A high-risk payment compliance checklist is the difference between an underwriting file that closes in days and one that bounces back with a request for more documents. Before any acquirer or processor approves your account, they audit how visible your policies are, how cleanly your entity is documented, how you prove delivery, and how you handle disputes. Treat this as the operational prep work that sits underneath every high-risk payment gateway approval decision — long before the application form is even opened.
The aim of this guide is narrow on purpose. It does not re-explain what a high-risk gateway is (that is covered in our high-risk payment gateway explained piece). It walks through the documents, policy text and evidence packs an underwriter wants to see in the file, so that merchant accounts in nutra, supplements, peptides, CBD, adult, gaming, FX, dating, subscriptions and other high-risk verticals submit once and approve once.
Why compliance is the real gate to approval
High-risk merchant compliance is not a one-page form. Acquirers carry liability for every approved MID, and Visa’s Acquirer Risk Standards plus card-scheme dispute monitoring programs (VAMP, VDMP, ECM) push that liability down to the underwriter that signs you. When a file is incomplete or contradicts what the website shows, the safest decision for the underwriter is decline.
That is why a payment compliance checklist is structured around three audit lenses: what the public site says, what the legal entity proves, and what the operational history shows. Each lens has its own document set, and all three must agree.
Website compliance for payment processing
The website is the first thing every underwriter opens. They are not browsing — they are auditing for specific elements that prove the storefront is legitimate, that consumers know what they are buying, and that disputes can be resolved without the card brand.
- Legal entity name in the footer, matching the entity on the application.
- Physical business address and a working contact channel (email plus phone or live chat).
- Terms & Conditions, Privacy Policy and — if you sell to EU residents — a GDPR-compliant cookie notice.
- Refund & cancellation policy reachable from every page (not buried in checkout).
- Clear product claims. No miracle-cure language, no medical claims unless backed by approved labelling. This is the single most common reason supplement, nutra and peptide sites are declined.
- Pricing transparency: total amount, currency, billing cadence (one-time vs subscription), trial terms, and the exact descriptor that will appear on cardholder statements.
- SSL across the entire domain, no mixed content, and a checkout that complies with PCI DSS SAQ-A or higher depending on integration type.
- Age-gating where the vertical requires it (adult, gaming, peptides, CBD).
If you are still mapping how the stack splits responsibility for these elements, our breakdown of payment gateway vs payment processor shows which side enforces what.
KYB documents for payment gateway underwriting
KYB (Know Your Business) and beneficial-ownership checks are non-negotiable. Underwriters need to prove the entity exists, is in good standing, and that the people behind it are not on sanctions or PEP lists. Have the following ready as PDF or signed scans before applying:
- Certificate of incorporation or registry extract (issued within the last 6–12 months).
- Memorandum & articles of association or operating agreement.
- Proof of registered address (utility bill or lease, < 3 months old).
- Tax ID / EIN / VAT number certificate.
- UBO declaration covering every individual who owns or controls ≥ 25%.
- Government ID (passport preferred) plus proof of personal address for each UBO and director.
- Recent audited or management accounts — last 12 months at minimum.
- Bank statement of the settlement account (last 3 months).
- Voided check or bank confirmation letter for the same settlement account.

Bundle these into one indexed PDF named KYB-Pack-[LegalEntity]-[YYYY-MM].pdf. Underwriters log every email — a single, structured file shortens review time and reduces back-and-forth, which is a positive signal in itself.
Refund policy and cancellation terms for processor approval
Refund policy approval by a payment processor depends less on how generous the terms are and more on how unambiguous they are. The processor wants to see that a cardholder, before paying, has been told exactly when refunds apply, how to request one, and how long it will take.
- Refund window stated in calendar days (for example, “14 days from delivery”, not “reasonable time”).
- Conditions for partial vs full refund.
- Process for requesting a refund (email address, ticket form, hotline).
- Refund SLA — typically 5–10 business days back to the original card.
- Cancellation rules for subscriptions: how to cancel, how late a charge can be reversed before renewal, and what the descriptor will show.
- Localised versions if you process in multiple jurisdictions (EU consumer right of withdrawal must appear for EU buyers).
Subscription verticals get extra scrutiny here. Hidden trials and forced continuity are the biggest sources of disputes, and they are exactly what triggered card-scheme enforcement against verticals like supplement brands and peptide businesses. If your model is recurring, document the renewal cadence on the checkout page, send a pre-renewal notification, and keep timestamped logs of cardholder consent.
Risk documentation for high-risk merchants
Risk documentation is the operational history pack. It tells the underwriter how your business has actually behaved over the last 6–12 months. Even brand-new entities are expected to provide whatever subset applies.
- Processing statements from prior gateways or PSPs covering the last 3–6 months (transaction volume, average ticket, refund rate, chargeback rate, decline ratio).
- Statement of any prior MATCH/TMF listings, with explanation if applicable.
- List of currencies, settlement banks and corridors currently in use.
- Existing fraud-prevention stack: 3-D Secure version, device fingerprinting, velocity rules, AVS/CVV usage, blocklist provider.
- Refund ratio and chargeback ratio by month (target chargeback ratio < 0.9% under Visa VDMP thresholds, < 0.65% under VAMP).
- Customer-service KPIs: first-response time, refund SLA achieved, ticket-to-chargeback conversion.
Delivery proof for high-risk merchants
Delivery proof is the most under-prepared item on most high-risk applications, and it is the single piece of evidence that wins the most chargebacks. Build the infrastructure now so the file is ready before disputes arrive.
- Physical goods: tracking numbers from a major carrier (DHL, UPS, FedEx, national post) with delivery confirmation and, where available, signature on delivery.
- Digital goods: download logs, login IP timestamps, account activity logs and licence-key issuance records.
- Services / subscriptions: usage logs, login frequency, session timestamps, content access records.
- Events / tickets: redemption logs, QR scans, attendance records.
- Retention policy of at least 540 days — the dispute window for card-not-present transactions stretches that long in edge cases.
Chargeback documentation: building a compelling evidence kit
Compelling evidence is what flips a chargeback from a loss to a recovered transaction. Underwriters look at whether you have the kit and whether you actually use it. The kit per transaction should contain:
- Order summary with cardholder name, billing address, shipping address, IP and device fingerprint.
- Authorization data: AVS result, CVV match, 3-D Secure liability shift evidence.
- Proof of delivery (signature, tracking, redemption log, or digital access log).
- Refund/cancellation policy snapshot as the customer saw it at checkout, with timestamp.
- Customer-service correspondence: every email, ticket and chat transcript related to the order.
- Subscription consent record: opt-in checkbox state, timestamp, IP, T&C version accepted.

The deeper playbook on how to drive ratios down structurally lives in our guide to reducing chargebacks in high-risk industries — the documentation kit is the second half of the same problem.
Underwriting documents at a glance
The table below collapses the high-risk payment approval requirements into one reference. Print it, walk it as a final pre-submission check, and only apply once every row has a green tick.
| Category | Document or evidence | Why underwriting wants it |
|---|---|---|
| Website compliance | Footer entity name, T&C, Privacy, Refund, Cookie notice, SSL, PCI scope statement | Confirms the storefront is consistent with the application |
| Entity (KYB) | Incorporation cert, M&A, registered address, tax ID, UBO declaration | Proves the legal entity and ownership |
| Identity | UBO & director IDs, personal address proofs | Sanctions, PEP and AML screening |
| Banking | Settlement-account statement (3 months), voided check / bank letter | Confirms payout destination |
| Financials | Last 12 months management accounts or audited statements | Solvency and exposure sizing |
| Processing history | 3–6 months of prior PSP statements, MATCH/TMF disclosure | Behavioural risk baseline |
| Policies | Refund, cancellation, subscription, shipping, returns | Maps liability and reduces disputes |
| Delivery proof | Tracking, signature, digital-access logs, redemption logs | Compelling evidence per transaction |
| Chargeback kit | Per-transaction evidence template + 540-day retention | Dispute response capability |
| Fraud stack | 3-D Secure 2.x, AVS/CVV, velocity, blocklists, device fingerprint | Pre-authorization risk control |
Pre-application self-audit (run this before you hit submit)
Treat the next seven checks as the final cabin-pressure test. If any one fails, fix it before the file leaves your side — reopening an underwriting case is far more expensive than delaying by 48 hours.
- Open the live site in a private window. Does the footer entity match the application?
- Click checkout. Are refund terms, descriptor and renewal cadence visible before the pay button?
- Open the KYB pack PDF. Is every document under 12 months old and the UBO section signed?
- Pull the last 3 processing statements. Are chargeback and refund ratios under VAMP/VDMP thresholds and trending flat or down?
- Pick three real orders from last week. Can you produce the full chargeback evidence kit in under 10 minutes?
- Run a sanctions and PEP screen on every UBO and director. Any near-match needs a written explanation in the file.
- Confirm the descriptor on file with the new processor matches what is on the checkout page. Mismatches drive friendly fraud.
Niftipay underwrites high-risk merchant accounts for nutra, supplements, peptides, adult, gaming, FX and subscription models, and we structure onboarding around exactly the checklist above. If your file is ready, you can move from application to live MID without the document ping-pong that costs other merchants weeks.
Frequently asked questions
1. What does a high-risk payment compliance checklist actually cover?
It covers three audit lenses underwriters use to approve a merchant: website compliance (visible policies, claims, descriptor), entity and KYB documentation (incorporation, UBO, banking), and operational history (processing statements, refund and chargeback ratios, delivery proof, chargeback evidence kit).
2. What KYB documents does a payment gateway require?
Certificate of incorporation, articles of association, registered address proof, tax ID/VAT certificate, UBO declaration covering every ≥ 25% owner, government ID and personal address proof for each UBO and director, last 12 months of accounts, and a 3-month statement of the settlement bank account.
3. What chargeback ratio is acceptable for high-risk merchants?
Under Visa’s VDMP standard programme the threshold sits at 0.9% of transactions, and the newer VAMP framework tightens it to 0.65%. Mastercard’s ECM uses 1.0% (100 basis points) and 100 disputes per month. Most high-risk acquirers ask the merchant to stay comfortably below those numbers.
4. How does refund policy approval affect underwriting?
The refund policy has to be unambiguous and reachable from every page of the site. Underwriters reject vague language like “reasonable time”. They want a calendar-day window, a clear request channel, an SLA back to the original card, and — for EU buyers — the consumer right of withdrawal.
5. How long should I retain delivery proof and chargeback evidence?
Retain delivery proof, customer-service logs and consent records for a minimum of 540 days. The card-not-present dispute window can extend that far in edge cases, and missing evidence is the most common reason merchants lose chargebacks they should have won.
