The Mastercard MATCH List: What is it?
Credit card processors (ISOs) and acquiring banks have to control fraud somehow, right? One of the ways they do this is through the MATCH list.
The MATCH List is a detailed list of businesses that have had one or more merchant accounts terminated by their processor or acquiring bank. It’s an industry wide list that is intended to serve as a way to alert all credit card processors and member banks of merchants that pose a “higher risk” to them.
The existence of this list makes it practically impossible for a merchant to hide an account that’s been closed due to fraud, or any of the other reasons in the list of conditions below.
Mastercard was the first to address fraud in the credit card processing industry, by creating the MATCH List. To this day, this list is just one way Mastercard helps ISOs and acquiring banks perform more effective underwriting.
There are 12 different reasons your business might be put on the MATCH List, and they’re listed below. Any acquiring banks working with Mastercard are mandated to check the list before taking any new merchant on. If the merchant is found on the MATCH List, they’ll be rejected by 99.9% of merchant account providers when applying for a new merchant account.
Merchants on this list often have a difficult time finding options to process payments. This is because being on this list means credit card processors consider you to be particularly “high risk.”
Specifically, it indicates that another provider has closed an account for you for a reason (below) that the industry at large has agreed is too high risk.
There are very few processors that will work with MATCHed merchants, but they’re out there.
Easy Pay Direct is one of the few credit card processors that works with MATCHed merchants (depending on why they were put on the MATCH list in the first place, of course).
The TMF List
TMF is an acronym for “Terminated Merchant File,” which is what the MATCH List used to be known as.
Some time ago, Mastercard rebranded the TMF list into the more benign-sounding “MATCH List.”
The Member Alert To Control High-risk merchants List tells credit card processors and member banks about high-risk merchants, at least as they are defined by Mastercard.
Using the MATCH List, credit card processors and member banks seek to avoid working with merchants that cause them undue risk. Sadly, merchants often get put on this list frivolously. To recap, the MATCH List is the same thing as the TMF.
What is not the same is the GNF, which we’ll talk about later.
Getting on the MATCH List
Simply put, the MATCH List is one list that you don’t want to be on.
But anyone that’s committed fraud in the last five years is likely to be on it. Any merchant added to the list in a rolling 60-month period will pop up as a “MATCHed Merchant” when applying for a new merchant account.
They’ll drop off after five long years. Other than that, though, it’s difficult to get off the list once you’re on it. We’ll talk about how to get off the list later on in this article.
Fraud is one of the core reasons the industry puts businesses on the list. But fraud is not the only way to get on it. You can be put on the list for sharing account data, for example. Or for getting too many chargebacks. Or for not being compliant with the Data Security Standards of the Payment Card Industry (PCI-DSS).
While the reasons one could be put on the list are somewhat broad, the list is intended to be reserved for reasons that are indicative of deliberate fraud or persistent behavior that leads to chargebacks or data compromise.
Occasionally, Mastercard will place merchants on the list directly. Typically, though, it’s the credit card processor (ISO) or acquiring bank that adds the merchant. Mastercard’s rules state that if a merchant account was closed for any reason that’s on the list below, the acquiring bank has five days to put them on the MATCH List. This obligation exists between Mastercard and the member bank, so there’s not a lot a merchant can do to halt the bank’s actions.
However, if your processor (ISO) or member bank discontinues its business relationship with your or some other merchant for any other reason not on the list of reasons below, then that merchant should not be placed on the list.
Sometimes a merchant can be placed on the list for reasons outside of their control. Specifically, codes, 01, 02 and 14 indicate situations of an account breach or a case of identity theft. In these cases, the merchant might be the victim of some 3rd party bad actor.
Mastercard does have very clear rules about how a merchant gets placed on the MATCH List. However, placement on the list is nearly always triggered by the processor (ISO) and member bank. Mastercard provides nearly no oversight over who gets on the list at any given time.
Unfortunately, merchants are typically not notified when they get put on the MATCH List.
Typically they only find out they are on the list when they apply for a new account and subsequently get rejected.
All possible MATCH List list conditions are detailed below.
MATCH Codes & Meanings
There are 14 possible MATCH codes, each of which has a specific meaning that indicates why the merchant was put on the list.
Here are the codes, explained:
|01||Account Data Compromise||Data stolen from card-present merchant & used with others|
|02||Common Point of Purchase||Data stolen from card-present merchant & used with others|
|03||Laundering||Merchant processed transactions not involving a genuine cardholder|
|04||Excessive Chargebacks||Merchant has processed too many chargebacks|
|05||Excessive Fraud||Merchant has too many instances of fraud|
|06||Unused||— — —|
|07||Fraud Conviction||Merchant principal convicted of criminal fraud|
|08||Mastercard Questionable Merchant Audit Program||Merchant labeled “Questionable,” as per Mastercard guidelines|
|09||Bankruptcy, Liquidation, Insolvency||Merchant unable to satisfy their financial obligations|
|10||Violation of Standards||Merchant in violation of at least one card network regulation|
|11||Merchant Collusion||Merchant found to be fraudulently colluding|
|12||PCI-DSS Non-compliance||Merchant not compliant with PCI-DSS standards|
|13||Illegal Transactions||Merchant found processing illegal transactions|
|14||Identity Theft||Merchant or business owner identity in question|
How to Get Off the MATCH List
Once a merchant has been put on the MATCH List, it’s difficult for them to get off of it. There’s only one sure way to get off the MATCH List, and that’s to wait. Anyone on the list will be dropped off the MATCH list five years from when they were put on it, as the list goes back just 60 months.
That said, it is possible to be removed before that time passes.
If a merchant contacts their processor or member bank, preferably with support from an attorney, the bank can then contact Mastercard on the merchant’s behalf if they feel compelled to do so. Unfortunately, when a credit card processor puts a business on the MATCH list, there is rarely an incentive to take them off the MATCH list.
The most successful approach we’ve seen is to have an attorney represent you in the effort to get off the MATCH list.
Easy Pay Direct can help with this, so if you should find yourself on the list, please contact us.
Sometimes merchants are placed on the list in error. If that happens, the processor/member bank can contact Mastercard to report this. If the processor agrees that the merchant was put on the list in error, they can have the merchant taken off the list.
Lastly, if a merchant was added for Reason Code 12 (PCI-DSS Non Compliance), they can petition to be taken off the list once they are again in compliance with data security standards.
It’s worth noting that it’s fairly unusual for a provider to put a merchant on the MATCH list for a PCI compliance issue, unless it results in a large-scale data breach or causes a significant loss for the provider.
Avoiding the MATCH List
Usually, staying clear of the MATCH List means adhering to the general principles of quality business. As a merchant, there are things which are under your control, such as maintaining good passwords to keep yourself safe from identity theft and fraud.
You can also ensure that you remain compliant with all standards and regulations of Mastercard and PCI-DSS.
As a merchant, It is also important to reduce the number of chargebacks processed to stay off the MATCH list. The core concern of a credit card processor is losing money. “Excessive chargebacks” is one of main reasons even the “high risk credit card processors” might put someone on the MATCH list.
Credit card processors that are comfortable with risk generally allow for up to a 1% chargeback ratio (1% of your transactions) before they would even consider closing your account for chargebacks.
Your chargeback ratio generally needs to spike to 2-3% or more before you run the risk of being added to the MATCH list. It’s worth noting that these are general guidelines. The industry you’re in, business size, and marketing model all play a big role in the “allowable” chargeback ratios.
Reputable credit card processors generally don’t add you to the MATCH list for this reason unless you have excessive chargebacks and make no effort to or are unable to reduce them over time.
The GNF List
Some folks confuse the MATCH list with its less-widely-known cousin, the GNF list. The idea is the same, but it’s not the same thing.
GNF stands for “Group Negative File.” It was created by First Data (which was purchased by Fiserv in 2020), a credit card processing company that’s not nearly as large as Mastercard or Visa. They use the GNF to keep track of entities that they don’t want to do business with.
However, it is worth noting that several ISOs (credit card processors) will rent the GNF list and use it as an element of their underwriting decisions.
As such, being on the GNF list is not necessarily an indication that fraud has actually taken place.
You can be placed on the GNF list for many reasons — yet the most common reason for being on the GNF is that you’ve had a Fiserv (previously known as First Data) account closed. Either that, or Fiserv will put you on there if they decide they don’t like your business for some reason.
Finding one account on the GNF list doesn’t mean your other Fiserv accounts will be closed too.
It simply means that First Data doesn’t like your business. They may disclose that reason to you, but then again they might not. It is, after all, an internal list.
Fiserv’s Commentary on When the GNF Matters:
The credit card processing industry is big, and the relationships between different parts of it can be confusing.
At various times, Fiserv can be:
- A Front End Processor (where you’ll see Fiserv on your statements).
- A Back End Processor (where there will be a different brand on your statements).
- A Secure Channel Vendor (where they “rent” their secure channel similar to the way mobile companies lease cell towers).
- An Equipment Vendor (which is not applicable to this article).
The GNF only matters in the first two scenarios above — only if Fiserv is either the front-end or the back-end processor.
A Few More Details…
Wells Fargo is Fiserv’s “Acquiring Bank.”
Also known as a “Member” or “Sponsor” bank, the acquiring bank reports directly to Visa and Mastercard. As such, their first concern is with adherence to Visa/MC’s rules and regulations. They police them for their processors.
When Fiserv is the back end processor, Wells Fargo holds the risk on the merchant account. As such, they make the final approval or denial of the merchant accounts.
And they use Fiserv’s GNF list to guide them — but they do not control the GNF themselves.
On its own, Wells Fargo is purely a banking institution. Most of their operation has little, if anything to do with Fiserv.