Book Demo
KenalKenal AURA
Sign In
Glossary

MMSP (Merchant Monitoring Service Provider)

A Merchant Monitoring Service Provider (MMSP) is a third-party vendor accredited by Mastercard to perform ongoing merchant website monitoring on behalf of an acquirer. The acquirer remains accountable; the MMSP delivers the operational capability.

Definition

A Merchant Monitoring Service Provider (MMSP) is a third-party vendor accredited by Mastercard to perform ongoing merchant website monitoring on behalf of an acquirer. The acquirer remains accountable; the MMSP delivers the operational capability.

What an MMSP actually does

An MMSP is the operational hands behind an acquirer's compliance program. Mastercard permits acquirers to delegate the monitoring work to an accredited third party so that they don't have to build and run a crawler, a classifier, a review queue, and a reporting pipeline themselves. But Mastercard does not permit delegation of accountability. The acquirer still owns the decisions.

In practice, an MMSP provides:

  • Continuous crawling of every merchant website in the acquirer's portfolio.
  • Content classification against BRAM content categories.
  • Drift detection against a baseline merchant profile.
  • Alert queues that route confirmed findings to analyst review.
  • Evidence packages with integrity hashes and timestamps.
  • Reports aligned to the Mastercard MMP format and cadence.
  • SLA tracking for the 5-business-day detection-to-escalation clock.

Building in-house versus contracting a provider

Building the infrastructure an MMSP runs is expensive and specialized. Multilingual crawlers, classifier pipelines, evidence storage with chain of custody, and MMP-aligned reporting tooling are not off-the-shelf capabilities. Acquirers typically choose one of three paths: build the capability internally, contract an accredited MMSP, or license purpose-built tooling and run the operation themselves. The right answer depends on portfolio size, risk distribution, and in-house engineering capacity.

The commercial model varies. Some MMSPs charge per merchant per month, some charge for scan volume, some offer bundled plans with fixed monthly fees. The right model depends on portfolio size, risk distribution, and the cadence of re-scans.

The division of responsibility

The split between acquirer and MMSP is worth being explicit about because it is often misunderstood in commercial conversations:

  • MMSP delivers: detection, classification, alerting, evidence capture, reporting, and technical SLA tracking.
  • Acquirer retains: the decision to terminate a merchant, the relationship with the merchant, the liability to Mastercard, the audit response, and the MATCH listing authority.

This is why investigation workflows must have a clear analyst owner: someone at the acquirer who makes the call and signs off on each resolution. The MMSP surfaces the problem; the acquirer decides what to do about it.

MMSP accreditation

Mastercard maintains a list of accredited MMSPs. Acquirers that choose to contract an MMSP for the monitoring operation should verify accreditation before signing. Acquirers that choose to run the monitoring in-house, including with purpose-built tooling, retain the same accountability they would under any arrangement: the program must meet MMP requirements on cadence, coverage, SLAs, and reporting, and the acquirer answers for it to Mastercard either way.

Related

Mastercard MMP

The monitoring program MMSPs are accredited to support.

Read more

BRAM Compliance

The rule set that defines what MMSPs look for.

Read more

Compliance Reporting

How Kenal AURA packages evidence for acquirer and scheme reporting.

Read more

Frequently asked questions

Can acquirers run monitoring in-house instead of using an MMSP?
Yes. Mastercard lets acquirers run merchant monitoring in-house, contract an accredited MMSP, or license purpose-built tooling to run the operation themselves. The decision depends on portfolio size, language coverage needs, and operational capacity. What Mastercard requires is that the monitoring actually happens on the required cadence, with evidence, and within the SLAs.
How does Kenal AURA fit into this?
Kenal AURA is purpose-built tooling for merchant monitoring: continuous crawling, classification against BRAM, severity queues, investigation workflows, and reports aligned to the MMP reporting format. Acquirers use it to run their own monitoring operation. An accredited monitoring provider can also use it to power the operational layer of its own program.
Where does the 5-day SLA come from?
Mastercard's MMP requires the MMSP to escalate confirmed violations to the acquirer within 5 business days of detection. The acquirer then has 15 calendar days from notification to remediate. Kenal AURA tracks both clocks as dual SLA timers on each investigation.
Does using an MMSP transfer liability?
No. The acquirer remains fully accountable to Mastercard for merchant compliance. The MMSP delivers the capability and the evidence, but the decisions (and the ultimate liability) stay with the acquirer.

See how Kenal AURA handles this in production

Kenal AURA is the merchant lifecycle risk operations platform for acquirers, PSPs, and fintechs across Malaysia and ASEAN.

Book DemoView Capabilities