The Net Was Not Built for Him

Tomas Ran a Clean Store for Two Years. A 72-Hour Window Almost Closed It Anyway.

Tomas Vera had never heard the phrase scam merchant monitoring the morning it nearly cost him his business. He sells refurbished camera gear online from a small warehouse outside Sacramento — buying lots from estate sales and shop closures, testing every body and lens, grading them, and shipping worldwide. The business is unglamorous and honest: a four-person operation that lives and dies on its reputation in a handful of photography forums. By the spring of 2026 he was doing a little over $90,000 a month in card volume, almost all of it card-not-present.

On a Thursday in April, a wholesaler in Europe placed a single large order — eleven lenses, one payment. Tomas’s processor declined it. Then declined the customer’s second attempt. Then a wave of smaller international orders he had been expecting from a forum promotion hit the same wall. By Friday afternoon his approval rate had fallen off a cliff, and his account was under review. Nobody at the processor would tell him why, only that “risk” was looking at it and he should hear back “soon.”

What Tomas had walked into was the leading edge of a new enforcement program — and the reason his clean two-year history almost did not save him.

What Changed

Scam Merchant Monitoring Turns Warning Signs Into a Countdown

Starting July 24, 2026, Mastercard’s revised scam merchant monitoring standards require acquirers and payment facilitators to actively watch merchant behavior and open an investigation within 72 hours whenever certain risk signals appear. If that investigation confirms scam activity, the merchant is blocked from accepting Mastercard transactions immediately — no fine, no remediation period, no gradual wind-down.

That is a sharp departure from the programs merchants are used to. Chargeback-ratio programs work on thresholds you breach slowly and then get time to fix. Scam merchant monitoring works on signals that trip a clock. The point is speed: scam storefronts launch, harvest, and vanish in days, so the network compressed its response time to match. The trouble is that a legitimate business having one unusual week can look, to an automated signal, a great deal like a fast-moving fraud.

Why the network is doing this

Fake online storefronts exploded alongside e-commerce. Mastercard’s goal is to catch and remove them before they reach more cardholders, using transaction data plus outside signals to keep a running read on merchant trust. The intent is sound. The collateral risk falls on real merchants whose data has a bad week.

The Triggers

What Actually Starts the 72-Hour Clock

The signals that open an investigation are specific, and understanding them is the difference between fearing the program and managing around it. The first applies to everyone: if your authorization approval rate drops by at least 50 percentage points over a 72-hour window — say from 95% down to 45% — or falls below 30% while you run at least 25 transactions, that is a trigger. Failures caused by BIN attacks or by the acquirer’s own system problems are excluded, but the merchant rarely controls how those get coded.
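A merchant can run the same arithmetic over its own authorization log to see a trigger coming. The sketch below is an added example, not Mastercard's or any processor's logic. It assumes the drop is measured against the preceding 72-hour window and that the 25-transaction minimum counts within the current window. The record fields (`ts`, `approved`, `excluded`) and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)
DROP_POINTS = 50.0    # percentage-point drop named in the article
FLOOR_RATE = 30.0     # approval-rate floor named in the article
FLOOR_MIN_TXNS = 25   # minimum transaction count for the floor rule

def approval_rate(auths, start, end):
    """Return (approval rate in %, count) for auths with start <= ts < end.

    Records flagged excluded (BIN attack, acquirer outage) are skipped.
    """
    rows = [a for a in auths if start <= a["ts"] < end and not a["excluded"]]
    if not rows:
        return None, 0
    approved = sum(1 for a in rows if a["approved"])
    return 100.0 * approved / len(rows), len(rows)

def check_triggers(auths, now):
    """Names of the approval-rate triggers that fire for the window ending at now."""
    cur, n_cur = approval_rate(auths, now - WINDOW, now)
    prev, _ = approval_rate(auths, now - 2 * WINDOW, now - WINDOW)
    fired = []
    # Assumption: the drop is measured against the preceding 72-hour window.
    if cur is not None and prev is not None and prev - cur >= DROP_POINTS:
        fired.append("drop_50_points")
    if cur is not None and n_cur >= FLOOR_MIN_TXNS and cur < FLOOR_RATE:
        fired.append("below_30_percent")
    return fired

def make_auths(start, count, approved_count, excluded=False):
    """Constructed sample data: count auths one hour apart, first ones approved."""
    return [{"ts": start + timedelta(hours=i), "approved": i < approved_count,
             "excluded": excluded} for i in range(count)]

NOW = datetime(2026, 4, 18, 12, 0)                 # constructed timestamp
BASELINE = make_auths(NOW - 2 * WINDOW, 40, 38)    # 38 of 40 approved = 95%
BAD_WINDOW = make_auths(NOW - WINDOW, 40, 18)      # 18 of 40 approved = 45%

if __name__ == "__main__":
    print(check_triggers(BASELINE + BAD_WINDOW, NOW))  # drop rule fires
```

The `excluded` flag matters as much as the thresholds: the same declines either count against the window or disappear from it depending on how they were coded.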

A second set of triggers targets new merchants specifically. If your business has six months or less of Mastercard acceptance history, a single early fraud pattern can start the clock: two different card issuers reporting a transaction under the “manipulation of cardholder” fraud code, two issuers filing documented chargebacks that reference scams, or a combined refund-and-chargeback rate above a set ceiling. The newer you are, the thinner the benefit of the doubt.

The trap for the honest merchant

Tomas was not new, but his approval rate cratered in a single afternoon because a batch of high-value international orders got declined by issuers in quick succession. To a monitoring signal, “sudden approval collapse plus international card-not-present volume” reads as a possible scam. The system does not know he spent two years building a spotless book. It knows what this week’s data looks like.

Who Should Pay Attention

Card-Not-Present Merchants Carry the Most Exposure

Scam merchant monitoring applies to card-not-present merchants globally, which means almost any business taking payments online, over the phone, or through a virtual terminal sits inside its scope. Subscription businesses, SaaS billing, and newly launched e-commerce stores are the most exposed, because their normal patterns — recurring declines, free-trial churn, rapid early growth — overlap with the signals the program watches for.

None of that means a legitimate business is likely to be terminated. Stable, well-run merchants generally keep stable approval rates, and the program is aimed at storefronts that are genuinely fraudulent. But “generally” is doing real work in that sentence, and the consequence of landing on the wrong side of a confirmed investigation is severe enough that it is worth a few hours of preparation now rather than a panicked Friday later.

What to watch on your own statements
  • Sudden, unexplained swings in your authorization approval rate — track it month to month so you would notice a drop
  • A creeping combined refund-and-chargeback rate, especially if you are under six months old on the network
  • Spikes in international or unusually large orders that fall outside your normal pattern and arrive without your having warned your processor first

What Protects You

The Defense Is Boring, Documented, and Built Before You Need It

There is no secret to surviving the new rule. The protection is unglamorous: keep your approval rate stable, keep refunds and chargebacks low and documented, and keep your acquirer informed before your data does something that looks alarming out of context. When Tomas knew a large forum promotion was coming, the right move would have been a two-line email to his processor flagging the expected spike in international orders — context that turns an alarming signal into an explained one.

The deeper protection is having a processor relationship where a human will actually pick up when “risk” puts a hold on your account. In Tomas’s case, the review cleared after four days because the orders were ultimately legitimate and the issuers re-approved them — but he spent those four days unable to fund payroll against held settlements, with nobody returning his calls. A merchant whose processor treats them as a number gets the automated experience. A merchant with an advocate gets a phone call and a faster resolution.

The genuinely good news

Everything that protects you against scam merchant monitoring also lowers your processing cost and your fraud losses. Stable approval rates, clean dispute ratios, and a processor who knows your business are the same fundamentals that earn better rates and smoother underwriting. Preparing for the July 24 rule is not extra work — it is the work you should already be doing, with a deadline attached.

Common Questions

Frequently Asked Questions

When does Mastercard’s scam merchant monitoring take effect?

The revised standards take full effect on July 24, 2026. From that date, acquirers and payment facilitators must open an investigation within 72 hours when defined risk signals appear, and block the merchant immediately if scam activity is confirmed.

Can a legitimate business get caught by the new monitoring rules?

Yes. The triggers are data signals, not judgments about intent. A sudden drop in your authorization approval rate or a short-term spike in chargebacks can start an investigation even for an honest merchant — which is why monitoring your own metrics and keeping your acquirer informed matters.

Are new merchants treated differently?

They face tighter scrutiny. Businesses with six months or less of Mastercard acceptance history can trip an investigation on a single early fraud pattern — such as two issuers reporting the same transaction as fraud — where an established merchant would not.

For Card-Not-Present Merchants Before July 24

Send Us Your Last Three Statements. We’ll Tell You Where Your Risk Signals Stand.

If most of your volume is online or over the phone — like Tomas’s was — the worst time to learn how scam merchant monitoring reads your account is the day a hold lands. Send Brookside three recent statements and we’ll map your approval-rate stability, your dispute ratios, and whether your current processor would actually advocate for you in a 72-hour review. The read takes us about twenty minutes. Learn more about payment processing consumer protections from the CFPB.

Kevin wrote this. But if he's wrong, we'll make it right — and demote Kevin to sharpening pencils. BeBetter@brooksidepayments.com