Guides
API Reference
Start typing to search…

Payment Processors

Overview

Payment processors face unique verification challenges driven by card network requirements, chargeback risk, and rapid merchant onboarding demands. Unlike lending products, payment processors typically do not assess credit risk but must rigorously evaluate industry type, business legitimacy, and fraud patterns to comply with Visa and Mastercard merchant monitoring programs.

Key challenges for payment processors:

  • Industry compliance: Card networks impose strict restrictions on high-risk merchant categories
  • Fraud velocity: Detecting repeat fraud attempts across multiple applications
  • Website authenticity: Verifying the merchant's online presence matches their stated business
  • Speed to approval: Minimizing friction for legitimate merchants while catching bad actors

This guide provides a standard verification workflow optimized for payment processor onboarding and underwriting teams.

Verification Workflow Overview

A typical payment processor business verification flow includes four key stages:

  1. Fraud Screening: Detect repeat applications and known fraud patterns (Baselayer + Partner/s)
  2. Business Verification: Validate business identity, industry, and legitimacy (Baselayer)
  3. Individual Verification: Verify the business owner or principal (Partner/s)
  4. Final Review: Cross-check identity alignment and account details (Partner/s)

Each stage uses a combination of Baselayer endpoints and third-party verification tools to build a complete risk picture.

Step 1: Fraud Screening

Purpose: Identify fraudulent applications early by analyzing business identity patterns, application velocity, and consortium intelligence.

Required Tools

  • Fraud screening provider (for device/identity signals and digital intelligence)
  • Baselayer: Business identity network and fraud consortium

Baselayer Endpoints

POST /searches
GET /businesses/{business_id}/applications

Note: Baselayer is developing a standalone fraud check product launching in Q1 2026 that will streamline this step. The current approach uses the business search endpoint combined with application tracking.

Verification Logic

// Submit business search
response = POST /searches with business details

// Check application velocity
applications = GET /businesses/{business_id}/applications

// Count recent applications
applications_last_7_days = count(applications where submitted_at >= today - 7 days)
applications_last_30_days = count(applications where submitted_at >= today - 30 days)

// Evaluate velocity flags
IF applications_last_7_days >= 4:
    flag = "RED"
    reason = "High application velocity - 4+ applications in 7 days"
    
ELSE IF applications_last_30_days >= 4:
    flag = "YELLOW"
    reason = "Elevated application velocity - 4+ applications in 30 days"

// Check fraud consortium
IF COUNT(response.fraud_consortium_hits) > 0:
    flag = "RED"
    reason = "Business or individual in Baselayer Fraud Consortium"

// Combine with third-party fraud screening
IF fraud_screening_provider.risk_score > threshold:
    flag = "RED"
    reason = "Failed fraud screening"

Note: Baselayer fraud consortium is only available for member entities who contribute regularly to the fraud database.

Context

Combining fraud screening signals with Baselayer's business identity network provides comprehensive fraud detection covering both the individual and the business entity. The application velocity check catches fraudsters attempting multiple submissions with slight variations.

Step 2: Business Verification

Purpose: Validate the business exists, is properly registered, operates in a compliant industry, and maintains an authentic web presence.

Required Tools

  • Baselayer: Business search, industry prediction, website analysis

Baselayer Endpoints

POST /searches
POST /web_presence_requests

Tip: The web presence request has 20-30 second latency. Consider initiating this request early in your workflow (e.g., after or during Step 1) to improve customer experience.

You can re-use the API response from the POST /searches request from Step 1 and avoid extra charges.

Verification Logic

Industry Screening

// Extract industry prediction from /web_presence_requests response
industry = response.industry_prediction

// Check Mastercard high-risk flag
IF industry.mcc_codes.mastercard_risk == TRUE:
    flag = "YELLOW"
    reason = "Mastercard restricted industry"

// Check Visa risk tier
IF industry.mcc_codes.visa_risk_tier IS NOT NULL:
    flag = "YELLOW"  
    reason = "Visa risk tier assignment"

// Check keyword matching
IF ANY keyword IN industry.keywords MATCHES high_risk_keyword_list:
    flag = "RED"
    reason = "High-risk industry keyword detected"

// Check high-risk NAICS codes with confidence threshold
IF industry.code IN high_risk_naics_list:
    IF industry.accuracy >= 0.75:
        flag = "RED"
        reason = "High-risk industry with high confidence"
    ELSE:
        flag = "YELLOW"
        reason = "Potential high-risk industry, needs review"

Note: High-risk keyword and NAICS code lists are proprietary and available to Baselayer customers upon request. Contact your account representative for access.

Business Identity Verification

This workflow assumes only registered businesses are approved. If sole proprietorships are also able to use the product, we recommend setting up a separate route as explained in our Sole Prop Verification guide.

// Extract match signals from /searches response
business_id = response.business.id
name_match = response.business_name_match
address_match = response.business_address_match  
tin_matched = response.tin_matched
registrations = response.business.registrations
watchlist_hits = response.watchlist_hits

// Check Baselayer match

IF business_id == NULL:
    flag = "RED"
    reason = "No business match" // skip all other steps

// Check name and address matching
name_address_approved = FALSE

IF name_match == "EXACT" AND address_match IN ["EXACT", "CITY", "STATE"]:
    name_address_approved = TRUE
    
ELSE IF name_match == "SIMILAR" AND address_match == "EXACT":
    name_address_approved = TRUE

IF NOT name_address_approved:
    flag = "RED"
    reason = "Weak name/address match"

// Verify TIN
IF tin_matched == NULL:
    # IRS outage - handle per policy
    # See [IRS Outage Handling Guide](#) for detailed guidance
    flag = "YELLOW"
    reason = "TIN verification unavailable (IRS outage)"
    
ELSE IF tin_match == FALSE:
    flag = "RED"
    reason = "TIN does not match business name"

// Check registrations
domestic_active = FALSE
FOR EACH registration IN registrations:
    IF registration.type == "domestic" AND registration.status == "active":
        domestic_active = TRUE
        domestic_state = registration.state

IF NOT domestic_active:
    flag = "RED"
    reason = "No active domestic registration"

// If business operates in different state, verify foreign registration. 
// Operating state is usually the one from the application address - you can use operating_state == response.search_address.state
IF operating_state != domestic_state:
    foreign_active = FALSE
    FOR EACH registration IN registrations:
        IF registration.type == "foreign" AND registration.state == operating_state AND registration.status == "active":
            foreign_active = TRUE
    
    IF NOT foreign_active:
        flag = "YELLOW"
        reason = "No active foreign registration in operating state"

// Check watchlists
IF COUNT(watchlist_hits) > 0:
    flag = "RED"
    reason = "Positive sanctions or watchlist match"

Website Analysis (Optional)

// Retrieve website analysis from /web_presence_requests response
website = response.website_analysis

// Simple fraud check: email domain vs. found website
IF website.url IS NOT NULL AND website.email_deliverable == TRUE:
    submitted_email_domain = EXTRACT_DOMAIN(application.email)
    
    IF submitted_email_domain != website.url:
        flag = "RED"
        reason = "Email domain does not match business website"

Note: Website analysis and social reviews are use-case specific. For extended best practices on website verification and online presence review, see Online Presence: Best Practices. Other areas like social media or online reviews continue to gain weight in onboarding applications, and are also discussed in that guide. We recommend discussing website requirements with prospects before implementation, as criteria vary significantly by processor type (ecommerce vs. card-present, etc.).

Context

Industry screening is critical for payment processors due to card network requirements. The business verification logic ensures the entity is legitimate, properly registered, and not on sanctions lists. Website analysis adds an additional fraud prevention layer, particularly for ecommerce merchants.

Step 3: Individual Verification

Purpose: Verify the identity and compliance status of the business owner or principal officer.

Required Tools

  • KYC provider (for AML/identity verification)
  • Bank account verification provider

Context

Individual verification ensures the person applying on behalf of the business is legitimate and not on sanctions lists. Bank account verification confirms the business controls the account where funds will be settled and there is no suspicious activity.

Baselayer works with hundreds of partners and can recommend ideal providers for every product and case.

Step 4: Final Review

Purpose: Perform final identity verification on the individual completing the application.

Required Tools

  • KYC provider (for AML/identity verification)

Context

This final check ensures the individual's identity aligns with who they claim to represent. The fraud screening from Step 1 combined with Baselayer's application tracking provides a unified business + individual fraud detection layer.

Baselayer works with hundreds of partners and can recommend ideal providers for every product and case.

Implementation Checklist

Use this checklist to implement the payment processor verification workflow:

Setup

  • Integrate fraud screening provider
  • Integrate Baselayer API
  • Integrate KYC provider
  • Integrate bank account verification provider
  • Request high-risk industry lists from Baselayer representative

Step 1: Fraud

  • Implement POST /searches endpoint
  • Implement GET /businesses/{business_id}/applications endpoint
  • Configure application velocity logic (7-day and 30-day thresholds)
  • Integrate third-party fraud screening

Step 2: Business

  • Implement POST /web_presence_requests endpoint
  • Configure industry screening logic with Mastercard and Visa flags
  • Implement standard KYB verification logic (name, address, TIN, registrations)
  • Configure watchlist screening
  • Implement website/email domain comparison (optional)

Step 3: Individual

  • Implement AML/KYC check
  • Implement bank account verification

Step 4: Final Review

  • Implement identity verification check
  • Configure manual review queues
  • Set up rejection workflows

For questions about implementation or to request high-risk industry lists, contact your Baselayer account representative.

Updated about 2 months ago