Pillar Guide
The MATCH List for Gambling Merchants: What the Rulebook Actually Says
MATCH explainers across the internet copy a stale 14-code table. This guide works from Chapter 11 of Mastercard's February 2026 rulebook: 11 codes, exact thresholds, and five rights a terminated gambling merchant has that nobody selling removal services will mention.
Editorial Team
VerifiediGaming Payment Solutions
Nobody tells a gambling merchant they have been put on MATCH. No letter or email goes out, and nothing appears in a dashboard. The listing happens inside the acquirer's risk system within five calendar days of the decision to terminate, and the merchant usually discovers it weeks later, when the replacement application that looked routine comes back declined and the new acquirer will not say much about why. Stripe's own documentation is unusually blunt about this: if you are listed, you are likely to find out when you attempt to sign up for a new processor.
That discovery moment is where most operators start googling, and what they find is page after page of removal-service pitches built on a version of the rules that is years out of date. So this guide starts from the primary source instead. We read Chapter 11 of Mastercard's Security Rules and Procedures, Merchant Edition, in the current February 3, 2026 edition, the chapter that defines the system now formally called . It contradicts the SEO consensus on several load-bearing points, including one we ourselves had wrong, and it contains a short list of merchant rights that almost nothing in the search results mentions, presumably because they are free to exercise.
What this is based on
The mechanics below come from Chapter 11 ( System) and Chapter 7 (screening standards) of the February 3, 2026 Security Rules and Procedures, Merchant Edition, quoted directly where it matters. The enforcement story comes from the FTC's public record in FTC v. Cliq (formerly CardFlex), decided May 2026. Where a claim rests on an industry source rather than a rulebook or a court, we say so in place. Nothing here comes from anonymous "we got a client off MATCH" anecdotes.
What actually happens when the account dies
MATCH stands for Mastercard Alert To Control High-risk Merchants. The mechanics in the current rulebook are specific. If either side moves to terminate the acquiring relationship and, at that moment, the acquirer has reason to believe one of the listing conditions exists, the acquirer must add the merchant to within five calendar days. The clock runs from the termination decision, not the effective date. Adding and inquiring are both mandatory, and Mastercard requires every acquirer with merchant activity to use the system. An acquirer that signs a merchant without inquiring first faces compliance cases, filed by whoever inherits the mess, that it will lose, and each failure to inquire carries an assessment of up to USD 5,000 per instance.
The audience reading the database is wider than most terminated merchants assume. Beyond acquirers, the current rules provision access for registered third-party processors, payment facilitators, and data-storage entities, which in practice means the PSP considering your application can surface the listing even when it is not itself the acquiring bank. American Express acquirers report into the same database under their own thresholds, so a termination on the Amex side of the house can seed the listing that later blocks a Mastercard application. And the listing is not a moment-in-time check: runs retroactive matching for 365 days, so an acquirer that inquired about you in March gets an alert if someone else lists you in September.
What sits in the record is the reason the "fresh LLC" plan fails. A listing carries the merchant's legal name, DBA, addresses, phone numbers, URLs, tax IDs, and up to five principal owners with their names, dates of birth, addresses, driver's license numbers, email addresses, and, in the US, Social Security numbers. Matching runs on exact and phonetic logic: the rulebook's own examples are "Easy" matching "EZ" and "Lee" matching "Li" and "Leigh." A new entity with the same UBO does not slip past this. It surfaces as a possible match on the principal, which is what the system was built to do.
5 years
How long a MATCH Pro record lives before automatic purge
Set in Section 11.10 of the February 2026 rules: five years, then automatic purge, with no pause or reset mechanism anywhere in the chapter, and the clock runs whether or not the merchant ever learns the listing exists. Inquiry records are stored for 365 days, which powers retroactive alerts to every acquirer that ever asked.
The reason codes, from the current edition rather than the copies
Almost every MATCH article online reproduces a 14-code table, and even Stripe's otherwise useful documentation still shows the legacy version. That table is stale. The February 2026 edition lists eleven codes an acquirer can use, and the differences are not cosmetic: the old standalone code for Common Point of Purchase is folded into Account Data Compromise, the old Fraud Conviction and Merchant Collusion codes are gone from the authorized-user table, and a Coercion code (06) arrived in the 2025 rules cycle, tied to the coercion-investigation program Mastercard stood up alongside it. If a consultant's site still shows you code 07 or 11, you know which edition of the rules they last read.
| Code | Official name (Feb 2026) | What it covers, and the gambling read |
|---|---|---|
| 01 | Account Data Compromise | Breach of account data used for fraud, absorbing the old CPP code. Rare as a gambling listing. |
| 03 | Transaction Laundering | Submitting card volume that has no merchant agreement behind it. This is the "processing someone else's traffic" code, and the historical enforcement record of gambling payments, from the poker-processing prosecutions onward, is mostly this conduct. |
| 04 | Excessive Chargebacks | The thresholds are written down: the number of chargebacks over the previous three months exceeding 1.5% of monthly Mastercard sales transactions, with USD 5,000 or more in chargebacks. The most common code on iGaming applications, and note how much lower this bar sits than the network monitoring programs; an acquirer can list you long before ECP or VAMP would have flagged you. |
| 05 | Excessive Fraud | Also precise: fraud-to-sales ratio of 8% or more over the previous three months plus ten or more fraudulent transactions totaling USD 5,000 or more. Despite the name recognition this code gets, its thresholds make it rarer than 04 in practice. |
| 06 | Coercion | Transactions processed under threat of physical harm or unlawful taking. Added in the 2025 rules cycle. |
| 08 | Questionable Merchant Audit Program | Mastercard's own audit program determined the merchant met QMAP criteria. The network's investigation drives the determination; the acquirer then files the listing. |
| 09 | Liquidation/Insolvency | The merchant cannot discharge its financial obligations. Shows up when an operator collapses owing reserves. |
| 10 | Violation of Standards | The broad one, and it explicitly covers the accuracy of transaction-message data the merchant controls, naming the MCC. Gambling coded as digital goods, a casino running on an e-commerce descriptor, a sweepstakes book reclassified by a state statute: when that terminates, this is the code that fits. |
| 12 | PCI DSS Noncompliance | The only code with a documented early exit, covered below. |
| 13 | Illegal Transactions | "Engaged in illegal Transactions," one line, no thresholds. Unlicensed gambling volume from a jurisdiction that prohibits it, the classic offshore-facing-US scenario, lands here. |
| 14 | Identity Theft | The listed identity was stolen to open the account. The rules direct extra diligence here because the named principal may be a victim, not a perpetrator. |
Three of these do the heavy lifting in gambling: 04 for the chargeback book, 10 for the miscoded book, 13 for the unlicensed book. The distinction matters when you plan the next application, because a code 04 has a remediation story an underwriter can price (ratios improve, evidence exists), while 10 and 13 are findings about what the business is, and no processing statement talks an underwriter out of those.
One correction of our own while we are here: our sweepstakes payments analysis previously described the reclassification exit as a reason code 05 listing. The official definitions above make clear that miscoding lands under code 10, with code 13 in reserve for the illegality itself, and code 05 is a fraud-threshold code that has nothing to do with it. We have fixed that article and logged the correction in our public corrections log.
The five rights the rulebook gives you
This is the section the removal-services industry has no incentive to write. A terminated merchant has standing, in the text of the rules themselves, to learn and challenge what was filed. None of it requires a retainer.
First, you are entitled to the identity of the lister and the code. Acquirer requirement 10 in Chapter 11: "The Acquirer is required to supply to the MATCH Merchant or another Acquirer the ICA of who added the MATCH Merchant and the reason code." Ask the terminating acquirer, in writing. This single sentence removes the informational black hole that removal services charge to navigate.
Second, deadlines bind the acquirer, not you. An acquirer must respond to a removal request within 30 calendar days and to questions about a listing within seven calendar days, and Mastercard reserves the right to demand copies of those responses. A stonewalled merchant can say, accurately, that the acquirer is out of compliance with its own network's rules.
Third, the rules anticipate you doing this yourself. Section 11.5.1, verbatim: "there is no requirement for a MATCH Merchant to engage legal counsel regarding a request to be removed from ." A removal request needs exactly four things: current and previous merchant name, address, principal owner first and last name, and the website URL if there is one. Lawyers add leverage in genuine dispute cases, and payments-litigation firms are candid that forcing information out of Mastercard itself takes discovery or a subpoena. But the opening moves are letter-writing, not litigation.
Fourth, the listing cannot be used as a debt-collection stick. The rules prohibit an acquirer from using or threatening MATCH over "minor MATCH Merchant discretionary activity"; one of the defined reason codes must exist or be suspected at the decision to terminate. An acquirer that says "settle your reserve dispute or we list you" is describing a noncompliance assessment it is exposing itself to.
Fifth, accuracy is the acquirer's problem. The data filed must match what you provided at onboarding, and an acquirer that files erroneous data and fails to correct it within a reasonable period faces assessments. If the listing misstates the entity, the dates, or the principals, the error-correction path below is live.
Two exits, one clock
Mastercard removes a listing in exactly two situations. The listing acquirer reports it was added in error, or the listing is reason code 12 and PCI compliance has since been validated. The code 12 path is more usable than most merchants know: the request goes to Mastercard in writing with an acquirer attestation plus a validation letter from a Mastercard certified forensic examiner, and if the acquirer refuses to submit it, the rules explicitly let the merchant submit the same request to Mastercard itself. That is the only reason code with a merchant-initiated exit.
Everything else waits out the five years, which leaves the removal-guarantee industry with a problem worth stating plainly: there is no standard early-removal process for a correctly filed listing, so a service guaranteeing removal is guaranteeing something the rules do not provide. We looked for a regulator warning about these services and did not find one, so we will not claim the FTC has acted here. The rules simply contain no third exit.
The first six weeks, mapped to the deadlines in the rules
Day 0
Termination lands. The acquirer has five calendar days from the decision to file the MATCH Pro record. Freeze your own paperwork now: download every processing statement, the merchant agreement, and all correspondence while portal access still works.
Days 1-5
Written request to the terminating acquirer: the reason code and the lister's ICA, which requirement 10 obliges them to supply. Ask what data was filed. Say nothing speculative about the causes in writing.
Days 8-12
The acquirer's seven-calendar-day window to answer questions about the listing runs from receipt of your request, so a request sent in the first week comes due here. Silence past the window is a rules violation you can cite back to them.
Days 7-14
Decide the path on the facts: error in the filing (entity, dates, principals) supports an error-correction request; a code 12 listing starts the PCI validation route; a correct code 04/10/13 listing shifts the goal from removal to documentation.
Days 37-44
The acquirer's 30-calendar-day window to respond to a removal request, counted from receipt, closes. Whatever the answer, you now hold the reason code, the filed data, and the response in writing.
Beyond
Build the file the next underwriter will ask for: six months of statements, the chargeback ratios, what changed. A disclosed listing with a remediation story gets priced; a discovered one gets declined.
The workaround is the crime
Every terminated operator eventually hears the pitch: a processor who can board you "under a different name," an aggregator who will run your volume through an account that already exists. The public record now contains a precise illustration of where that road goes. On May 13, 2026, a federal court in Nevada held the processor Cliq, formerly CardFlex, and two of its executives in civil contempt and imposed $6.5 million in sanctions, per the FTC's announcement. The conduct: processing hundreds of millions of dollars for merchants on the , helping merchants process under different names, and shifting transactions from closed accounts to live ones. This was the second round; the FTC first charged CardFlex in 2014 for boarding merchants it knew were on industry high-risk lists, and the 2026 contempt enforces the order that case produced.
Set the sanctioned conduct next to the sales pitch: they describe the same acts. Processing around a under a different name is not a gray-zone workaround; it is the specific behavior a federal court just priced at $6.5 million, and on the network side it is reason code 03 waiting to attach to everyone involved. That FTC case is also as close as the public record gets to a named MATCH enforcement story of any kind, and the merchants named in it were not gambling businesses. We looked for named gambling operators on MATCH, through court filings, regulator actions, and the trade press, and found none. Listings are contractual and invisible, and they surface only when litigation drags them into the open. Claims you may have read that the Black Friday poker processors were MATCH-listed are not supported by anything in the documented record, which describes miscoding and laundering prosecutions instead.
Processing while listed
One line in the rulebook reframes the whole problem, and the current edition makes the point twice, in the system-features section and again in the inquiry rules: "For the avoidance of doubt, an Acquirer may onboard a MATCH Merchant listed in ." MATCH is an alert system, not a ban list. Nothing in the rules prohibits an acquirer from signing a listed merchant; the system exists so the acquirer prices the risk knowingly. The practical question is who chooses to.
Mainstream rails opt out: Stripe states it generally cannot process for MATCH-listed businesses short of extenuating circumstances like identity theft. A visible segment of US high-risk specialists openly markets MATCH-listed onboarding, and their pricing pages put gambling at roughly 8 to 16 percent all-in with reserves of 10 to 20 percent held 90 to 180 days; treat those figures as that segment's own disclosures, since nobody publishes a post-MATCH gambling rate card. We also checked provider sites across our own catalog, from tier-one acquirers to the crypto rails, and found no published acceptance policy for MATCH-listed applicants in either direction. The only MATCH language a merchant actually signs is the clause consenting to being listed on termination, which sits in the standard agreements of major PSPs. Decisions happen case by case at underwriting, which is why the acquirer underwriting file matters more after a listing than before it, and why "who takes post-MATCH merchants" has one accurate answer: the ones your documentation convinces.
Crypto rails sit outside this system structurally. MATCH access runs through card-network membership, and none of the crypto gateways we review discloses MATCH screening in its onboarding, so a listing does not mechanically block that lane the way it burdens a card application. That describes the screening plumbing only: the licensed gateways still run their own and AML, and a business that just lost its card acquiring for code 13 reasons will get asked the same questions in different words.
FAQ
Can I check whether I am on MATCH before applying anywhere?
Not directly. There is no merchant-facing query, and inquiry access belongs to acquirers and registered service providers. Your rules-backed route is the terminating acquirer, which must supply the reason code and the lister's ICA on request. The unofficial route most merchants use is the one Stripe describes: you find out when an application dies. If you suspect a listing, asking your former acquirer in writing is faster and cleaner than burning applications to test it.
Who can actually remove a listing?
The acquirer that filed it, and in practice only for error correction, plus the code 12 PCI path where Mastercard accepts a validated compliance package, including one submitted by the merchant itself if the acquirer will not cooperate. Mastercard does not arbitrate disputes about whether a correctly filed listing was deserved. Anyone guaranteeing removal outside those two paths is selling something the rules do not contain.
Does MATCH exist outside the United States?
Yes. It is a global Mastercard system, and participation is mandatory for Mastercard acquirers with merchant activity "unless excused by Mastercard or prohibited by law," in the rules' own words. American Express acquirers report into it under their own thresholds. Visa runs its own mandatory equivalent, the Visa Merchant Screening Service: per Visa's developer documentation, acquirers add terminated merchants within one business day and screening looks back five years. Clearing one scheme's file does not clear the other's.
Will forming a new company get around a listing?
The database stores up to five principal owners per listing with their personal identifiers, matches phonetically as well as exactly, and alerts retroactively for a year after any inquiry. A new entity with the same principals surfaces as a possible match on the people. The versions of this plan that involve a cooperative processor and someone else's merchant account are the conduct a federal court sanctioned at $6.5 million in May 2026.
The five-year term is the real cost accounting. An operator listed under code 04 in 2026 re-enters normal card acquiring in 2031, having spent the interval on specialist pricing that runs multiples of tier-one rates. Against that arithmetic, the monitoring-program math we cover in the VAMP and Mastercard ECP and EFM analyses stops being compliance homework and becomes the cheapest insurance in the vertical, because an acquirer can file a code 04 at thresholds well below the network programs' own. The termination letter is late notice; the listing decision was made in a risk meeting you were never in. What the rulebook gives you afterward is a reason code you are entitled to know, two deadlines you can hold the acquirer to, and a clock. Use the first two quickly, and plan the business around the third.
Sources (9)
- 01Mastercard: Security Rules and Procedures, Merchant Edition (Feb 3, 2026 PDF), Chapter 11 MATCH Pro System
- 02FTC press release: Federal Court Holds Payment Processor Cliq in Contempt (May 2026)
- 03FTC press release: FTC Asks Court to Hold Payment Processors in Contempt (January 2026)
- 04Payments Dive: Judge fines payments processor Cliq
- 05FTC press release: FTC Charges Payment Processors Involved in I Works Scheme (2014)
- 06Stripe documentation: The MATCH and VMSS lists
- 07Visa Developer: Visa Merchant Screening Service (VMSS)
- 08Global Legal Law Firm: Getting off the MATCH list
- 09Law Offices of Paul A. Rianda: The MATCH List, a Blackhole