Skip to main content

Introduction

Merchant monitoring is critical for acquirers, sub-acquirers, and payment processors. gu1 enables you to detect merchant fraud, chargeback patterns, phishing, and suspicious behavior in real-time.

Use Cases

Chargeback Prevention

Detect merchants with high chargeback rates before they escalate

Merchant Fraud

Identify fraud schemes perpetrated by merchants

Phishing Detection

Detect phishing sites impersonating legitimate merchants

Compliance Monitoring

Monitor compliance with acquirer terms and conditions

Detectable Patterns

1. Chargeback Rate Monitoring

Continuous monitoring of chargeback rate per merchant. Indicators:
  • Chargeback rate > 1% (VISA/Mastercard threshold)
  • Sudden increase in disputes
  • Chargeback patterns by product type
Example Rule: 
{
  "name": "High Chargeback Rate Alert",
  "category": "merchant_risk",
  "priority": 900,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.merchantChargebackRate30d",
        "operator": "GREATER_THAN",
        "value": 0.01
      },
      {
        "field": "metadata.merchantTransactionCount30d",
        "operator": "GREATER_THAN",
        "value": 100
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "high",
        "type": "high_chargeback_rate",
        "message": "Merchant {{destinationEntityId}} has chargeback rate of {{metadata.merchantChargebackRate30d}}%"
      }
    },
    {
      "type": "create_investigation",
      "config": {
        "priority": "high",
        "assignToTeam": "merchant_compliance",
        "requiresReview": true
      }
    }
  ]
}

2. Transaction Velocity - Merchant Side

Detects unusual transaction spikes that may indicate fraud. 
{
  "name": "Merchant Transaction Spike",
  "category": "merchant_risk",
  "priority": 850,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.merchantTransactionsLast1h",
        "operator": "GREATER_THAN",
        "value": "{{metadata.merchantAvgTransactionsPerHour * 5}}"
      },
      {
        "field": "metadata.merchantAverageTicket",
        "operator": "LESS_THAN",
        "value": "{{amount * 0.3}}"
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "medium",
        "type": "merchant_velocity_spike",
        "message": "Merchant transaction velocity 5x higher than average"
      }
    }
  ]
}

3. Card Testing Through Merchant

Detects when a merchant is being used to test stolen cards. 
{
  "name": "Card Testing via Merchant",
  "category": "fraud",
  "priority": 950,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.merchantFailedTransactionsLast1h",
        "operator": "GREATER_THAN",
        "value": 20
      },
      {
        "field": "metadata.merchantUniqueCardsLast1h",
        "operator": "GREATER_THAN",
        "value": 15
      },
      {
        "field": "amount",
        "operator": "LESS_THAN",
        "value": 10
      },
      {
        "field": "metadata.merchantFailureRate1h",
        "operator": "GREATER_THAN",
        "value": 0.7
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "critical",
        "type": "card_testing_merchant",
        "message": "Merchant {{destinationEntityId}} under card testing attack"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "HOLD",
        "reason": "Merchant experiencing card testing attack"
      }
    }
  ]
}

4. Merchant Descriptor Mismatch

Detects when transaction descriptor doesn’t match registered merchant (possible phishing). 
{
  "name": "Descriptor Mismatch - Phishing",
  "category": "fraud",
  "priority": 900,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.descriptorSimilarity",
        "operator": "LESS_THAN",
        "value": 0.5
      },
      {
        "field": "metadata.merchantVerified",
        "operator": "EQUALS",
        "value": true
      },
      {
        "field": "metadata.descriptorReported",
        "operator": "EQUALS",
        "value": true
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "critical",
        "type": "descriptor_mismatch",
        "message": "Transaction descriptor '{{metadata.transactionDescriptor}}' does not match merchant name '{{destinationEntityName}}'"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "REJECT",
        "reason": "Possible phishing - descriptor mismatch"
      }
    }
  ]
}

5. Sudden Business Model Change

Detects abrupt changes in merchant transaction patterns. 
{
  "name": "Merchant Business Model Change",
  "category": "merchant_risk",
  "priority": 800,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "mccCode",
        "operator": "NOT_IN",
        "value": "{{metadata.merchantHistoricalMccCodes}}"
      },
      {
        "field": "metadata.merchantAgeInDays",
        "operator": "GREATER_THAN",
        "value": 90
      },
      {
        "field": "amount",
        "operator": "GREATER_THAN",
        "value": "{{metadata.merchantAvgTicket * 3}}"
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "medium",
        "type": "business_model_change",
        "message": "Merchant using new MCC code {{mccCode}}, typical codes: {{metadata.merchantHistoricalMccCodes}}"
      }
    }
  ]
}

6. Cross-Border Merchant Fraud

Detects merchants processing many suspicious international transactions. 
{
  "name": "Cross-Border Merchant Risk",
  "category": "merchant_risk",
  "priority": 850,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.merchantCountry",
        "operator": "NOT_EQUALS",
        "value": "{{metadata.cardIssuingCountry}}"
      },
      {
        "field": "metadata.merchantCrossBorderRate30d",
        "operator": "GREATER_THAN",
        "value": 0.8
      },
      {
        "field": "metadata.merchantChargebackRate30d",
        "operator": "GREATER_THAN",
        "value": 0.005
      },
      {
        "field": "metadata.merchantIsHighRisk",
        "operator": "EQUALS",
        "value": true
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "high",
        "type": "cross_border_merchant_risk",
        "message": "High-risk merchant with 80%+ cross-border transactions and elevated chargebacks"
      }
    }
  ]
}

7. Refund Abuse Pattern

Detects merchants with abnormal refund patterns that may indicate fraud. 
{
  "name": "Merchant Refund Abuse",
  "category": "merchant_risk",
  "priority": 800,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "type",
        "operator": "EQUALS",
        "value": "REFUND"
      },
      {
        "field": "metadata.merchantRefundRate30d",
        "operator": "GREATER_THAN",
        "value": 0.15
      },
      {
        "field": "metadata.merchantRefundAmount30d",
        "operator": "GREATER_THAN",
        "value": "{{metadata.merchantSalesAmount30d * 0.1}}"
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "medium",
        "type": "refund_abuse",
        "message": "Merchant refund rate {{metadata.merchantRefundRate30d}}% exceeds 15% threshold"
      }
    }
  ]
}

Monitoring Workflow

Key Metrics by Merchant

Transaction Metrics

{
  "merchantMetrics": {
    "transactionVolume": {
      "last24h": 1250,
      "last7d": 8500,
      "last30d": 35000
    },
    "transactionAmount": {
      "last24h": 125000.00,
      "last7d": 850000.00,
      "last30d": 3500000.00
    },
    "averageTicket": {
      "current": 100.00,
      "last30d": 95.50,
      "change": "+4.7%"
    },
    "transactionVelocity": {
      "perHour": 52,
      "perDay": 1250,
      "trend": "increasing"
    }
  }
}

Risk Metrics

{
  "riskMetrics": {
    "chargebackRate": {
      "last30d": 0.008,
      "last90d": 0.006,
      "threshold": 0.01
    },
    "refundRate": {
      "last30d": 0.05,
      "industry_average": 0.08
    },
    "failureRate": {
      "last24h": 0.03,
      "last7d": 0.02,
      "normal_range": "0.01-0.05"
    },
    "crossBorderRate": {
      "last30d": 0.45,
      "countries": 15
    }
  }
}

Fraud Metrics

{
  "fraudMetrics": {
    "cardTestingAttempts": {
      "last24h": 0,
      "last7d": 2,
      "blocked": 2
    },
    "suspiciousPatterns": {
      "velocitySpikes": 1,
      "descriptorMismatches": 0,
      "unusualGeoPatterns": 3
    },
    "riskScore": {
      "current": 45,
      "trend": "stable",
      "lastUpdated": "2024-10-28T14:00:00Z"
    }
  }
}

Configuration by Acquirer Type

For Large Acquirers

{
  "merchantMonitoring": {
    "tier": "enterprise_acquirer",
    "rules": {
      "chargebackThreshold": 0.009,
      "reviewInterval": "daily",
      "alertSeverity": "medium",
      "autoBlockEnabled": false
    },
    "monitoring": {
      "cardTestingProtection": true,
      "velocityMonitoring": true,
      "crossBorderAnalysis": true,
      "mccCodeEnforcement": true
    },
    "teams": {
      "merchantCompliance": ["team_compliance_001"],
      "fraudPrevention": ["team_fraud_002"]
    }
  }
}

For Sub-Acquirers / ISOs

{
  "merchantMonitoring": {
    "tier": "sub_acquirer",
    "rules": {
      "chargebackThreshold": 0.01,
      "reviewInterval": "weekly",
      "alertSeverity": "high",
      "autoBlockEnabled": true,
      "autoBlockThreshold": 0.02
    },
    "monitoring": {
      "cardTestingProtection": true,
      "velocityMonitoring": true,
      "crossBorderAnalysis": false,
      "mccCodeEnforcement": false
    },
    "limits": {
      "maxTransactionVolume30d": 500000,
      "maxAverageTicket": 1000,
      "maxCrossBorderRate": 0.3
    }
  }
}

For Payment Facilitators

{
  "merchantMonitoring": {
    "tier": "payment_facilitator",
    "rules": {
      "chargebackThreshold": 0.008,
      "reviewInterval": "real_time",
      "alertSeverity": "critical",
      "autoBlockEnabled": true,
      "requiresManualReview": true
    },
    "monitoring": {
      "cardTestingProtection": true,
      "velocityMonitoring": true,
      "crossBorderAnalysis": true,
      "mccCodeEnforcement": true,
      "descriptorMonitoring": true,
      "phishingDetection": true
    },
    "onboarding": {
      "enhancedDueDiligence": true,
      "initialMonitoringPeriod": 90,
      "restrictedMccCodes": ["5967", "7995", "6211"]
    }
  }
}

Phishing Detection

Phishing Indicators

  1. Descriptor Mismatch: Bank statement name doesn’t match registered merchant
  2. URL Similarity: Domain very similar to legitimate merchant (e.g., amaz0n.com)
  3. Sudden Spikes: New merchant with abnormally high volume
  4. High Dispute Rate: Immediate chargebacks after transaction
  5. Geo Anomalies: Merchant registered in different country than website

Comprehensive Anti-Phishing Rule

{
  "name": "Comprehensive Phishing Detection",
  "category": "fraud",
  "priority": 950,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "OR",
    "conditions": [
      {
        "operator": "AND",
        "conditions": [
          {
            "field": "metadata.merchantDomainSimilarity",
            "operator": "GREATER_THAN",
            "value": 0.8
          },
          {
            "field": "metadata.merchantDomainAge",
            "operator": "LESS_THAN",
            "value": 30
          }
        ]
      },
      {
        "operator": "AND",
        "conditions": [
          {
            "field": "metadata.descriptorReportCount",
            "operator": "GREATER_THAN",
            "value": 5
          },
          {
            "field": "metadata.merchantAgeInDays",
            "operator": "LESS_THAN",
            "value": 60
          }
        ]
      },
      {
        "operator": "AND",
        "conditions": [
          {
            "field": "metadata.merchantChargebackRate7d",
            "operator": "GREATER_THAN",
            "value": 0.5
          },
          {
            "field": "metadata.merchantTransactionCount7d",
            "operator": "GREATER_THAN",
            "value": 20
          }
        ]
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "critical",
        "type": "suspected_phishing",
        "message": "Merchant {{destinationEntityId}} shows multiple phishing indicators"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "HOLD",
        "reason": "Suspected phishing site - requires manual review"
      }
    },
    {
      "type": "create_investigation",
      "config": {
        "priority": "critical",
        "assignToTeam": "fraud_prevention",
        "requiresImmediateAction": true
      }
    }
  ]
}

Best Practices

✅ Recommendations

  1. Rigorous Onboarding
    • Verify merchant identity before activation
    • Set conservative initial limits
    • Intensive monitoring period (30-90 days)
  2. Continuous Monitoring
    • Review daily metrics for high-risk merchants
    • Set automatic alerts for abrupt changes
    • Maintain historical behavior patterns
  3. Clear Communication
    • Notify merchants about limits and rules
    • Provide feedback when suspicious patterns detected
    • Document all actions taken
  4. Appropriate Escalation
    • Define clear thresholds for each severity level
    • Establish SLAs by alert type
    • Involve legal/compliance in critical cases
  5. Risk-Business Balance
    • Don’t block legitimate merchants without investigation
    • Allow gradual growth for good merchants
    • Adjust rules based on false positives

❌ Common Mistakes

  1. Aggressive Auto-Blocking
    • Don’t block without manual review in doubtful cases
    • Legitimate merchants may have seasonal spikes
  2. Ignoring Context
    • Black Friday, Cyber Monday have different patterns
    • B2B merchants naturally have higher tickets
  3. Static Thresholds
    • Adjust thresholds by industry and size
    • What’s normal for large merchant is suspicious for small one
  4. Lack of Documentation
    • Document all blocking decisions
    • Regulators may request due diligence evidence

Monitoring Program KPIs

{
  "programKPIs": {
    "merchantPortfolio": {
      "totalActiveMerchants": 1250,
      "highRiskMerchants": 45,
      "underReview": 12,
      "suspended": 8
    },
    "fraudPrevention": {
      "fraudAttemptsPrevented30d": 127,
      "estimatedLossesPrevented": 245000.00,
      "falsePositiveRate": 0.08,
      "timeToDetection": "4.2 hours"
    },
    "compliance": {
      "chargebackRatePortfolio": 0.007,
      "merchantsAboveThreshold": 3,
      "merchantsTerminated30d": 2,
      "avgInvestigationTime": "18 hours"
    },
    "efficiency": {
      "alertsGenerated30d": 450,
      "alertsReviewed": 445,
      "truePositives": 89,
      "falsePositives": 356,
      "precision": 0.20
    }
  }
}

Integration with Intelligence Dashboard

All merchant alerts automatically consolidate into Intelligence Dashboard:
  • Cases per Merchant: One case per merchant under investigation
  • Grouped Alerts: All merchant alerts in one place
  • Event Timeline: Complete behavior history
  • Documented Decisions: Record of actions taken
  • Collaboration: Teams can work together on complex cases

Next Steps

Overview

Monitoring system overview

Fraud Detection

Protect against fraud in real-time

AML Monitoring

Regulatory compliance and laundering detection

API Reference

Complete endpoint documentation