
Mastercard Adult Content Rules in 2026
You run an adult platform. An acquirer emails asking how you comply with Mastercard's adult content standards, and you have a few days to respond. You search for the rules, and almost everything you find is dated 2021 or 2022. It talks about AN 5196 as if it were a single announcement frozen in time. It is not.
Since 2021, the requirements have moved into Mastercard's live rulebook, picked up new monitoring obligations under MMP, and started running in parallel with a stack of other card scheme and federal rules. Each one is enforced on its own. This article is the current version: what Mastercard actually requires in 2026, what changed in January, how AI and generated content fit in, how the wider rule stack interacts, and a practical checklist you can work from.
What AN 5196 Is (And Where It Came From)
AN 5196 is the Mastercard "Announcement to Customers" bulletin, number 5196, formally titled Revised Standards for New Specialty Merchant Registration Requirements for Adult Content Merchants. Mastercard published it on April 14, 2021, with a compliance deadline of October 15, 2021. It was a direct response to the December 2020 New York Times report on Pornhub, and it applies to merchants processing adult content payments on the Mastercard network.
Here is the part the old articles miss. AN 5196 was the announcement. The operative rules now live in Mastercard's Security Rules and Procedures, Merchant Edition, Section 9.4.1, and they have been amended since the original bulletin. When you respond to an acquirer in 2026, you are being measured against that current text, not the 2021 press release.
The Five Core AN 5196 Requirements
Section 9.4.1 sets the operational baseline. These are the things you actually have to do, not just principles to agree with.
Pre-Publication Content Review
Every piece of content must be reviewed before it goes live. If you offer real-time or live streaming, you have to run it on a platform you fully control, with the ability to monitor in real time and remove the stream immediately. AI-assisted moderation is fine as a tool, but you still need human review for anything flagged, and you need to be able to show your review process on request.
Performer Identity and Age Verification
You need a government-issued photo ID for every person depicted in monetized content, with a robust process that validates the ID and confirms it actually belongs to that person. Mastercard recommends using a third-party verification vendor. This obligation overlaps directly with federal law under 18 U.S.C. 2257, and the same documentation generally satisfies both. The obligations are independent, so you have to meet both, not pick one.
Written Consent and Content Provider Agreements
You need written consent from every person depicted, and that consent has to specifically cover being depicted, public distribution and upload to your platform, and, if the content can be downloaded, download by users. Separately, you need a written agreement with each content provider that prohibits illegal content and requires them to verify age and identity. Solo creators are not exempt. The rules apply even when the performer is also the producer.
Complaint Resolution Process
You need a public-facing way for anyone to report content, and you must review and resolve complaints within 7 business days. If a review turns up illegal content, you remove it immediately. The current rules also add an appeal path: any person depicted can ask to have content removed, and if consent cannot be established or is void, you remove it with immediate effect. If you dispute that the consent is void, the matter goes to a neutral body, at your expense. Note that this 7-day window is not your only deadline. The TAKE IT DOWN Act adds a 48-hour rule for non-consensual intimate imagery, and Visa's VIRP adds its own timeline. The strictest applicable deadline wins for any given report.
Monthly Acquirer Reporting
Every month you submit a report to your acquirer listing all content flagged as potentially illegal or non-compliant, including URLs and videos, the actions you took, and every complaint and take-down request you received. Your acquirer shares it with Mastercard on request. This is the requirement merchants most often overlook until a compliance notice lands. Late or missing reports can trigger escalation on their own. There is also a related power worth knowing: on request, your acquirer must be able to give Mastercard temporary credentials to view all of your paywalled or members-only content for up to 7 days. Gated does not mean unseen.
What Changed Under Mastercard MMP in January 2026
The Merchant Monitoring Program (MMP) revised standards took effect on January 1, 2026, and they change how adult merchants are onboarded and watched. The headline shift is that risk detection moved earlier and never really stops.
A merchant must undergo an initial website scan before processing its first transaction. Monitoring no longer starts after you are already live.
Monitoring now extends into restricted, members-only, and password-protected areas of your site. Surface-level checks of public pages are no longer enough.
An open compliance issue that stays unresolved past 15 calendar days counts as a separate compliance failure.
Acquirers generally cannot satisfy MMP with internal teams alone unless those teams hold the required certification, which pushes more structured monitoring onto the relationship.
For adult merchants, the practical effect is that underwriting is more rigorous and slower than it used to be, existing accounts face enhanced ongoing monitoring, and your acquirer may ask to see gated content for review. The era of an adult merchant getting approved and then forgotten is over.
AI and Synthetic Content Under the Revised Standards
The current edition of Mastercard's rules, dated February 2026, makes clear that the adult content requirements do not stop at filmed material. Section 9.4.1 applies to situations where a content provider can, in Mastercard's own words, "upload or generate content." That single word, generate, pulls AI-made and synthetic adult content into the same rulebook as everything else.
In practice, that means the coverage reaches AI-generated images, AI-generated video, synthetic representations of people, and hybrid content that mixes a real performer with generated elements. None of it gets a lighter standard because it came out of a model.
The operational implications for adult AI merchants are direct. The consent and identity requirements still apply when the depicted person is partially or fully synthetic. If a real, identifiable person's likeness informs the output, you need that person's consent, the same as you would for filmed content. Deepfake content built on a real person without their consent is prohibited and is the kind of violation that gets an account terminated, not just warned. And because synthetic content is just as exposed to non-consensual imagery claims, it sits squarely inside the same VIRP and TAKE IT DOWN obligations covered below.
If you operate in this space, the takeaway is simple: the NSFW AI vertical is not a gap in the rules, it is inside them. The compliance posture is the same as the rest of the adult space, applied to a generated pipeline. For how this works in practice, see our coverage of adult AI and NSFW AI payment processing.
How AN 5196 Fits Into the Broader Compliance Stack
AN 5196 does not operate alone. In 2026 it runs in parallel with Mastercard MMP, federal 2257 record-keeping, the TAKE IT DOWN Act, and Visa's own programs. Most articles treat these as separate topics. Operationally, they are fused, and each is enforced on its own. Visa is part of this picture too: the Visa Acquirer Monitoring Program (VAMP) consolidated Visa's older fraud and dispute programs in April 2025, with the merchant ratio threshold dropping from 1.5% to 0.9% in January 2026, and the Visa Integrity Risk Program (VIRP) classes adult as Tier 1 with its own takedown SLA and annual attestation. Below is how the core programs interact with AN 5196.
Mastercard MMP
Covered in detail above. Within the stack, treat MMP as the continuous-monitoring layer that sits on top of the AN 5196 content rules and determines how closely you are watched after approval.
18 U.S.C. 2257
A federal record-keeping law that has been in force for years. It requires producers, primary and secondary, of sexually explicit content to keep records of every performer's age and identity, with a named custodian of records. It is operationally fused with AN 5196: the same documentation usually satisfies both. But the obligations are independent. Mastercard standards do not replace 2257, and meeting one does not excuse the other.
TAKE IT DOWN Act (2025)
A federal law signed in May 2025. It requires covered platforms to remove non-consensual intimate imagery (NCII), including AI deepfakes, within 48 hours of a valid request, and to maintain a notice-and-removal process. Platforms have until May 19, 2026 to stand that process up, so by the time this article is live, it is an active obligation. Where it intersects with AN 5196: your complaint process now has a stricter parallel deadline for a specific content category. You must handle NCII reports under the 48-hour rule even when the 7-business-day rule would otherwise apply.
AN 5196
Covered in full earlier in this article. In stack terms, AN 5196, as it now lives in Section 9.4.1 of Mastercard's rules, is the content-control baseline: registration, age and identity verification, consent, pre-publication review, complaint resolution, and monthly reporting. The other programs layer monitoring, federal record-keeping, and faster takedown obligations on top of it.
Practical Compliance Checklist

Pre-Onboarding (before you apply for an adult MID)
MCC 5967 Specialty Merchant Registration submitted and accepted.
2257 statement live on every page, with a named custodian of records.
Public, unauthenticated takedown intake (a /report or /removal style URL).
Age verification system in place, ideally third-party.
Written content provider agreements drafted.
Performer release template covering distribution, upload, and download.
Content moderation policy documented.
Clear refund and cancellation policy in the checkout flow.
Billing descriptor designed for discreet, recognizable customer billing.
Per-Content (for every piece you publish)
Government-issued photo ID for every performer on file.
Signed performer release on file.
Pre-publication review completed and logged.
Content tagged to its performer records for fast retrieval.
Ongoing (operational)
Real-time monitoring on live streams, with the ability to terminate.
48-hour removal for NCII reports (TAKE IT DOWN Act).
VIRP-flagged content removed within Visa's defined SLA.
5-business-day resolution for general complaints.
Monthly acquirer report submitted on time.
VAMP ratio monitored and kept under 0.9%.
Chargeback ratio monitored and kept under 1%.
Periodic
Annual third-party attestation (VIRP, for higher-volume merchants).
2257 records audit.
Prompt, documented responses to acquirer compliance reviews.
What Happens If You Are Not in Compliance
The consequences escalate, and they stack. In rough order:
An acquirer compliance notice asking for documentation or remediation.
Acquirer-imposed fines, passed through from the card schemes.
Increased reserve requirements.
Account suspension.
Account termination.
MATCH list placement (Mastercard's file of terminated high-risk merchants), which blocks new merchant accounts for five years.
On the Visa side, VAMP and VIRP violations can carry scheme fines that exceed a merchant's monthly processing cost. TAKE IT DOWN Act violations bring federal civil liability that is separate from anything the card networks do. The important point is that these do not happen one at a time. A single failure can trigger several at once: a Mastercard fine, a Visa fine, an acquirer reserve increase, and a MATCH listing, together.
Where MobiusPay Fits
MobiusPay works inside this stack every day. We verify AN 5196 and 9.4.1 compliance up front during underwriting, support you when an acquirer requests a compliance review, and manage disputes in a way that helps keep your VAMP ratio under threshold. We work with both traditional adult merchants and the newer adult AI and NSFW AI vertical, so the generated-content rules are not new territory for us.
We are honest about the limits. We cannot make a non-compliant merchant compliant. What we can do is help a compliance-ready merchant build and keep a stable processing relationship under the current rules. We can also consult with a merchant and advise on what changes should be implemented to become compliant. If that is where you are, let's talk.
AN 5196 in 2026 is not the rule it was in 2021. Compliance is no longer a single box to check. It is a set of card scheme and federal requirements that interact, overlap, and are each enforced on their own. The merchants who stay on the network are the ones who treat it that way, and who work with a processor that understands the whole stack rather than one piece of it.
FAQ
What is the difference between AN 5196 and Mastercard MMP?
AN 5196 is the 2021 announcement that set the adult content registration and content-control requirements, now living in Section 9.4.1 of Mastercard's rules. MMP is the Merchant Monitoring Program, revised effective January 2026, which governs how acquirers monitor merchants over time. One defines the content rules; the other defines how closely you are watched.
Do Mastercard rules apply to AI-generated adult content?
Yes. The current rules apply to content a provider can upload or generate, so AI-generated and synthetic adult content is covered by the same consent, age verification, and review requirements as filmed content. If a real person's likeness informs the output, the consent and verification obligations attach to that person.
What is MCC 5967 and do I need to register?
MCC 5967, Direct Marketing, Inbound Telemarketing, is the merchant category code used for card-not-present adult content. If you process adult content payments, your acquirer must register you under the Specialty Merchant Registration Program before you process your first transaction. It is not optional.
What is the current VAMP threshold for adult merchants?
Visa's merchant VAMP ratio threshold was 1.5% from April 2025 and drops to 0.9% in January 2026. For adult portfolios, which tend to run higher dispute volume, that tightening matters. Keeping disputes and fraud under control is now a card-network compliance issue, not just a cost.
What happens if my acquirer requests a compliance review?
Respond quickly and with documentation. A review is usually a request to show your registration, your 2257 records, your consent and ID files, your complaint process, and your monthly reports. Under MMP, your acquirer may also ask to see gated content. Treat it as routine and answer in full; ignoring it is what escalates to fines or termination.
