Who Made Mastercard the Moral Arbiter?

It's been over a month since the activist group Collective Shout turned both Steam and Itch.io upside down, calling for the removal of hundreds of fetish-related not-safe-for-work games from both platforms; however, unlike the usual complaints and petitions that ultimately go nowhere. Collective Shout was able to swiftly and successfully delist most of their targets from Steam, a platform known for its slow and laissez-faire policies, and Itch.io, which, due to its small size, was forced to delist all adult games (over 20,000 games in total).

Now, while this act is genuinely impressive to pull off, it brought more pressing questions on how exactly an Australian-based activist group was able to easily take down games from a multinational corporation like Valve, along with the legal policies and laws surrounding debanking. This brings us to the central question:

Are the payment processors—not the platforms—the real arbiters of content?

To truly understand the situation, you need to understand how payment processors operate.

During the initial takedown of the Steam games, many users online instantly pointed fingers towards the biggest "payment processors", Visa and Mastercard. This was due to multiple statements given by Valve stating, "certain games on Steam may violate the rules and standards set forth by our payment processors and their related card networks and banks... we are retiring those games from being sold on the Steam Store."

While not explicitly mentioning Visa or Mastercard, threads and petitions started to emerge due to the fact that Collective Shout's open letter directly addresses the CEO's of both companies. The latter of the two, Mastercard, would eventually cave to the pressure and release a statement deflecting the blame. The statement titled "Clarifying recent headlines on gaming content" revealed that "Mastercard has not evaluated any game or required restrictions of any activity on game creator sites and platforms, contrary to media reports and allegations."

Valve would respond in record time to this, with a statement to Kotaku on the same day, stating that Mastercard's payment processors and acquiring banks would cite Mastercard Rule 5.12.7 to Valve, which technically means that Mastercard had nothing to do with it. This lies at the crux of the issue: payment processing is a complicated mess with multiple entities all interacting with each other, and while Mastercard isn't directly involved, they still play a huge part in the underlying process.

The payment processing process

When you use Visa or Mastercard to buy a game, DLC, cosmetics, or any other content on Steam, your money doesn't go straight from your credit card to Steam. Instead, your intent to purchase gets securely transmitted to a payment processor. And while the term "payment processor" has been thrown around as a blanket term to imply companies like Visa or Mastercard, neither companies actually process payments. Instead, payment processors like Stripe, Adyen, or Worldpay process and validate your data.

While you might not recognize any of the companies mentioned (other than Stripe), these companies provide the gateway for all online payments, while obviously taking a cut of every transaction too. After the payment processor comes the acquiring bank, which acts as the bank that hosts the merchant's bank account. Many banks you know act as acquiring banks, with Wells Fargo, Bank of America, Chase, and many more being big players.

The transaction information then goes to the payment network, which is your good friends Visa and Mastercard. They provide the backbone for any financial transaction going through their network and, most importantly, get to dictate the rules and standards for every transaction processed (oh, and don't forget their share of the transaction too).

After the network validates the information, the transaction finally ends up at the issuing bank, which is your financial institution that issued the card you used to purchase the goods from the merchant. And if everything checks out, you have just completed a valid transaction, with all the information being sent in only a couple of seconds. This information then goes back through to the merchant, and you can receive your goods.

Now, while the infrastructure is impressive, just looking at the entire process, we have moved as a society from cash transactions between client and merchant to a process that requires your faith and reliance on most likely 5 or more third-party companies/services that have nothing to do with your underlying business, just so you can survive.

A new era of financial censorship

With this many dependencies, you can imagine what happens when one of these services suddenly stops processing your transactions completely, and especially when you consider that many of these payment processing adjacent companies have partnerships with each other.

So when Collective Shout, an organization known for petitioning and disrupting businesses due to being "concerned about the increasing pornification of culture," decided to call and mass report the games to various networks, Mastercard, acting as the ultimate arbiter for morality seeing Valve violated their rules, quickly nudged both Valve's payment processor and acquiring bank, who in turn nudged Valve.

So while Valve is known for their IDGAF mentality when it comes to legal content on Steam, given the ultimatum of either censorship or not being able to process 38% of all global credit cards in circulation, choose to save their business by capitulating to big daddy Mastercard, or rather, the payment processors and banks that Mastercard also warned.

When it comes to PayPal transactions, the situation worsens for Steam, as Valve revealed that one of PayPal's own acquiring banks has fully terminated its acceptance of all transactions related to Steam. This would restrict the use of PayPal to only the most popular and widely accepted currencies, such as USD, CAD, EUR, AUD, GBP, and JPY.

While Itch.io faced a similar situation regarding Stripe, which resulted in them deindexing all adult games due to their lack of size compared to Steam. Many people speculated on how Valve (a company estimated to control 80% of the USD 76.73 billion PC gaming market) was unable to put up even a small fight back against Mastercard or PayPal.

The 'ick' of adult content

But why do networks like Mastercard or other large financial institutions even care what you spend your money on? Well, there are two sides to the coin here. The first side is the legitimate reasons why adult-oriented businesses might not be the best to work with. Depending on the type of high-risk market (gambling, adult content, cannabis/CBD, MLM, weapons and ammunition, etc.), there might be more regulations or chargebacks in each sector.

Validating these payments and controlling whether all transactions are legal, especially when the financial and legal burden can rest on the processor, leads to many companies mitigating their risk by refusing to work with these sectors entirely.

However, the other side of the coin lies the more arbitrary and opinionated reason, brand association and reputation.

Due to the highly controversial, dogmatic, and political nature of these industries, especially concerning adult content. Publicly traded companies like Mastercard or Visa, along with other aging financial institutions with a little too much power, can choose not to work with any business that is potentially harmful to their brand reputation, which is basically a death sentence to any offbeat business.

For Mastercard, the rule is 5.12.7, which states "A Merchant must not submit to its Acquirer, and a Customer must not submit to the Interchange System, any Transaction that is illegal, or in the sole discretion of the Corporation, may damage the goodwill of the Corporation or reflect negatively on the Marks."

While for Visa, the Visa Integrity Risk Program (VIRP) is a set of requirements that help Visa manage illicit or brand-damaging transactions. A quote from the Visa rule book shows that the VIRP is designed not to "process transactions that may adversely affect the goodwill of the Visa system."

If the rules that both Visa and Mastercard set are broken, both companies have the right to impose fines or suspend/terminate the ability to accept Visa/Mastercard cards. For Mastercard, they might go further due to their Business Risk Assessment and Mitigation (BRAM) program.

Just like how Mastercard stated that they have not "evaluated any game or required restrictions of any activity on game creator sites and platforms," the BRAM investigation and resolution process shows how exactly Mastercard are allowed to get away with this, while also censoring games. BRAM clearly states that when Mastercard gets notified of a potential violation, it reports its findings to the acquiring bank of the merchant. The acquiring bank then investigates and helps resolve the situation.

Mastercard goes even further by using its blacklisting tool, known as the Member Alert to Control High-Risk list or MATCH database. If merchants are terminated by their acquiring bank for a reason such as fraud, money laundering, or brand-damaging activity, they are automatically added to the MATCH list, making it harder to find a different payment network or processor. MATCH is also a global tool, so even though it is a Mastercard product, both Visa and Mastercard can contribute.

While this would sound unfortunate for Valve, due to PayPal's acquiring bank terminating all transactions with Steam. Valve would most likely not be on the MATCH list due to the fact that it was one of PayPal's banks. Due to the lack of a direct acquirer-merchant relationship, Valve would most likely not be on MATCH.

If Valve were on the MATCH list, they would likely need to work with what are known as "high-risk" payment processors. These processors, like CCBill and Verotel, are some of the most prominent payment processors for adult entertainment. They exist by charging larger fees due to their acceptance of higher-risk industries. In an ideal world, there should only be one type of payment processor that validates all legal transactions. However, for now, there's going to be payment challenges, and companies will be forced to either change their business model or seek alternative payment methods that are not reliant on the major card networks.

Déjà vu?

A situation similar to this happened around August 2021, when OnlyFans, the most popular adult content subscription service, announced that it would start to ban all adult content due to increasing pressure from banks and payment processors, just like Valve. However, after only 6 days of relentless backlash, they decided to remove the ban after they "secured assurances necessary to support our diverse creator community."

Importantly, they were able to secure a deal thanks in part to an interview with OnlyFans CEO Tim Stokely on the FT, where he openly called out banks like JP Morgan Chase, BNY Mellon, and Metro Bank for being unfair on adult content. OnlyFans executives would later state that Stokely's public statements during the interview allowed for open lines of communication between the banks and OnlyFans.

Looking at the details of OnlyFans now, it's especially jarring that the primary payment processor for OnlyFans is still Stripe, the same company that just refused to work with Itch.io due to ceasing to process transactions "designed for sexual gratification." Now, to be fair to Stripe, this seems like another case of banks being the moral arbiters, and not Stripe itself.

Their official statement, "Stripe is currently unable to support sexually explicit content due to restrictions placed on them by their banking partners, despite card networks generally supporting adult content (with the appropriate registrations)," seems to be in line with the general opinion of other Stripe users. A post on Y Combinator about Stripe processing adult payments shows one user complaining about Wells Fargo blocking their adult toy store due to violating their standards.

While it seems that OnlyFans also uses more high-risk payment processors like CCBill, it still shows that with enough influence (with $6.6 billion in gross payments and $1.307 billion in revenue in 2024) and media attention, you can negotiate and make deals with these immoral institutions. So it's interesting to see that Valve has so far not released a statement on their behalf yet and has only reached out to large media organizations. Valve should be actively fighting against the removal of legal content from its store, regardless of the moral implications.

Because Valve processes much more in gross payments, they should have an obligation to protect the developers and consumers who help make the Steam engine run.

So who's at fault?

It's hard to pinpoint one specific entity or institution that is at fault for this blatant censorship. While the duopoly of Visa and Mastercard can be easily blamed, at the same time, legacy banking institutions that are too big to fail also engage in the exact same practices.

An actual answer would be the entire payment processing system, a system that was developed while you weren't even born yet, and a system that will most likely stay in place with no protest when you die. To not sound too cynical, there are active strides to open up banking to everyone, with the executive orders that President Trump signed, along with the "Fair Access to Banking Act" by Sen. Kevin Cramer. The link to both of these can be found here and here.

With increasing regulation and restrictions on online content like the UK's Online Safety Act, the increasing popularity of ID verification, and decreasing ownership of the products we purchase, the Mastercard-Steam situation is just another drop in the bucket of our ever-changing digital landscape.