Mastercard EFM: The 3DS Exit and the ECP Trap for Casinos
Mastercard's Excessive Fraud Merchant program has an exit Visa never built: hold 3DS above the 10% line (50% in SCA markets) and EFM cannot flag you. What the thresholds mean for a gambling book, the unpublished fine schedules, and why the real risk sits in ECP at a floor of 100 chargebacks.
Editorial Team
VerifiediGaming Payment Solutions
A gambling merchant that authenticates more than a tenth of its Mastercard volume cannot be identified by the network's fraud program in unregulated markets; where SCA applies, the same door sits at 50% of volume. That is the fourth entry criterion of the program working as designed: EFM captures a MID only when its 3DS share of clearing volume sits below the line and the three other criteria fire in the same month. J.P. Morgan's merchant FAQ spells the exit out: keep 3DS utilization above the line and the MID maintains compliance, whatever its fraud chargebacks are doing. Visa spent 2025 consolidating its legacy dispute and fraud programs into VAMP and did not carry an equivalent door; our VAMP breakdown for casino books covers that network. Mastercard built the door into the frame.
The problem sits in the other program. The one that actually catches gambling books is the Excessive Chargeback Program (ECP), which counts every chargeback regardless of reason code, has no authentication clause, and identifies a merchant at one hundred chargebacks a month on a 1.5% ratio, a count floor fifteen times lower than VAMP's 1,500 items. And every threshold and every fine in both programs comes with an asterisk: Mastercard publishes none of them itself.
The entry gate: four criteria, and all four must fire
EFM is an AND gate. J.P. Morgan's program guide opens the criteria list with "all of the following conditions are met," and Stripe's documentation mirrors it: a MID has to breach every threshold in the same month to be identified. Break any single one and the program cannot see you.
| Criterion | Line | How it is measured |
|---|---|---|
| E-commerce transactions | 1,000 or more | Mastercard clearing transactions, prior calendar month, per MID |
| Fraud chargeback amount | USD 50,000 or more (Australia: 15,000) | First-presentment chargebacks under reason code 4837, processed in the current month |
| Fraud chargeback rate | 50 basis points or more (Australia: 20) | Count of current-month fraud chargebacks divided by prior-month e-commerce sales count, times 10,000 |
| 3DS / DSRP share | Below 10% unregulated, below 50% regulated | Share of monthly clearing volume authenticated via 3DS (including Data Only) or Digital Secure Remote Payments |
How a casino book scores against that table sits in the measurement fine print. The fraud rate is count against count, and the two counts come from different months: this month's fraud chargebacks over last month's sales, times 10,000. J.P. Morgan's own worked example runs 100 chargebacks over 10,000 sales to get 100 basis points. The reason-code universe is narrow: 4837, no cardholder authorization. Its sibling 4863, cardholder does not recognize, still appears on some acquirer pages, but Checkout.com's April 2026 material lists 4837 alone and Chargeback Gurus reports 4863 as discontinued, so for 2026 planning the numerator is 4837. And the dollar criterion is separate from the rate: a book can run 300 basis points of small-ticket fraud chargebacks and stay out of EFM because the total never reaches $50,000.
The measurement unit is the individual MID. The public rules define the monitored merchant by the acquirer-assigned identifier in DE 42 of clearing messages, and J.P. Morgan confirms compliance is measured and billed at MID level. No public rule describes aggregation across a merchant's MIDs, which is why the multi-MID structuring conversation exists at Mastercard just as it does under VAMP's per-descriptor measurement. The boundary between legitimate segmentation and misrepresentation sits where we drew it in the VAMP piece, and Mastercard moves it nowhere.
Geography trims the scope further. Stripe lists EFM as inapplicable in Germany, India and Switzerland; Checkout.com extends the exclusion to the whole monitoring family and adds Liechtenstein and a few micro-territories. The exclusion attaches to the merchant's own country: a book processing through a German entity sits outside the program whatever its licenses say, while a German-licensed brand processing through Malta stays inside it. As for what "regulated" means in the 3DS criterion, Braintree and Checkout.com both define it as markets with a legal strong-customer-authentication requirement, and no official country list is public. J.P. Morgan puts the United States and Canada on the 10% line and Europe on the 50% line, which produces the practical geography: an SCA-market book clears 50% on the regulatory baseline alone unless it leans hard on exemptions, so the fourth criterion rarely fires there. For a gambling operator, EFM pressure concentrates in US, Canadian, LatAm and non-SCA Asian and Middle Eastern volume, which is to say the offshore side of the book.
The thresholds and fines live behind the Mastercard Connect login
Every write-up we checked for the Visa piece could at least point at an official fact sheet with thresholds in it. Mastercard offers nothing equivalent. A page-by-page check of the public Security Rules and Procedures across the February 2019, August 2024 and February 2026 editions turns up definitions, the ratio formula and, since the 2022 edition, not one numeric threshold: section 8.3 defers the numbers to the Data Integrity Monitoring Program manual and the Pricing and Billing Resource Center, both behind the Mastercard Connect login. The 2019 edition still carried an older fine formula, $25 per chargeback above 150 basis points; by the 2022 edition even that was gone from the public text. A blog that cites "Mastercard's Security Rules and Procedures" as the source for thresholds is citing a document that does not contain them.
What the numbers rest on instead is acquirer documentation that agrees with itself to the dollar: J.P. Morgan's guide and FAQ, Stripe, Braintree and Checkout.com publish the same schedules. That is the attribution level for everything in the table below. The same pages recycle a retired fine formula and a two-month entry myth alongside the misquoted source.
| Months in program | EFM | ECM | HECM |
|---|---|---|---|
| 1 | No assessment | No assessment | No assessment |
| 2 | $500 | $1,000 | $1,000 |
| 3 | $1,000 | $1,000 | $2,000 |
| 4 to 6 | $5,000 | $5,000 | $10,000 |
| 7 to 11 | $25,000 | $25,000 | $50,000 |
| 12 to 18 | $50,000 | $50,000 | $100,000 |
| 19+ | $100,000 | $100,000 | $200,000 |
Assessments are denominated in euros or dollars depending on region. On the ECP side, ECM and HECM, an issuer-recovery charge of $5 per chargeback beyond 300 stacks on top from month four; Stripe's worked example has a month-four merchant with 400 disputes paying $5,500. EFM carries no issuer-recovery component. Sit in EFM without fixing anything and J.P. Morgan's guide totals the first eighteen months at $491,500.
The month counter is the mechanism operators misread. It does not reset when you have one clean month. J.P. Morgan's example: identified in June (month one, no fee), compliant in July, identified again in August, and August bills as month two. The counter only clears after three consecutive compliant months close the audit, and for EFM, compliance means breaking any one criterion: rate under 50 basis points, or amount under $50,000, or the 3DS share above its line. Extensions to remediation deadlines are granted case by case, and Checkout.com notes the downside: fail the extension and the waived assessments come back retroactively. Stripe adds one narrow mercy, a one-time suspension of an assessed fine per open case, on request.
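The counter behaviour and the EFM column of the schedule can be checked with a small model. This is an added example, not code from the article or from any acquirer; the function names and the rule that the counter advances only in identified months are assumptions read off the June/July/August example.

```python
# EFM assessment by month in program, per the acquirer-published schedule above.
# Each pair is (last month the fee applies to, fee in USD).
EFM_SCHEDULE = [(1, 0), (2, 500), (3, 1_000), (6, 5_000), (11, 25_000), (18, 50_000)]
EFM_MONTH_19_PLUS = 100_000


def efm_fee(month_in_program: int) -> int:
    """Look up the EFM assessment for a given month-in-program number."""
    for last_month, fee in EFM_SCHEDULE:
        if month_in_program <= last_month:
            return fee
    return EFM_MONTH_19_PLUS


def run_counter(months):
    """Bill a sequence of (label, identified) months.

    Assumption drawn from the June/July/August example: the counter advances
    in each identified month, holds through an isolated compliant month, and
    clears once three consecutive compliant months close the audit.
    """
    counter, clean_streak, ledger = 0, 0, []
    for label, identified in months:
        if identified:
            counter += 1
            clean_streak = 0
            ledger.append((label, counter, efm_fee(counter)))
        else:
            clean_streak += 1
            if clean_streak >= 3:
                counter = 0  # audit closed, next identification is month one
            ledger.append((label, None, 0))
    return ledger


def total_assessed(ledger) -> int:
    """Sum of assessments across a ledger returned by run_counter."""
    return sum(fee for _, _, fee in ledger)


if __name__ == "__main__":
    # Constructed timelines, not real merchant data.
    print(run_counter([("Jun", True), ("Jul", False), ("Aug", True)]))
    print(total_assessed(run_counter([(m, True) for m in range(1, 19)])))
```

Eighteen consecutive identified months sum to the $491,500 figure quoted above, which is a quick way to confirm the schedule was transcribed correctly.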
ECP is the program a casino actually meets
The ECP is older, blunter and closer to a gambling book's real exposure. It has two tiers: ECM at 100 or more chargebacks in a month combined with a chargeback-to-transaction ratio of 1.5% or more, and High Excessive at 300 and 3%. Both legs must hit in the same month. The Chargeback-Monitored Merchant pre-tier that some guides still describe was retired in April 2020, per Braintree; a page presenting CMM as a live early-warning stage is six years stale.
The ratio definition is one of the few numbers with a public primary source, and it has a quirk. The current Security Rules and Procedures, section 8.3.1: basis points are the chargebacks received in a calendar month divided by the transactions of the preceding month, times 10,000. A chargeback belongs to the month it is raised, even when the sale it disputes settled the same month. Put a casino promo calendar against that fraction and it distorts in both directions: a March free-bet campaign that doubles deposit count halves April's measured ratio, and when the campaign ends, the denominator collapses in the very month the March cohort's chargebacks arrive in the numerator. The ratio spike lands about a month after the marketing spike, on the quieter volume.
100 chargebacks
The ECM identification floor, unchanged since April 2020
Visa's VAMP does not apply its Excessive line until a merchant produces 1,500 fraud-plus-dispute items in a month. Mastercard identifies at 100 chargebacks and a 1.5% ratio. A mid-size book that is invisible to VAMP's floor can be one bad NFL Sunday from a Mastercard letter, which makes ECP the Mastercard number to watch.
Two more properties make ECP the casino-relevant program. It counts everything: J.P. Morgan's FAQ specifies first-presentment chargebacks regardless of reason code or transaction type, so the 4853 cardholder disputes that survive authentication count next to the 4837s. And it has no authentication clause. 3DS moves a player's I-never-authorized-this story off reason code 4837, but it does nothing against a dispute filed as a service complaint, and ECP prices both the same. The exit door described above is cut into EFM's wall only.
The two programs interact by priority. A merchant qualifying for both is assessed under alone, per J.P. Morgan, but Stripe documents the part that stings: the month counter keeps ticking in the background, so a merchant that spends March and April in and clears it can surface in May already at month three. Checkout.com adds that once a merchant has been identified for twelve months, the higher of the two programs' assessments applies; we found that rule nowhere else public, so it stays at the level of one acquirer's guidance.
Three Mastercard rules point at 3DS, and Visa points the other way
The exit criterion is the first push: hold the authenticated share above 10% of clearing volume, or 50% where SCA applies, and identification is impossible by definition. The second push is mechanical. A fully authenticated transaction, indicator 212 in the clearing codes Checkout.com publishes, or a tokenized DSRP transaction at 242, carries the fraud liability shift, which Stripe describes as moving liability for fraudulent card payments off the merchant, so the dispute does not come back to your MID as a 4837. So authentication works both ends of the gate at once, lifting the exit share while it drains the numerator that the other two fraud criteria measure. The asterisk is Data Only: J.P. Morgan counts it toward the 3DS-utilization share, but it grants no liability shift, so a book leaning on Data Only climbs toward the exit while every fraudulent transaction still bills to its own column, and the friction savings arrive with the full fraud liability still attached.
The third push is gambling-specific and sits in the public rulebook. Pages 45 and 46 of the February 2026 Security Rules and Procedures: outside the EEA, Gibraltar and the UK, every non-face-to-face gambling transaction, defined as MCCs 7800, 7801, 7802, 7995 and 9406, must include the CVC 2 value in the authorization request unless it carries indicator 212 or 242, or a correctly linked credential-on-file trace back to a verified initial transaction. Inside the EEA, Gibraltar and the UK the same rule appears in an SCA-native form. The CVC 2 core of this requirement is at least as old as the February 2019 edition; the authentication alternatives are the current text. Checkout.com describes a monitoring wrapper around this same standard, effective June 30, 2025 for gambling MCCs in APAC, MENA and the US, with assessments for non-compliance; the date and the regional scope appear in no other public source we could find, so file that layer as acquirer guidance until Mastercard's own text confirms it.
Visa's architecture runs the other way, and for this vertical the contrast matters more than any threshold number this year. counts a against you whether or not the transaction was authenticated; the old carve-out for reason 10.5 was retired with the legacy programs. Visa then goes a step further with a fraud-monitoring variant for authenticated US traffic that survived the 2025 consolidation, at $75,000 and 0.9%, whose sanctions include stripping flagged merchants' transactions of their liability protection, per Checkout.com. One network treats authentication as the way out of monitoring; the other monitors the authenticated channel separately. If your dispute stack was built for Visa, it is calibrated to a network where 3DS buys probability, not absolution, and it will undervalue what 3DS buys on the Mastercard side.
None of this argues for challenging every deposit. In SCA markets the regulatory baseline does most of the work. In the 10% markets the gate is a tenth of volume, and the tenth picks itself: first-time depositors, unrecognized devices, sessions arriving through a VPN, cards whose issuing country disagrees with the login geography. Authenticate that slice and the returning-depositor majority never sees a prompt while the share clears the line. Challenge indiscriminately and you trade deposits for a metric, a trade the decline-recovery math rarely endorses.
The monthly pull per MID, and the clock that starts July 24
The Mastercard side of the monthly dispute review comes down to four numbers, pulled per MID and per acquirer, sitting next to the counters you already run:
- Authenticated share of clearing volume, 3DS plus DSRP including Data Only, against the 10% or 50% line for each market's regulatory status
- Reason code 4837 count and dollar amount: the count over last month's e-commerce sales count against 50 basis points, the amount against $50,000
- All-code chargeback count against the 100 floor, and the ratio against 1.5% of last month's transaction count, with the promo calendar's denominator effect marked on the chart
- Share of gambling-MCC authorizations carrying CVC 2, indicator 212 or 242, or a linked credential-on-file trace, because that verification standard comes out of the network rulebook and binds every acquirer
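The first three numbers in that pull reduce to a per-MID check with a lagged denominator. The sketch below is an added example, not the article's or any acquirer's code; the `MidMonth` fields and sample figures are constructed, the Australian thresholds are left out, and a card-not-present-only book is assumed so one prior-month count serves both programs.

```python
from dataclasses import dataclass


@dataclass
class MidMonth:
    """One MID, one month. Field names are constructed for this example."""
    prior_txn: int        # prior-month e-commerce transaction count (CNP-only book assumed)
    fraud_cb: int         # current-month first-presentment 4837 count
    fraud_usd: float      # current-month 4837 amount
    all_cb: int           # current-month chargebacks, every reason code
    auth_share: float     # 3DS (incl. Data Only) + DSRP share of clearing volume
    sca_market: bool = False


def bps(current: int, prior: int) -> float:
    """This month's count over last month's count, times 10,000."""
    if prior == 0:
        return float("inf") if current else 0.0
    return current * 10_000 / prior


def efm_checks(m: MidMonth) -> dict:
    """The four EFM criteria; identification needs every one to be True."""
    return {
        "volume": m.prior_txn >= 1_000,
        "amount": m.fraud_usd >= 50_000,
        "rate": bps(m.fraud_cb, m.prior_txn) >= 50,
        "below_3ds_line": m.auth_share < (0.50 if m.sca_market else 0.10),
    }


def efm_identified(m: MidMonth) -> bool:
    return all(efm_checks(m).values())


def ecp_tier(m: MidMonth):
    """ECM at 100 chargebacks and 1.5%; HECM at 300 and 3%; both legs required."""
    ratio = bps(m.all_cb, m.prior_txn)
    if m.all_cb >= 300 and ratio >= 300:
        return "HECM"
    if m.all_cb >= 100 and ratio >= 150:
        return "ECM"
    return None


# Constructed promo calendar: a March campaign doubles transaction count.
PROMO = {
    "Apr": MidMonth(prior_txn=20_000, fraud_cb=40, fraud_usd=9_000, all_cb=160, auth_share=0.12),
    "May": MidMonth(prior_txn=10_000, fraud_cb=40, fraud_usd=9_000, all_cb=160, auth_share=0.12),
}
# Constructed small-ticket book: 300 bps of 4837s, but under the dollar line.
SMALL_TICKET = MidMonth(prior_txn=5_000, fraud_cb=150, fraud_usd=30_000, all_cb=150, auth_share=0.02)

if __name__ == "__main__":
    for month, m in PROMO.items():
        print(month, ecp_tier(m), efm_identified(m))
    print("small-ticket", efm_checks(SMALL_TICKET), ecp_tier(SMALL_TICKET))
```

With identical chargeback counts, the sample MID is clear in April and an ECM in May purely because the denominator fell back to its pre-promo level, and the small-ticket book stays out of EFM while still landing in ECM.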
July 24, 2026: the scam flag goes on a 72-hour clock
From that date, Mastercard's Scam Merchant Monitoring Program requires acquirers to investigate a scam flag within 72 hours. The trigger set, per vendor recaps from Solidgate and Chargeflow: a refund-plus-chargeback rate above 5% over 30 days for merchants with under six months of history and 500-plus transactions, an approval rate that drops 50 points inside 72 hours or lands below 30%, and Fraud and Loss Database reports coded 56, manipulation of cardholder, from at least two issuers. The sanction is suspension of processing, with no fee schedule in between. No public Mastercard announcement text exists; treat the details as vendor-tier until your acquirer's bulletin confirms them.
Mastercard wrote a fraud program that a well-run gambling book can architect itself out of, because the exit criterion rewards a control the vertical needs anyway, and a chargeback program that nothing exits, because bet-regret is not an authentication problem. Visa took the headlines this spring because its threshold moved; Mastercard's have not moved since 2020, and for most gambling books the nearer tripwire belongs to the network nobody is writing about. A hundred chargebacks is a bad month, not a crisis quarter. Keep the authenticated share above the gate and read the ratio against last month's denominator before trusting it, and the network with the unpublished numbers turns out to be the more predictable of the two.
Sources (16)
- 01. Mastercard: Security Rules and Procedures, Merchant Edition (Feb 3, 2026 PDF)
- 02. J.P. Morgan: Mastercard Excessive Fraud Merchant FAQ (PDF)
- 03. J.P. Morgan: Mastercard Excessive Fraud Program Guide (PDF)
- 04. Stripe Docs: Fraud and dispute monitoring programs
- 05. Stripe Docs: 3D Secure authentication and the liability shift
- 06. Checkout.com Docs: Scheme monitoring programs (updated April 2026)
- 07. Checkout.com Support: The Mastercard monitoring program for gaming and gambling merchants
- 08. Braintree (PayPal): Excessive Fraud Merchant program
- 09. Braintree (PayPal): Excessive Chargeback Program
- 10. Mastercard: Security Rules and Procedures, February 2019 edition (archived)
- 11. Mastercard: Security Rules and Procedures, August 2024 edition (archived)
- 12. Thredd: Fraud reporting (SAFE to Fraud and Loss Database)
- 13. Mastercard Developers: Fraud and Loss Database
- 14. Chargeback Gurus: Mastercard dispute reason code 4863
- 15. Solidgate: Mastercard Scam Merchant Monitoring Program
- 16. Chargeflow: Mastercard Scam Merchant Monitoring Program 2026