The Green Sheet Online Edition

November 24, 2025 • 25:11:02

Merchant monitoring efficiencies - Rules are not the answer

For decades, acquirers and processors have relied on static rule-based systems to manage merchant risk. But the world has changed and so, too, must our tools. Most parameters are set either at the merchant level or the portfolio level. These are static rules and updates are manual. For example: If a transaction is over $5,000 and the merchant was acquired less than six months ago, provide an alert.

The limits of rule-based monitoring

As processors scale, they often develop custom rule-based systems tailored to their risk profile. Doing so allows for a solution better tailored to their own portfolio and risk tolerance. Updates are easier and reporting is superior.

Because the system designers fear missing fraudulent activity, these home-grown rule-based platforms typically over-identify alerts. After all, a designer reasons, it is better to over-identify and allow a human to intervene than to under-identify and risk missing the fraud entirely. Lost in that line of thinking, however, is how over-identifying leads to extra work, which requires extra staff.

Over-identification of alerts, along with substantial manual work to weed out false positives, was the norm. Now, however, with the application of AI, we can have continual refinement to lessen false positives and properly identify anomalies to minimize losses.

If it were easy, everybody would be doing it

Processors have a heavy burden. They must adhere to their acquirer bank requirements and the card networks' requirements. Visa lays out requirements within its Visa Acceptance Risk Standards (VARS) for three risk domains: business, operational, and legal and regulatory. All acquirers, and by proxy, their third parties must comply with this document.

Business risk is based on the processor's risk profile and policy framework. For example, how aggressive or risk averse is the processor? Are team members well trained, and do their procedures comply with their policies? Operational risk, including financial risk, is what monitoring is most directly mitigating. Legal and regulatory risk is critical but, similar to business risk, it is intertwined with how the processor does business.

Onboarding standards

Within VARS is an onboarding requirement. Acquirers must have an onboarding standard that enables risk-based due diligence. The document details the specific mandatory controls, which most acquirers and processors are fulfilling, but the process is complex. It is not mathematically complex, but it is procedurally intricate and multi-dimensional. Specifically, a merchant must be assessed for:

Leaving this up to individuals requires extensively trained people or a platform that not only provides for a recommended credit decision, but also a documented history for the decision.

Retrospection in action

While not required for monitoring, the underwriting data may be utilized in refining the monitoring parameters. Optimally, the MCC, guarantor's credit, prior processing history, online reviews, automated site inspection details and other data points are provisioned within the monitoring decisions. Having this data allows for a more fully baked monitoring system. It's not practical for an individual to always consider these points, but an AI model can.

VARS also has a monitoring requirement. Acquirers and processors must monitor transaction and merchant activity to detect threats, unusual or suspicious activities/transactions and use exception reporting to act upon deviations. This is a broad and far-reaching requirement. And while a rule-based system can incorporate data points from the application, leveraging AI is far superior for anomaly detection and fraud scoring. The reason rule-based monitoring systems persist is they are far easier to set up and are fully transparent. The rules check for specific and known anomalies. But they are costly to maintain, requiring far more manual reviews, and they will not adapt. AI-based monitoring can incorporate thousands of additional data points. Yes, an AI system is data dependent, but it can be trained with existing portfolio history and then can be used to test whether it would have provided appropriate alerts.
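The backtest idea above, as an added example that is not from the article or any vendor: constructed transactions are replayed through the article's static rule and through a per-merchant baseline learned from prior history. The baseline is a simple median/MAD score standing in for an AI model; the merchant names, amounts, the 183-day reading of "six months" and the threshold of 6.0 are all assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample portfolio: onboarding date and prior ticket amounts per merchant.
MERCHANTS = {
    "furniture": {"onboarded": date(2025, 9, 1),
                  "history": [5800, 6200, 6100, 5900, 6400, 6000, 6300]},
    "cafe": {"onboarded": date(2025, 8, 15),
             "history": [7.5, 9.0, 8.0, 12.0, 6.5, 8.5, 10.0]},
}
# Constructed transactions to replay; a negative amount is a refund.
REPLAY = [
    ("furniture", date(2025, 11, 10), 6250.00),
    ("furniture", date(2025, 11, 11), 5950.00),
    ("cafe", date(2025, 11, 10), 9.25),
    ("cafe", date(2025, 11, 10), 950.00),
    ("cafe", date(2025, 11, 11), -400.00),
]

def static_rule(onboarded, txn_date, amount):
    """The article's example rule; six months approximated as 183 days."""
    return amount > 5000 and (txn_date - onboarded).days < 183

def fit_baseline(history):
    """Learn a merchant's typical ticket: median and median absolute deviation."""
    med = median(history)
    mad = median(abs(a - med) for a in history) or 1.0  # avoid divide-by-zero
    return med, mad

def is_anomalous(amount, baseline, threshold=6.0):
    """Flag amounts far from the merchant's own norm (threshold is an assumption)."""
    med, mad = baseline
    return abs(amount - med) / mad > threshold

def backtest(merchants, replay):
    """Replay transactions through both monitors and return each one's alerts."""
    baselines = {m: fit_baseline(d["history"]) for m, d in merchants.items()}
    rule_alerts, model_alerts = [], []
    for name, txn_date, amount in replay:
        if static_rule(merchants[name]["onboarded"], txn_date, amount):
            rule_alerts.append((name, amount))
        if is_anomalous(amount, baselines[name]):
            model_alerts.append((name, amount))
    return rule_alerts, model_alerts

if __name__ == "__main__":
    rules, model = backtest(MERCHANTS, REPLAY)
    print("static rule alerts:", rules)
    print("baseline alerts:   ", model)
```

On this constructed data the static rule alerts on both routine furniture sales and stays silent on the cafe, while the baseline ignores the furniture sales and flags the cafe's $950 sale and $400 refund.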

The AI model is also far more scalable and will minimize the overload of false alerts. AI can work after hours, weekends and holidays. It can interface with a processor's CRM to provide merchant notices and set queues based on the merchant type, sales team or some other indicator.

Demand from regulators, card networks and acquirers is growing. Developing a continual risk-based underwriting and monitoring solution is a strategic advantage. For example, Coris, an AI risk platform, uses AI models to evaluate merchants and transactions, learning typical patterns like refund spikes, large-ticket activity and balance changes to surface anomalies automatically. One platform using this approach reduced manual reviews by 89 percent and redirected analysts toward the cases that mattered most.

AI won't replace risk professionals, but it will amplify their expertise. In a context where speed, precision and compliance are paramount, AI is a necessity. By combining adaptive intelligence with procedural transparency, acquirers can meet growing regulatory expectations while increasing operational efficiency.

As founder of Humboldt Merchant Services, co-founder of Eureka Payments, and a former executive for such payments innovators as WePay, a division of JPMorgan Chase, Ken Musante has experience in all aspects of successful ISO building. He currently provides consulting services and expert witness testimony as founder of Napa Payments and Consulting, www.napapaymentsandconsulting.com. Contact him at kenm@napapaymentsandconsulting.com, 707-601-7656 or www.linkedin.com/in/ken-musante-us.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
