Mastercard MMP (Merchant Monitoring Program)
Definition
Mastercard MMP is the Merchant Monitoring Program: the rule set that requires every Mastercard acquirer to continuously crawl and classify merchant websites, investigate violations within 5 business days of detection, remediate within 15 calendar days of notification, and file evidence in the Mastercard MMP reporting format.
What MMP actually requires
MMP is the operational half of the Mastercard compliance stack. BRAM defines what content is prohibited; MMP defines how acquirers must find it, investigate it, remediate it, and report on it. An acquirer can have a perfect BRAM policy on paper and still fail MMP if they are not running the monitoring cadence and reporting evidence the program requires.
The program applies to every Mastercard acquirer globally and covers every merchant they process, regardless of portfolio size or merchant segment. There is no minimum threshold below which monitoring is optional.
The operational clocks
MMP runs on two SLA clocks that have to be tracked on every investigation:
- Detection to escalation, 5 business days. From the moment a monitoring system flags a potential violation, the monitoring team (internal or MMSP) has 5 business days to confirm and escalate the finding to the acquirer's compliance team with a complete evidence package.
- Notification to remediation, 15 calendar days. From the moment the acquirer is notified, they have 15 calendar days to take action: remediate with the merchant (content removal), warn, suspend processing, or terminate. Evidence of the action and its outcome must be recorded.
Missing either clock is a compliance finding in itself. Acquirers that routinely miss the 15-day clock can face escalated audits, fines per missed case, and compliance probation. This is why investigation workflows need to track both clocks automatically and surface aging cases to analysts before they breach.
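One way a case system might track the two clocks and surface aging cases, as an added example that is not Mastercard's or any vendor's code. The `Case` fields, the `aging` helper, the `warn_days` threshold, and the convention that business days are Monday to Friday (minus an optional holiday set) with the start date as day zero are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ESCALATION_BUSINESS_DAYS = 5    # detection -> escalation (value from the page)
REMEDIATION_CALENDAR_DAYS = 15  # notification -> remediation (value from the page)

def add_business_days(start: date, days: int, holidays=frozenset()) -> date:
    """Date `days` business days after `start`.
    Assumption: business days are Mon-Fri minus `holidays`; `start` is day zero."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            days -= 1
    return current

def _status(due: date, done: Optional[date], today: date):
    """(state, due): a finished clock is met/breached, an unfinished one open/breached."""
    if done is not None:
        return ("met" if done <= due else "breached", due)
    return ("breached" if today > due else "open", due)

@dataclass
class Case:  # hypothetical case record
    case_id: str
    detected: date
    escalated: Optional[date] = None   # evidence package sent to compliance
    notified: Optional[date] = None    # acquirer notified
    remediated: Optional[date] = None  # action and outcome recorded

    def clocks(self, today: date, holidays=frozenset()) -> dict:
        """State of both clocks as of `today`."""
        esc_due = add_business_days(self.detected, ESCALATION_BUSINESS_DAYS, holidays)
        out = {"escalation": _status(esc_due, self.escalated, today)}
        if self.notified is None:
            out["remediation"] = ("not_started", None)  # clock starts at notification
        else:
            rem_due = self.notified + timedelta(days=REMEDIATION_CALENDAR_DAYS)
            out["remediation"] = _status(rem_due, self.remediated, today)
        return out

def aging(cases, today: date, warn_days: int = 2, holidays=frozenset()):
    """Open clocks due within `warn_days` calendar days, soonest first."""
    rows = []
    for c in cases:
        for name, (state, due) in c.clocks(today, holidays).items():
            if state == "open" and (due - today).days <= warn_days:
                rows.append((due, c.case_id, name))
    return sorted(rows)
```

The escalation clock skips weekends while the remediation clock does not, so the two deadlines cannot share one date calculation.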
How MMP relates to BRAM
BRAM and MMP are often used interchangeably in casual conversation, but they are distinct:
- BRAM is the content rule set. It defines the 17 prohibited content families (unlicensed pharmaceuticals, illegal gambling, counterfeit goods, and so on) and the severity tiers that attach to each.
- MMP is the operational program that enforces BRAM. It specifies the monitoring cadence, the detection and escalation SLA, the remediation SLA, the evidence format, the reporting cadence, and the acquirer accountability model.
Every BRAM violation flows through an MMP process. You cannot be compliant with BRAM without running an MMP-compliant monitoring operation.
What a good MMP program looks like
In practice, running a compliant MMP program means being able to demonstrate, at any point, the following:
- Coverage. Every merchant in the portfolio is in scope, with a documented scan cadence and last-scanned timestamp for every URL.
- Classification. Every scan produces a classification against the BRAM families. Ambiguous content is escalated for deeper review rather than silently dropped.
- Investigation workflow. Every alert has an owner, an evidence package, and a dual-clock SLA timer. Closed cases have structured resolution codes.
- Evidence retention. Scan screenshots, classification output, analyst notes, and remediation correspondence are retained for the full retention period (at least 7 years) with integrity guarantees.
- Reports. Periodic submissions to Mastercard in the MMP reporting format, aligned to the reporting cadence.
Kenal AURA is built to operationalize all five of these. The platform runs continuous scans against the BRAM taxonomy, applies multilingual classification, routes confirmed findings into dual-clock investigation queues, retains evidence with integrity hashes, and packages everything into reports aligned to the MMP reporting format on demand.
MMP enforcement and penalties
Mastercard takes MMP non-compliance seriously. Penalties escalate with severity and recurrence: per-violation assessment fees, mandatory compliance audits at the acquirer's expense, required remediation plans with progress reporting, MATCH listing of terminated merchants, and in severe cases, suspension or revocation of acquiring privileges. For a mid-sized acquirer, a single bad audit cycle can be existential.
That is why most acquirers treat MMP as a build-or-buy decision. Building a compliant monitoring operation from scratch requires crawling infrastructure, multilingual classifiers, an evidence store with chain of custody, a case management system with dual SLA clocks, and a report generator aligned to Mastercard's format. Most prefer to contract an accredited MMSP or license a purpose-built platform and retain accountability for the decisions.
Frequently asked questions
- What does MMP stand for?
  Merchant Monitoring Program. It is Mastercard's operational compliance program requiring acquirers to continuously monitor the websites of every merchant in their portfolio for prohibited content and policy violations.
- What are the MMP SLAs?
  Two clocks. The MMSP (or in-house monitoring team) must escalate a confirmed violation to the acquirer within 5 business days of detection. The acquirer must then remediate the violation within 15 calendar days of notification. Missing either clock is itself a compliance finding.
- How often do acquirers report under MMP?
  Mastercard requires periodic reporting on the prescribed cadence, with evidence packages aligned to the MMP report format. Report contents include scan coverage, detected violations, investigation outcomes, and remediation evidence. Kenal AURA produces these packages automatically from investigation case data.
- Can MMP monitoring be outsourced?
  The operational work can. Mastercard permits acquirers to contract an accredited MMSP (Merchant Monitoring Service Provider) to run the crawling, classification, and evidence capture. Accountability cannot be outsourced: the acquirer remains fully responsible to Mastercard for every merchant in its portfolio.