Brand protection in payments is becoming a broader ecosystem challenge. For acquirers, payment facilitators, platforms, and other participants, merchant risk now creates exposure that extends beyond the merchant itself.
What has changed is not only the scale of online risk, but the way that risk moves across the payments chain. Merchant misconduct, concealment, and misrepresentation no longer stay contained at the merchant level. They can quickly create regulatory, financial, and reputational exposure for the organizations that enable or support that activity.
This changes the core question. It is no longer enough to ask whether a merchant looked acceptable at the point of onboarding. The real question is whether the organization can show it had the right controls, visibility, and oversight as merchant behavior changed over time.
Brand protection in payments is no longer limited to screening merchants at onboarding. Accountability is widening across the payments ecosystem at the same time that online merchants are becoming more sophisticated in how they conceal risk, understate their true activity, and work around traditional controls. For payment providers, acquirers, and platforms, that means merchant oversight must become continuous, contextual, and resilient to deception, especially in the context of Mastercard BRAM and Visa GBPP requirements.
Highlights:
- Merchant risk no longer stays with the merchant alone. It can create exposure for acquirers, payment facilitators, platforms, and others across the payments ecosystem.
- The real challenge is no longer obvious noncompliance. It is merchants making risky activity look credible, low risk, or compliant on the surface.
- Traditional checks are failing because they are static, point-in-time, and too easy to outmaneuver.
- BRAM and GBPP are not simple website review exercises. They require organizations to assess merchant behavior, identity, geography, and operating model in context.
- The strategic shift is from onboarding checks to ongoing oversight that can detect deception as merchant online behavior changes.
- AI has a growing role in merchant oversight because it can analyse website behavior, identity signals, disclosures, redirects, and risk indicators in context, helping teams detect hidden merchant risk that static checks may miss.
Why merchant accountability is widening across the payments ecosystem
This shift is being driven by more than scrutiny from card networks such as Visa and Mastercard alone. It is also being tested through legal scrutiny and public accountability. Visa says illegal activity is not tolerated on its network, that all participants in the payments ecosystem have a role to play in detecting and rooting it out, and that merchants in higher-risk categories may require enhanced safeguards and closer performance monitoring through their acquirers
At the same time, courts have shown a willingness to examine whether accountability can extend beyond the direct merchant in certain circumstances. In one Eleventh Circuit case, the court upheld joint and several liability against a payment processor after finding it had provided “substantial assistance” to a primary violator. In separate U.S. litigation involving Pornhub, a pre-trial decision allowed claims against Visa to proceed at an earlier stage, underscoring how payment actors can be drawn into scrutiny beyond the merchant itself.
That does not mean liability automatically extends across the ecosystem in every case. It does mean the risk model is changing. Exposure is increasingly being examined through a wider lens, one that looks not only at who committed the act, but also at who enabled, processed, monetized, or failed to challenge it.
Why hidden merchant risk is becoming harder to detect
The problem is not simply that some merchants are non-compliant. It is that the methods used to conceal risk are becoming more sophisticated, more adaptive, and more deliberately engineered to bypass traditional review processes.
Visa itself says tools are helping detect merchants who “fraudulently conceal the true nature of their businesses” to avoid compliance requirements, and that it has seen a fivefold increase in acquirer remediation and terminations for merchant noncompliance between 2020 and 2024.
Increasingly, modern merchant risk does not present as obvious non-compliance. It presents as a site that looks plausible, polished, and low risk on the surface, while the real activity sits somewhere deeper in the flow. In other words, the challenge is no longer just identifying prohibited categories. It is identifying merchants that are actively engineering their websites, journeys, and disclosures to look compliant while hiding something else.
This shift is not theoretical. As merchant activity becomes increasingly digital, risk is embedded in how these experiences are designed to appear legitimate while masking underlying behavior.
How risky merchants work around traditional compliance checks
The most effective concealment rarely looks like concealment at first glance. It looks familiar, credible, and low risk. That is what makes it effective.
Camouflage
Some online merchants disguise high-risk activity inside pages that look like ordinary ecommerce. A page may include pricing, discounts, ratings, and polished product layouts that suggest a normal retail experience, while the real offer is something very different. What looks like a standard product listing may actually be promoting gambling, restricted services, or another high-risk activity.
Redirects that change the real journey
The page being reviewed is not always the page the customer ultimately experiences. A site may look acceptable at first click, then redirect the user into a completely different environment. That second destination may sit on another domain, carry a different identity, or push the user toward off-platform sign-up, login, chat, or payment-adjacent flows. The visible landing page is only part of the story.
Different experiences for bots and humans
Some merchants are becoming more deliberate in how they avoid detection. They may present one experience to a scanner or automated check, and a different one to a real visitor. In practice, that can mean compliant-looking content for bots and much riskier content for people. This makes traditional checks far less reliable because the deception is built into the experience itself, not just the page content.
Borrowed trust
Some merchants take advantage of domains that appear legitimate because of their history, branding, or previous use. A site may look credible on the surface, not because the current business is trustworthy, but because it is inheriting trust from something older or unrelated. Legacy content, familiar branding, or a previously legitimate web presence can all make a risky site appear more credible than it really is.
Fragmented identity
The brand a user sees, the domain they land on, the legal entity behind the site, and the destination handling the next step may not line up at all. That makes it difficult to determine who the merchant really is, what business they are actually conducting, and who is ultimately taking the transaction. In some cases, there is no clear legal entity disclosed at all.
Missing information by design
Sometimes the clearest warning sign is not what is shown, but what is missing. No legal entity. No clear refund terms. No meaningful support path. No transparent explanation of what the customer is actually buying or signing up for. A site can look polished enough to pass a quick review while withholding the very information needed to make a genuine risk assessment.
This is what makes modern merchant deception so difficult to detect. The risk is rarely presented in a blunt or obvious way. It is disguised inside familiar formats, hidden across redirects, softened by borrowed trust, and obscured by fragmented or missing information. For compliance teams, the challenge is no longer just spotting what looks prohibited. It is recognizing when a site has been deliberately designed to look safer and more transparent than it really is.
Why legacy BRAM and GBPP controls are under pressure
Traditional compliance checks were not designed for this kind of environment. They are often static, surface-level, and point-in-time. They can confirm what a merchant wants a reviewer or scanner to see, but they struggle to determine whether that presentation is truthful, complete, and consistent across the wider customer journey. Increasingly, they are also falling for the very tactics merchants now use to avoid detection, from compliant-looking storefronts and redirect chains to fragmented identities and missing disclosures.
This becomes even more challenging in the context of Mastercard BRAM and Visa GBPP. Both frameworks are designed to protect the integrity of the payments ecosystem, but they are not simple box-ticking exercises and they are not identical. Each has its own requirements, priorities, and thresholds. In practice, that means a merchant may appear acceptable under one scheme but fail under another. A business model may be legal in one jurisdiction but problematic in another. A site may not fail because of a single visible page, but because the surrounding identity, behavior, geography, and operating model do not hold together under scrutiny.
That is where many existing tools and processes start to break down. Some focus too narrowly on page content. Others are built around fixed rules that cannot easily handle context, behavior, or jurisdictional nuance. Many were built to assess declared risk, not concealed behavior, which makes them more vulnerable to the tactics merchants now use to avoid detection. Manual review can still catch some of these issues, but it becomes harder to scale, harder to sustain, and easier to outmanoeuvre when merchants already understand how conventional checks work.
Even a strong onboarding review is still only a moment in time. Merchant behavior can change after approval. Sites can be repurposed. Flows can be redirected. A business can look one way at onboarding and very different weeks or months later.
That is the strategic shift now underway in payments. The real question is no longer whether the merchant passed an onboarding check once. It is whether the organization can still stand behind that decision as conditions change.
What modern merchant oversight needs to identify hidden risk
If static checks are no longer enough, the answer is not simply more manual review. It is a more effective way to assess merchant risk as it changes over time.
For payment providers managing BRAM and GBPP complexity, that means moving beyond surface-level reviews and point-in-time decisions. Oversight needs to be able to assess merchant behavior in context, identify when the visible story and the underlying reality do not match, and respond when risk shifts after initial approval.
That is the real change now underway. Merchant oversight must become more continuous, more contextual, and more resilient to deception.
How AI powered oversight tools can detect deception, not just declared risk
If the challenge is now hidden risk rather than declared risk, merchant oversight needs to become more intelligent, more adaptive, and more resilient to deception. This is where Artificial Intelligence (AI) can play a practical role.
AI powered oversight tools are being developed to assess more than what appears on the surface. As merchant deception becomes harder to detect and easier to scale, payment providers need a way to identify concealed activity, resolve ambiguity, and detect when a merchant’s stated business does not match what is actually happening across the customer journey.
Platforms such as MVSI’s OnBoard AIQ illustrate how technology is evolving to help payment providers, banks, and acquirers identify online merchants using deception to bypass Mastercard BRAM and Visa GBPP controls. Rather than treating compliance as a static website check, it combines AI-driven analysis with configurable compliance logic to detect hidden risk at scale.
The challenge is not simply identifying what a merchant claims to be. It is assessing what the merchant is actually doing across the full journey. In practice, this means assessing signals across prohibited activity, hidden activity, merchant identity, fulfilment transparency, refunds and support, age restricted controls, checkout and disclosure controls, infringement risk, and broader hidden risk. These models can also be configured so that questions, thresholds, prompts, and outputs reflect different rule interpretations, risk appetites, and internal workflows.
In practical terms, that means AI can surface the kinds of patterns traditional checks are most likely to miss: cloaking, redirects, disguised activity, identity inconsistency, off-domain flows, jurisdiction-sensitive risk, and business model mismatches that only become clear when behavior and context are analyzed together.
“Compliance teams are no longer dealing with straightforward websites or straightforward risk,” said Daniel Sheahan, CEO of MVSI. “They are dealing with merchants who know exactly how traditional checks work and how to get around them. That is what makes this such an urgent problem.”
For payment providers managing BRAM and GBPP complexity, that is the real shift. Compliance can no longer rely on surface-level snapshots of merchant websites. It needs to become more intelligent, more dynamic, and more resilient to manipulation.
In practice, this means assessing signals across prohibited activity, hidden activity, merchant identity, fulfilment transparency, refunds and support, age restricted controls, checkout and disclosure controls, infringement risk, and broader hidden risk.
As merchant deception becomes harder to detect and easier to scale, the challenge is no longer just approving merchants once. It is maintaining oversight over time and identifying when the visible story no longer matches the underlying reality.
For payment providers managing BRAM and GBPP obligations, this requires more than static review. It requires continuous, context-aware oversight that can assess merchant identity, behavior, disclosures, geography, and operating model together.
In payments, brand protection is no longer a downstream concern. It is becoming a core part of merchant risk management.