If you run a business that accepts credit card payments (so, every business), then you need to know about the MATCH list.
This database tracks merchants who’ve had their payment processing accounts shut down. Getting MATCHed can destroy your business overnight. You’ll struggle to find any bank willing to process your payments again.
The Member Alert to Control High-Risk Merchants (MATCH) list uses 14 specific reason codes to explain why merchants get blacklisted. Each code tells a different story of what went wrong. Let’s break down these codes with real-world examples so you can protect your business.
OPEN A MERCHANT ACCOUNT ON MATCH
Code 01: Account Data Compromise
This code hits you when hackers steal your customers’ credit card information. Even though you’re also a victim, you’re responsible for protecting customer data.
Real-world example: A restaurant’s payment system gets hacked. Criminals steal thousands of credit card numbers. Even though the restaurant didn’t intentionally leak the data, they failed to secure it properly. The bank adds them to the MATCH list.
What makes this scary? You might not even know you’ve been breached until banks start calling about fraudulent charges traced back to your business.
Code 02: Common Point of Purchase (CPP)
This happens when fraudsters steal card data from your business and use it elsewhere. Your store becomes the “common point” where multiple fraud victims shopped.
Real-world example: A gas station’s card reader gets compromised. Customers who bought gas there later find fraudulent charges at stores across the country. The gas station gets MATCHed because their location was the common thread connecting all the fraud.
Banks watch for patterns. If multiple fraud cases trace back to your business, you’re in trouble.
Code 03: Laundering
This code applies when you process payments for other businesses or fake transactions. Money laundering disguises illegal money as legitimate business income.
Real-world example: A merchant processes transactions for an online gambling site, claiming they’re selling “consulting services.” The bank discovers the real business model and adds them to MATCH for transaction laundering.
Some merchants don’t realize they’re laundering. They might help a friend process payments “temporarily” without understanding the legal implications.
OPEN A SECONDARY PAYMENT PROCESSING ACCOUNT
Code 04: Excessive Chargebacks
This is the most common reason merchants get MATCHed. You hit this threshold when your chargeback rate exceeds 1% of total transactions AND costs $5,000 or more in a single month.
Real-world example: An online clothing store gets hit with returns during holiday season. Customers can’t find the return policy easily, so they dispute charges instead. The store hits 1.2% chargebacks and $6,000 in chargeback costs in December. Their processor terminates them in January.
Both conditions must be met. You need the percentage AND the dollar amount to trigger Code 04.
Code 05: Excessive Fraud
This code targets merchants with abnormally high fraud rates compared to their sales volume. It signals weak fraud prevention or suspicious business practices.
Real-world example: An electronics store starts seeing lots of orders with mismatched billing and shipping addresses. They approve these risky transactions to boost sales. When fraud rates spike, their processor adds them to MATCH.
The key word here is “abnormal.” Banks compare your fraud rate to similar businesses in your industry.
Code 06: Reserved for Future Use
This code exists but isn’t currently assigned to any violations. Think of it as Mastercard’s placeholder for new violation types they might create.
Code 07: Fraud Conviction
If you or your business partners get convicted of fraud-related crimes, you’ll receive this code. This applies to legal convictions, not just accusations.
Real-world example: A business owner gets convicted of tax fraud in their personal life. Even though it’s unrelated to their payment processing, the conviction triggers a MATCH listing.
This code can affect your business even for personal legal troubles outside of payment processing.
Code 08: Mastercard Questionable Merchant Audit Program
Mastercard flags you as “questionable” after their internal review process. This involves violations of industry standards or risky practices.
Real-world example: Mastercard audits a supplement company and finds they’re making health claims without FDA approval. They’re not breaking payment processing rules directly, but their business practices pose regulatory risks.
This code gives Mastercard broad authority to blacklist merchants for business practices they consider risky.
KEEP YOUR RISK PROFILE IN CHECK
Code 09: Bankruptcy/Liquidation/Insolvency
Filing for bankruptcy or showing financial instability can land you here. Banks see bankruptcy as a signal that you can’t meet your obligations.
Real-world example: A small retailer files Chapter 11 bankruptcy to restructure debt. Their payment processor terminates the account immediately and adds them to MATCH, making the financial recovery even harder.
This creates a vicious cycle where financial troubles lead to payment processing problems, making recovery nearly impossible.
ALWAYS HAVE A BACKUP SOLUTION IN PLACE
Code 10: Violation of Standards
This broad category covers breaking Mastercard’s rules or your processor’s terms. It’s a catch-all for various contract violations.
Real-world example: A merchant agreement prohibits selling firearms accessories. The business starts selling holsters without updating their agreement. The processor discovers this during a routine review and terminates the account.
Always read your merchant agreement carefully. Seemingly minor violations can trigger this code.
PROCESSING TERMS THAT SUPPORT YOUR BUSINESS
Code 11: Merchant Collusion
This applies when you work with others to commit fraud. Collusion means coordinating with other merchants, processors, or criminals.
Real-world example: Two business owners create fake transactions between their companies to inflate sales figures and qualify for better loan terms. When banks discover the scheme, both get MATCHed.
This code can result from seemingly innocent business arrangements that cross legal lines.
MERCHANT ACCOUNTS THAT UNDERSTAND YOUR NEEDS
Code 12: PCI-DSS Noncompliance
Failing to meet Payment Card Industry Data Security Standards earns this code. PCI compliance protects customer payment data through specific security requirements.
Real-world example: A retail store stores customer credit card numbers in an unsecured spreadsheet for “customer service purposes.” During a compliance audit, they fail PCI requirements and get terminated.
Good news: This is the only MATCH code where you might get removed early. If you achieve PCI compliance after being listed, you can petition for removal.
STAY COMPLIANT WITH DIRECTPAYNET
Code 13: Illegal Transactions
Processing payments for illegal products or services triggers this code. What’s “illegal” varies by location and changes over time.
Real-world example: A payment processor in a state where marijuana is illegal discovers a merchant is selling cannabis products. Even though neighboring states allow it, the merchant gets MATCHed for illegal transactions.
Stay current on laws affecting your industry. Legal changes can make previously acceptable products illegal overnight.
OPEN AN ACCOUNT THAT BACKS YOUR BUSINESS
Code 14: Identity Theft
This code applies when you or your business principals use false identities to open merchant accounts. It covers both stolen identities and falsified applications.
Real-world example: Someone uses a stolen social security number and fake business documents to open a merchant account. When the bank discovers the deception during verification, they immediately MATCH the account.
This can also apply to legitimate business owners who provide inaccurate information on applications, even unintentionally.
Protecting Your Business
Understanding these codes helps you avoid the MATCH list, but prevention beats cure. Here’s what you can do:
Monitor your metrics closely. Track chargeback rates, fraud rates, and compliance status monthly. Set up alerts before you hit dangerous thresholds.
Invest in security systems. PCI compliance isn’t optional—it’s essential. Regular security audits can prevent data breaches that lead to Codes 01 and 02.
Read your agreements carefully. Know what you can and can’t sell. Understand your processor’s rules and follow them exactly.
Train your staff on fraud prevention. Teach them to spot suspicious transactions and verify customer information properly.
Getting MATCHed isn’t always about doing something wrong. Sometimes legitimate businesses get caught up through no fault of their own. But understanding these 14 codes gives you the knowledge to protect your business and avoid becoming another statistic on this dreaded list.
Once you’re on the MATCH list, you typically stay there for five years. That’s five years of struggling to find payment processing, paying higher fees, and explaining your situation to every potential processor. Prevention is always better than trying to recover from a MATCH listing.
Leave a Reply