ownership, and business activities to ensure compliance with AML regulations. They also monitor transaction patterns for suspicious activity, such as large cash transactions, unusual transaction volumes, or transactions from high-risk jurisdictions.
    • Transaction Laundering Risks - PSPs assess the merchant's risk of transaction laundering, where criminals use legitimate merchant accounts to process payments for illegal activities. They review the merchant's website, products, and transaction history to identify any discrepancies or inconsistencies that could indicate transaction laundering. They also monitor for unusual transaction patterns, such as spikes in transaction volume or transactions from unrelated industries.

    Business and Sales Model

    A merchant’s business and sales model can also determine whether a business operates as high or low risk. When a merchant operates in a model that is known to have higher risks for chargebacks, customer disputes, or fraud, PSPs and acquiring banks may be apprehensive about doing business with it.

    Risk factors found in business models that may elevate a company’s risk include recurring billing, subscriptions, and free trials.

    A breakdown of the issues that may arise and the risk factors behind them:

    | Issue | Risk Factors | Details |
    | --- | --- | --- |
    | Increased Chargebacks | Recurring billing, Subscriptions | Because these often involve automatic charges to customers’ cards, they can lead to unintentional or unauthorized charges. |
    | Customer Disputes | Subscriptions, Free trials | If customers feel misled or did not receive expected value, they may dispute the charge. If they were not informed about automatic renewals, they may dispute. |
    | Fraud Potential | Recurring billing, Free trials | Malicious actors may sign up for services using stolen credit card information or attempt to abuse the free trial system. |

    Fraud Flags

    A final, more nebulous element is that of “fraud flags”. While this is not an official definition, it is something of a catch-all for when a few factors, even some that may not inherently cause a business to be high-risk, combine to designate a business as higher risk.

    This could be a mixture of fraud elements and the business vertical. 

    For example, let’s take the case of a cross-border tobacco organization that opened a Merchant Account under an MCC of 5993. This MCC falls into Tier 3 of the VIRP where there is a higher risk of non-compliance without appropriate controls, but doesn’t inevitably make processing more expensive or more challenging.

    However, after a year, this business begins to experience an increasing number of chargebacks, sitting at 0.85%. This is still below the Visa and Mastercard thresholds for risk, but is quite high.

    Then, the company experiences a small data breach due to a vulnerability that was never addressed. This leads to a PCI compliance audit, a Visa audit, and puts the organization on the MATCH list. At this point, the company would now be considered high-risk and will likely need to work with a payment processor that specializes in high-risk business to continue operating.
