Help Center

Last Update: 25.02.2026

Section 1 — Getting Started & Platform Guide

Core resources to help new teams get up and running quickly.

User Roles & Permissions

Onlayer supports multiple role types to match your institution's structure. Administrators manage platform settings, user access, and API credentials. Risk Analysts view merchant scans, manage alerts, and create case notes. Developers have access to API keys, sandbox environments, and webhook configurations. Roles can be assigned and adjusted from the Admin panel under Settings → Users & Permissions.

 

Dashboard Overview

Upon login, you are directed to the Portfolio Dashboard, which displays a summary of your merchant portfolio's risk score distribution, recent alerts, and pending case reviews. Use the left navigation to access Merchant Onboarding, Monitoring, Reports, and Settings. The top bar provides access to global search, notification center, and your account profile. Use the guided setup wizard on first login to configure your scanning preferences and notification channels.

 

Alert & Notification Settings

Navigate to Settings → Alerts & Notifications to configure real-time triggers. You can define alert conditions such as high-risk MCC category drift, Transaction Laundering Detection (TLD) flags, or BRAM/VIRP violations. For each condition, choose between email notifications, in-platform alerts, or webhook push events. Severity thresholds — Critical, High, Medium, Low — can be independently configured per module and per user role.

 

Initial Platform Setup

Getting live with Onlayer requires no API integration for your first deployment. Simply provide a list of merchant URLs (for e-commerce) or physical addresses (for POS merchants) and Onlayer handles the rest. Your dedicated support person will schedule an onboarding call within 48 hours of contract execution to guide you through your first scan configuration.

 

Seat & Access Management

The platform license includes up to 5 user seats per institution at no additional charge (MMP license covers up to 25 seats across 3 departments). Additional seats are available as an add-on. To invite a new user, go to Admin → User Management → Invite User. Users receive an onboarding email with login instructions and role documentation.

 

Audit Logs & Evidence Export

All platform activity — including scan triggers, manual reviews, alert acknowledgments, and case decisions — is automatically logged with timestamps. To export audit logs for card scheme audits (BRAM, VIRP, PCI-DSS), navigate to Reports → Audit Logs and apply the desired date range. Exports are available in CSV and PDF format, with digital timestamps and user attribution.

 

Section 2 — Products & Solutions

Onlayer's platform is built around modular products that can be activated independently or combined to cover your entire merchant lifecycle — from onboarding due diligence to continuous compliance monitoring.

 

Core Platform

 

| Product | Description | Category |
| --- | --- | --- |
| Platform | The foundational platform powering your entire merchant lifecycle. Includes customizable dashboards, centralized merchant data, multi-role access, RESTful API integration, and monthly strategic awareness reports. Supports up to 3 departments and 25 user licenses. | Core Infrastructure |

 

 

Service Modules

 

| Product | Description | Category |
| --- | --- | --- |
| Merchant Onboarding Service (MOS) | AI-driven onboarding engine performing KYM (Know Your Merchant) due diligence. Covers e-commerce, physical POS, pay-by-link, social media, app-only, and BNPL merchant types. Generates a structured risk report per merchant in under 1 minute. | Onboarding |
| Merchant Monitoring Service (MMS) | Continuous, automated monitoring of merchant websites, online presences, and compliance status. Detects content changes, BRAM/VIRP violations, transaction laundering signals, and reputational risks with real-time alerting. | Monitoring |
| Lead Generator Service (LGS) | Identifies high-potential acquiring targets using web traffic data, payment channel intelligence, behavioral signals, and merchant scoring. Unified with MMP for streamlined pipeline management. | Sales Intelligence |

 

Intelligence Add-Ons

 

| Product | Description | Category |
| --- | --- | --- |
| BRAM/VIRP Checks | Automated content classification against Mastercard BRAM and Visa VIRP rules. Covers 100+ risk vectors including adult content, counterfeit goods, gambling, and prohibited items. | Compliance |
| Transaction Laundering Detection (TLD) | Powered by Onlayer's proprietary C.A.R.V.E.™ technology. Detects proxy merchants, hidden payment redirections, cloned storefronts, and shell entities processing unauthorized transactions. | Fraud & Risk |
| AML / Sanctions Checks | Screens merchants against global watchlists, sanctions databases (OFAC, EU, UN), and Politically Exposed Persons (PEP) registries. Aligned with SAMA, CBUAE, MAS, and BNM requirements. | Compliance |
| Merchant PCI-DSS Management | Automates the full PCI-DSS compliance journey. Includes SAQ wizard, AOC document management, certificate validity tracking, and compliance dashboards for your risk team. | Compliance |
| Dark & Deep Web Monitoring | Monitors dark and deep web sources for leaked merchant credentials, compromised payment data, and data breach indicators tied to your portfolio. | Threat Intelligence |
| Social Media Screening | Analyzes merchant-linked social accounts across major platforms for fraud patterns, prohibited content, and reputational risks. | Risk |
| Online Presence Detection | Discovers hidden or undeclared websites, subdomains, and social profiles connected to a merchant — revealing the full digital footprint beyond what was disclosed at onboarding. | Risk |
| Reputation Checks | Scans review platforms, consumer forums, complaint databases, and marketplace listings for negative sentiment, fraud reports, and operational health indicators. | Risk Intelligence |
| Payment Channel Intelligence | Detects which wallets, BNPL providers, and alternative payment methods a merchant supports — enabling cross-sell, gap analysis, and go-to-market targeting. | Sales Intelligence |
| Vendor Risk Management | Monitors merchant-connected third-party vendors — including hosting providers, CMS platforms, and payment gateways — for infrastructure risks and security vulnerabilities. | Infrastructure Risk |
| Automated Decision Engine | Applies configurable AI logic to auto-classify merchant onboarding outcomes as Pass, Pass with Notes, or Fail — based on your institution's risk appetite and policy rules. | Automation |
| Customized Test Transactions | Simulates real purchase flows on merchant websites to validate payment processing legitimacy, detect hidden processors, and uncover transaction laundering structures. | Fraud Detection |

 

 

Section 3 — API & Integration

Technical documentation for your engineering team.

 

API Integration Guide

Onlayer provides a RESTful API that allows your engineering team to embed merchant risk intelligence directly into existing systems — including CRMs, onboarding portals, and internal case management platforms. Authentication uses API keys generated in Settings → API Management. All requests must include an Authorization: Bearer [API_KEY] header. Full endpoint documentation, request/response schemas, and rate limit details are available in your platform's API Reference section.

 

SFTP Data Delivery

For institutions that prefer bulk data delivery over real-time API calls, Onlayer supports SFTP-based integration. Merchant scan results, alert files, and compliance reports can be delivered to a designated SFTP endpoint on a scheduled basis (daily, weekly, or on-scan-completion). SFTP credentials and file format specifications are provided during the project activation phase.

 

Webhooks

Onlayer supports event-driven webhook notifications for real-time alerts. Configure webhook endpoints in Settings → Webhooks → Add Endpoint. Supported event types include:

  • merchant.scan.completed

  • alert.triggered (BRAM, VIRP, TLD, dark web)

  • merchant.status.changed

  • pci.certificate.expiring

Payloads are delivered in JSON format with HMAC-SHA256 signature verification. Retry logic handles failed deliveries with exponential backoff over 24 hours.
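
Receiver-side handling of the webhook deliveries described above, as an added example (not Onlayer's code or documented API). The page does not specify the signature header or its encoding, so this assumes a hex HMAC-SHA256 over the raw request body; the payload field names `type` and `id` are hypothetical.

```python
import hashlib
import hmac
import json

# Event types listed in the Webhooks section of this page.
KNOWN_EVENTS = {
    "merchant.scan.completed",
    "alert.triggered",
    "merchant.status.changed",
    "pci.certificate.expiring",
}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (the encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Verifies, validates and de-duplicates incoming webhook deliveries."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # processed event ids; use a shared store in production

    def handle(self, raw_body: bytes, signature):
        """Return (http_status, reason) for one delivery."""
        # 1. Authenticate the exact bytes received, before any JSON parsing.
        #    Comparing bytes keeps compare_digest constant-time and avoids a
        #    TypeError on non-ASCII header values.
        expected = sign(self._secret, raw_body).encode()
        supplied = (signature or "").strip().lower().encode("utf-8", "replace")
        if not hmac.compare_digest(expected, supplied):
            return 401, "bad signature"

        # 2. Parse only after the signature has been accepted.
        try:
            event = json.loads(raw_body)
        except ValueError:
            return 400, "invalid JSON"
        if not isinstance(event, dict):
            return 400, "invalid JSON"

        # 3. Allowlist the event type ("type" is a hypothetical field name).
        event_type = event.get("type")
        if not isinstance(event_type, str) or event_type not in KNOWN_EVENTS:
            return 400, "unknown event type"

        # 4. Retries can deliver the same event more than once: acknowledge a
        #    duplicate with 200 so the sender stops retrying, but do not
        #    process it again ("id" is a hypothetical field name).
        event_id = event.get("id")
        if not isinstance(event_id, str) or not event_id:
            return 400, "missing event id"
        if event_id in self._seen:
            return 200, "duplicate"
        self._seen.add(event_id)
        return 200, "accepted"
```

Pass the request body exactly as received; re-serializing parsed JSON before verification changes the bytes and breaks the comparison.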

 

Sandbox & Test Environment

A dedicated sandbox environment is available for all clients prior to production go-live. The sandbox mirrors production functionality but operates on synthetic merchant data — allowing your team to test API calls, validate webhook delivery, simulate alert events, and verify Decision Engine logic without impacting live merchant data. Sandbox credentials are provisioned during Phase 3 of the project activation.

Integration Timeline

  • Quick Start (1–2 weeks): No integration required. Provide merchant URLs or addresses and receive scan reports via the dashboard or SFTP.

  • Full Integration (4–8 weeks): API and/or SFTP connectivity, automated scan triggers, Decision Engine integration, and real-time webhook alerting. Timeline depends on your internal technical resources and system complexity.

 

Security & Data Privacy

Onlayer processes publicly available merchant data only — including websites, social media profiles, business registries, and review platforms. No consumer PII or cardholder data is collected or processed. The platform operates under ISO 27001-certified security controls, with full encryption at rest and in transit. Data residency requirements can be accommodated based on your institution's jurisdiction.

 

Section 4 — Modules & Workflow Guides

Step-by-step guides for your daily operations.

 

Merchant Onboarding Workflow

Navigate to Onboarding → New Merchant, enter the merchant's primary URL (for e-commerce) or registered address (for POS). Select the applicable channel type (Online, Offline, Link/Social, App-Only) and choose which add-ons to include. Once submitted, Onlayer's AI begins scanning immediately. A full risk report is generated in under 1 minute. If the Automated Decision Engine is active, an outcome (Pass / Pass with Notes / Fail) is assigned automatically based on your configured ruleset. Case notes and manual override options are available for all decisions.

 

Transaction Laundering Detection (TLD) & Fraud Investigation

When a TLD flag is triggered, navigate to the merchant's case file and review the evidence package — which includes mapped IP correlations, DNS linkages, redirection chains, and behavioral fingerprints. You can initiate a customized test transaction directly from the case view to validate the actual payment flow. Flag the merchant for manual review, escalate to your compliance team, or close the alert with a documented rationale. All actions are audit-logged with timestamps.

 

BRAM/VIRP Compliance Management

When a BRAM or VIRP violation is detected, Onlayer generates an evidence package including screenshots, flagged content, violation category classification, and a severity score. Navigate to Compliance → BRAM/VIRP Cases to review open violations. You can export a ready-to-submit compliance report for card scheme reporting, or mark items as remediated once the merchant has corrected the violation. Policy rules update automatically when Mastercard or Visa changes scheme requirements.

 

PCI-DSS Merchant Management

The PCI-DSS module provides an automated compliance wizard for your merchant portfolio. Merchants are guided through the appropriate SAQ type (A, A-EP, B, B-IP, C, C-VT, D) based on their payment acceptance method. Your team has a centralized dashboard showing each merchant's certification status, document validity, and upcoming renewal dates. Expired or missing AOC documents trigger automatic alerts. Compliance reports can be exported for internal audit and card scheme submission.

 

Continuous Monitoring & Alert Management

The Merchant Monitoring Service (MMS) runs on a configurable cadence — weekly, monthly, or real-time. When a monitoring scan completes, changed risk signals are highlighted relative to the prior scan. Alerts are prioritized by severity and routed to the appropriate team based on type (Risk, Compliance, Operations). To dismiss an alert, navigate to the case, add a resolution note, and mark it as closed. All dismissals require a documented rationale and are captured in the audit log.

 

Exporting Audit Evidence for Scheme Reviews

Before a card scheme audit (BRAM, VIRP, PCI-DSS, or AML), navigate to Reports → Audit Evidence Export. Select the merchant(s), date range, and evidence type (scan logs, alert history, case decisions, or compliance certificates). Files are packaged as a ZIP archive containing individual PDFs per merchant and a consolidated summary CSV.

Note: All workflow guides assume you have the relevant modules activated. If you do not see a specific feature in your platform, it may not be included in your current subscription. Contact [email protected] to discuss module activation.

 

Section 5 — Glossary

Plain-English definitions of key industry and platform terms.

 

BRAM — Brand Risk Assessment for Merchants

A Mastercard program that holds acquirers accountable for ensuring their merchants do not engage in activities that violate Mastercard's brand standards — including selling prohibited goods, adult content, or counterfeit products. Violations result in fines and mandatory remediation.

 

VIRP — Visa Integrity Risk Program

Visa's equivalent of BRAM. VIRP holds acquirers responsible for ensuring merchants comply with Visa's acceptable use policies. Acquirers must monitor merchants for prohibited content and activities, and can face significant financial penalties for uncorrected violations.

 

MMSP — Merchant Monitoring Service Provider

A card-scheme-certified company authorized to provide merchant monitoring services to acquirers. Onlayer is a Mastercard-approved MMSP, meaning acquirers can fulfill their scheme monitoring obligations using Onlayer's platform. Only a select number of companies globally hold this certification.

 

TLD — Transaction Laundering Detection

The detection of illicit transaction laundering — where an unauthorized merchant uses the account of a legitimate, approved merchant to process payments. Also called 'factoring.' It is a major AML and card scheme compliance concern for acquirers.

 

MCC — Merchant Category Code

A four-digit code assigned to merchants by acquirers that classifies the type of business they operate. MCC drift — where a merchant's actual business no longer matches their assigned MCC — is a key risk signal indicating potential fraud, laundering, or policy non-compliance.

 

KYM — Know Your Merchant

The merchant-equivalent of KYC (Know Your Customer). KYM refers to the due diligence process acquirers undertake before accepting a merchant — verifying business legitimacy, content compliance, identity, and financial risk. Onlayer's MOS module automates this process.

 

SAQ — Self-Assessment Questionnaire

A PCI-DSS compliance tool used by merchants to self-report their security posture. Multiple SAQ types exist (A, A-EP, B, B-IP, C, C-VT, D) based on how the merchant accepts payments. Onlayer's PCI-DSS module automates the correct SAQ assignment and completion workflow.

 

AOC — Attestation of Compliance

A PCI-DSS document signed by a merchant certifying their compliance with PCI-DSS standards. Acquirers are required to collect and maintain valid AOC documents for their portfolio. Onlayer tracks AOC validity and alerts on expiring certificates.

 

C.A.R.V.E.™ — Content Agnostic Recursive Vector Encoding

Onlayer's proprietary AI technology for detecting transaction laundering. C.A.R.V.E.™ maps behavioral and technical relationships across domains, IP addresses, DNS records, and digital fingerprints — identifying hidden merchant networks and proxy structures.

 

PSP / Payfac — Payment Service Provider / Payment Facilitator

Companies that process payment transactions on behalf of merchants. PSPs and payfacs carry acquiring responsibilities under card scheme rules, including KYM compliance, BRAM/VIRP monitoring, and AML screening.

 

ICA — Interbank Card Association Number

A Mastercard-assigned identifier for financial institutions participating in the Mastercard network. Used in Onlayer's billing model for platform fees and transaction monitoring services.

 

False Positive

An alert triggered by Onlayer's system that, upon manual review, does not represent an actual risk or violation. Onlayer provides a structured review and dismissal process that feeds back into improving detection accuracy over time.

 

 

Section 6 — Frequently Asked Questions

 

  • What do I do if I receive a False Positive alert on a merchant?

Navigate to the alert in your dashboard and click "Review Alert." Examine the evidence package provided. If you determine the alert is not a genuine risk, click "Mark as False Positive," add a brief rationale note, and confirm. The merchant's risk record will be updated and the alert will be closed. Your rationale is audit-logged and can be referenced in scheme reporting. Repeated false positives on a specific signal type can be reported to Onlayer's support team, who will fine-tune detection thresholds for your portfolio.

 

  • How do I increase scan frequency to reduce my scheme fine risk?

Navigate to Settings → Monitoring Configuration and locate the merchant or segment you want to adjust. Scan frequency can be set to weekly, bi-weekly, monthly, or real-time (event-triggered). For highest-risk merchants — those with prior violations or operating in high-risk verticals — we recommend weekly or real-time scanning. Contact your account manager to understand the cost implications before adjusting.

 

  • How do I reset my password or API key?

Password: On the login screen, click "Forgot Password?" and enter your registered email address. You will receive a reset link within 2 minutes.

API Key: Keys can be rotated at any time in Settings → API Management → Rotate Key. After rotation, the old key is immediately invalidated. Ensure your integration is updated before rotating to avoid service interruption.

 

  • Does Onlayer support merchants in my specific market and language?

Yes. Onlayer's AI supports multi-language content analysis and is designed for global deployment. The platform is actively used across the Middle East, Africa, Asia-Pacific, and Europe. Compliance configurations can be tailored to local regulatory requirements, including SAMA (Saudi Arabia), CBUAE (UAE), MAS (Singapore), BNM (Malaysia), and PCI-DSS globally.

 

  • Who makes the final decision on a merchant — Onlayer or our team?

Your institution always retains full decision authority. Onlayer provides intelligence, risk scores, and — if the Automated Decision Engine is configured — initial classification outcomes. All outcomes can be reviewed and overridden by your risk team at any time. All overrides are logged and attributed to the reviewing team member.

 

  • Can we run a Proof of Concept before committing?

Yes. The standard PoC process involves providing a sample of 10–50 merchant URLs or addresses from your existing portfolio. Onlayer's team runs a complimentary assessment and presents the findings using your own merchants as examples — giving your team tangible evidence of platform value before any commercial commitment. Contact [email protected] to initiate.

 

  • What data does Onlayer process, and is consumer data involved?

Onlayer processes exclusively publicly available merchant data — including websites, social media profiles, business registries, and review platforms. No consumer PII, cardholder data, or transaction-level financial data is collected. The platform is ISO 27001-certified, with all data encrypted at rest and in transit.

 

  • How is Onlayer different from tools like MATCH or Ethoca?

MATCH is a terminated merchant database — it tells you if a merchant has been flagged in the past. Ethoca focuses on dispute and chargeback resolution. Onlayer proactively analyzes each merchant's live website, content, security posture, and behavioral signals to assess risk before problems occur. Onlayer is preventative intelligence; MATCH and Ethoca are reactive tools. They are complementary — not overlapping.

 

 

Section 7 — Support & Contact

 

Support Response SLAs

 

| Severity | Description | Examples | First Response | Resolution Target |
| --- | --- | --- | --- | --- |
| Critical | Platform down or major functionality unavailable | Full outage, unable to log in, all scans failing | 1 hour | 4 hours |
| High | Core feature degraded or significant data issue | Webhook failures, Decision Engine errors, report generation failing | 4 hours | 1 business day |
| Medium | Feature working with workaround available | Alert delivery delays, dashboard display issues, export errors | 1 business day | 3 business days |
| Low | General inquiries, feature requests, non-critical questions | How-to questions, UI feedback, documentation requests | 2 business days | Best effort |

 

24/7 Emergency Support: For Critical severity issues outside business hours, email [email protected] with "CRITICAL" in the subject line. On-call engineers are available around the clock for platform outages.

 
