OnBoard by MVSI, the global leader in automated merchant and business client onboarding for regulated markets, today announced the launch of AIQ SiteScanner, a new capability within its OnBoard AIQ platform, built to help payment providers, banks, and acquirers tackle one of the fastest-growing challenges in payments: Merchants using deception to bypass Mastercard BRAM and Visa GBPP rules and controls.

“Critically, we are seeing a clear shift toward vicarious liability across the payments ecosystem. Card schemes are no longer focused solely on the actions of individual merchants—they are increasingly holding acquirers, payment facilitators, and platforms accountable for the behaviour of the merchants they enable,” said Daniel Sheahan, CEO of MVSI. “This shift is being reinforced in the courts, where recent cases have demonstrated a growing willingness to extend liability beyond direct actors to those providing “substantial assistance” or deriving economic benefit from unlawful or harmful activity. This fundamentally changes the risk model: exposure is no longer direct, but network-wide.”

At the same time, brand risk is being reshaped by the speed and scale of public scrutiny. Issues that may once have remained isolated can now escalate rapidly across social and digital channels, drawing immediate attention from consumers, advocacy groups, and the media. For global brands, this creates a new layer of exposure—where association with problematic merchant activity can trigger widespread reputational damage, regardless of direct involvement. In this environment, perception moves faster than investigation, and the consequences of inaction—or delayed action—can be significant.

From cloaking and redirects to disguised storefronts and hidden business activity, online merchants are using increasingly sophisticated tactics to evade traditional compliance checks. What appears compliant on the surface can, in reality, be something very different, creating a growing risk gap for payment providers.

Traditional checks are often too static, too shallow, and too easy to fool. They may capture what a merchant wants a reviewer or scanner to see, but miss what is really happening behind the scenes. At the same time, compliance teams are under pressure to apply increasingly complex card scheme rules across large merchant portfolios, often with limited visibility and heavy manual effort.

Until now, this problem has remained largely unsolved. Generic compliance tools are not designed to handle the layered complexity of Mastercard and Visa’s BRAM and GBPP requirements, where risk depends not just on website content, but on behaviour, identity, jurisdiction, legality, and the differences between Mastercard and Visa rules. Manual review can catch some issues, but it is difficult to scale and even harder to sustain as merchant tactics evolve.

“Compliance teams are no longer dealing with straightforward websites or straightforward risk,” said Sheahan. “They are dealing with merchants who know exactly how traditional checks work and how to get around them. That is what makes this such an urgent problem.”

AIQ SiteScanner has been developed to change that.

Built specifically to help organizations address the complexity of Mastercard’s Business Risk Assessment and Mitigation (BRAM) framework and Visa’s Global Brand Protection Program (GBPP), AIQ SiteScanner combines AI-driven analysis with configurable compliance logic and auditable outcomes to detect hidden risk at scale.

It enables organizations to:

• detect cloaking, redirects, and disguised activity
• identify gaps between a merchant’s stated business and actual behaviour
• apply Mastercard and Visa rules in context
• factor in geography, legality, and operating model
• monitor merchants on an ongoing basis, not just at onboarding

With brand protection a core priority for both Mastercard and Visa, BRAM and GBPP compliance is no longer a simple box-ticking exercise. A merchant may appear acceptable under one scheme but fail under another. A business model may be allowed in one jurisdiction but prohibited in another. High-risk activity may be deliberately concealed behind a legitimate-looking website. These are not easy issues to catch with manual review or general-purpose scanning tools. The cost of getting it wrong can be severe, with card scheme non-compliance assessments escalating into the tens or even hundreds of thousands of dollars, alongside merchant termination, MATCH listing, intensified remediation, and potential restrictions on acquiring activity.

In testing, AIQ SiteScanner uncovered deceptive patterns that standard reviews would be likely to miss, including gambling services disguised as ecommerce products, legitimate domains repurposed for unrelated high-risk activity, redirect chains leading users to external payment or account flows, and inconsistent or missing merchant identity across the customer journey.

As merchant tactics become harder to detect and easier to scale, MVSI believes compliance needs to become more intelligent, more dynamic, and far more resilient to deception.

“This problem has remained unsolved because most tools were never built for this level of complexity,” said Sheahan. “BRAM and GBPP demand far more than a surface-level website check. They require contextual analysis, scheme-specific logic, and the ability to spot behaviour designed to mislead. That is exactly why we built AIQ SiteScanner and, to our knowledge, why it is the first solution designed specifically for this challenge.”

With AIQ SiteScanner, MVSI is helping payment providers move from static checks to continuous, intelligent compliance, giving them a stronger way to detect hidden risk, reduce manual effort, and respond faster to evolving merchant behaviour.