How do banks investigate carding cases? (Chargeback processing, interaction with payment systems)

S

Student

Professional
Messages
141
Reaction score
129
Points
43
For educational purposes, I will walk you through the process of investigating carding cases and handling chargebacks, focusing on key aspects, technical details, roles involved, and prevention measures. Carding is a form of fraud in which criminals use stolen credit card information to make unauthorized transactions. A chargeback is a cardholder protection mechanism that allows you to get your money back in the event of fraud or a dispute. We will walk you through the process step by step, including interactions with payment systems, technical aspects, and challenges, with a focus on carding.

1. What is carding and how does it happen?​

Carding is the use of stolen bank card data (card number, CVV code, owner name, expiration date) to make unauthorized transactions, such as online purchases, cash withdrawals or money transfers. The main methods of data theft are:
  • Phishing: Scammers obtain data through fake websites, emails or messages.
  • Skimming: Installing devices on ATMs or terminals to read card data.
  • Database Hacking: Stealing data from online stores, payment systems or other platforms.
  • Darknet: Buying stolen data on black markets (e.g. card dumps with tracks for physical transactions or data for online purchases).
  • Social Engineering: Deceiving users to reveal data.

Once the data is obtained, the fraudsters carry out transactions, often disguising them as legitimate, using VPNs, proxies or devices that mimic the cardholder's location.

2. Initiating a chargeback: the role of the cardholder​

When a cardholder notices an unauthorized transaction (e.g. through an online banking statement), they initiate the chargeback process. This process begins with contacting the issuing bank (the bank that issued the card).

The cardholder's steps are:
  • Fraud Detection: A customer sees a suspicious transaction on their statement or receives a notification from the bank about unusual activity.
  • Contacting the bank: The client contacts the bank via:
    • Online banking (dispute or chargeback section).
    • Call center.
    • Personal visit to the department.
  • Submitting an application: The client completes the form, indicating:
    • Transaction details (date, amount, merchant).
    • The reason for the dispute (for example, "unauthorized transaction" or a fraud code such as Visa Reason Code 10.4 or Mastercard Reason Code 4837).
    • Evidence, if any (e.g. card theft notification, no contact with merchant).
  • Fraud Confirmation: The Client may indicate that:
    • The card was lost or stolen.
    • Data has been compromised (e.g. through phishing).
    • The transaction was made without his participation (no 3-D Secure, suspicious location).

Actions of the issuing bank:
  • Checks the application for compliance with the rules of the payment system.
  • It may temporarily return funds to the customer (a process called provisional credit ) to minimize inconvenience.
  • Requests additional evidence if the case is ambiguous (e.g. correspondence with the merchant, screenshots, location data).
  • Blocks the card if it is confirmed to be compromised and issues a new one.

3. Investigation by the issuing bank​

The issuing bank conducts an initial investigation to confirm that the transaction is indeed fraudulent. This is a key step, as the bank is responsible for ensuring that the payment system complies with its rules.

The investigation process:
  • Transaction data analysis:
    • Metadata: Date, time, amount, merchant identifier (MID), terminal or IP address.
    • Geolocation: Comparing the location of a transaction with the location of the customer.
    • Transaction type: Online (CNP, Card-Not-Present) or offline (using a physical card).
    • Use 3-D Secure: Checks whether two-factor authentication (e.g. SMS code, biometrics) has been used.
  • Fraud Monitoring Systems:
    • Banks use platforms such as Falcon Fraud Manager (FICO), ThreatMetrix or their own solutions that analyze transactions in real time.
    • Machine learning algorithms detect anomalies: unusual timing, frequency of transactions, geolocation or device mismatch.
  • Checking customer history:
    • The client’s behavior is analyzed: whether there were any disputed transactions before, how often he uses the card.
    • It checks whether the request is false (for example, the customer made a purchase but is trying to get a refund).
  • Contact with the client:
    • The bank may request additional information, such as confirmation that the customer was not present at the location where the transaction was made.
    • If the card was used offline, the bank may request information about possible skimming (for example, use of an ATM).

Result:
  • If the case is confirmed as fraudulent, the bank will initiate a chargeback through the payment system.
  • If there are any doubts (for example, the client entered a PIN code or used 3-D Secure), the bank may refuse a chargeback and recommend that the client contact the merchant or law enforcement agencies.

4. Interaction with the payment system​

Payment systems (Visa, Mastercard, Mir, etc.) act as intermediaries between the issuing bank and the acquiring bank (the bank servicing the merchant). They set the rules for processing chargebacks and ensure their compliance.

Payment system steps:
  • Receiving a request: The issuing bank submits a chargeback request through the payment system platform (e.g. Visa Resolve Online or Mastercard Connect). The request includes:
    • Chargeback reason code (e.g. Visa 10.4 - "Fraud - Card Absent Environment", Mastercard 4837 - "No Cardholder Authorization").
    • Transaction details (ID, amount, date).
    • Evidence of fraud (if required).
  • Compliance check: The payment system checks whether the request is submitted within the specified time frame (usually 45-120 days from the transaction date) and whether it complies with the rules.
  • Forward to acquirer: The request is forwarded to the acquiring bank, which notifies the merchant.

The role of the payment system:
  • Provides a standardized dispute handling process.
  • Stores transaction data in its systems for reconciliation.
  • May implement additional security measures such as Visa Account Updater (to keep card details up to date) or Ethoca (to share fraud information).

5. Investigation by the acquiring bank and the merchant​

The acquiring bank receives a chargeback request and forwards it to the merchant. The merchant must prove that the transaction was legitimate, otherwise he will lose the money.

The acquiring bank's actions:
  • Notifies the merchant of the dispute, providing transaction details and the reason for the chargeback.
  • Sets a time period (usually 7-30 days) within which the merchant must respond.

Merchant actions:
  • Collection of evidence:
    • For online transactions: Confirmation of use of 3-D Secure, IP address, authorization data (CVV, AVS — Address Verification System).
    • For offline transactions: Customer signature, terminal data, video recordings (if available).
    • For goods: Delivery confirmation (tracking number, recipient's signature).
    • Correspondence with the client, if any.
  • Transaction Analysis:
    • The merchant checks whether security measures (e.g. tokenization, 3-D Secure) have been used.
    • It checks whether the transaction is part of a known fraudulent scheme (for example, testing the card with small amounts).
  • Response to chargeback:
    • The merchant may agree to a chargeback (refund of funds to the client).
    • Or challenge it by sending evidence through the acquirer to the payment system ( representation ).

Problems for the merchant:
  • Merchants, especially small ones, often do not have the resources to effectively dispute chargebacks.
  • If a transaction is made without 3-D Secure, the merchant is usually held responsible.
  • A high level of chargebacks may result in fines or termination of the agreement with the acquirer.

6. Chargeback decision​

After receiving a response from the merchant, the payment system and the issuing bank analyze the data:
  • Chargeback approval:
    • If the evidence of fraud is convincing (e.g. a transaction without 3-D Secure, clear signs of carding), the funds are returned to the client.
    • The money is debited from the merchant's account. The acquirer may charge an additional fee (usually $15–50 per chargeback).
  • Chargeback Denied:
    • If the merchant provides evidence (such as 3-D Secure or delivery confirmation), the chargeback is rejected and the customer loses the right to a refund through this mechanism.
  • Arbitration:
    • If the parties do not agree with the decision, the case is referred to the payment system arbitration.
    • The payment system (Visa, Mastercard) reviews all evidence and makes a final decision. This process can take up to 60 days and includes additional fees.

7. Additional measures when carding​

Carding is a serious threat, and banks, payment systems and merchants are taking measures to prevent and investigate it:
  • Blocking and monitoring:
    • If the card is confirmed to be compromised, the issuing bank blocks it and issues a new one.
    • Merchant transactions may be suspended if high levels of fraud are detected.
  • Fraud data sharing:
    • Payment systems use databases such as MATCH (Mastercard) or VMAS (Visa) to track fraudulent merchants and cards.
    • Systems like Ethoca and Verifi allow banks and merchants to share information about suspicious transactions in real time.
  • Law enforcement notification:
    • In the case of large-scale carding schemes (for example, organized groups using card dumps), banks pass the data on to the police or cyber units.
    • International cooperation can be achieved through Interpol or Europol.
  • Technological measures:
    • 3-D Secure: Mandatory two-factor authentication (password, SMS, biometrics) reduces the risk of fraud. In Europe, the SCA (Strong Customer Authentication) standard has been implemented as part of PSD2 since 2021.
    • Tokenization: Replacing card data with unique tokens (e.g. Apple Pay, Google Pay) that are useless to fraudsters.
    • Machine learning: Systems detect anomalies such as multiple transactions from one IP or geolocation mismatches.
    • AVS and CVV: Address verification and CVV code for online transactions.
  • Client training:
    • Banks inform clients about security measures: do not disclose card details, use antivirus software, check websites before paying.

8. Technical aspects and deadlines​

  • Processing times:
    • Initial review by the issuing bank: 5-10 days.
    • Transfer via payment system: 1–5 days.
    • Merchant response: 7–30 days.
    • Final decision: 30–90 days.
    • Arbitration (if necessary): up to 60 additional days.
  • Technologies:
    • Banks use payment system APIs to automate chargeback processing.
    • Monitoring systems (e.g. FICO Falcon , SAS Fraud Management ) analyze millions of transactions per second.
    • 3-D Secure protocols (version 2.0) include dynamic Risk-Based Authentication.
  • Responsibility:
    • If 3-D Secure was used, liability for fraud usually lies with the issuing bank.
    • Without 3-D Secure, the merchant or acquirer is most often held liable.


9. Problems and challenges​

  • False chargebacks ( friendly fraud ):
    • Some customers initiate chargebacks to get money back for legitimate purchases (for example, after receiving the goods).
    • This puts a burden on merchants and banks, increasing costs.
  • High costs:
    • Chargebacks are expensive: processing fees, merchant penalties, operational costs.
    • Small businesses are particularly vulnerable because they are unable to dispute a large number of chargebacks.
  • Difficulty of investigation:
    • Carding often involves complex schemes: using proxies, fake identities, testing cards with small amounts.
    • The international nature of fraud makes it difficult to investigate (for example, card details are stolen in one country, but the transaction is made in another).
  • Balance between security and convenience:
    • Strict security measures (such as mandatory 3-D Secure) may discourage customers due to inconvenience.
    • Too lenient measures increase the risk of fraud.

10. Examples of real scenarios​

  1. Carding via online store:
    • Fraudster buys electronics using stolen card details.
    • The client notices the transaction and initiates a chargeback.
    • The issuing bank confirms that the transaction was made without 3-D Secure and returns the funds.
    • The merchant loses the goods and money if he cannot prove delivery.
  2. ATM skimming:
    • Fraudsters install a skimmer, obtain card data and withdraw cash.
    • The client submits a chargeback request, the bank confirms the anomaly (transaction in another country).
    • The money is returned and the bank passes the data to the police.
  3. False chargeback:
    • A customer purchases an airline ticket, uses it, but initiates a chargeback, claiming that he did not make the transaction.
    • The airline provides evidence (booking details, IP address) and the chargeback is rejected.

11. Carding Prevention Measures​

  • For banks:
    • Implementation of 3-D Secure 2.0 and tokenization.
    • Using AI-based monitoring systems.
    • Regularly updating the database of scammers.
  • For merchants:
    • Mandatory use of 3-D Secure for online payments.
    • CVV and AVS verification.
    • Monitoring suspicious transactions (e.g. multiple orders from one IP).
  • For clients:
    • Using virtual cards for online purchases.
    • Enable transaction notifications.
    • Checking website security before payment (HTTPS, reviews).

Conclusion​

Investigating carding cases and handling chargebacks is a multi-level process involving interactions between the cardholder, the issuing bank, the payment system, the acquiring bank, and the merchant. The main stages are: initiating a dispute, investigating by the bank, forwarding the request through the payment system, checking by the merchant, and making a decision. Technical tools such as 3-D Secure, tokenization, and monitoring systems help minimize risks, but carding remains a serious threat due to its organized nature. To effectively combat carding, coordination between all participants and the implementation of advanced technologies are necessary.

If you want to delve into a specific aspect (for example, prevention technologies, the role of law enforcement, or the specifics of the payment system), let me know and I will provide even more detailed information!
 
You must log in or register to reply here.

Similar threads

Mutt
How blacklists (Visa TC40, MasterCard SAFE) work in the fight against carding?
Replies
0
Views
200
Mutt
Mutt
S
What is 3-D Secure and how does it prevent carding? (Detailed explanation of Verified by Visa, MasterCard SecureCode, their impact on transactions)
Replies
0
Views
27
Student
S
S
How do banks and merchants use blacklists other than TC40 and SAFE? (Examples of other databases such as MasterCard's MATCH)
Replies
0
Views
23
Student
S
S
What is tokenization and how does it protect against carding? (Principles of tokenization, its application in Apple Pay, Google Pay and other systems)
Replies
0
Views
22
Student
S
Mutt
Technical aspects of payment gateways
Replies
0
Views
126
Mutt
Mutt
Back
Top