Mastercard's New Scam Merchant Rules: What Every eCommerce and SaaS Merchant Needs to Know Before July 2026

Mastercard has spent years relying on chargeback ratio programs like ECM and EFM to manage merchant risk. Those programs fine you when your numbers go above a threshold, give you time to fix things, and escalate if you don't. They're uncomfortable, but survivable.

The Scam Merchant Monitoring Program (SMMP) works differently. It isn't about thresholds you gradually breach. It's about signals that look like scam activity, and when those signals appear, the consequences are immediate. Acquirers have 72 hours to investigate, and if they confirm scam activity, Mastercard and Maestro processing stops right away. No warnings, no remediation window. Your ability to accept cards is just gone.

The full program takes effect July 24, 2026, but the onboarding requirements for new merchants have been active since January 2026. If you're a merchant in eCommerce, SaaS, or subscriptions, this affects you more than you might think.

Since January 2026, acquirers are also required to scan every new merchant's website before processing their first transaction. If a monitoring provider flags something during that scan, the acquirer has 15 days to investigate and remediate. That's a separate obligation from the 72-hour SMMP window, and it means new merchants are under scrutiny before they process a single payment.

This Is Not ECM. The Consequences Are Different.

Most merchants are familiar with Mastercard's existing monitoring programs. ECM (Excessive Chargeback Merchant) and EFM (Excessive Fraud Merchant) work on ratios. You get flagged, you get fined, you get time to improve. SMMP operates on a completely different logic.

Here's how they compare:

The key difference is that SMMP gives acquirers a compressed decision window. A merchant can be perfectly clean under ECM rules, dispute ratios within acceptable limits, and still get flagged under SMMP if the pattern of activity looks like a scam operation. These programs run in parallel, not in sequence. For a detailed comparison of how SMMP differs from ECM and EFM, see cside's breakdown.

This isn’t just a Mastercard story. Visa moved first with VAMP (Visa Acquirer Monitoring Program), which shifted accountability to acquirers for fraud and dispute performance across their merchant portfolios. Mastercard’s SMMP completes the picture on their network. Together, they represent a coordinated shift across both card networks: one evidence standard, one expectation, two deadlines. If you’re positioning your dispute management around VAMP and ECM, SMMP belongs in that same conversation. 

What Actually Triggers an Investigation

There are four trigger categories acquirers are required to act on:

A sudden drop in authorization rates. If your approval rate falls by 50 or more percentage points within a 72-hour window, or drops below 30% while you're processing at least 25 transactions, that triggers a review. A bad campaign, a routing issue, or an aggressive retry strategy can all produce this pattern. It doesn't have to mean fraud, but it looks like fraud from Mastercard's vantage point.

A GRIP letter from Mastercard. A Global Rules Investigation Program notification means Mastercard has already flagged your account for suspected fraudulent activity at the network level. By the time your acquirer receives one of these, the clock is already running.

New merchant scam signals. This is the one that hits legitimate businesses hardest. If you have less than six months of Mastercard processing history, you're in a heightened monitoring window. Two different issuers filing fraud type 56 reports against you, chargebacks from multiple issuers with documentation mentioning scams or manipulation, or a combined refund and chargeback rate above 5% in any rolling 30-day period can all trigger an investigation. Fraud type 56 is Mastercard’s classification for first-party misuse, more commonly known as friendly fraud, where the cardholder made the purchase but disputes it anyway. Two issuers filing this against the same merchant is a strong signal of a pattern, not a one-off. 

An alert from a Merchant Monitoring Service Provider (MMSP). Mastercard works with approved third-party providers that scan merchant behavior patterns. An alert from one of these providers can put you into the investigation path. Austreme's summary of the June 2025 MMP updates covers how MMSP requirements have evolved.

Why Subscription and SaaS Merchants Are Particularly Exposed

The 5% combined threshold is brand new. It doesn't matter if your chargeback ratio is fine under ECM rules. What matters is whether your refunds plus chargebacks, combined, exceed 5% in any 30-day window with 500+ transactions. For subscription merchants, SaaS companies, and new CNP businesses, refund rates are naturally higher. Trial cancellations, forgotten renewals, billing descriptor confusion, and customer service escalations all push this number up before a single dispute is filed.

If refunds and disputes are counted together, early prevention becomes even more important than recovery. That's a meaningful shift for how merchants should think about their dispute strategy under SMMP.

New merchants are in the highest-risk category. Scam operations often onboard, process quickly, accumulate disputes, and disappear. Mastercard knows this pattern, which is why the rules are strictest for merchants under six months of processing history. A legitimate new subscription or SaaS business goes through the same scrutiny.

The 72-hour investigation window means acquirers need clean evidence fast. If an investigation opens, your acquirer will be pulling transaction records, refund behavior, chargeback documentation, website content, and billing descriptors. The merchants who get cleared quickly are the ones who have organized, complete evidence ready before the question is ever asked.

What Merchants Should Do Before July 24

Track refunds and chargebacks together, not separately. Most dispute monitoring treats these as separate metrics. Under SMMP, they're combined. Start calculating your 30-day rolling combined rate now and set an internal alert well below 5% to give yourself reaction time.

Prioritize prevention over recovery for high-refund categories. Chargeflow Alerts deflects disputes before they file, which keeps the combined rate down. Chargeflow Prevent goes further by stopping friendly fraud at the source. For new merchants or anyone approaching the 5% threshold, prevention is more valuable than recovery right now.

Review your billing descriptors. Descriptor confusion is one of the most common reasons customers call their issuer instead of your support team. When they call their issuer, their language about the charge often becomes part of the dispute record, and under SMMP, that language matters. "Unexpected charge" and "don't recognize this" are very different from "scam" and "manipulation," but both can end up in a chargeback.

Brief your acquirer on your business model. If you're new to Mastercard processing, or if you're in a vertical with naturally elevated refund rates, proactively giving your acquirer context before a trigger fires puts you in a much better position than having to explain yourself during a 72-hour window. They cannot defend what they don't understand.

Get your documentation in order. Chargeflow builds detailed evidence packets for disputes. That same documentation is what your acquirer needs during an SMMP investigation. Complete records of cancellation logs, delivery confirmations, ToS acceptance, and support interactions aren't just for winning disputes anymore, they're your defense against processing termination.

The Bigger Picture

Mastercard is shifting accountability upstream. Acquirers and payment facilitators now carry formal obligations to act fast on scam signals, which means they have every incentive to offboard merchants who look risky before an investigation lands on their desk. For PayFac and platform merchants, this is particularly important: the SMMP obligations flow down to sub-merchants. If a sub-merchant on your platform triggers an investigation, your acquirer is on the hook, which means you are too. Platform operators running Stripe Connect, marketplace models, or any embedded payment structure now have a direct reason to monitor dispute and refund health across their entire portfolio, not just at the platform level. Cartis Payments has a sharp analysis of what this shift in acquirer liability actually means.

The merchants who will be fine are the ones who look clean before anyone asks. Low combined refund and chargeback rates, clear billing descriptors, organized evidence, and a business model their acquirer understands.

The merchants who will struggle are the ones who have been treating dispute management as an afterthought, assuming their chargeback ratio alone tells the full story. Under SMMP, it doesn't.

Acquirers won’t wait for an investigation to offboard a risky-looking merchant. Rather be the merchant no one needs to investigate. 

See how Chargeflow keeps you under the 5% threshold, automatically. →

Veelgestelde vragen

What is Mastercard's Scam Merchant Monitoring Program (SMMP)? SMMP is a Mastercard enforcement program that requires acquirers to investigate any merchant flagged for scam activity within 72 hours. If the investigation confirms scam activity, the merchant's Mastercard and Maestro processing is terminated immediately. It takes full effect July 24, 2026.

How is SMMP different from Mastercard's ECM program? ECM and EFM are ratio-based programs that result in fines and give merchants time to remediate. SMMP is an investigation-based program triggered by scam signals. The consequence of a confirmed investigation is immediate processing termination, not a fine.

What is the 5% threshold under SMMP? For merchants with less than six months of Mastercard processing history and at least 500 transactions in a 30-day period, a combined refund and chargeback rate above 5% can trigger an SMMP investigation. This is separate from ECM thresholds and counts refunds and disputes together.

Which merchants are most at risk? New card-not-present merchants under six months of Mastercard history face the strictest scrutiny. Subscription, SaaS, iGaming, travel, and digital goods merchants also carry elevated exposure because their business models naturally produce higher refund and dispute rates.

How does Chargeflow help with SMMP compliance? Chargeflow Alerts deflects disputes before they file, keeping the combined refund and chargeback rate down. Chargeflow Prevent stops friendly fraud at the source. Chargeflow's automated evidence documentation also gives merchants and their acquirers the clean, organized records needed to respond quickly if an investigation opens.

Further Reading

G2 Risk Solutions: Mastercard MMP Requirements 2026, operational guidance on what acquirers and merchants need to have in place.

LegitScript: The Next 6 Months Will Redefine Merchant Risk Management, broader context on how SMMP fits into the wider shift in merchant risk standards heading into late 2026.