Merchant Category Codes (MCCs) Explained: How They Control Business Spend

A merchant category code (MCC) is a 4-digit number a payment processor assigns to a merchant to classify what kind of business it runs. Card networks use the MCC to categorize transactions, set interchange, and decide whether your card controls approve or decline a purchase.

For finance leaders, MCCs stay invisible until something breaks. A legitimate purchase gets declined, a transaction lands in the wrong expense category, or a rebate check comes in lighter than the model predicted. Behind each of those is an MCC doing exactly what it was configured to do. Knowing how the code works is how you make card controls work for you instead of against you.

Key Takeaways

• An MCC is the 4-digit code, set by a merchant's payment processor under the ISO 18245 standard, that classifies the merchant's business type for every card network.

• MCCs are the mechanism behind card controls. When a transaction is authorized, the issuer checks the MCC against the card's allow-list or block-list and approves or declines it in real time.

• Allow-lists lock a card to specific categories, which suits single-purpose virtual cards. Block-lists permit everything except named categories, which suits general corporate cards.

• MCCs aren't perfect. A vendor can be miscoded or use different codes at different locations, so finance teams pair MCC rules with vendor allow-lists, per-card limits, and monitoring.

• Because interchange varies by MCC, the accuracy of those codes also drives how much rebate a corporate-card program earns.

What is a merchant category code?

A merchant category code is a 4-digit number that identifies the type of goods or services a business sells. They drive transaction categorization, interchange pricing, and the category-level controls that govern corporate cards. It's governed by ISO 18245:2023, the current international standard for merchant category codes, and every major network (Visa, Mastercard, and American Express) maintains its own MCC list under that standard. The codes started in the 1970s and 1980s as a way to handle tax reporting on card payments.

Today they do far more.

People sometimes confuse MCCs with SIC codes. They're related but not the same. A SIC code is a broad government classification of an entire company's industry, while an MCC classifies a specific merchant for card-acceptance purposes. The MCC is what travels with a card transaction, so it's the one that matters for spend controls.

Who assigns an MCC, and when?

A merchant's acquiring bank or payment processor assigns the MCC when the merchant first sets up card acceptance. The acquirer picks the code based on the merchant's stated business type, following the card networks' classification rules.

Once set, the MCC generally stays put. Changing it requires the acquirer to step in, so a merchant can't simply re-tag itself on a whim. That stickiness is usually a good thing for control, but it's also why a miscoded merchant stays miscoded until someone intervenes.

How is the 4-digit code structured?

MCCs are grouped into ranges by industry, which makes them easier to reason about in bulk. The 5000s cover retail (grocery, restaurants, clothing), the 7000s cover services (hotels, repair, entertainment), and the 8000s cover professional and membership services (medical, legal, schools).

Mastercard's October 2024 version lists 879 MCCs organized into 20 MCC categories, according to Mastercard's published merchant category reference. Knowing the rough range a purchase should fall into is the fastest way to spot a code that looks wrong.

How do merchant category codes power card controls?

MCCs power card controls by acting as the test an issuer runs at the moment of authorization. When a card is used, the transaction carries the merchant's MCC, and the issuer checks that code against the rules configured on the card before the purchase clears.

If the MCC isn't permitted, the transaction is declined in real time, before any money moves. The whole check takes milliseconds. That single mechanism is what turns a written spend policy from a document nobody reads into something a card actually enforces at the register.

This is the part finance leaders most need to understand, because it's the difference between a policy that lives in a PDF and one that stops an out-of-policy purchase at the register. The codes are the enforcement layer underneath the card controls and spend policies a program sets, and they apply across every type of corporate card a team issues.

What's the difference between an allow-list and a block-list?

An allow-list and a block-list are two opposite ways to configure the same MCC mechanism. An allow-list is restrictive, so the card works only at the MCCs you name and everything else declines. A block-list is permissive, so the card works everywhere except the MCCs you name. Allow-lists fit narrow, single-purpose cards where you know exactly where spend should go.

Block-lists fit general-purpose corporate cards where you want broad utility with a few hard stops, like gambling or jewelry.

How does real-time enforcement actually work?

Real-time enforcement means the MCC check happens during authorization, not in a report you read after the fact. The issuer evaluates the card's rules in the moment, declines anything out of policy, and can fire a notification to the cardholder and the program admin at the same time.

Pairing MCC declines with real-time alerts and regular monitoring is what closes the loop, so a blocked transaction becomes a documented enforcement event rather than a surprise on next month's statement.

Card fraud is a real driver here. Global card fraud losses reached $33.41 billion in 2024, and the U.S. carried 41.87% of those losses despite running 26.31% of worldwide card volume, according to the Nilson Report's January 2026 fraud analysis. MCC-based controls are one of the most direct levers a finance team has to defend against payment fraud and keep spend inside approved categories.

Which MCCs should you allow or block?

The table below maps the MCC ranges finance teams encounter most, with a starting control recommendation for each. Treat these as defaults, not rules. Every program should map its own written policy to its MCC configuration, because a category that's off-limits for one team is a core expense for another.

Which MCCs are commonly blocked on corporate cards?

A handful of categories show up on almost every general-use block-list because they're historically where out-of-policy spend hides. The usual suspects:

• Gambling and betting (7995).

• Jewelry and watches (5944).

• Package liquor stores (5921).

• Dating and escort services (7273).

• Pawn shops and clothing outside of uniform programs.

None of these are inherently fraudulent, but they're rarely a legitimate business expense, so blocking them by default removes an easy avenue for misuse and shrinks the list of declines anyone has to investigate.

Which MCCs look suspicious but are often legitimate?

Some codes trigger a second look but are perfectly valid in the right program. Knowing which is which saves a lot of needless investigation:

• Digital goods (5816) is a common abuse vector, but it's also where legitimate app-store and subscription charges land.

• Charitable organizations (8398) looks unusual on a corporate card, yet it's exactly right for a company donation-matching program.

• Computer programming and SaaS (7372) covers most modern software vendors, so a block here will decline tools your teams actually need.

When a code is ambiguous, the answer usually comes down to context. Which employee, which card, and whether the purchase ties to an approved budget.

Why do MCCs get misclassified, and what can't they catch?

MCCs get misclassified more often than most finance teams expect, and an honest control strategy plans for it. A merchant self-describes its business at onboarding, and the acquirer codes it from that description, so an office-supply vendor might land under general merchandise, or a software company might be tagged as a computer store rather than a programming service. Worse, a single merchant can carry different MCCs across locations or terminals, which means the same vendor can be approved at one store and declined at another.

The practical limit is simple. A block-list only catches what's coded correctly. If a restricted vendor happens to sit under a benign MCC, the rule sails right past it. That's why MCC controls work best as one layer in a stack, paired with vendor-name rules, per-card limits, role-based scopes, and post-transaction monitoring.

The first time most teams learn this is when a perfectly normal purchase gets declined and nobody can immediately say why. MCCs are a strong first line of defense, not the whole defense.

Why does a legitimate purchase get declined?

A legitimate purchase usually gets declined for one of three MCC reasons. The merchant's MCC sits outside the card's allow-list, the MCC is on the block-list, or the merchant's code has changed since you wrote the rule. The fix starts with the receipt.

Check which MCC the transaction actually carried, ask the merchant which code its acquirer assigned, and then either request a one-time override or adjust the card's rule so the category clears going forward.

Can a merchant change its MCC?

A merchant can change its MCC, but not easily and not alone. Because the acquirer sets the code, updating it takes acquirer intervention and a justification that the original classification was wrong. Merchants can't self-edit their MCC, which is why a miscoded vendor often stays that way until a cardholder or finance team flags the problem and pushes for a correction.

How do MCCs affect interchange rates and card rebates?

MCCs directly affect the economics of a card program because interchange, the fee a merchant pays to accept a card, varies by category. Some MCCs carry materially higher interchange than others, and a corporate-card rebate is funded partly out of that interchange. U.S. merchant processing fees hit $187.20 billion in 2024 on nearly $11.9 trillion of card volume, according to the Nilson Report's March 2025 analysis, which is the pool a well-run corporate card program earns its rebate against. Where your spend lands by category is a real lever on what comes back.

Why does rebate revenue depend on MCC accuracy?

Rebate revenue depends on MCC accuracy because a miscoded vendor can quietly pay less interchange than your rebate model assumes. When that happens, the issuer-funded portion of the rebate shrinks, and the program earns less than projected on that spend.

Teams running large card programs should audit their MCC distribution at least once a year to confirm that high-volume vendors are coded the way the cash-back and return-on-spend math expects.

How do MCC controls work in virtual cards?

Virtual cards use MCC allow-lists set to the smallest workable scope, which is what makes them so effective at controlling spend. A single-use or vendor-locked virtual card can be configured to work only at one MCC for one supplier, so even if the number leaks, it's useless anywhere else.

That tight scoping is why virtual cards have become the default for vendor payments and subscription spend, and it's the same MCC mechanism corporate cards use, just dialed down to a single category. For recurring employee purchases, a scoped business expense card applies the same idea with a wider but still bounded set of allowed categories.

Control category spend with Corpay commercial cards

The hard part of category control isn't deciding what to block. It's making the block stick on every card, watching it in real time, and reconciling the result back to your books without a separate spreadsheet. MCCs give you the mechanism; the work is wiring that mechanism to your policy and your ERP.

Corpay's commercial card platform exposes MCC controls as a primary policy lever. You can configure allow-lists and block-lists at the program or per-card level, issue virtual cards locked to a single MCC and vendor, and set corporate card rules that enforce category limits before a purchase clears. What sets it apart:

• MCC controls paired with daily monitoring and real-time notifications, so a blocked transaction is logged as a clean enforcement record.

• Category and expense management data that reconciles against AP invoices in your general ledger, not in a separate spend silo, through 180+ ERP integrations.

• Rebate economics at scale, since Corpay is the number-one B2B commercial Mastercard issuer in North America, serving 800,000+ customers.

Talk to our team about turning your written spend policy into MCC rules that enforce themselves on every card.

Frequently asked questions about MCCs

What is a merchant category code (MCC)?

A merchant category code is a 4-digit number that classifies the type of business a merchant operates. A merchant's payment processor assigns it under the ISO 18245 standard, and card networks use it to categorize transactions, price interchange, and enforce the category controls on a card.

Who decides which MCC a merchant gets?

The merchant's acquiring bank or payment processor decides the MCC, assigning it when the merchant sets up card acceptance. That acquirer bases the code on the merchant's stated business type, following the card networks' classification rules. Merchants don't get to pick the code directly.

Can a merchant change its MCC?

Yes, but it requires the acquirer to make the change, and it's uncommon. A merchant can't update its own MCC. Correcting a miscoded merchant usually means demonstrating that the original classification was wrong and asking the acquirer to reassign it.

What is an MCC restriction on a corporate card?

An MCC restriction is a rule that allows or blocks transactions based on the merchant's category code. It's how a finance team enforces category-level spend policy, for example blocking gambling or jewelry on every card, or limiting a virtual card to a single approved vendor category.

Why was my corporate card declined by MCC?

Your card was likely declined because the merchant's MCC fell outside the card's allow-list, sat on its block-list, or had changed since the rule was written. Check the transaction's MCC, confirm the code the merchant's acquirer assigned, and request an override or a rule update.

How are MCCs different from SIC codes?

An MCC classifies a specific merchant for card-acceptance purposes and travels with each card transaction. A SIC code is a broader government classification of a company's overall industry. They overlap conceptually, but only the MCC is used to categorize transactions and enforce card controls.

How do MCCs affect interchange rates and rebates?

Interchange varies by MCC, so the categories your spend runs through shape what a merchant pays and what your program earns back. Because corporate-card rebates are funded partly from interchange, accurate MCCs are essential to capturing the rebate revenue a program is projected to earn.

How many MCCs are there?

Card networks each maintain their own MCC list under ISO 18245, and the active set runs into the hundreds, organized into roughly 20 broad categories. The lists are revised periodically as new generic codes are added and outdated merchant-specific ones are retired.

David Luther

Product Marketing Program Manager

David Luther, MBA is a product marketing program manager with years of experience in commercial banking, finance, and technology sectors, with research and writing appearing in financial publications.

Commercial Cards

Virtual Card

Risk management