You followed every law. Filed every tax return. Got the business license. Built the product. And one morning you wake up to find your payment gateway frozen, your funds on hold, and an email from your acquirer telling you you have been placed on the MATCH list.
No trial. No appeal. Just done.
This is the reality for hundreds of merchants every year, not because they broke any law, but because they violated a private rule set by Visa or Mastercard. Two companies that most business owners treat like utilities (like water or electricity) but that are, in fact, private corporations with their own rulebooks, their own courts, and the power to exile you from their network permanently.
If you want to keep processing payments, especially in a high-risk vertical, you need to understand these rules before they find you.
The biggest rule violation nobody talks about: Transaction Laundering
Let's start with the one that ends careers fastest.
Transaction laundering, also called cloaking or the front store strategy, is when you use a payment gateway approved for one website to secretly process payments for a different website.
The typical playbook looks like this: you apply for a gateway through a low-risk website (perhaps a generic e-commerce store), get approved, and then quietly route payments from your high-risk business through that merchant account. Easy money, right?
Wrong.
Visa and Mastercard have monitoring systems specifically designed to detect this. Mismatched transaction patterns, unusual product descriptors, IP discrepancies — they catch it. And when they do, you don't just lose your gateway. You get placed on the MATCH list (Member Alert to Control High-Risk Merchants), also called the TMF (Terminated Merchant File), the industry-wide blacklist that follows you for five years and effectively bars you from opening new merchant accounts anywhere in the networks.
Add severe financial fines on top, and you can see why this is the nuclear option of card scheme violations.
The rule of thumb: one business, one gateway, one merchant account. Every time.
The "small" violations that create big problems
Not every violation is dramatic. Some are embarrassingly simple, and still costly.
Misusing the Visa and Mastercard logos
If you have the Visa or Mastercard logo in the footer of your website (and most merchants do), you are operating under brand usage guidelines set by those networks. These guidelines dictate exact size ratios, color specifications, placement rules, and context requirements.
Non-compliance won't trigger an immediate ban. But it can cause your acquiring bank to place your settlement funds on hold until the issue is resolved. For a merchant moving meaningful volume, having days or weeks of revenue in limbo is not a minor inconvenience, it's a cash flow crisis.
Always reference the official Visa brand guidelines and Mastercard brand standards before publishing anything with their logos.
The Honor All Cards rule
If you accept Visa, you accept all Visa cards. If you accept Mastercard, you accept all Mastercards.
That sounds reasonable until you realize that premium cards, Visa Signature, Visa Infinite, Mastercard World Elite, carry significantly higher interchange rates. A merchant who only wants to accept basic debit cards cannot selectively opt out of premium products. The network contract doesn't allow it.
This is a cost many high-volume merchants never accounted for when they first set up processing.
Not sure if your current setup is putting you at risk?
Most merchants only find out about compliance gaps when it's too late. At IREOWO, we review your merchant structure before the networks do. It only takes a few minutes to get started.
Start processing payments the right way → You pay nothing unless approved.If you operate an adult content platform, read this carefully
The rules for adult content merchants are the strictest in any non-financial vertical. Mastercard, in particular, dramatically tightened its standards following the 2020 actions against Pornhub and subsequent 2022 enforcement waves against related platforms.
Here is what Mastercard now requires for every adult content merchant, regardless of size:
Documented consent and age verification
Merchants must obtain and retain documented, written consent from every individual who appears in content, including live-streamed material and AI-generated content. This applies to performers, models, and anyone visible on screen. Simultaneously, merchants must verify both the age and identity of all content creators and uploaders.
This is not a "best practices" suggestion. It is a contractual requirement. Failure to maintain these records is grounds for immediate termination of payment services.
Pre-screening and real-time monitoring
All content must be reviewed before publication to confirm it is legal and meets Mastercard's content standards. For live streams, real-time monitoring systems must be in place during transmission. There is no grace period for content that goes live and is flagged afterward.
Rapid takedown procedures
Adult platforms must maintain a formal complaint-handling system and be capable of removing non-consensual or non-compliant content within seven business days of a complaint being filed.
Absolute content prohibitions
There is zero tolerance, meaning no exceptions, no context, no framing, for content involving child sexual abuse material (CSAM), non-consensual sexual acts, or any other illegal sexual content.
Monthly acquirer reporting
Acquiring banks that service adult merchants must submit monthly reports detailing flagged content, complaint volumes, and resolution outcomes. This creates a paper trail that regulators and card networks can audit at any time.
The practical implication: adult merchants are treated as a distinct risk category, subject to ongoing mandatory oversight. Operating in this space without a compliance infrastructure is not just risky, it is existentially threatening to your business.
Is your high-risk business one audit away from losing everything?
At IREOWO, we specialize in payment compliance and merchant account structuring for high-risk industries. We know the rules because we live them every day.
Protect your business before the networks do it for you → You pay nothing unless approved.The rules that go beyond adult content
Card network rules reach into industries you might never expect. Here are the ones that surprise merchants most:
Gaming and content censorship
Visa and Mastercard have applied pressure to digital platforms, including Steam and itch.io, demanding the removal of games containing adult content or extreme violence, even when those games are entirely legal in the jurisdictions where they're sold.
This is not law. No government mandated these takedowns. It is the card networks exercising their private power as intermediaries. Merchants and platforms that depend on these networks for revenue can find themselves forced to self-censor or lose payment access.
You can review Mastercard's current merchant rules directly in the Mastercard Rules document.
Financial censorship of content creators
Similar pressure has been applied to platforms like Patreon, where card networks have reportedly influenced content moderation decisions by threatening to withdraw payment services from creators whose content, though legal, falls outside their subjective standards.
The pattern is consistent: whoever controls the payment rails controls what content is economically viable.
The surcharging prohibition
For years, card network rules prohibited merchants from charging customers a fee specifically for paying with a card, even though accepting those cards costs the merchant money in interchange fees.
In Europe, PSD2 (the Second Payment Services Directive) has now made this prohibition law for consumer cards, removing the merchant's ability to pass those costs on. In other regions, this remains a network contractual rule that forces merchants to absorb transaction costs rather than pass them transparently to customers.
For high-margin businesses this is manageable. For thin-margin operators in competitive sectors, it is a permanent tax on every sale.
Automatic geographic blocks
Despite being global networks, Visa and Mastercard fraud detection algorithms routinely block legitimate cross-border transactions, flagging purchases made in a country different from the cardholder's home country as suspicious.
If your business model involves international customers, you are inherently fighting an automated system that treats geographic diversity as a fraud signal.
Staying current with card scheme rules is practically a full-time job. If you need expert guidance on structuring your payments infrastructure without triggering network violations, register with IREOWO and let our specialists protect your operations.
You pay nothing unless approved.
Why do Visa and Mastercard have these rules at all?
This is the question every frustrated merchant eventually asks: I'm the customer, why do they get to dictate my entire business model?
The answer starts with a fundamental truth about payment infrastructure.
They are private companies, not public utilities
Governments issue cash. Everything else is private.
Visa, Mastercard, American Express, Bizum, Blik, Bancontact, iDEAL, Klarna. Every non-cash payment method in the world is operated by a private entity under its own terms. When you use their rails, you are using a private service, and you are agreeing, whether you read the contracts or not, to their private rules.
You can disagree with the rules. Many of them are legitimately controversial. But the framework is not negotiable: these networks set standards, and merchants who want access must comply.
The cost of no rules: the Fresno Drop
In 1958, Bank of America, the founder of what would become Visa, conducted an experiment that became known as the "Fresno Drop." They mailed 60,000 unsolicited, active credit cards to residents of Fresno, California.
The result was catastrophic. Fraud exploded. Defaults surged. The bank nearly collapsed.
The lesson etched into payment network DNA ever since: without strict, rigorously enforced rules, the entire payment system becomes unusable. Every chargeback rule, every merchant category restriction, every fraud monitoring protocol traces its lineage back to the chaos of Fresno.
High-risk merchants pay the collective price
The networks have dramatically reduced fraud rates, but not to zero. According to the Merchant Risk Council's Global Payments and Fraud Report, fraud remains a multi-billion dollar problem across the ecosystem.
High-risk merchants, by definition, operate in categories with elevated fraud exposure. That means stricter scrutiny, tighter approval parameters, and in some cases, algorithmically suppressed approval rates tied to your MCC (Merchant Category Code).
If your MCC historically shows elevated fraud, Visa and Mastercard may quietly start reducing your approval rates. You don't get a warning letter. You just start losing sales, and the decline reason reads "do not honor."
The tools to mitigate this, platforms like Kount, Riskified, and Signifyd, can substantially reduce fraud exposure, but none eliminate it. If you're not prepared to accept that reality, online business is a dangerous place to be.
Want to learn more about how high-risk merchant accounts are structured? Read our guide on high-risk payment processing at IREOWO
The bottom line
Visa and Mastercard built their rules to protect an ecosystem that processes trillions of dollars every year. They have every incentive, and the power, to enforce those rules without asking your permission.
If you want to operate in their networks, especially in a high-risk category, the choice is simple: get compliant, get help, or get out.
There is no shortcut that doesn't eventually lead to the MATCH list.
Start processing payments for your high-risk business, the right way
At IREOWO, we've helped high-risk merchants across adult content, gaming, nutraceuticals, crypto, travel, and more structure their payment operations to stay compliant, stay profitable, and stay in business.
Get your merchant account set up with IREOWO → You pay nothing unless approved.Sources and further reading:
Curious Things You're Probably Wondering
In most cases, no. The standard MATCH listing lasts five years. The only exceptions are if the listing was placed in error, and proving that requires going through a formal dispute process with the acquiring bank that reported you. It's time-consuming, expensive, and rarely successful unless the error is clear-cut. The practical answer: don't end up there in the first place.
More than most merchants realize. They see your MCC, your merchant descriptor, your chargeback patterns, your refund velocity, and, through acquiring bank monitoring, often the nature of disputed transactions. They also use behavioral analytics to model what "normal" looks like for each merchant category. Unusual patterns get flagged regardless of what your descriptor says.
Not necessarily. Approval rates depend more on fraud rates, chargeback ratios, and card scheme standing than on the category of processor you use. A well-structured high-risk merchant with low fraud metrics can achieve approval rates comparable to low-risk merchants. The processor matters, but your operational behavior matters more.
A chargeback is a reversal initiated by the cardholder through their bank, and it can happen for legitimate reasons (defective product, non-delivery) or for "friendly fraud" (buyer remorse). A fraud dispute specifically signals that the cardholder didn't authorize the transaction. Card networks track both separately, and fraud dispute rates are weighted more heavily in risk assessments. Too many fraud disputes and your account gets reviewed, or closed.
Yes. Card networks can place a merchant on monitoring programs or restrict processing without the merchant being notified in advance. Your acquirer or gateway will typically receive the communication, but you may only find out when your approval rates drop or transactions start declining. This is one of the strongest arguments for maintaining proactive compliance monitoring rather than waiting for problems to surface.
Only by not using their networks, which means no Visa, no Mastercard, no co-branded cards of any kind. Some businesses have explored alternative payment rails (bank transfers, crypto, local payment methods like SEPA in Europe or ACH in the US) to reduce dependency on the card networks. This is viable in some markets but rarely practical as a complete replacement for card acceptance, since consumer preference for card payments remains dominant globally.
