Brand Protection in Payments: Why Merchant Risk Is No Longer Just a Merchant Problem

Brand protection in payments is no longer just a merchant issue. It is becoming a wider risk management issue for acquirers, payment facilitators, platforms, and others across the payments ecosystem.

What has changed is not only the scale of online risk, but how that risk travels. Merchant misconduct, concealment, and misrepresentation no longer stay contained at the merchant level. They can quickly create regulatory, financial, and reputational exposure for the organizations that enable or support that activity.

That shifts the core question. It is no longer enough to ask whether a merchant appeared acceptable at onboarding. The real question is whether the organization can show it had the right controls, visibility, and oversight as merchant behavior changed over time.

‍

In brief

Brand protection in payments is no longer limited to screening merchants at onboarding. Accountability is widening across the payments ecosystem at the same time that online merchants are becoming more sophisticated in how they conceal risk, understate their true activity, and work around traditional controls. For payment providers, acquirers, and platforms, that means merchant oversight must become continuous, contextual, and resilient to deception, especially in the context of Mastercard BRAM and Visa GBPP requirements.

What this article highlights:

• Merchant risk no longer stays with the merchant alone. It can create exposure for acquirers, payment facilitators, platforms, and others across the payments ecosystem.
• The real challenge is no longer obvious noncompliance. It is merchants making risky activity look credible, low risk, or compliant on the surface.
• Traditional checks are failing because they are static, point-in-time, and too easy to outmaneuver.
• BRAM and GBPP are not simple website review exercises. They require organizations to assess merchant behavior, identity, geography, and operating model in context.
• The strategic shift is from onboarding checks to ongoing oversight that can detect deception as merchant online behavior changes.

‍

Why accountability is broadening across the payments ecosystem

This shift is being driven by more than scrutiny from card networks such as Visa and Mastercard alone. It is also being tested through legal scrutiny and public accountability. Visa says illegal activity is not tolerated on its network, that all participants in the payments ecosystem have a role to play in detecting and rooting it out, and that merchants in higher-risk categories may require enhanced safeguards and closer performance monitoring through their acquirers

At the same time, courts have shown a willingness to examine whether accountability can extend beyond the direct merchant in certain circumstances. In one Eleventh Circuit case, the court upheld joint and several liability against a payment processor after finding it had provided “substantial assistance” to a primary violator. In separate U.S. litigation involving Pornhub, a pre-trial decision allowed claims against Visa to proceed at an earlier stage, underscoring how payment actors can be drawn into scrutiny beyond the merchant itself.

That does not mean liability automatically extends across the ecosystem in every case. It does mean the risk model is changing. Exposure is increasingly being examined through a wider lens, one that looks not only at who committed the act, but also at who enabled, processed, monetized, or failed to challenge it.

‍

Why merchant deception is getting harder to detect

The problem is not simply that some merchants are non-compliant. It is that the methods used to conceal risk are becoming more sophisticated, more adaptive, and more deliberately engineered to bypass traditional review processes.

Visa itself says tools are helping detect merchants who “fraudulently conceal the true nature of their businesses” to avoid compliance requirements, and that it has seen a fivefold increase in acquirer remediation and terminations for merchant noncompliance between 2020 and 2024.

Increasingly, modern merchant risk does not present as obvious non-compliance. It presents as a site that looks plausible, polished, and low risk on the surface, while the real activity sits somewhere deeper in the flow. In other words, the challenge is no longer just identifying prohibited categories. It is identifying merchants that are actively engineering their websites, journeys, and disclosures to look compliant while hiding something else.

This shift is not theoretical. As merchant activity becomes increasingly digital, risk is embedded in how these experiences are designed to appear legitimate while masking underlying behavior.

‍

How merchants are engineering around traditional compliance checks

The most effective concealment rarely looks like concealment at first glance. It looks familiar, credible, and low risk. That is what makes it effective.

Camouflage

Some online merchants disguise high-risk activity inside pages that look like ordinary ecommerce. A page may include pricing, discounts, ratings, and polished product layouts that suggest a normal retail experience, while the real offer is something very different. What looks like a standard product listing may actually be promoting gambling, restricted services, or another high-risk activity.

‍

Redirects that change the real journey

The page being reviewed is not always the page the customer ultimately experiences. A site may look acceptable at first click, then redirect the user into a completely different environment. That second destination may sit on another domain, carry a different identity, or push the user toward off-platform sign-up, login, chat, or payment-adjacent flows. The visible landing page is only part of the story.

‍

Different experiences for bots and humans

Some merchants are becoming more deliberate in how they avoid detection. They may present one experience to a scanner or automated check, and a different one to a real visitor. In practice, that can mean compliant-looking content for bots and much riskier content for people. This makes traditional checks far less reliable because the deception is built into the experience itself, not just the page content.

‍

Borrowed trust

Some merchants take advantage of domains that appear legitimate because of their history, branding, or previous use. A site may look credible on the surface, not because the current business is trustworthy, but because it is inheriting trust from something older or unrelated. Legacy content, familiar branding, or a previously legitimate web presence can all make a risky site appear more credible than it really is.

‍

Fragmented identity

The brand a user sees, the domain they land on, the legal entity behind the site, and the destination handling the next step may not line up at all. That makes it difficult to determine who the merchant really is, what business they are actually conducting, and who is ultimately taking the transaction. In some cases, there is no clear legal entity disclosed at all.

‍

Missing information by design

Sometimes the clearest warning sign is not what is shown, but what is missing. No legal entity. No clear refund terms. No meaningful support path. No transparent explanation of what the customer is actually buying or signing up for. A site can look polished enough to pass a quick review while withholding the very information needed to make a genuine risk assessment.

‍

This is what makes modern merchant deception so difficult to detect. The risk is rarely presented in a blunt or obvious way. It is disguised inside familiar formats, hidden across redirects, softened by borrowed trust, and obscured by fragmented or missing information. For compliance teams, the challenge is no longer just spotting what looks prohibited. It is recognizing when a site has been deliberately designed to look safer and more transparent than it really is.

Why legacy approaches to Mastercard BRAM and Visa GBPP compliance are failing

Traditional compliance checks were not designed for this kind of environment. They are often static, surface-level, and point-in-time. They can confirm what a merchant wants a reviewer or scanner to see, but they struggle to determine whether that presentation is truthful, complete, and consistent across the wider customer journey. Increasingly, they are also falling for the very tactics merchants now use to avoid detection, from compliant-looking storefronts and redirect chains to fragmented identities and missing disclosures.

This becomes even more challenging in the context of Mastercard BRAM and Visa GBPP. Both frameworks are designed to protect the integrity of the payments ecosystem, but they are not simple box-ticking exercises and they are not identical. Each has its own requirements, priorities, and thresholds. In practice, that means a merchant may appear acceptable under one scheme but fail under another. A business model may be legal in one jurisdiction but problematic in another. A site may not fail because of a single visible page, but because the surrounding identity, behavior, geography, and operating model do not hold together under scrutiny.

That is where many existing tools and processes start to break down. Some focus too narrowly on page content. Others are built around fixed rules that cannot easily handle context, behavior, or jurisdictional nuance. Many were built to assess declared risk, not concealed behavior, which makes them more vulnerable to the tactics merchants now use to avoid detection. Manual review can still catch some of these issues, but it becomes harder to scale, harder to sustain, and easier to outmanoeuvre when merchants already understand how conventional checks work.

Even a strong onboarding review is still only a moment in time. Merchant behavior can change after approval. Sites can be repurposed. Flows can be redirected. A business can look one way at onboarding and very different weeks or months later.

That is the strategic shift now underway in payments. The real question is no longer whether the merchant passed an onboarding check once. It is whether the organization can still stand behind that decision as conditions change.

‍

What modern merchant oversight needs to detect hidden risk

If static checks are no longer enough, the answer is not simply more manual review. It is a more effective way to assess merchant risk as it changes over time.

For payment providers managing BRAM and GBPP complexity, that means moving beyond surface-level reviews and point-in-time decisions. Oversight needs to be able to assess merchant behavior in context, identify when the visible story and the underlying reality do not match, and respond when risk shifts after initial approval.

That is the real change now underway. Merchant oversight must become more continuous, more contextual, and more resilient to deception.

‍

How AIQ SiteScanner™ was built to detect deception, not just declared risk

If the challenge is now hidden risk rather than declared risk, merchant oversight needs to become more intelligent, more adaptive, and more resilient to deception.

AIQ SiteScanner™ was built to address exactly that challenge.

As merchant deception becomes harder to detect and easier to scale, payment providers need a way to assess more than what appears on the surface. They need to identify concealed activity, resolve ambiguity, and detect when a merchant’s stated business does not match what is actually happening across the customer journey.

AIQ SiteScanner™ is a capability within MVSI’s OnBoard AIQ™ platform, built specifically to help payment providers, banks, and acquirers detect online merchants using deception to bypass Mastercard BRAM and Visa GBPP rules and controls. Rather than treating compliance as a static website check, it combines AI-driven analysis with configurable compliance logic to detect hidden risk at scale.

The challenge is not simply identifying what a merchant claims to be. It is assessing what the merchant is actually doing across the full journey. AIQ SiteScanner™ was designed to evaluate signals across prohibited activity, hidden activity, merchant identity, fulfillment transparency, refunds and support, age-restricted controls, checkout and disclosure controls, infringement risk, and overall hidden risk. It was also built so that questions, thresholds, prompts, and outputs can be adapted to different rule interpretations, risk appetites, and internal workflows.

In practical terms, that means it can surface the kinds of patterns traditional checks are most likely to miss: cloaking, redirects, disguised activity, identity inconsistency, off-domain flows, jurisdiction-sensitive risk, and business model mismatches that only become clear when behavior and context are analyzed together.

“Compliance teams are no longer dealing with straightforward websites or straightforward risk,” said Daniel Sheahan, CEO of MVSI. “They are dealing with merchants who know exactly how traditional checks work and how to get around them. That is what makes this such an urgent problem. That is exactly why we built AIQ SiteScanner and, to our knowledge, why it is the first solution designed specifically for this challenge.”

For payment providers managing BRAM and GBPP complexity, that is the real shift. Compliance can no longer rely on surface-level snapshots of merchant websites. It needs to become more intelligent, more dynamic, and more resilient to manipulation.

AIQ SiteScanner™ was built for that environment, helping payment providers detect hidden risk, reduce manual effort, and respond faster as merchant behavior changes.

As merchant deception becomes harder to detect and easier to scale, the challenge is no longer just approving merchants once. It is maintaining oversight over time and identifying when the visible story no longer matches the underlying reality.

AIQ SiteScanner™ helps strengthen BRAM and GBPP oversight with a more continuous, context-aware approach to hidden merchant risk.

Request a demo to see how it works.