MVSI launches AIQ SiteScanner for card scheme risk

OnBoard MVSI has launched AIQ SiteScanner for payment providers, banks and acquirers, targeting risks linked to Mastercard BRAM and Visa GBPP rules.

The tool sits within its OnBoard AIQ platform and is designed to identify online merchants that use deceptive tactics to pass compliance checks, including cloaking, redirects, disguised storefronts and hidden business activity.

The launch comes as payment firms face closer scrutiny over the merchants they serve. Card schemes are increasingly holding acquirers, payment facilitators and platforms responsible for merchant conduct, rather than focusing only on the merchant itself.

Daniel Sheahan, Chief Executive Officer of MVSI, said this shift is widening exposure across the payments chain.

"Critically, we are seeing a clear shift toward vicarious liability across the payments ecosystem. Card schemes are no longer focused solely on the actions of individual merchants-they are increasingly holding acquirers, payment facilitators, and platforms accountable for the behaviour of the merchants they enable," he said.

Sheahan added that recent court cases had also changed the risk picture for companies connected to unlawful or harmful activity.

"This shift is being reinforced in the courts, where recent cases have demonstrated a growing willingness to extend liability beyond direct actors to those providing 'substantial assistance' or deriving economic benefit from unlawful or harmful activity. This fundamentally changes the risk model: exposure is no longer direct, but network-wide," Sheahan said.

Hidden risk

Mastercard's Business Risk Assessment and Mitigation framework and Visa's Global Brand Protection Program set rules for merchant activity, but applying them can be difficult when online businesses disguise what they are doing. A merchant may appear acceptable under one card scheme and fail under another, while legal treatment can also vary by jurisdiction.

Generic compliance products often miss that complexity because they focus on visible website content rather than behaviour, identity, geography and legal context. Manual reviews can catch some problems, but they are difficult to maintain across large merchant portfolios.

"Compliance teams are no longer dealing with straightforward websites or straightforward risk," said Sheahan. "They are dealing with merchants who know exactly how traditional checks work and how to get around them. That is what makes this such an urgent problem."

AIQ SiteScanner uses AI-based analysis, configurable compliance logic and auditable outcomes to assess merchant websites. It is intended to compare stated business activity with actual behaviour and support ongoing monitoring, rather than checks only at onboarding.

OnBoard by MVSI says the system can detect cloaking, redirects and disguised activity; identify gaps between a merchant's declared business and its actions; apply Mastercard and Visa rules in context; and factor in geography, legality and operating model.

Testing results

In testing, the software found patterns that standard reviews would probably miss, according to OnBoard by MVSI. These included gambling services presented as eCommerce products, legitimate domains reused for unrelated high-risk activity, redirect chains sending users to external payment or account flows, and inconsistent or missing merchant identity across the customer journey.

For acquirers and payment firms, the commercial stakes can be significant. Card scheme non-compliance assessments can reach tens or hundreds of thousands of dollars, alongside merchant termination, MATCH listing, remediation demands and possible restrictions on acquiring activity.

The launch reflects a wider challenge for compliance teams: reputational damage can spread quickly through social and digital channels once problematic merchant activity becomes public. That raises pressure on payment firms to spot issues early, especially where a direct link to the underlying activity may be disputed, but the association remains visible.

Sheahan said existing tools were not built for the specific demands of these card scheme frameworks.

"This problem has remained unsolved because most tools were never built for this level of complexity," Sheahan said. "BRAM and GBPP demand far more than a surface-level website check. They require contextual analysis, scheme-specific logic, and the ability to spot behaviour designed to mislead. That is exactly why we built AIQ SiteScanner and, to our knowledge, why it is the first solution designed specifically for this challenge."