HOW MIS SCORING WORKS

The Merchant Integrity Score (MIS) uses a deduction-based model. Merchants start at 100 and lose points for risk signals. Higher scores indicate more trustworthy merchants.

DEDUCTION-BASED SCORING
1. Start at 100: Every merchant begins with a perfect score of 100 points.
2. Subtract Penalties: Risk signals detected during analysis subtract points from the score.
3. Fail-Soft Principle: Missing data = no penalty. Only confirmed issues reduce the score.

EXAMPLE
Score 100 pts - domain_age (15) - no_legal_entity (25) - reputation (10) = 50 pts

80-100: STABLE. Low risk. Safe to onboard the merchant.
50-79: MONITOR. Medium risk. Manual review recommended.
0-49: INTERVENE. High risk. Do not onboard.

Legal & Identity Signals
Max Penalty: -110 pts

Verifies whether the merchant is a legitimate, registered business. Checks company registration, status, and geographic consistency. These signals carry high penalties as they indicate fundamental trust issues.

Signals Checked
Business registration (CVR/VAT)
Company status (active/dissolved)
Domain-company mismatch
Entity/site country mismatch
Penalty Rules
Signal | Penalty | Triggered When
company_dissolved | -35 pts | Company status is dissolved
no_legal_entity | -25 pts | No legal entity found (CVR/VAT)
domain_company_mismatch | -25 pts | Domain and legal entity don't match
country_mismatch | -20 pts | Entity country differs from site country
company_status | -5 pts | Company status is unknown

Infrastructure Signals
Max Penalty: -25 pts

Analyzes the technical setup including domain age, SSL certificates, and TLS configuration. Newer domains and weak security configurations incur penalties.

Signals Checked
Domain age (WHOIS)
SSL certificate validity
TLS configuration
HTTPS availability
Penalty Rules
Signal | Penalty | Triggered When
domain_age | -15 pts | Domain < 6 months old or age unknown
domain_age | -8 pts | Domain 6-24 months old
https_tls | -10 pts | HTTPS missing or TLS invalid
https_tls | -5 pts | TLS weak configuration
Tiered: Domain age penalties are mutually exclusive — only the highest applicable penalty is applied. Domains > 24 months old receive no penalty.

Reputation Signals
Max Penalty: -15 pts

Evaluates customer sentiment from review platforms, primarily Trustpilot. Low ratings and insufficient review history incur penalties. No Trustpilot profile is treated as a risk signal.

Signals Checked
Trustpilot rating
Review volume
Profile presence
Rating thresholds
Penalty Rules
Signal | Penalty | Triggered When
reputation | -15 pts | Trustpilot rating < 2.5/5 (very low)
reputation | -10 pts | Trustpilot rating < 3.2/5 (low) or no profile
reputation | -8 pts | Low review volume (< 20 reviews)
Rating scale: Ratings 3.2+ with 20+ reviews receive no penalty. Good ratings are neutral; only poor ratings or missing data incur penalties.

Cluster Signals
Max Penalty: -20 pts

Analyzes infrastructure patterns to detect connections to known fraudulent operations. Known bad IPs trigger significant penalties. If no cluster data is available, no penalty is applied (fail-soft).

Signals Checked
Known bad IP lists
Shared IP detection
Infrastructure fingerprinting
Fraud network associations
Penalty Rules
Signal | Penalty | Triggered When
cluster | -20 pts | Known bad IP detected
cluster | -8 pts | Shared IP with flagged merchants
Fail-soft: If no cluster data is available, no penalty is applied. Only confirmed bad infrastructure triggers deductions.

Contact & Compliance Signals
Max Penalty: -70 pts

Verifies merchant contact information and legal compliance. Checks for proper address, phone, returns policy, and consistency across pages. Missing or inconsistent information incurs penalties.

Signals Checked
Address presence
Phone availability
Returns policy country
Company name consistency
Penalty Rules
Signal | Penalty | Triggered When
company_name_mismatch | -15 pts | Company name inconsistent across legal pages
returns_country_mismatch | -15 pts | Returns country differs from entity country
cvr_invalid | -15 pts | CVR number format or checksum invalid
delivery_mismatch | -15 pts | Claimed delivery faster than actual terms
history_mismatch | -15 pts | Company claims to be older than domain
contact | -12 pts | No address and no phone detected
pricing_mismatch | -10 pts | Currency mismatch or VAT not disclosed
contact | -8 pts | Webmail-only contact email
Fail-soft: Missing data (no returns policy, no delivery terms) incurs no penalty. Only confirmed inconsistencies trigger deductions.

Fatal Signals (Sanctions)
Effect: INSTANT FAIL

Sanctions screening via OpenSanctions API. A sanctions hit is a fatal signal that immediately clamps the score to a maximum of 5, resulting in an automatic FAILED outcome regardless of other signals.

Signals Checked
OpenSanctions screening
PEP (Politically Exposed Persons)
Debarment lists
Crime/wanted lists
Fatal Rule
Signal | Effect | Triggered When
sanctions_hit | -95 pts (max 5) | Company name matches sanctions/PEP/crime database
Fatal: A sanctions hit immediately sets the maximum possible score to 5, guaranteeing FAILED status. This is the only signal that can override all other scores.

EXAMPLE: New E-commerce Shop (6-month-old domain)
Start: 100 (base)
Domain Age: -8 (6-24mo)
Reputation: -8 (<20 reviews)
Contact: -12 (no phone)
Final Score: 72 (MONITOR)

EXAMPLE: Established Danish Company (5-year domain)
Start: 100 (base)
Domain: 0 (>24mo)
Legal: 0 (active CVR)
All OK: 0 (no issues)
Final Score: 100 (STABLE)
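
The deduction, fail-soft and sanctions-clamp rules described above, written out as an added Python example (not the MIS product's own code). Function names, the use of None for "no data", the floor at 0, and treating reputation and cluster tiers as mutually exclusive are assumptions; the returned label comes from the score bands listed earlier.

```python
# Added illustration; penalties and thresholds are copied from the tables above.
BANDS = ((80, "STABLE"), (50, "MONITOR"), (0, "INTERVENE"))
SANCTIONS_CAP = 5  # a sanctions hit clamps the score to a maximum of 5


def domain_age_penalty(months):
    # Per the table, an unknown age is penalised like a young domain,
    # so this signal is an exception to the fail-soft rule.
    if months is None or months < 6:
        return 15
    return 8 if months <= 24 else 0


def reputation_penalty(rating, reviews, has_profile=True):
    # Assumption: tiers are mutually exclusive (category maximum is -15).
    tiers = [0]
    if not has_profile or (rating is not None and rating < 3.2):
        tiers.append(10)
    if rating is not None and rating < 2.5:
        tiers.append(15)
    if reviews is not None and reviews < 20:
        tiers.append(8)
    return max(tiers)


def cluster_penalty(known_bad_ip, shared_ip):
    # Fail-soft: None (no cluster data) is falsy and deducts nothing.
    if known_bad_ip:
        return 20
    return 8 if shared_ip else 0


def mis_score(penalties, sanctions_hit=False):
    """penalties maps signal name -> points, or None when the check had no data."""
    # Assumption: the score is floored at 0, the bottom of the 0-49 band.
    score = max(100 - sum(p for p in penalties.values() if p), 0)
    if sanctions_hit:
        score = min(score, SANCTIONS_CAP)
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band


if __name__ == "__main__":
    # Constructed input reproducing the page's "New E-commerce Shop" example.
    shop = {"domain_age": domain_age_penalty(6),
            "reputation": reputation_penalty(4.1, 12),
            "cluster": cluster_penalty(None, None),
            "contact": 12}
    print(mis_score(shop))
```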