Everything You Need To Know About The MATCH List & Terminated Merchant File
Chances are, you’re reading this article because you’ve just found out that you’ve been added to the Terminated Merchant File (TMF) or MATCH list. And now you’re scrambling to figure out what this “list” or “file” actually is, and what to do about it.
Sadly, you’re not the only merchant who’s been caught off guard. The truth is that most merchants won’t know that they are TMF’d or MATCH’d until they submit an application for a merchant account to a new processor and are declined. By then, it’s too late to avoid getting on the list, and the only thing you can do is to try to get off it.
We hope you’re reading this article before you’ve been placed on the MATCH list, but if not, we’ll do our best to explain what it is, how it might affect the way you run your business, and whether there’s anything you can do to get yourself off the list.
What Is The MATCH List?
The MATCH list is essentially a blacklist for credit card processing. Businesses on the MATCH list have had merchant accounts terminated previously or otherwise been deemed a significant risk for payment processors. The MATCH list is the same as the Terminated Merchant File (TMF), an older, more generic term.
Origins Of The MATCH List
MATCH is a system created and managed by Mastercard. It is a database that houses information about businesses (and their owners) whose credit card processing privileges have been terminated for a set of very specific reasons. (We’ll discuss this list of detailed reasons in another section below.)
The MATCH list is used by acquiring banks to screen potential applicants (particularly to see if that applicant has been terminated in the past). They do this to assess and control the risk associated with credit card processing. In a nutshell, the MATCH file is like a “blacklist” that banks cross-check when they take on a new merchant so they can avoid being stuck with the bad apples.
In addition to Mastercard itself, acquiring banks have the ability to add/remove merchants to/from the MATCH database when they have justification to do so. In fact, only the acquiring bank who put you on the list has the power to remove you from the list. (Mastercard can remove merchants from the list too, but they generally won’t deal with merchants directly.)
The biggest problem with the MATCH list–for merchants anyway–is that, at least in the past, Mastercard did very little to verify the accuracy of the information reported by the acquiring banks. In fact, there used to be a warning in Section 11 of Mastercard’s Security Rules and Procedures that Mastercard did not verify the accuracy of the information acquiring banks placed on the MATCH list.
When we updated this article, we couldn’t find this language anymore, and we have heard that Mastercard has started to become a little more involved in verifying the information. However, since they haven’t publicly obligated themselves to check the accuracy of the MATCH list, it’s probably better to assume Mastercard still isn’t tightly policing the banks’ behavior.
As you can see, this means that the acquirers continue to have what is practically full discretion in deciding whom to add to the list. It’s a system without any checks and balances, which can be ripe for abuse, even if unintentional.
Why Do Merchants End Up On The MATCH List?
Generally, a merchant ends up on the MATCH list because their activities, for one reason or another, create a higher risk for the acquiring bank to do business with them. The specific reasons for being added to the MATCH database can vary. Having too many chargebacks, participating in fraudulent activity, or money laundering are all activities that can get you listed.
In the past, Mastercard made it really easy for acquiring banks to add merchants to the list, but, in recent years, they’ve become stricter with their guidelines. To land on the list, a merchant must have done something specifically forbidden. These bad acts are listed in a table in Mastercard’s Security Rules and Procedures (SRP), Section 11.5. Here’s a table summarizing the reasons, along with their MATCH numerical codes:
| MATCH Code | Reason |
|---|---|
| 01 | Account Data Compromise: The Merchant unknowingly or unintentionally facilitated, by any means, the unauthorized disclosure or use of account information. |
| 02 | Common Point of Purchase (CPP): The Merchant knowingly caused or facilitated, by any means, the unauthorized disclosure or use of account information. |
| 03 | Laundering: The Merchant was engaged in laundering activity. Laundering means that a Merchant presented to its Acquirer Transaction records that were not valid Transactions for sales of goods or services between that Merchant and a bonafide Cardholder. |
| 04 | Excessive Chargebacks: With respect to a Merchant reported by a Mastercard Acquirer, the Merchant’s chargebacks in any single month exceeded 1% of its Mastercard sales Transactions in that month, and those chargebacks totaled USD 5,000 or more. With respect to a merchant reported by an American Express acquirer (ICA numbers 102 through 125), the merchant exceeded the chargeback thresholds of American Express, as determined by American Express. |
| 05 | Excessive Fraud: The Merchant effected fraudulent Transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting Standard: the Merchant’s fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the Merchant effected 10 or more fraudulent Transactions totaling USD 5,000 or more in that calendar month. |
| 07 | Fraud Conviction: There was a criminal fraud conviction of a principal owner or partner of the Merchant. |
| 09 | Bankruptcy/Liquidation/Insolvency: The Merchant was unable or is likely to become unable to discharge its financial obligations. |
| 10 | Violation of Standards: With respect to a Merchant reported by a Mastercard Acquirer, the Merchant was in violation of one or more Standards that describe procedures to be employed by the Merchant in Transactions in which Cards are used, including, by way of example and not limitation, the Standards for honoring all Cards, displaying the Marks, charges to Cardholders, minimum/maximum Transaction amount restrictions, and prohibited Transactions set forth in Chapter 5 of the Mastercard Rules manual. With respect to a merchant reported by an American Express acquirer (ICA numbers 102 through 125), the merchant was in violation of one or more American Express bylaws, rules, operating regulations, and policies that set forth procedures to be employed by the merchant in transactions in which American Express cards are used. |
| 11 | Merchant Collusion: The Merchant participated in fraudulent collusive activity. |
| 12 | PCI Data Security Standard Noncompliance: The Merchant failed to comply with Payment Card Industry (PCI) Data Security Standard requirements. |
| 13 | Illegal Transactions: The Merchant was engaged in illegal Transactions. |
| 14 | Identity Theft: The Acquirer has determined that the identity of the listed Merchant or its principal owner(s) was unlawfully assumed for the purpose of unlawfully entering into a Merchant Agreement. |
Note that Code 06 is reserved for future use and Code 08 is for failing a Mastercard audit program; both are left off our table.
Will A Terminated Merchant Account Automatically Put You On The MATCH List?
According to Mastercard (SRP, Section 11.2.2), an acquiring bank is required to put a merchant on the MATCH list if the merchant’s account was terminated for any reason on the list, and they must do so within five days of termination. Since the obligation is between the acquiring bank and Mastercard, there’s not much you can do to stop the bank.
If your acquiring bank (through your processor) terminates its business relationship with you for other reasons, then you would/should not be put on the list.
Can You Get Off The MATCH List?
There are only three ways to get off the MATCH list:
- The incident that placed you on the list ages off after five years (SRP, Rule 11.2.6),
- You were added to the list by mistake (SRP, Rule 11.4), or
- You were added to the list because of PCI non-compliance but you have now become compliant (SRP, Rule 11.4)
These are the only reasons you can get off the MATCH list. Let’s look at these reasons in a little bit more detail.
According to Mastercard’s Security Rules and Procedures, Rule 11.2.6:
Merchant records remain on the MATCH list for five years. Each month, MATCH automatically purges any Merchant information that has been in the database for five years.
So, the five-year rule is pretty automatic. All you have to do is wait and make sure you don’t get on the list for another reason (which won’t age off for another five years).
If you were added to the list by mistake, you must contact the acquiring bank who put you on the list (which usually means you’ll have to contact your previous processor to find out who your acquiring bank was, if you didn’t know already) and work through them to correct the mistake. Note that it must be a genuine mistake that they’ve made, and, unless you can show the mistake through solid evidence, you’ll probably have a hard time getting things changed.
You can do this yourself, of course, but often a high-risk processor can help you. Some of them are experienced in getting people off the MATCH list and, with that experience, probably can tell you right away your odds of getting off the list.
If a high-risk processor can’t help you, a lawyer might be able to. Be aware, though, that lawyers don’t have any special magic. For this article, we read several articles written by lawyers on their law firm websites, and it seems that, while they might be able to more forcefully argue for you if you were put on the MATCH list by mistake, they can’t get you off the list if you were listed for actually having violated the items on the MATCH list. Legal representation costs a lot of money, so don’t hire a lawyer because you’re angry that you’re on the list. Hire a lawyer only if it makes financial sense.
The third and last reason you can be taken off the MATCH list is if you were put on the list because you were not PCI compliant but have since become compliant. Typically, you’ll still have to work through the acquirer who put you on the list, but this is one instance where you can contact Mastercard directly if your former acquirer is unwilling to help.
To get off the list, the most important information you’ll need is a letter or certificate of validation from a Mastercard certified forensic examiner declaring that you are now PCI compliant. You’ll also need the following:
- Acquirer ID Number
- Merchant ID Number
- Merchant Name
- Merchant DBA Name (if any)
- Business Address (including country)
- Business Principal Owner Data (first and last name, country of residence)
The information is to be submitted to a specific Mastercard email (matchhelp at mastercard dot com, written out to avoid spam to Mastercard). Be sure to double-check Rule 11.4 of the SRP and follow it exactly before submitting, if you’re doing this yourself.
Can You Still Process Credit Cards If You’re On The TMF/MATCH List?
What if you’re not on the MATCH list by mistake and you can’t wait five years to age off the list? Can you still process credit cards if you’re on the MATCH list?
While acquirers are required to put you on the MATCH list if they terminate you for MATCH list reasons, they’re not required to refuse to take you as a merchant. The MATCH list is an indication of the level of risk of doing business with you, and some acquirers and processors have a higher tolerance for risk than others.
You must, however, pay a price–literally. If you’re able to find a processor to do business with you while you’re on the MATCH list, it generally means you’ll have to pay a higher processing fee. You’ll probably have to deal with all the standard risk mitigation practices used by the industry, which includes having a reserve account, a longer-term contract, and an early termination fee. In other words, you’ll probably need to work with a high-risk processor.
If a high-risk processor can’t place you, you might still have some alternatives to taking payments. They’re not credit or debit cards, so in one way or another, they’ll probably cause some inconvenience to your customers. Some alternatives include:
- Cash: Only recommended for some specific businesses, since most consumers these days no longer carry a lot of cash, or any cash at all.
- eChecks or ACH: These are separate methods traditionally suitable for businesses that continue to take check payments. They have rules different from credit card processing rules, and ACH might be suitable if you’re on the MATCH list solely because you have a high chargeback percentage.
- Person to Person (P2P) Wallet Apps: Most of the major mobile wallets like Apple Pay, Google Pay, Samsung Pay, Square’s Cash App, and Venmo can do P2P payments. Typically, you can send a payment request to the payor and have them pay via a single button. Because the money exchange is made between two account holders of the same service, there’s no need to go through an acquiring bank to set up the account, so there’s no reason for anyone to check your business against the MATCH list. Note this suggestion is limited to P2P payments. If you wish to take credit cards through, say, Apple Pay, you’ll still need a processor and your business will still be checked against the MATCH list before your account can be approved.
- Zelle: Zelle is a direct money transfer service between banks and it is more like debit cards than credit cards. A bank makes sure the payor has the money in the account before approving the Zelle transfer, so there’s no danger of insufficient funds. You can request payment through Zelle, so this is similar to invoicing by a business.
Your Best Options For MATCH List Credit Card Processing
As already mentioned above, depending on the reason you were placed on the MATCH list, a high-risk processor might be able to help you set up a credit card processing account. Sometimes, this means they can help you correct the mistaken reason as to why you were put on the list. Other times, this merely means that they know of backend processors who are willing to take your business (for a higher fee) despite the higher credit risk your business poses.
Go With A High-Risk Processor
One processor we know who can help some MATCH list merchants is Durango Merchant Services. It’s not an easy task for them, however. In order to be able to help you at all, you must satisfy the following conditions:
- You must not owe any money to the credit card processing company that placed you on the list,
- You must have a letter from the processing company stating that you do not owe any money to them, and
- The reason you were placed on the list must be Excessive Chargebacks (Code 04).
All three criteria must be met, or Durango can’t help you.
Another high-risk processor that might be able to help is eMerchantBroker (EMB). They specifically state on their website that they will work with MATCH list merchants. Be sure to check out our in-depth review of EMB.
As to other high-risk processors, most of them will work with merchants having a high chargeback rate, but they do not specify whether they’ll still work with you if you’re already on the MATCH list for high chargebacks. It might be worth your time to contact them and ask. After all, you don’t have anything to lose. We do know that Soar Payments specifically says they won’t work with MATCH list clients, so you can skip Soar when you make your inquiries.
Go With PayPal, But Proceed With Caution
Lastly, you might be able to fly under the radar a little bit with PayPal, if you’re on the MATCH list. What we suggest below takes advantage of PayPal’s business model, but there’s no guarantee that this will work for you, or work in the long term. Try this at your own risk, and understand that if you’re too blatant about it, they might shut you down.
As a general rule, third-party processors will sign you up for processing with just a simple check to confirm your identity. They don’t run credit checks, and they don’t sign you up directly with an acquiring bank so that you have a one-to-one relationship with the bank. This means that, as long as the bank doesn’t know who you are, they can’t check you against the MATCH list. However, even though third-party processors work differently, eventually, they’ll come along to check the soundness of your application. This is where you could run into trouble.
With Square, you are required to enter into a direct Commercial Entity Agreement with each of their acquiring banks, JP Morgan Chase and Wells Fargo. In Section 4(e) of each of these agreements, you’re notified that the acquiring bank has the right to terminate your processing privileges, even though the term “MATCH” is not specifically mentioned. In particular, Section 4(e) states:
(e) Seller or any person owning or controlling Seller’s business is listed in one or more databases of terminated or high risk Sellers maintained by the Card Brands
Note this section is couched in permissive terms–i.e. JP Morgan Chase or Wells Fargo may terminate. They don’t have to, but they might.
This is why we think that, if you’re on the MATCH list, you’re less likely to be able to process through Square for the long term.
PayPal works a little differently than Square. They sign up individuals as well as businesses, and as far as we can tell, they don’t check individuals. Once you’re upgraded to a business account, this is where things can get a little dicey. We checked several agreements, and, in at least the PayPal Here Agreement and the PayPal Website Payments Pro and Virtual Terminal Agreement, we found some vague language that could apply to MATCH merchants. Note that this language might be in other PayPal agreements that we didn’t get a chance to look through.
If a merchant wishes to take mobile payments through PayPal, then the merchant must join the PayPal Here program. In the PayPal Here agreement, under Section (b) of Reserves and Other Protective Actions, there’s some loose wording that could let them check you against the MATCH list but not tell you and then terminate your account if they find something they don’t like. The section is:
Information. In order to determine the risk associated with your PayPal account and/or use of PayPal Here, PayPal may request at any time, and you agree to provide, any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any PayPal service if your business is materially different from the information you provided in your application.
As to the Website Payments Pro and Virtual Terminal Agreement (which you will need to enter into if you run an online business), there are several places where PayPal may check your business history and refuse to do business with you afterwards. First, almost the same language as the one quoted above appears in a section also entitled Reserves and Other Protective Actions. As well, under Section 15, Termination, PayPal has a right to terminate service for violation of any Card Company Rule or upon the request by an Acquiring Bank or any of the Card Companies. So, the language is again vague enough to catch termination based on the MATCH list.
If you violate any of the MATCH prohibitions while processing through PayPal, you can still be placed on the MATCH list. Once you upgrade to a business account and start to take credit card payments, PayPal’s Commercial Entity Agreement automatically applies to you. Under the Association Rules section (section number varies depending on the agreement but typically Section 2), you must agree to not violate a list of prohibited acts, and that list tracks the MATCH codes list. The Commercial Entity Agreement is entered into between you and each of PayPal’s processors: JP Morgan Chase, HSBC, Wells Fargo, and WorldPay. Every one of these acquirers would have a right to place you on the MATCH list.
Lastly, whether you’re a business user or an individual user, you fall under the PayPal User Agreement. In the agreement, under the section on Restricted Activities and Holds, there is a bullet point that restricts service for those who violate card association or network rules. Again, while somewhat vague, this wording can certainly apply to the MATCH list and gives PayPal the right to terminate service to you. Once service is terminated, PayPal has the right to refuse to provide services to you in the future (see the Actions We May Take if You Engage in Any Restricted Activities section in the User Agreement).
In short, if you’re careful, you might be able to fly under the radar with PayPal for a little bit even if you’re on the MATCH list. But, once you’re upgraded to a business account, there’s a higher chance that you might lose the service. So, proceed with caution, if you decide to try PayPal. It might be able to help you process cards in an emergency, but likely this is not a long-term solution if your business starts to take off and you process a large amount every month.
Is Being A Merchant On The MATCH List The End Of The World?
No, it’s not the end of the world if you land on the MATCH list…but it’s pretty bad. There are many different reasons you could end up on the list. Depending on why you were put on the MATCH list, you might be able to get yourself off early, but in most cases, you’ll basically have to wait five years and age off the list. For instance, if you land on the list due to a mistake by the acquiring bank, you can almost certainly get off the list right away. If excessive chargebacks are the reason, you might have to stay on the list, but you may still be able to get a merchant account to process credit cards through a high-risk processor. But if you were put on the list due to bankruptcy or illegal activity, you’re out of luck.
So the lesson in all of this is that it’s best to avoid getting on the MATCH list in the first place. Understand all the reasons you might be put on the list, and do your best to avoid them. Payment cards are increasingly becoming the primary way consumers pay for goods and services; not being able to take payments this way could mean the end of your business. So be careful!