Card Network Requirements: VIRP and AN 5196 (2026)
Card network compliance is separate from 18 U.S.C. § 2257 — you need both. A 2257-compliant operation can still fail a VIRP audit for missing consumer-side age verification tooling.
Visa VIRP (effective May 1, 2023; fees updated April 1, 2024)
MCC 5967 and MCC 7273 are Tier 1 High Integrity Risk. VIRP requires performer and consumer age verification using a named third-party vendor (Yoti, Jumio, Incode, Veriff, Persona, LA Wallet), pre-publication moderation using both human review and automated tools, a banned-uploader identity registry, monthly acquirer reports, and per-jurisdiction documentation of state AV law compliance. Financial penalties reach $400,000/merchant URL for severe violations. MCC miscoding to evade VIRP: $25,000/merchant.
Mastercard AN 5196 / SPME §9.4.1 (effective October 15, 2021; updated February 3, 2026)
Uniquely requires "only permit uploads from verified content providers" — which mandates a creator KYC platform. The February 2026 SPME update brings AI-generated synthetic adult imagery under the same framework. BRAM penalties up to $200,000/violation, with 75–100% mitigation available via an approved Merchant Monitoring Solutions Provider (LegitScript, Austreme, G2 Web Services).
Visa VAMP (effective April 1, 2025)
Measures (TC40 fraud + TC15 disputes) ÷ settled CNP transactions. No warning tier. Threshold: 1.5%. Fine: $8/transaction over threshold. Acquirers enforce internal caps at 0.5–1.0%. Weak billing descriptors and hard-to-cancel subscriptions cause ratio problems faster than content violations.
Full compliance guide with required legal pages and pre-launch checklist →