Since 2020, the card networks have treated content moderation as a condition of card acceptance for adult platforms, not a legal footnote. A weak moderation stack is now the fastest route to a terminated merchant account, a MATCH listing, and five years without card processing.
Three regimes govern what you must do: the Take It Down Act (US federal, FTC enforced), Mastercard (BRAM), and Visa VIRP. But which controls apply to you depends on how your platform actually works. That is what this guide sorts out: read the landscape, then answer four questions to see the exact control set an acquirer will expect you to demonstrate.
Especially if you are new
This reads like a guide for merchants already operating, but it matters even more if you are just starting out. Acquirers will not coach you through their rules. From your very first contact, before onboarding formally begins, you are expected to demonstrate readiness, and a gap is grounds for immediate rejection rather than a request for more information. The only question they are really asking is simple: are you ready? If the answer is not a documented yes, the safe decision for them is no.
Three rulebooks, one merchant account
Three regimes now govern what adult platforms must do with content. They overlap in places and conflict in others, and payment processors expect you to satisfy all three at once.
Where they agree, and collide
The safest operating model
Run pre publication review as the default, with a fast track post notification removal path for NCII claims. Automated CSAM hash matching feeds the human queue, it never replaces it.
See what applies to you
Acquirers do not treat every adult business the same. A few quick questions decide which controls apply to you. Answer them the way your platform actually works today.
Your requirements
All adult content on your platform complies with applicable law and Visa/Mastercard requirements. This is the umbrella commitment everything else sits under, the rest of the list is how you prove it. In practice it means a written content policy that names the categories you allow and prohibit, mapped to Visa and Mastercard rules and to the laws of every market you serve. The card networks hold the merchant, not the individual creator, accountable for anything that reaches the site.
You never market or present content in a way that suggests illegal, nonconsensual, or exploitative activity. This covers titles, thumbnails, tags, and ad copy, not just the content itself. Mechanically it is a review pass over titles, tags, thumbnails, category names, and ad creative to catch anything implying minors, non-consent, or coercion. Networks audit these surface signals directly, and a single misleading label can trigger a brand risk review even when the underlying content is clean.
Enforced controls prevent illegal, prohibited, or nonconsensual content from being created, uploaded, or made available. Automated CSAM detection feeds a human queue, it never replaces it. The working stack is hash matching (PhotoDNA or equivalent) plus automated classifiers that flag or block on upload, with a trained human team clearing the queue and an escalation path to NCMEC where required. This is a hard prerequisite under both Mastercard BRAM and the Take It Down Act, the reference sheet below defines the prohibited categories to encode.
Full age assurance for content access is not universally mandatory yet, but it is tightening fast, and your service already falls under the scope of Visa VIRP and emerging state and federal age verification laws. Start building toward government ID or trust service checks now; a self declaration checkbox will not satisfy it once enforcement lands. Workable mechanisms today include government ID checks, reusable digital ID or trust services, and database or estimation providers layered with reverification, not a click through age gate. Treat it as a roadmap item you can show progress on, because underwriters are already asking where you stand.
Only creators whose identity and age you have verified with reliable documentation may upload, stream, or publish. No open, unverified publishing, this is the single control most platforms fail at scale. The mechanism is a government ID capture plus a liveness or selfie match for every uploader before their first publish, rechecked on a set cadence. Mastercard and Visa tie this directly to your right to process, so an unverified upload is read as an unmanaged risk.
The age, identity, and consent of content providers and every individual depicted are verified, documented, and producible on request. In practice that is a signed release plus verified ID for the performer and everyone appearing with them, linked to each specific piece of content and retained. On request from an acquirer or network you must produce the file for any given scene within a short window.
You maintain written agreements with providers, creators, or partners obliging them to comply with law and card scheme rules and to obtain and retain valid consent from everyone depicted. These agreements push the obligation down the chain, the provider warrants they hold valid consent and IDs for everyone depicted and will produce them on demand. It turns your policy into an enforceable, auditable duty rather than an assumption.
Where you work through studios, agents, aggregators, or chain partners, you run onboarding, due diligence, and ongoing monitoring, with age, identity, and consent responsibilities clearly assigned and backed by evidence. Practically you keep an onboarding file per studio or agency, sample audit their consent and ID records, and recheck on a schedule. Networks hold you responsible for what partners upload, so “the studio handles it” is not a defence without documented oversight.
Content is reviewed before it goes live, where applicable, no automatic publish on upload. This is Mastercard’s hardest requirement to run at volume, and where it conflicts with the Take It Down Act’s post notification model. Operationally it is a moderation queue where nothing publishes until a reviewer approves it, backed by automated prescreening to keep throughput manageable. The safest resolution of that conflict is pre publication review as the default, with a fast track removal path bolted on for NCII claims.
Real time content is actively moderated, with the ability to interrupt or terminate a stream the moment prohibited or non-compliant behaviour appears. That requires staffed real time monitoring, or reliable automated flagging with fast human backup, and a documented way to cut a stream instantly. Because live content cannot be pre-reviewed, the networks expect the control to sit at the moment of broadcast.
Anyone depicted can request removal. You verify consent on request and remove content immediately where consent cannot be confirmed or is withdrawn, within 48 hours under the Take It Down Act. The mechanism is a clearly published removal-request path, consent and identity verification on receipt, a logged takedown, and reasonable effort to catch reposts and duplicates. Both the 48 hour clock and the good faith safe harbour for over removal come from the Act.
A clearly accessible complaints and takedown process resolves reports within defined timeframes, with illegal content removed immediately on identification. It must be prominent, not buried in a footer. In practice that is a linked reporting page or form with defined SLAs, ticketed handling, and immediate removal for anything illegal. Mastercard and the Take It Down Act both require it to be conspicuous and to actually resolve, with records proving turnaround.
Users can report content, and every report is reviewed, investigated, and resolved in a timely, documented manner. You give users an in product way to flag content, route it into a tracked queue, and record the investigation and outcome. Documentation is the point, an unlogged “we look at reports” claim does not survive an audit.
Policies and controls prevent exploitation, coercion, trafficking, and abuse, with active monitoring for those risks, including performer welfare safeguards wherever you host live or user generated content. Concretely this is an anti trafficking and anti coercion policy, staff training, monitoring for indicators of exploitation, and, for live and UGC, performer check in and welfare safeguards. Visa and Mastercard both treat exploitation risk as a direct brand-protection and underwriting issue.
Your anti illegal controls and monitoring cover content supplied by third parties or partners, not only first party uploads. Any feed you ingest from partners, licensors, or affiliates runs through the same verification, moderation, and takedown controls as your own uploads. The networks do not accept a lighter standard just because someone else produced the content.
You can provide access to restricted or paywalled content for compliance and audit review on request. This is exactly why an underwriter asks for a live test account during onboarding. You provision a persistent test login that reaches every restricted area, paywalled, subscription, and user generated, and keep it live for ongoing reviews, not just onboarding. Visa VIRP expects an acquirer to be able to inspect the real experience at any time.
You maintain the policies, procedures, and records that demonstrate all of the above and provide them on request. If you cannot show it, an auditor treats it as absent. Keep a single, current evidence pack, policies, verification and consent records, moderation and takedown logs, training and audit trails, ready to hand over. Under a network audit the burden of proof is on you, and undocumented compliance is scored as non-compliance.
All AI generated or AI enhanced content visible to users complies with applicable law and card scheme requirements. The same lawfulness and scheme rules apply to anything synthetic your users can see or interact with, generated images, video, text, and virtual personas. Regulators and networks are explicitly closing the “it is not real” gap.
Enforced controls prevent illegal, deceptive, nonconsensual, or otherwise prohibited synthetic content from being created, uploaded, or made available. That means moderation and provenance checks over generated output, blocking synthetic CSAM, nonconsensual sexual deepfakes, and deceptive impersonation before it is served. The Take It Down Act reaches AI generated intimate imagery just as it does authentic material.
You do not permit misuse of real persons’ likenesses, identities, or implied consent, the deepfake line the Take It Down Act draws explicitly. Practically you gate any use of a real person’s face, voice, or identity behind documented consent, and block tools or prompts that recreate identifiable people without it. This is the specific harm the Act was written to stop.
AI generated content is subject to documented moderation, review standards, and ongoing monitoring, not left unreviewed because it is synthetic. You publish an internal review standard for synthetic content, apply it before and after publication, and log monitoring the same way you would for authentic content. Being AI is not an exemption from moderation, it is an added surface to moderate.
The cost of getting it wrong
A moderation failure does not generate a polite warning. It generates an acquirer investigation, usually triggered by a Mastercard GRIP letter or a Visa VIRP audit finding, and from there the timelines are short.
Your moderation stack is not a compliance checkbox. It is the structural argument you make to your acquirer that your business is worth keeping on the network. Build it before you are asked to show it.
- US Federal Trade Commission, “FTC Begins Enforcing the TAKE IT DOWN Act,” ftc.gov.
- US Federal Trade Commission, “TAKE IT DOWN Act” statute page, ftc.gov.
- Mastercard, “Standards and rules” (BRAM program), mastercard.com.
- Microsoft, “PhotoDNA,” microsoft.com.
