Documentation Index Fetch the complete documentation index at: https://docs.gu1.ai/llms.txt
Use this file to discover all available pages before exploring further.
Introduction Merchant monitoring is critical for acquirers, sub-acquirers, and payment processors. gu1 enables you to detect merchant fraud, chargeback patterns, phishing, and suspicious behavior in real-time.
Use Cases
Chargeback Prevention Detect merchants with high chargeback rates before they escalate
Merchant Fraud Identify fraud schemes perpetrated by merchants
Phishing Detection Detect phishing sites impersonating legitimate merchants
Compliance Monitoring Monitor compliance with acquirer terms and conditions
Detectable Patterns 1. Chargeback Rate Monitoring Continuous monitoring of chargeback rate per merchant.
Indicators:
Chargeback rate > 1% (VISA/Mastercard threshold)
Sudden increase in disputes
Chargeback patterns by product type
Example Rule: { "name" : "High Chargeback Rate Alert" , "category" : "merchant_risk" , "priority" : 900 , "enabled" : true , "evaluationMode" : "async" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantChargebackRate30d" , "operator" : "GREATER_THAN" , "value" : 0.01 }, { "field" : "metadata.merchantTransactionCount30d" , "operator" : "GREATER_THAN" , "value" : 100 } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "high" , "type" : "high_chargeback_rate" , "message" : "Merchant {{destinationEntityId}} has chargeback rate of {{metadata.merchantChargebackRate30d}}%" } }, { "type" : "create_investigation" , "config" : { "priority" : "high" , "assignToTeam" : "merchant_compliance" , "requiresReview" : true } } ] }
2. Transaction Velocity - Merchant Side Detects unusual transaction spikes that may indicate fraud.
{ "name" : "Merchant Transaction Spike" , "category" : "merchant_risk" , "priority" : 850 , "enabled" : true , "evaluationMode" : "async" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantTransactionsLast1h" , "operator" : "GREATER_THAN" , "value" : "{{metadata.merchantAvgTransactionsPerHour * 5}}" }, { "field" : "metadata.merchantAverageTicket" , "operator" : "LESS_THAN" , "value" : "{{amount * 0.3}}" } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "medium" , "type" : "merchant_velocity_spike" , "message" : "Merchant transaction velocity 5x higher than average" } } ] }
3. Card Testing Through Merchant Detects when a merchant is being used to test stolen cards.
{ "name" : "Card Testing via Merchant" , "category" : "fraud" , "priority" : 950 , "enabled" : true , "evaluationMode" : "sync" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantFailedTransactionsLast1h" , "operator" : "GREATER_THAN" , "value" : 20 }, { "field" : "metadata.merchantUniqueCardsLast1h" , "operator" : "GREATER_THAN" , "value" : 15 }, { "field" : "amount" , "operator" : "LESS_THAN" , "value" : 10 }, { "field" : "metadata.merchantFailureRate1h" , "operator" : "GREATER_THAN" , "value" : 0.7 } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "critical" , "type" : "card_testing_merchant" , "message" : "Merchant {{destinationEntityId}} under card testing attack" } }, { "type" : "set_decision" , "config" : { "decision" : "HOLD" , "reason" : "Merchant experiencing card testing attack" } } ] }
4. Merchant Descriptor Mismatch Detects when transaction descriptor doesn’t match registered merchant (possible phishing).
{ "name" : "Descriptor Mismatch - Phishing" , "category" : "fraud" , "priority" : 900 , "enabled" : true , "evaluationMode" : "sync" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "metadata.descriptorSimilarity" , "operator" : "LESS_THAN" , "value" : 0.5 }, { "field" : "metadata.merchantVerified" , "operator" : "EQUALS" , "value" : true }, { "field" : "metadata.descriptorReported" , "operator" : "EQUALS" , "value" : true } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "critical" , "type" : "descriptor_mismatch" , "message" : "Transaction descriptor '{{metadata.transactionDescriptor}}' does not match merchant name '{{destinationEntityName}}'" } }, { "type" : "set_decision" , "config" : { "decision" : "REJECT" , "reason" : "Possible phishing - descriptor mismatch" } } ] }
5. Sudden Business Model Change Detects abrupt changes in merchant transaction patterns.
{ "name" : "Merchant Business Model Change" , "category" : "merchant_risk" , "priority" : 800 , "enabled" : true , "evaluationMode" : "async" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "mccCode" , "operator" : "NOT_IN" , "value" : "{{metadata.merchantHistoricalMccCodes}}" }, { "field" : "metadata.merchantAgeInDays" , "operator" : "GREATER_THAN" , "value" : 90 }, { "field" : "amount" , "operator" : "GREATER_THAN" , "value" : "{{metadata.merchantAvgTicket * 3}}" } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "medium" , "type" : "business_model_change" , "message" : "Merchant using new MCC code {{mccCode}}, typical codes: {{metadata.merchantHistoricalMccCodes}}" } } ] }
6. Cross-Border Merchant Fraud Detects merchants processing many suspicious international transactions.
{ "name" : "Cross-Border Merchant Risk" , "category" : "merchant_risk" , "priority" : 850 , "enabled" : true , "evaluationMode" : "async" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantCountry" , "operator" : "NOT_EQUALS" , "value" : "{{metadata.cardIssuingCountry}}" }, { "field" : "metadata.merchantCrossBorderRate30d" , "operator" : "GREATER_THAN" , "value" : 0.8 }, { "field" : "metadata.merchantChargebackRate30d" , "operator" : "GREATER_THAN" , "value" : 0.005 }, { "field" : "metadata.merchantIsHighRisk" , "operator" : "EQUALS" , "value" : true } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "high" , "type" : "cross_border_merchant_risk" , "message" : "High-risk merchant with 80%+ cross-border transactions and elevated chargebacks" } } ] }
7. Refund Abuse Pattern Detects merchants with abnormal refund patterns that may indicate fraud.
{ "name" : "Merchant Refund Abuse" , "category" : "merchant_risk" , "priority" : 800 , "enabled" : true , "evaluationMode" : "async" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "AND" , "conditions" : [ { "field" : "type" , "operator" : "EQUALS" , "value" : "REFUND" }, { "field" : "metadata.merchantRefundRate30d" , "operator" : "GREATER_THAN" , "value" : 0.15 }, { "field" : "metadata.merchantRefundAmount30d" , "operator" : "GREATER_THAN" , "value" : "{{metadata.merchantSalesAmount30d * 0.1}}" } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "medium" , "type" : "refund_abuse" , "message" : "Merchant refund rate {{metadata.merchantRefundRate30d}}% exceeds 15% threshold" } } ] }
Monitoring Workflow Key Metrics by Merchant Transaction Metrics { "merchantMetrics" : { "transactionVolume" : { "last24h" : 1250 , "last7d" : 8500 , "last30d" : 35000 }, "transactionAmount" : { "last24h" : 125000.00 , "last7d" : 850000.00 , "last30d" : 3500000.00 }, "averageTicket" : { "current" : 100.00 , "last30d" : 95.50 , "change" : "+4.7%" }, "transactionVelocity" : { "perHour" : 52 , "perDay" : 1250 , "trend" : "increasing" } } }
Risk Metrics { "riskMetrics" : { "chargebackRate" : { "last30d" : 0.008 , "last90d" : 0.006 , "threshold" : 0.01 }, "refundRate" : { "last30d" : 0.05 , "industry_average" : 0.08 }, "failureRate" : { "last24h" : 0.03 , "last7d" : 0.02 , "normal_range" : "0.01-0.05" }, "crossBorderRate" : { "last30d" : 0.45 , "countries" : 15 } } }
Fraud Metrics { "fraudMetrics" : { "cardTestingAttempts" : { "last24h" : 0 , "last7d" : 2 , "blocked" : 2 }, "suspiciousPatterns" : { "velocitySpikes" : 1 , "descriptorMismatches" : 0 , "unusualGeoPatterns" : 3 }, "riskScore" : { "current" : 45 , "trend" : "stable" , "lastUpdated" : "2024-10-28T14:00:00Z" } } }
Configuration by Acquirer Type For Large Acquirers { "merchantMonitoring" : { "tier" : "enterprise_acquirer" , "rules" : { "chargebackThreshold" : 0.009 , "reviewInterval" : "daily" , "alertSeverity" : "medium" , "autoBlockEnabled" : false }, "monitoring" : { "cardTestingProtection" : true , "velocityMonitoring" : true , "crossBorderAnalysis" : true , "mccCodeEnforcement" : true }, "teams" : { "merchantCompliance" : [ "team_compliance_001" ], "fraudPrevention" : [ "team_fraud_002" ] } } }
For Sub-Acquirers / ISOs { "merchantMonitoring" : { "tier" : "sub_acquirer" , "rules" : { "chargebackThreshold" : 0.01 , "reviewInterval" : "weekly" , "alertSeverity" : "high" , "autoBlockEnabled" : true , "autoBlockThreshold" : 0.02 }, "monitoring" : { "cardTestingProtection" : true , "velocityMonitoring" : true , "crossBorderAnalysis" : false , "mccCodeEnforcement" : false }, "limits" : { "maxTransactionVolume30d" : 500000 , "maxAverageTicket" : 1000 , "maxCrossBorderRate" : 0.3 } } }
For Payment Facilitators { "merchantMonitoring" : { "tier" : "payment_facilitator" , "rules" : { "chargebackThreshold" : 0.008 , "reviewInterval" : "real_time" , "alertSeverity" : "critical" , "autoBlockEnabled" : true , "requiresManualReview" : true }, "monitoring" : { "cardTestingProtection" : true , "velocityMonitoring" : true , "crossBorderAnalysis" : true , "mccCodeEnforcement" : true , "descriptorMonitoring" : true , "phishingDetection" : true }, "onboarding" : { "enhancedDueDiligence" : true , "initialMonitoringPeriod" : 90 , "restrictedMccCodes" : [ "5967" , "7995" , "6211" ] } } }
Phishing Detection Phishing Indicators
Descriptor Mismatch : Bank statement name doesn’t match registered merchantURL Similarity : Domain very similar to legitimate merchant (e.g., amaz0n.com)Sudden Spikes : New merchant with abnormally high volumeHigh Dispute Rate : Immediate chargebacks after transactionGeo Anomalies : Merchant registered in different country than website
Comprehensive Anti-Phishing Rule { "name" : "Comprehensive Phishing Detection" , "category" : "fraud" , "priority" : 950 , "enabled" : true , "evaluationMode" : "sync" , "targetEntityTypes" : [ "transaction" ], "conditions" : { "operator" : "OR" , "conditions" : [ { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantDomainSimilarity" , "operator" : "GREATER_THAN" , "value" : 0.8 }, { "field" : "metadata.merchantDomainAge" , "operator" : "LESS_THAN" , "value" : 30 } ] }, { "operator" : "AND" , "conditions" : [ { "field" : "metadata.descriptorReportCount" , "operator" : "GREATER_THAN" , "value" : 5 }, { "field" : "metadata.merchantAgeInDays" , "operator" : "LESS_THAN" , "value" : 60 } ] }, { "operator" : "AND" , "conditions" : [ { "field" : "metadata.merchantChargebackRate7d" , "operator" : "GREATER_THAN" , "value" : 0.5 }, { "field" : "metadata.merchantTransactionCount7d" , "operator" : "GREATER_THAN" , "value" : 20 } ] } ] }, "actions" : [ { "type" : "generate_alert" , "config" : { "severity" : "critical" , "type" : "suspected_phishing" , "message" : "Merchant {{destinationEntityId}} shows multiple phishing indicators" } }, { "type" : "set_decision" , "config" : { "decision" : "HOLD" , "reason" : "Suspected phishing site - requires manual review" } }, { "type" : "create_investigation" , "config" : { "priority" : "critical" , "assignToTeam" : "fraud_prevention" , "requiresImmediateAction" : true } } ] }
Best Practices ✅ Recommendations
Rigorous Onboarding
Verify merchant identity before activation
Set conservative initial limits
Intensive monitoring period (30-90 days)
Continuous Monitoring
Review daily metrics for high-risk merchants
Set automatic alerts for abrupt changes
Maintain historical behavior patterns
Clear Communication
Notify merchants about limits and rules
Provide feedback when suspicious patterns detected
Document all actions taken
Appropriate Escalation
Define clear thresholds for each severity level
Establish SLAs by alert type
Involve legal/compliance in critical cases
Risk-Business Balance
Don’t block legitimate merchants without investigation
Allow gradual growth for good merchants
Adjust rules based on false positives
❌ Common Mistakes
Aggressive Auto-Blocking
Don’t block without manual review in doubtful cases
Legitimate merchants may have seasonal spikes
Ignoring Context
Black Friday, Cyber Monday have different patterns
B2B merchants naturally have higher tickets
Static Thresholds
Adjust thresholds by industry and size
What’s normal for large merchant is suspicious for small one
Lack of Documentation
Document all blocking decisions
Regulators may request due diligence evidence
Monitoring Program KPIs { "programKPIs" : { "merchantPortfolio" : { "totalActiveMerchants" : 1250 , "highRiskMerchants" : 45 , "underReview" : 12 , "suspended" : 8 }, "fraudPrevention" : { "fraudAttemptsPrevented30d" : 127 , "estimatedLossesPrevented" : 245000.00 , "falsePositiveRate" : 0.08 , "timeToDetection" : "4.2 hours" }, "compliance" : { "chargebackRatePortfolio" : 0.007 , "merchantsAboveThreshold" : 3 , "merchantsTerminated30d" : 2 , "avgInvestigationTime" : "18 hours" }, "efficiency" : { "alertsGenerated30d" : 450 , "alertsReviewed" : 445 , "truePositives" : 89 , "falsePositives" : 356 , "precision" : 0.20 } } }
Integration with Intelligence Dashboard All merchant alerts automatically consolidate into Intelligence Dashboard:
Cases per Merchant : One case per merchant under investigationGrouped Alerts : All merchant alerts in one placeEvent Timeline : Complete behavior historyDocumented Decisions : Record of actions takenCollaboration : Teams can work together on complex cases
Next Steps
Overview Monitoring system overview
Fraud Detection Protect against fraud in real-time
AML Monitoring Regulatory compliance and laundering detection
API Reference Complete endpoint documentation
