Mastercard announces additions to BRAM program

Web Shield Marketing
Created: Mar 21, 2022
Updated: Jun 18, 2024

In response to recent trends in illegal or brand-damaging activity, Mastercard has updated its Business Risk Assessment and Mitigation (BRAM) program. The changes around Ukraine crisis-related scams, gambling transactions, the sale of counterfeit goods on marketplaces, cashless ATMs and firearms sales were effective 15 March 2022.

Ukraine crisis-related scams

Criminals are master manipulators. They use fear, uncertainty, and doubt to trick people into revealing personal or financial details. In contrast, they also exploit our kindness and generosity for their own gain, as Mastercard warns in bulletin AN 6198 Updates for the Business Risk Assessment and Mitigation Program.

Mastercard is aware of charity scams that capitalise on the current situation in Ukraine. Acquirers with merchants accepting payments in support of people and organisations in Ukraine should perform enhanced due diligence. This is to verify that the merchant is a legitimate entity and that any funds received are directly benefiting the charitable causes described.

Additional scams may include refugees requesting support through individual donation pages, person-to-person (P2P) payments, or small merchant businesses. Resources for validating the legitimacy of a charity include:

Web Shield says…

As with most ecommerce acceptance risks, dubious business practices and outright fraud can be managed at merchant underwriting and setup stage with carefully devised policies and procedures, followed by ongoing monitoring. Web Shield’s investigative capabilities include identifying customer complaints or fraud warnings on merchants.

We have added new keywords to flag Ukrainian crisis-related scams. Our onboarding solution, InvestiGate, contains direct integrations to card scheme watch lists and the Better Business Bureau. We also operate a crowd-sourced warning list that is constantly growing, in addition to blacklists acquirers can create themselves.

Gambling transactions

Attempts to circumvent card scheme requirements in respect of merchant location, licensing and miscoding of gambling transactions continue.

Merchant location

Mastercard reminds acquirers that they must only acquire merchants within their ‘area of use’, namely within the jurisdictions permitted under their Mastercard licence. The entity signed must be the one conducting the business. The merchant must hold all the necessary licences and permits to conduct their business in the country and is subject to local consumer laws and courts.

When it comes to the merchant address, none of the following satisfies the requirement to conduct business within a country or ‘area of use’: a post-office box, a warehouse address with no business-related functions, the physical address of a merchant’s law firm, vendor, agent or computer servers, or a URL.

This may seem like common sense; however, Mastercard has observed several instances where an acquirer has entered into a relationship with a payment agent or subsidiary of a legal entity located outside of the acquirer’s ‘area of use’.

Web Shield says…

Web Shield offers several services to verify merchant location, including address validation, analysis of Google Street View imagery, offshore database checks, fraudulent address and connected entity matching. Our eLoc service (e-location) performs location verification on entire portfolios or on merchants with specific MCCs.

Miscoding gambling transactions and sharing cardholder details

Mastercard has become aware of a trend where merchants process a gambling transaction with an appropriate gambling-related card acceptor business code, formerly known as a merchant category code or MCC for short. Gambling MCCs include 7800, 7801, 7802, 7995 and 9406.

When the transaction is declined by the issuer, the merchant switches to a non-gambling-related MCC and attempts a second authorisation. This may subsequently be approved by the issuer.

Mastercard has also noted that merchants may be sharing cardholder credentials with other merchants to process the second authorisation request. Clearly, this is against Mastercard rules and all good data security practice (PCI DSS).
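
A monitoring check for the decline-then-recode pattern described above, as an added example that is not taken from Mastercard's bulletin or from Web Shield's products. The record field names, the sample authorisations and the 15-minute retry window are assumptions; only the gambling MCC list comes from the article.

```python
from datetime import datetime, timedelta

# Gambling MCCs as listed in the article.
GAMBLING_MCCS = {"7800", "7801", "7802", "7995", "9406"}
RETRY_WINDOW = timedelta(minutes=15)  # assumed threshold, tune per portfolio

# Constructed sample authorisation records (hypothetical fields and values).
SAMPLE_AUTHS = [
    {"ts": "2022-03-15T09:00:00", "card": "tok_D", "merchant": "M-400", "mcc": "5411", "amount_minor": 1500, "approved": True},
    {"ts": "2022-03-15T10:00:00", "card": "tok_A", "merchant": "M-100", "mcc": "7995", "amount_minor": 5000, "approved": False},
    {"ts": "2022-03-15T10:02:10", "card": "tok_A", "merchant": "M-100", "mcc": "5816", "amount_minor": 5000, "approved": True},
    {"ts": "2022-03-15T11:00:00", "card": "tok_B", "merchant": "M-200", "mcc": "7801", "amount_minor": 2000, "approved": False},
    {"ts": "2022-03-15T11:01:00", "card": "tok_B", "merchant": "M-201", "mcc": "5999", "amount_minor": 2000, "approved": True},
    {"ts": "2022-03-15T12:00:00", "card": "tok_C", "merchant": "M-300", "mcc": "7995", "amount_minor": 3000, "approved": False},
    {"ts": "2022-03-15T14:30:00", "card": "tok_C", "merchant": "M-400", "mcc": "5411", "amount_minor": 3000, "approved": True},
]

def find_mcc_switch_retries(auths, window=RETRY_WINDOW):
    """Flag non-gambling authorisations that follow a declined gambling
    attempt on the same card token and amount within `window`."""
    findings = []
    last_decline = {}  # (card, amount) -> (timestamp, declined gambling auth)
    # ISO 8601 timestamps in one format sort correctly as strings.
    for auth in sorted(auths, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(auth["ts"])
        key = (auth["card"], auth["amount_minor"])
        if auth["mcc"] in GAMBLING_MCCS:
            if not auth["approved"]:
                last_decline[key] = (ts, auth)
            continue
        prior = last_decline.get(key)
        if prior and ts - prior[0] <= window:
            findings.append({
                "card": auth["card"],
                "declined_mcc": prior[1]["mcc"],
                "retry_mcc": auth["mcc"],
                "retry_approved": auth["approved"],
                # A different merchant ID on the retry points to
                # cardholder credentials shared between merchants.
                "cross_merchant": auth["merchant"] != prior[1]["merchant"],
            })
    return findings

if __name__ == "__main__":
    for finding in find_mcc_switch_retries(SAMPLE_AUTHS):
        print(finding)
```

Matching on an exact amount keeps false positives low but misses retries where the amount is altered slightly; loosening the key to the card token alone trades precision for recall.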

Web Shield says…

If there’s something card schemes really don’t like, it’s miscoded gambling transactions. This circumvents issuer blocks, attempts by cardholders to self-exclude from gambling transactions, and in some instances even anti-money laundering controls. Web Shield solutions offer guidance on business classification and afford automatic MCC detection. We have an extensive range of tools to counteract transaction laundering and load balancing.

Legal and regulatory updates: Azerbaijan

Gambling in Azerbaijan, including sports betting and lotteries, is only permitted under licence from the Azerbaijani authorities.

Legal and regulatory updates: France

Any gambling merchant operating in France must be appropriately licensed by French authorities, namely the Autorité Nationale des Jeux (ANJ). This includes remote gambling targeting customers in France, irrespective of where the gambling operator is based.

Legal and regulatory updates: Singapore

Remote gambling in Singapore has been illegal since the 2015 Remote Gambling Act. Under the Act, the financial service regulator has instructed financial institutions to block gambling payments. Mastercard expects issuers and acquirers to comply with all applicable requirements around this payment blocking order.

Web Shield says…

Remote gambling is increasingly being licensed and regulated in the country of consumption, namely where the cardholder is based. Information regarding gambling bans in Azerbaijan, France and Singapore has been integrated into Web Shield systems.

The sale of counterfeit goods on marketplaces

Mastercard continues to see an increase in the sale of counterfeit goods on online marketplaces, particularly those with poor oversight and control of seller activity. Mastercard prohibits the sale of copyright-infringing products or counterfeit trademark products, as outlined in its anti-piracy policy. Violations of this policy are investigated under the BRAM program.

Web Shield says…

Counterfeit goods are illegal. They make illegitimate use of the brand owner’s trademarks and reputation. The goods for sale are often of inferior quality, and sometimes actually dangerous to the consumer. This creates an acceptance risk for acquirers, who must ensure that merchants selling branded goods or digital content hold the necessary licences, and that these licences are valid. Our content violation scan is constantly updated to catch IP infringements.

Cashless ATMs

Mastercard warns that point-of-sale devices are being incorrectly set up as ATMs and purchase transactions, sometimes for the sale of illegal goods, miscoded as cash disbursements. Acquirers must conduct due diligence to ensure transactions are coded correctly.

Web Shield says…

Web Shield solutions offer guidance on business classification and afford automatic MCC detection.

Untraceable firearms

Certain US states have laws restricting activity around firearms that lack a unique serial number or are undetectable by security screening devices. The US Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is expected to provide additional guidance regarding frames, receivers, firearm parts kits, and privately made firearms, sometimes referred to as ‘ghost guns’. Acquirers are advised to ensure that their merchants comply with all applicable laws and regulations, and to keep a watching brief on this fast-evolving area.

Web Shield says…

Transactions must be legal in the country or state of both the buyer and seller. Web Shield has a well-maintained methodology to catch firearms sales that will also catch indicators for ghost guns.

Updates to MMSP monthly report submission requirements

Mastercard requires acquirers or merchant monitoring service providers (MMSPs) to provide monthly reports as part of their participation in the Merchant Monitoring Program (MMP). All data fields must be complete and accurate and be received by Mastercard by the fifth day of the month for the preceding month’s monitoring. Details of how reports must be formatted, the relevant data fields, file size and so on are included in bulletin AN 6198 Updates for the Business Risk Assessment and Mitigation Program.

Web Shield says…

Web Shield is already set up for the changes to MMSP monthly report submissions.

If you have any questions about any aspect of the BRAM update and how it affects Web Shield’s solutions, feel free to reach out to your account manager or contact
