MCC Control Design

This guide explains how to design account-level controls (ALCs) for MCC ranges. For general information on ALCs, see these guides:

Merchant category codes (MCCs) are 4-digit numbers established by ISO 18245 to categorize merchants by type, such as hotels, airlines, bookstores, gas stations, and so on. Merchants pass their MCCs to card issuers in authorization request messages.

You can set MCC controls at three levels:

  • MCC blocklist
  • Account level
  • Product level

MCC blocklist conventions

  • Set for all Galileo programs at the product level, the MCC blocklist typically blocks some gambling-related MCCs and other MCCs according to your bank's guidelines.
  • This control overrides all other MCC and merchant ID controls.
  • Changing this blocklist is done by Galileo at your request.

🚧

Warning

When deciding which MCCs to add to the blocklist, make sure there is no overlap with existing product-level MCC controls. If there is overlap, the product-level control will be invalidated. Ask Galileo to help you change product-level MCC controls as needed to accommodate the blocklist.

Account- and product-level MCC control conventions

An account-level MCC control is applied in addition to product-level MCC controls, not instead of. MCC ranges in an ALC cannot overlap existing MCC ranges, including the blocklist. For example, if the MCC ranges at the product level are 2000–3000 and 4500–4550, then the ALC MCCs cannot overlap those ranges. An ALC that specified 2995–3100 would not be valid.

Furthermore, if you have existing velocity ALCs with MCC ranges, then you cannot create an account-level MCC control that would deny any part of those ranges. Be aware that because product-level MCC ranges are set and modified without the t

  • If no MCC controls exist, then all MCCs are allowed, except those MCCs in the MCC blocklist.
  • You are not required to set MCC controls at the product or account level.
  • Product-level controls are set in cooperation with Galileo during product setup and can be edited by request.
  • When inputting values in the endpoint calls or the CST, the valid range is 0001–9999, but the values 0001–0599 are not currently mapped to any merchant categories.
  • Multiple ranges of MCCs can be specified at the product level, but the ranges cannot overlap.
  • The MCC range of an account-level control cannot overlap a product-level range or another account-level range.
  • MCC ranges at the product or account level cannot overlap the values in the MCC blocklist.
  • An MCC control must either ALLOW or DENY a range.
    • If one or more MCCs are ALLOW, then all other MCCs are denied.
    • If one or more MCCs are DENY, then all other MCCs are allowed.
  • All MCC controls at the product and account levels must have the same ALLOW/DENY property. You cannot mix ALLOW with DENY.
  • Account-level controls cannot contradict the ALLOW/DENY property of product-level controls. For example, if the product-level controls are ALLOW, then the account-level controls must also be ALLOW.
    • If the product-level MCC control is 0000–0000 ALLOW it means DENY ALL, so account-level MCC controls can be ALLOW. In contrast, 0000–0000 DENY is not a valid setting, because ALLOW ALL is already the default.
    • Setting 0000–0000 ALLOW must be done at Galileo by your request.
  • MCC controls can be set for online transactions only, at both the product and account levels.
  • When Galileo denies an authorization request because of an MCC violation, the response code is 03 for Mastercard or 57 for all other networks.

🚧

Warning

When an account is switched to a new product, the account-level MCC controls move with it. However, if the account-level MCCs conflict with the new product's MCC controls, the authorization process will fail and authorization requests will be denied. Before performing product switches, ensure that the account-level controls do not conflict with the new product's MCC controls. You may need to consult with Galileo to confirm or adjust the values.

Example MCC controls

This table shows how MCC controls are applied.

Example 1Example 2Example 3
TransactionMCC 3000MCC 3000MCC 3000
MCC blocklistβ€”β€”MCC 3000
Product levelMCC 2000–2999 ALLOW
MCC 4000–4999 ALLOW
MCC 2000–2999 ALLOW
MCC 4000–4999 ALLOW
MCC 2000–2999 ALLOW
MCC 4000–4999 ALLOW
Account levelβ€”MCC 3000 ALLOWMCC 3000 ALLOW
ResultDENYALLOWsetting not valid
ReasonMCC 3000 falls outside the product-level ALLOW rangesMCC 3000 is allowed at the account levelMCC 3000 ALLOW cannot be set at the account level because it overlaps with the MCC blocklist
  • Consult the Authorization workflow in Designing Authorization Controls to see the order of operations when MCC controls are applied.
  • See Examples 1–8 of MCC and Merchant ID ALC Examples for demonstrations of how product-level and account-level MCC controls result in authorization requests being approved or denied.

Online-only property

All MCC controls, at both the product and account levels, can be configured to apply only to online (card not present) transactions. By default, an MCC control applies to all transactions. You cannot specify that a control apply only to non-online (card present) transactions.

This table shows how the online-only property is applied.

Example 4Example 5Example 6
TransactionMCC 5750
online
MCC 5550
not online
MCC 5750
online
MCC blocklistMCC 7995MCC 7995MCC 7995
Product-level MCC5500–5600 ALLOW5500–5600 ALLOW5500–5600 DENY
Online only (product)YYN
Account-level MCCβ€”β€”5750 DENY
Online only (account)β€”β€”Y
ResultDENYDENYDENY
ReasonMCC 5750 is outside the ALLOW range.MCC 5550 is allowed only for online transactions.MCC 5750 is denied at the account level for online transactions.
  • See Examples 12–20 in MCC and Merchant ID ALC Examples for examples of how the online-only property affects authorization requests.

Define product-level MCC controls

This table shows examples of product-level MCC controls that you might set. (When planning your own MCC controls, obtain the latest version of ISO 18245 to confirm the MCCs instead of using this guide.)

MCC controlMerchant types
3000–3300 ALLOWAirlines
3350–3450 ALLOWCar rental
3500–3899 ALLOWHotels
4000–4790 ALLOWGround transportation
5044–5046 ALLOWOffice supplies
5531–5533 ALLOWAuto parts
5541–5542 ALLOWGas stations, fuel pumps
6010–6012 ALLOWATMs and other cash disbursement

With these MCC ranges set to ALLOW, all other MCCs are denied.

Other factors to keep in mind:

  • Some merchants use more than one MCC. For example, Amazon began life as a bookstore, but since branching out it now uses multiple MCCs, depending on the service. Some of its MCCs are:
    • 5942 (Bookstores) β€” Amazon Marketplace
    • 5968 (Continuity/subscription) β€” Amazon Prime, Audible
    • 5411 (Grocery stores, supermarkets) β€” Groceries
  • New MCCs can be added to ISO 18245 at the request of merchant groups when the category has at least $10 million annual revenue. Always consult the most recent version of ISO 18245 when setting MCC controls.

Design account-level MCC controls

When determining which account-level MCC controls to set, remember that the account-level controls are applied in addition to product-level MCC controls, not instead of. For this reason they cannot overlap any of the product-level MCC ranges or the MCCs in the blocklist. They must also have the same ALLOW/DENY property as the product-level controls.

If you set the product-level MCC controls in the table above, all of your account-level MCC controls must also be ALLOW, and they cannot overlap any of the product-level ranges. This table shows which account-level controls would be valid and which would not.

ALCMerchant typesValidity
5812–5814 ALLOWRestaurantsValid
5942–5943 ALLOWBooks and stationeryValid
3690 ALLOWCourtyard by Marriott HotelNot valid. Cannot overlap other ranges.
5611–5691 DENYClothing storesNot valid. Must be ALLOW.
4121 DENYTaxi cabs and limousinesNot valid. Must be ALLOW, and cannot overlap other ranges