A high-risk merchant account has never just been a label. It is a decision that affects every aspect of how your merchant account operates. 2026 will be another critical year for merchants in this category, as the card networks further tighten their compliance requirements in 2025 and will introduce further tightening in 2026. At the same time, the technology available to assist high-risk merchants is improving and becoming more accessible.
There are two changes merchants in various high-risk categories should be aware of. First, the compliance and monitoring requirements have become stricter. However, the technology available to assist merchants in reducing fraudulent transactions has improved. As such, having a high-risk merchant account does not mean that a merchant will face greater challenges in 2026. Rather, they will face significantly easier challenges and higher success rates in navigating common issues.
What Is a High Risk Merchant Account, Really?
A high-risk merchant account is created for merchants or companies that are likely to create more credit, fraud, compliance, and chargeback issues than a typical low-risk merchant. These can take many forms, including the nature of the business, order fulfillment, how the business obtains and bills customers for products, and the chargebacks it may incur. Payment providers will review each of these factors to determine whether a merchant account is high risk for the company.
A merchant account is only one component of a complete high-risk merchant payment processing setup. Other aspects of payment processing include the payment gateway, the payment processor or third-party service provider (PSP), the acquiring bank, and more. The overview of the onboarding process on Stripe’s website describes the payment gateway as the secure transfer of data between the merchant and the PSP (acquiring bank).
This is also why the common phrase “high-risk merchant payment gateway” is somewhat misleading. While the payment gateway encrypts and secures the data transferred between the merchant and the payment processor, the acquiring bank and payment processor must still decide whether the merchant and the business model are acceptable.
Why 2026 Feels Different
The biggest change is that network oversight is more unified and visible. The Visa Acquirer Monitoring Program (VAMP) consolidated several programs into one, and the Visa 2025 fact sheet makes it clear that the new thresholds took effect on June 1, 2025. For the AP, Canada, EU, and US, the threshold for excessive merchants dropped from 220 basis points to 150 basis points on April 1, 2026.
Mastercard has its own Excessive Chargeback Program, and the manual states that it allows Mastercard to closely monitor the chargebacks that merchants generate. This enables them to recognize when a merchant is charging back excessively and take appropriate action once they determine this is an ongoing problem.
The rules regarding e-commerce pages on the PCI SSC website have also changed. The PCI Security Standards Council states that the effective date for PCI DSS v4.0.1 did not change the March 31, 2025, effective date for future-dated requirements. Additionally, the Council has published guidance on Requirements 6.4.3 and 11.6.1, which relate to securing e-commerce pages and preventing e-skimming.
How Merchants Should Think About Provider Choice in 2026
The first question that a merchant should ask is not “Who says yes the fastest?” Instead, the first question should be “Who can actually support the risks that I have?” A provider that understands the merchant’s specific billing model will offer more value than someone who offers a quick form fill.
The second question is whether the high-risk merchant payment processing solution resolves the merchant’s most significant operational problems. If the biggest problem is friendly fraud, the focus should be on descriptor management, evidence collection, authentication, and delivery communications. If the biggest problem is declining recurring payments, the focus should be on network tokens, account updater support, and stored credential management. If the biggest problem is PCI scope, the focus should be on the checkout process rather than on a more complicated fraud-prevention system.
The third question is whether the merchant’s internal controls are ready to support increased monitoring. Even the best payment provider in the industry will not be able to help a merchant with poor internal controls, vague product descriptors, poor handling of refund requests, poor subscription management, poor fulfillment communications, and unmanaged scripts within their website.
What’s Getting Harder
“High Risk Merchant Account Instant Approval” Is Usually Not Final Approval
While the phrase “high risk merchant account instant approval” scores well in terms of SEO, it’s not a great description of what happens in accepting risk from high-risk merchants. There’s still a process for verifying the business, its documentation, its website and policies, and the volume of sales that a merchant expects to take in. Companies like Stripe, PayPal, and Braintree all describe this as a process of underwriting and onboarding. With high-risk merchants, “instant approval” means one of two things: that the merchant gets fast intake from the merchant acquisition provider, or that the high-risk merchant is approved with provisional access to the accounts. In either case, the provider will ask for financial and operational details and policies during a review. If this goes badly, the provider may open a reserve on the account, delay funding of that merchant, or even alter the nature of that merchant’s account with the provider.
There Is Less Room for Disputes and Fraud Slippage
Visa’s current VAMP model has a single ratio that looks at both fraud and disputes on card-not-present transactions over the VisaNet network. The thresholds for merchants also mean that there is less leeway for merchants with high numbers of disputes. For example, the threshold for excessive merchants will fall from 220 basis points to 150 basis points in AP/Canada/EU/U.S. on April 1, 2026. Mastercard shows the same trend, even if merchants do not feel it directly from Mastercard. The ECP looks at each merchant individually and allows Mastercard to require additional action from a merchant if that merchant is deemed to be excessive for several months in a row. In this way, high-risk merchants have to manage their descriptors well, handle refunds quickly, and minimize the instances of fraud in their transactions. Visa’s Merchant Data Standards Manual also makes clear that good descriptor management is essential. The standard states that using the correct merchant name and descriptor will minimize the number of requests for copies and the costs that result from using unrecognizable merchant names. For high-risk merchants that may use unclear descriptors, this can create problems in terms of being able to resolve disputes.
Embedded Checkout Pages Carry More Security Responsibility
PCI’s 2025 guidance on e-skimming is probably the most significant reason that merchants on the e-commerce side of online sales have to worry more. Requirements 6.4.3 and 11.6.1 from the PCI SSC require that merchants ensure that scripts on the payment page are authorized, have integrity, and are not susceptible to tampering. As noted in the February 2025 FAQ from PCI, the eligibility of a merchant for a SAQ A for e-commerce with embedded checkout forms depends on whether the merchant confirms that the checkout page is not susceptible to script attacks. The PCI-compliant processor or TPSP must also confirm the implementation of that security measure being used by the merchant to protect that page.
What’s Getting Easier
A Better High Risk Merchant Payment Gateway Stack Can Remove Friction Upstream
A modern high risk merchant payment gateway does more than pass data from the checkout form to the processor. It can work within a system that includes hosted fields and redirect solutions, device and transaction data collection, and authentication tools from the card issuers. EMVCo says that the EMV 3-D Secure protocol allows the merchant and the card issuer to exchange data to authenticate the consumer and approve the transaction. This is especially helpful for merchants in high-risk categories. Fraud can be reduced while preserving sales opportunities. Rather than turning on 3-D Secure authentication across the board, merchants and payment processors can work together to create rules to authenticate only when the risk or issuer data justifies it.
Network Tokens and Account-Update Tools Reduce Avoidable Declines
One of the main reasons that high-risk merchants lose good revenue is not because of fraudulent activity. Rather, it is due to stale credentials and unnecessary declines for card-not-present transactions. Visa states that the Visa Token Service can help merchants to increase the number of authorizations, protect card data, and enable digital transactions. Mastercard also provides the Automatic Billing Updater, which securely communicates account and credential changes. For merchants with subscription and installment plans, this is a great improvement. While this does not solve the underlying underwriting risk, it will improve high-risk merchants’ revenue projections. In 2026, this will be one of the most notable improvements for better operators.
Some Checkout Models Can Simplify PCI Scope
While the PCI standards may seem to be bad news for some merchants, there is also a positive element to consider. As stated in the PCI’s FAQ, the clarification of the eligibility for SAQ A applies to merchants that feature embedded pages and forms for payments, but does not apply to those that redirect customers to the processor. For 2026 and beyond, this means that some merchants will find it easier to simplify their compliance and risk management by changing the structure of their online checkout models. While the merchant will have to implement the solution offered by the payment provider, a more hosted checkout will reduce the merchant’s exposure to managing the scripts of the payment page.
FAQs
Q: What is a high-risk merchant account?
A: A high-risk merchant account is for businesses that have a higher probability of presenting issues such as fraud, credit, or disputes than other types of merchants. This could be due to the industry they operate in, the way they bill, the nature of delayed deliveries, and how they process payments.
As such, there is usually a level of detailed underwriting that goes into determining whether the merchant can be approved, and there are often requirements for reserves or reviews that are placed on these types of merchants that standard, low-risk merchants do not see.
Q: Is high risk merchant account instant approval real?
A: In some cases, yes. The instant approval refers to the initial risk approval. However, the provider will still need to review the documents and the merchant’s details and website.
Additionally, there may be periodic reviews of the merchant after the initial approval. High-risk merchants should note that instant approval does not mean the process is complete, and they should be aware of which documents may be required and when reviews will occur.
Q: What does a high-risk merchant payment gateway do?
A: A high-risk merchant payment gateway will securely transmit payment data from the merchant to the payment processor. It might also perform additional security measures, such as setting up authentication protocols like EMV 3-D Secure.
However, this does not necessarily mean that the merchant will be approved. The payment processor will still have to determine whether the nature of the merchant’s business is acceptable to them.
Q: How is high-risk merchant payment processing different from standard processing?
A: High-risk payment processing involves additional underwriting and security. The specific nature of the products or services provided by the high-risk merchant requires additional review and protection.
For instance, in 2026, Visa and Mastercard will continue to monitor merchants’ activity on the payment networks. Additionally, the Payment Card Industry standards for e-commerce will also be in full swing.
Conclusion
A high-risk merchant account in 2026 will be harder to obtain due to increased scrutiny from the different payment networks. However, it will also be easier for merchants with good infrastructure and who better understand how to configure their systems and processes.
The merchants that will fare best in 2026 will be the ones that understand that securing an account is only the beginning of the process. Ongoing efforts must be made to ensure that the merchant, the acquiring bank, and the merchant’s customers have the best possible experience.
Sources
- Visa. “Visa Acquirer Monitoring Program Overview.” Accessed March 2026.
- Visa. “Visa Merchant Data Standards Manual.” Accessed March 2026.
- Mastercard. “Security Rules and Procedures—Merchant Edition.” Accessed March 2026.
- PCI Security Standards Council. “Just Published: PCI DSS v4.0.1.” Accessed March 2026.
- PCI Security Standards Council. “New Information Supplement: Payment Page Security and Preventing E-Skimming.” Accessed March 2026.
- PCI Security Standards Council. “FAQ Clarifies New SAQ A Eligibility Criteria for E-Commerce Merchants.” Accessed March 2026.
- EMVCo. “EMV 3-D Secure.” Accessed March 2026.
- Visa. “Visa Token Service.” Accessed March 2026.
- Mastercard Developers. “Automatic Billing Updater (ABU).” Accessed March 2026.
- Stripe. “Merchant Onboarding Explained: How It Works and What to Expect.” Accessed March 2026.
- Braintree. “Underwriting Overview.” Accessed March 2026.
- Braintree. “Periodic Reviews.” Accessed March 2026.
