Mastercard SMMP and What It Means for Merchants

Mastercard SMMP
Quick Take: Mastercard SMMP, short for the Scam Merchant Monitoring Program, becomes enforceable on July 24, 2026. Unlike the ratio-based monitoring programs merchants already know, SMMP is triggered by scam signals, and a confirmed investigation ends in immediate loss of Mastercard and Maestro processing. There has been plenty of alarmist coverage, but much of it misses a key detail: the most feared trigger, the 5% combined refund and chargeback rule, applies only to merchants with under six months of Mastercard history. We break down how Mastercard SMMP works, who is genuinely at risk, and how to prepare before enforcement begins.

A Different Kind of Monitoring Program

Most merchants are familiar with the usual pattern of card network monitoring programs. You cross a chargeback or fraud threshold, you get flagged, you pay fines, and you get a remediation window to bring your numbers back down. Uncomfortable, but survivable.

Mastercard SMMP works on entirely different logic.

The Scam Merchant Monitoring Program, introduced through a July 2025 update to Mastercard’s Security Rules and Procedures as part of a broader overhaul of the network’s merchant monitoring standards, becomes fully enforceable on July 24, 2026 and requires acquirers and payment facilitators to investigate any merchant flagged for potential scam activity within 72 hours. If the investigation confirms scam activity, Mastercard and Maestro processing is terminated immediately, and the merchant can be placed on the MATCH list, which makes finding a new acquirer extremely difficult. No fines. No warnings. No grace period.

The program applies to card-not-present merchants globally, including sponsored merchants operating under payment facilitators. And while full enforcement begins in July, the onboarding screening requirements for new merchants have already been active since January 2026, meaning acquirers now scan new merchant websites before the first transaction is ever processed.

How Mastercard SMMP Differs From ECP and EFM

Mastercard already runs the Excessive Chargeback Program (ECP) and the Excessive Fraud Merchant (EFM) program. Both are ratio-based. ECP counts chargebacks against transaction volume, EFM counts fraud reports, and both assess fines with time to remediate when thresholds are exceeded.

SMMP adds a third monitoring layer that runs alongside them, and it watches for signals rather than ratios. An issuer fraud report, chargeback documentation that mentions manipulation, intelligence from Mastercard itself, or an alert from an approved monitoring provider can each start the clock. That means a merchant can sit comfortably below every ECP and EFM threshold and still face an SMMP investigation if the pattern of activity resembles a scam operation.

This mirrors a broader shift across both major card networks. Visa moved first with VAMP, which consolidated dispute and fraud monitoring into a single ratio and pushed accountability onto acquirers. Mastercard SMMP extends that same philosophy of acquirer-level responsibility, with a specific focus on identifying and removing scam operations quickly.

What Can Trigger an SMMP Investigation

Mastercard defines several distinct trigger conditions. When any one of them fires, the acquirer must open an investigation within 72 hours.

A Sharp Drop in Authorization Approval Rates

If a merchant processes at least 25 transactions in a 72-hour period and the approval rate falls by 50 or more percentage points, or drops below 30% overall, an investigation is required. A collapse like this is often a leading indicator that issuing banks are flagging a merchant’s transactions as suspicious. Worth noting, though: a botched marketing campaign, a routing problem, or an aggressive retry strategy can produce the same pattern. It does not have to be fraud. It just looks like fraud from the network’s vantage point. Issues stemming from BIN attacks or acquirer-side system problems are excluded.

A GRIP Letter From Mastercard

GRIP stands for Global Rules Investigation Program. A GRIP letter means Mastercard’s own intelligence has already linked the merchant account to suspected scam activity at the network level. By the time an acquirer receives one, the investigation obligation is already in motion. These do not arrive without reason.

Scam Signals for New Merchants

This category applies only to merchants with six months or less of Mastercard acceptance history, and it is where the much-discussed 5% rule lives. For these newer accounts, three conditions can trigger a review. Two different issuers reporting transactions under fraud reason code 56, which is Mastercard’s classification for Manipulation of Cardholder. Chargebacks from two or more issuers with supporting documentation that references scams or manipulation. Or a combined refund and chargeback rate exceeding 5% of purchase transactions during any rolling 30-day period, provided the merchant processed at least 500 transactions in that window.

Alerts From Approved Monitoring Providers

Mastercard works with approved Merchant Monitoring Service Providers (MMSPs) that scan merchant behavior and digital signals. An alert from one of these providers identifying a potential scam merchant can independently require an investigation. This creates a channel for evidence from outside the transaction ledger entirely. Website content, marketing claims, and patterns in online complaints can all become signals.

Why the 5% Rule Is Less Alarming Than the Headlines Suggest

Much of the coverage circulating about Mastercard SMMP treats the 5% combined threshold as an existential threat to every online business. Here’s the thing. That threshold does not apply to established merchants at all.

Only merchant accounts with less than six months of Mastercard processing history are subject to it. If your account has been processing longer than that, this specific trigger simply is not relevant to your situation, though the other triggers still apply.

The six-month window exists for a reason. Scam operations follow a predictable pattern: spin up a merchant account, process heavy volume fast, accumulate complaints, and vanish before traditional chargeback ratios catch up. Mastercard designed SMMP to catch that pattern early, and legitimate merchants past their first six months are statistically far less likely to fit it.

The combined counting of refunds and chargebacks also has a specific purpose. Scam operators frequently issue partial refunds to stay under the chargeback radar while they keep processing. Measuring both together closes that evasion tactic. So a seasonal business with predictable post-holiday returns is not suddenly facing termination, and an established subscription business with normal churn is not either. The rule is aimed at a very specific behavioral fingerprint.

That said, legitimate new merchants do go through the same scrutiny. If you launched recently and operate in a vertical with naturally elevated refund activity, such as subscriptions, SaaS, digital goods, or travel, this threshold deserves your close attention.

What Happens During the 72-Hour Window

A flag is not a termination, a critical fact that seems to gets lost in most of the panic-driven coverage.

Once a trigger fires, the acquirer has 72 hours to investigate and report findings to Mastercard. If scam activity is confirmed, termination is immediate. If the merchant is cleared, processing continues, though ongoing monitoring remains in place.

The outcome depends heavily on context. An investigation will examine whether the merchant’s behavior matches its stated business model, whether complaints point to deception, whether transaction data reflects genuine demand, and whether the merchant can substantiate fulfillment, refund handling, and customer communication. An acquirer that understands your business model can explain a metric anomaly. An acquirer working from raw numbers alone cannot.

72 hours is not enough time to build a defense from scratch. The defense has to exist before the question is asked. Organized transaction records, fulfillment documentation, refund logs, and customer communication histories are what separate a quick clearance from a scramble.

What Mastercard SMMP Changes About Prevention and Recovery

There is one detail in this program that should reshape how every merchant thinks about their chargeback strategy, and it applies well beyond SMMP itself.

Winning a chargeback through representment does not reduce your count under SMMP, ECP, or EFM. Once a chargeback is filed, it is counted, regardless of who ultimately wins the case. You can assemble flawless compelling evidence, overturn the chargeback, and recover every dollar, and your monitoring exposure moves by exactly zero.

This does not mean representment stopped mattering. It means representment and compliance serve two different purposes. Representment protects your revenue. Prevention protects your standing with the card networks. You need both, and confusing one for the other is where merchants get into trouble.

Prevention, in this context, means stopping the dispute before it ever gets filed. Solutions that share transaction and fulfillment data with issuing banks at the point of inquiry, such as Verifi Order Insight and Ethoca Consumer Clarity, can resolve cardholder confusion before it becomes a dispute at all. And if the issuing bank accepts a transaction as legitimate at that stage, the case may never be classified as fraud or referenced as a scam in the first place, which is precisely the kind of signal SMMP watches for. Our DEFLECT solution integrates both of these data-sharing frameworks, working in the background to resolve inquiries before they escalate.

Alert-based workflows still play an important role too, but strategy matters more than ever. For new merchants subject to the combined 5% threshold, blanket refunding every dispute alert feeds the same metric it was meant to protect. The answer is not to abandon alerts. It is to run them with discipline: refund where it genuinely resolves the issue, escalate where evidence is strong, and keep your combined rate in view the whole time. Our RESOLVE solution consolidates dispute alerts from Verifi CDRN, Ethoca Alerts, and Visa RDR into a single workflow, which makes that kind of selective decision-making practical instead of chaotic.

And chargebacks that do slip through still represent recoverable revenue. Our RECOVER solution automates representment by assembling compelling evidence directly from your transaction stream. As a bonus, that same organized evidence trail is exactly what an acquirer needs on hand if an SMMP investigation ever opens. Documentation built for winning disputes doubles as documentation that proves legitimacy.

How to Prepare Before July 24

Preparation for Mastercard SMMP is less about buying products and more about knowing your numbers and controlling your signals. A few concrete steps go a long way:

  • Track your combined refund and chargeback rate as a single metric over a rolling 30-day window, and set internal alerts well below 5% to give yourself reaction time
  • Monitor your authorization approval rates for unusual swings, since a sharp drop is a trigger regardless of how long you have been processing
  • Review your billing descriptors, because unrecognized charges push customers to call their bank, and the language they use on that call can end up in the dispute record
  • Brief your acquirer on your business model, expected refund patterns, and seasonality before a trigger ever fires
  • Keep fulfillment, refund, and customer communication records organized well enough that a 72-hour investigation finds a complete story

The mindset shift is the biggest piece. Most merchants track refunds and chargebacks separately, and most monitoring focuses on disputes alone. Card networks are increasingly looking at the combined picture, and your internal reporting should too.

Get Ahead of SMMP With a Strategy That Works

If Mastercard SMMP has you rethinking how your business handles disputes, refunds, and chargebacks, that instinct is a good one. The merchants who will sail through this change are the ones whose combined rates stay low, whose data reaches issuing banks before confusion turns into disputes, and whose documentation is ready before anyone asks for it. If you would like help building that kind of layered approach, from point-of-inquiry data sharing through disciplined alert management and automated representment, contact us and our team of chargeback management experts will help you assess where you stand against the new triggers.

Why ChargebackHelp?

ChargebackHelp brings prevention, resolution, and recovery together into a single platform built for exactly this kind of shifting enforcement landscape. DEFLECT resolves cardholder confusion at the point of inquiry, RESOLVE consolidates every dispute alert into one disciplined workflow, and RECOVER automates representment while building the organized evidence trail that regulators, acquirers, and card networks increasingly expect. Instead of reacting to each new program announcement in isolation, you gain a coordinated framework that keeps your ratios within acceptable bounds, protects your revenue, and keeps your merchant account aligned with card network enforcement expectations as the rules evolve. We manage the complexity so you can focus on running your business.

FAQs: Mastercard SMMP and What It Means for Merchants

What is Mastercard SMMP?

SMMP stands for the Scam Merchant Monitoring Program, a Mastercard enforcement framework enforceable from July 24, 2026. It requires acquirers to investigate merchants flagged for potential scam activity within 72 hours, and confirmed scam activity results in immediate termination of Mastercard and Maestro processing. ChargebackHelp helps merchants monitor the metrics that matter under SMMP and build the prevention layers that keep accounts clear of its triggers.

Does the 5% combined refund and chargeback rule apply to all merchants?

No. That threshold applies only to merchants with less than six months of Mastercard processing history who conduct at least 500 transactions in a rolling 30-day period. Established merchants are exempt from that specific trigger, though other SMMP triggers such as authorization rate drops and GRIP letters still apply to everyone.

How is SMMP different from Mastercard’s ECP and EFM programs?

ECP and EFM are ratio-based programs that assess fines and give merchants time to remediate. SMMP is investigation-based and signal-driven, with immediate termination as the consequence of a confirmed finding. All three programs run concurrently, so clearing ECP and EFM thresholds does not exempt a merchant from SMMP scrutiny.

Does winning a representment case reduce my SMMP exposure?

No. Once a chargeback is filed, it counts toward SMMP, ECP, and EFM metrics regardless of the representment outcome. Representment still recovers revenue, but only prevention reduces compliance exposure. ChargebackHelp’s DEFLECT and RESOLVE solutions focus on stopping disputes before they are ever filed, while RECOVER handles the revenue side.

Can a legitimate business be flagged under SMMP?

Yes, particularly newer merchants and those in verticals with naturally elevated refund activity like subscriptions, SaaS, and digital goods. A flag triggers an investigation, not an automatic termination, and merchants with organized documentation and an acquirer who understands their business model are typically cleared. ChargebackHelp’s automated evidence capture keeps that documentation ready before it is ever requested.

What happens if an SMMP investigation confirms scam activity?

Mastercard and Maestro processing is terminated immediately, and the merchant can be placed on the MATCH list, which severely limits the ability to obtain a new merchant account with other acquirers. There is no fine structure, remediation window, or appeal ladder comparable to the ratio-based programs.

How should merchants prepare for SMMP before July 2026?

Track refunds and chargebacks as a combined metric, watch authorization rates for unusual swings, tighten billing descriptors, brief your acquirer on your business model, and keep transaction and fulfillment records organized. If you would like help putting these pieces in place, ChargebackHelp’s team can assess your current exposure and build a prevention-first strategy around your operation.

Similar Posts