Mutt
For educational purposes, I’ll provide a detailed explanation of the Visa TC40 and Mastercard SAFE (now Fraud and Loss Database, FLD) processes, specifically in the context of carding—a type of fraud where stolen credit card information is used to make unauthorized purchases or test card validity. This response will delve into the mechanics of these systems, their role in detecting and managing carding, their implications for merchants, and how carders exploit or are affected by these processes. I’ll also clarify the concept of “blacklisting” in this context, ensuring the explanation is comprehensive while maintaining a neutral, educational tone. The goal is to help understand how these systems work to combat fraud like carding, without promoting or enabling illegal activities.
Context: What is Carding?
Carding is a form of cybercrime where fraudsters use stolen or illegally obtained credit card details to make unauthorized transactions, often to purchase goods, services, or gift cards, or to test card validity for further exploitation. Common carding techniques include:
- Card Testing: Making small, low-value transactions to verify if a stolen card is active without triggering immediate suspicion.
- Account Takeover: Using stolen credentials to access and misuse legitimate cardholder accounts.
- Bulk Purchases: Rapidly purchasing high-value items before the card is reported as stolen.
- Gift Card Fraud: Buying gift cards that can be resold or used anonymously.
Carding often targets e-commerce merchants due to the speed and anonymity of online transactions, making systems like Visa TC40 and Mastercard FLD critical tools for detecting and mitigating such fraud.
Visa TC40: Detailed Process in the Context of Carding
Overview:
- Definition: The TC40 (Transaction Code 40) is part of Visa’s Risk Identification Service (RIS), a system that aggregates fraud reports from issuing banks when cardholders report unauthorized transactions, including those from carding.
- Purpose in Carding Context: TC40 helps Visa, issuing banks, and acquiring banks identify merchants with high fraud rates, often due to carding attacks like card testing or bulk fraudulent purchases. It tracks fraud patterns to flag risky merchants or transactions.
Mechanics of TC40:
- Fraud Detection and Reporting:
  - When a cardholder notices an unauthorized transaction (e.g., a carding attempt like a $1 test charge or a high-value purchase), they report it to their issuing bank.
  - The issuing bank verifies the claim and submits a TC40 report to Visa, detailing:
    - Merchant Information: Merchant name, address, Merchant Category Code (MCC), and acquirer details.
    - Transaction Details: Date, time, amount, and whether it was card-present (in-store) or card-not-present (online, common in carding).
    - Card Information: Partial card number (e.g., first six and last four digits) and issuing bank details.
    - Fraud Type: Often coded as unauthorized use, which aligns with carding activities.
  - TC40 reports are not chargeback requests but fraud notifications, meaning they don’t directly initiate refunds but signal potential carding activity.
- Data Aggregation and Analysis:
  - Visa compiles TC40 reports to calculate a merchant’s fraud-to-sales ratio (total fraud dollars divided by total sales dollars) and the volume of fraudulent transactions.
  - In carding, this ratio spikes when fraudsters test multiple stolen cards (e.g., hundreds of $1 transactions) or make large unauthorized purchases.
  - Visa uses this data to identify patterns, such as:
    - High volumes of small transactions (indicative of card testing).
    - Repeated transactions from the same IP address, device, or email (common in automated carding scripts).
    - Unusual spikes in transactions for specific MCCs (e.g., electronics or gift card retailers, frequent carding targets).
- Impact on Merchants:
  - Fraud Monitoring Programs: TC40 data feeds into programs like the Visa Acquirer Monitoring Program (VAMP). Merchants exceeding fraud thresholds (e.g., a fraud-to-sales ratio above 0.9% or excessive TC40 reports) may be flagged for:
    - Enhanced Monitoring: Acquirers may require merchants to implement stricter fraud controls.
    - Increased Fees: Higher processing fees to offset risk.
    - Account Termination: Persistent high fraud can lead to the acquirer closing the merchant’s account.
  - MATCH List: If a merchant is terminated due to excessive TC40-reported fraud (often tied to carding), they may be added to the Member Alert to Control High-Risk (MATCH) list under Reason Code 05 (Excessive Fraud). This effectively “blacklists” the merchant, preventing them from opening new accounts with most acquirers for up to five years.
  - Carding-Specific Challenges: Carding often involves low-value test transactions that don’t immediately trigger chargebacks but accumulate in TC40 reports, silently increasing a merchant’s fraud ratio. Merchants may not realize they’re being targeted until they’re flagged.
- Merchant Access to TC40 Data:
  - Merchants don’t receive TC40 reports directly from Visa. They must request them from their acquiring bank or payment processor, who may not always comply.
  - The reports are complex, often containing thousands of lines of data, making it hard for merchants to parse without specialized tools.
  - Third-party services like Verifi offer real-time TC40-based alerts, helping merchants identify carding attempts (e.g., multiple small transactions from the same source) and act before fraud escalates.
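As an added example (not code from the original post), the following Python sketch performs the aggregation and pattern analysis described under Data Aggregation and Analysis: it computes a per-merchant fraud-to-sales ratio from constructed fraud-report records and flags card-testing clusters (many tiny charges on distinct cards from one source inside a short window). The record layout, thresholds and sample data are assumptions for illustration, not Visa’s actual TC40 record format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified fraud-report records with the fields the post lists
# for TC40 (merchant, amount, partial card number, source); a teaching layout,
# not Visa's real record format.
@dataclass(frozen=True)
class Txn:
    merchant: str
    ts: datetime
    amount: float
    card_mask: str        # first six + last four digits
    source_ip: str
    fraud_reported: bool  # issuer filed a fraud report for this charge

FRAUD_RATIO_THRESHOLD = 0.009  # 0.9 %, the figure quoted in the post
TEST_AMOUNT_MAX = 5.00         # card-testing charges are typically tiny
TEST_MIN_CARDS = 5             # distinct cards from one source in the window
TEST_WINDOW = timedelta(minutes=10)

def fraud_to_sales(txns):
    """Per-merchant fraud dollars divided by sales dollars."""
    sales, fraud = defaultdict(float), defaultdict(float)
    for t in txns:
        sales[t.merchant] += t.amount
        if t.fraud_reported:
            fraud[t.merchant] += t.amount
    return {m: fraud[m] / sales[m] for m in sales if sales[m]}

def merchants_over_threshold(txns, threshold=FRAUD_RATIO_THRESHOLD):
    return sorted(m for m, r in fraud_to_sales(txns).items() if r > threshold)

def card_testing_clusters(txns, window=TEST_WINDOW):
    """{(merchant, source_ip): distinct cards} for sources that charged
    TEST_MIN_CARDS or more different cards for tiny amounts inside `window`,
    the signature of a script testing a stolen card list."""
    by_source = defaultdict(list)
    for t in txns:
        if t.amount <= TEST_AMOUNT_MAX:
            by_source[(t.merchant, t.source_ip)].append(t)
    clusters = {}
    for key, group in by_source.items():
        group.sort(key=lambda t: t.ts)
        best, start = 0, 0
        for end in range(len(group)):          # sliding time window
            while group[end].ts - group[start].ts > window:
                start += 1
            best = max(best, len({t.card_mask for t in group[start:end + 1]}))
        if best >= TEST_MIN_CARDS:
            clusters[key] = best
    return clusters

def sample_txns():
    """Constructed sample: shopA sees a six-card testing burst and a reported
    $600 purchase from the same IP; shopB has only ordinary traffic."""
    t0 = datetime(2024, 1, 1, 12, 0)
    rows = [Txn("shopA", t0, 2000.00, "455555******0001", "198.51.100.7", False),
            Txn("shopB", t0, 5000.00, "555555******0002", "198.51.100.8", False),
            Txn("shopB", t0, 10.00, "555555******0003", "198.51.100.9", True),
            Txn("shopA", t0 + timedelta(hours=1), 600.00,
                "411111******0009", "203.0.113.5", True)]
    for i in range(6):  # $1 charges on six different cards, 30 s apart
        rows.append(Txn("shopA", t0 + timedelta(seconds=30 * i), 1.00,
                        f"411111******00{i:02d}", "203.0.113.5", i < 2))
    return rows
```

Note that the two $1 test charges that were never reported by their cardholders still contribute to the cluster, which is exactly why the ratio alone under-reports a testing campaign.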
Carding-Specific Insights:
- Card Testing Detection: Carders often use automated scripts to test stolen cards with small transactions (e.g., $0.01–$5). TC40 reports can reveal clusters of these transactions, helping merchants identify compromised payment gateways.
- Fraud Patterns: TC40 data may show repeated declines or authorizations from specific regions, devices, or card ranges, indicating carding botnets.
- Merchant Vulnerabilities: E-commerce sites with weak fraud controls (e.g., no 3D Secure, no CAPTCHA, or lax address verification) are prime targets for carders, and TC40 reports reflect this exposure through elevated fraud counts.
Limitations in Carding Context:
- Delayed Reporting: TC40 data can take weeks to reach merchants, as cardholders may not report fraud immediately, and issuers have flexible reporting timelines. This delay allows carders to exploit cards before detection.
- Friendly Fraud Risk: Some TC40 reports stem from “friendly fraud” (cardholders falsely claiming unauthorized use), which can mimic carding and unfairly penalize merchants.
- Incomplete Actionability: TC40 reports don’t provide real-time tools to block carding attempts, requiring merchants to rely on external fraud detection systems.
Mastercard FLD (Formerly SAFE): Detailed Process in the Context of Carding
Overview:
- Definition: The Fraud and Loss Database (FLD), which replaced SAFE (System to Avoid Fraud Effectively) in October 2020, is Mastercard’s equivalent to TC40. It collects fraud reports from issuing banks to track unauthorized transactions, including those from carding.
- Purpose in Carding Context: FLD helps Mastercard and its partners monitor fraud trends, identify merchants targeted by carders, and enforce compliance programs to reduce risk.
Mechanics of FLD:
- Fraud Detection and Reporting:
  - When a cardholder reports a transaction as unauthorized (e.g., a carding-related purchase), the issuing bank submits a fraud report to Mastercard’s FLD.
  - The report includes:
    - Merchant Details: Name, location, MCC, and acquirer information.
    - Transaction Data: Amount, date, time, and transaction type (e.g., online, common in carding).
    - Cardholder Data: Partial card details and issuing bank information.
    - Fraud Indicators: Codes specifying the type of fraud, such as unauthorized use due to stolen card details.
  - Like TC40, FLD reports are fraud notifications, not chargeback triggers, but they signal potential carding activity.
- Data Aggregation and Analysis:
  - Mastercard aggregates FLD data to assess merchant fraud levels, focusing on metrics like fraud volume and fraud-to-sales ratio.
  - In carding, FLD reports highlight:
    - High-frequency, low-value transactions (card testing).
    - Rapid, high-value purchases from stolen cards.
    - Geographic or device-based patterns (e.g., transactions from high-risk regions or VPNs used by carders).
  - This data feeds into Mastercard’s fraud monitoring and compliance programs.
- Impact on Merchants:
  - Fraud Monitoring Programs: Merchants with high FLD-reported fraud (e.g., from carding attacks) may be enrolled in Mastercard’s compliance programs, facing:
    - Stricter Oversight: Requirements to implement fraud prevention tools like 3D Secure or velocity checks.
    - Penalties: Increased transaction fees or fines.
    - Account Termination: Persistent fraud can lead to acquirers closing the merchant’s account.
  - MATCH List: Similar to Visa, excessive FLD-reported fraud can result in MATCH listing under Reason Code 05, effectively “blacklisting” the merchant from future accounts.
  - Carding-Specific Impact: Carding often involves rapid, automated attacks (e.g., bot-driven card testing), which inflate FLD reports and put merchants at risk of penalties, even if they’re victims of fraud.
- Merchant Access to FLD Data:
  - Merchants don’t receive FLD reports directly from Mastercard. They must request them from their acquirer, who may provide limited or delayed access (up to two months).
  - The data is voluminous and technical, requiring merchants to use fraud management tools to interpret it.
  - Services like Ethoca provide real-time FLD-based alerts, enabling merchants to detect carding attempts (e.g., multiple failed authorizations) and issue refunds or block transactions before chargebacks.
Carding-Specific Insights:
- Card Testing Detection: FLD reports can identify carding patterns like repeated small transactions or declines, often linked to automated carding tools (e.g., carding bots testing stolen card lists).
- High-Risk MCCs: Carders target MCCs like 5732 (electronics) or 7997 (gift cards), and FLD data highlights merchants in these categories as high-risk.
- Botnet Indicators: FLD may reveal carding botnets through patterns like identical transaction amounts, rapid succession of attempts, or use of proxy servers.
Limitations in Carding Context:
- Delayed Reporting: Mastercard allows issuers up to two months to submit FLD data, giving carders a window to exploit stolen cards before merchants are alerted.
- Data Complexity: FLD reports are not user-friendly, requiring merchants to invest in analytics or third-party services to detect carding patterns.
- False Positives: Legitimate transactions misreported as fraud (e.g., friendly fraud) can inflate FLD counts, mimicking carding activity and penalizing merchants unfairly.
Blacklisting in the Context of Carding
Merchant Blacklisting (MATCH List):
- Process: Both TC40 and FLD data contribute to fraud metrics that can trigger enrollment in monitoring programs. If a merchant’s fraud levels (often from carding) remain high, their acquirer may terminate their account and add them to the MATCH list under Reason Code 05 (Excessive Fraud).
- Impact: MATCH listing is often referred to as “blacklisting” because it prevents merchants from opening new accounts with most acquirers for up to five years. This can cripple a business, especially if carding attacks were the primary cause of high fraud reports.
- Carding Context: Carders exploit merchants with weak fraud controls, leading to spikes in TC40/FLD reports. Merchants may be unfairly “blacklisted” if they fail to mitigate these attacks, even if they’re victims.
Customer Blacklisting:
- Merchant-Level Blacklisting: TC40 and FLD don’t directly blacklist cardholders, but merchants can use insights from these reports to create internal blacklists. For example:
  - Flagging Carding Patterns: Merchants may block IP addresses, email domains, or card numbers linked to repeated fraud attempts identified in TC40/FLD data.
  - Tools Used: Fraud detection platforms like Kount or Sift use TC40/FLD insights to flag suspicious customers, preventing future carding attempts.
- Risks: Overzealous blacklisting can lead to false positives, blocking legitimate customers and harming revenue. For instance, a cardholder whose card was used in a carding attempt may be flagged incorrectly.
- Carder Strategies: Carders bypass blacklists by using proxies, VPNs, or new email addresses, making customer-level blacklisting less effective without advanced fraud tools.
No Political Blacklisting:
- There’s no evidence in available data that Visa or Mastercard blacklist merchants or customers based on political opinions. Blacklisting (via MATCH or internal lists) is driven by objective fraud metrics, such as those triggered by carding activity.
How Carders Interact with TC40 and FLD
Carder Tactics to Evade Detection:
- Card Testing: Carders make small, inconspicuous transactions (e.g., $1 donations or micro-purchases) to test card validity without triggering immediate TC40/FLD reports. These transactions often go unnoticed by cardholders, delaying fraud reporting.
- Distributed Attacks: Carders use botnets to spread transactions across multiple merchants or regions, keeping fraud ratios low enough to avoid immediate TC40/FLD scrutiny.
- Spoofing Data: Carders manipulate transaction data (e.g., using VPNs to mask locations or fake billing addresses) to bypass fraud filters and delay TC40/FLD detection.
- Exploiting Delays: The delayed reporting of TC40 (weeks) and FLD (up to two months) gives carders time to maximize fraudulent purchases before merchants or banks respond.
How TC40/FLD Counter Carding:
- Pattern Recognition: Both systems aggregate data to identify carding patterns, such as:
  - High volumes of low-value transactions (card testing).
  - Repeated declines or authorizations from the same source.
  - Transactions from high-risk regions or MCCs.
- Merchant Alerts: While delayed, TC40/FLD data can help merchants identify carding campaigns and adjust fraud controls (e.g., implementing velocity checks to limit transaction frequency).
- Third-Party Tools: Services like Verifi (Visa) and Ethoca (Mastercard) use TC40/FLD data to provide near-real-time alerts, enabling merchants to block carding attempts before chargebacks or MATCH listing risks escalate.
Challenges for Carders:
- Fraud Detection Tools: Merchants using TC40/FLD insights with tools like 3D Secure, Kount, or Sift can block carding attempts by requiring additional authentication or flagging suspicious patterns.
- Issuer Actions: Issuing banks may freeze cards reported in TC40/FLD, limiting carders’ ability to use stolen cards for extended periods.
- MATCH List: Carders targeting the same merchant repeatedly may trigger enough TC40/FLD reports to get the merchant blacklisted, forcing carders to find new targets.
Merchant Strategies to Combat Carding Using TC40/FLD
- Accessing Data:
  - Request TC40/FLD reports from acquirers, though access may be limited or delayed.
  - Use third-party services like Verifi or Ethoca for real-time alerts based on TC40/FLD data, which can identify carding attempts early.
- Fraud Prevention Tools:
  - 3D Secure: Implement protocols like Verified by Visa or Mastercard SecureCode to require cardholder authentication, deterring carders who lack full cardholder details.
  - Velocity Checks: Limit the number of transactions per card, IP, or device within a timeframe to block card testing.
  - AVS and CVV: Enforce strict Address Verification System (AVS) and Card Verification Value (CVV) checks to filter out stolen cards.
  - Fraud Platforms: Use tools like Kount, Sift, or Riskified to analyze TC40/FLD patterns and block carding attempts in real time.
- Monitoring and Response:
  - Analyze TC40/FLD reports for carding indicators (e.g., clusters of small transactions or high decline rates).
  - Issue refunds for suspected carding transactions before they escalate to chargebacks, reducing fraud ratios.
  - Train staff to recognize carding patterns, such as repeated orders with slight variations in billing details.
- Avoiding MATCH Listing:
  - Maintain fraud-to-sales ratios below Visa and Mastercard thresholds (e.g., 0.9% for Visa).
  - Respond promptly to acquirer warnings about high TC40/FLD activity to avoid termination and blacklisting.
- Educating Customers:
  - Encourage cardholders to monitor statements for small, suspicious charges (common in card testing) to reduce delayed TC40/FLD reports.
  - Provide clear refund policies to minimize friendly fraud, which can inflate fraud metrics.
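An added example, not code from the original post, of the velocity check listed under Fraud Prevention Tools: a sliding-window gate keyed by card, IP and device that a checkout would consult before submitting an authorization. The limits, key names and the two simulated scenarios are assumptions chosen for illustration, not card-network rules.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits for this illustration, not card-network rules; tune them to
# the merchant's real traffic so legitimate repeat buyers are not caught.
DEFAULT_LIMITS = {
    "card":   (3,  timedelta(minutes=10)),   # attempts per card number
    "ip":     (10, timedelta(minutes=10)),   # attempts per source IP
    "device": (10, timedelta(minutes=10)),   # attempts per device fingerprint
}

class VelocityChecker:
    """Sliding-window attempt counters keyed by card, IP and device.
    check() returns (allowed, reason). Every attempt is counted, allowed or
    not, so a script does not earn a fresh budget by being declined."""
    def __init__(self, limits=DEFAULT_LIMITS):
        self.limits = limits
        self.events = defaultdict(deque)  # (dimension, value) -> timestamps

    def check(self, now, card_mask, ip, device):
        keys = {"card": card_mask, "ip": ip, "device": device}
        verdict = (True, "ok")
        for dim, value in keys.items():
            max_count, window = self.limits[dim]
            q = self.events[(dim, value)]
            while q and now - q[0] > window:  # expire attempts outside window
                q.popleft()
            q.append(now)
            if len(q) > max_count and verdict[0]:
                verdict = (False, f"{dim} velocity exceeded ({len(q)} > {max_count})")
        return verdict

def simulate_card_testing(checker=None):
    """Constructed scenario: one IP and device cycle through 15 different
    cards, one attempt every 20 s. Returns the list of (allowed, reason)."""
    checker = checker or VelocityChecker()
    t0 = datetime(2024, 1, 1, 9, 0)
    return [checker.check(t0 + timedelta(seconds=20 * i),
                          f"411111******{i:04d}", "203.0.113.5", "dev-7f3a")
            for i in range(15)]

def simulate_repeat_shopper(checker=None):
    """Constructed scenario: a legitimate shopper retries one card twice after
    a typo and then succeeds; this must stay under the per-card limit."""
    checker = checker or VelocityChecker()
    t0 = datetime(2024, 1, 1, 9, 0)
    return [checker.check(t0 + timedelta(minutes=m),
                          "455555******1234", "198.51.100.7", "dev-0c21")[0]
            for m in (0, 1, 2)]
```

Because the per-card limit never trips when every attempt uses a different card, the IP and device dimensions are what stop a card-list run; a gate keyed only on card number would let the whole burst through.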
Key Differences and Similarities in TC40 and FLD for Carding
Similarities:
- Fraud Tracking: Both systems collect fraud reports from issuers to monitor carding-related unauthorized transactions.
- Merchant Impact: High TC40/FLD reports from carding can lead to monitoring programs, fees, termination, or MATCH listing.
- Delayed Access: Merchants face delays (weeks for TC40, up to two months for FLD) and rely on acquirers or third-party services for data.
- Carding Patterns: Both identify carding through small transactions, high decline rates, or geographic anomalies.
Differences:
- System Names: Visa uses TC40 within RIS; Mastercard uses FLD (replacing SAFE).
- Reporting Timelines: FLD allows issuers up to two months to report, while TC40 timelines vary but are often shorter.
- Third-Party Integration: Visa partners with Verifi for real-time alerts; Mastercard uses Ethoca, each tailored to their respective systems.
- Data Specificity: TC40 may provide more granular transaction details (e.g., specific carding patterns), while FLD focuses on broader fraud trends.
Educational Takeaways
- Role in Carding Detection: TC40 and FLD are critical for identifying carding patterns like card testing and bulk purchases, but their delayed reporting limits real-time prevention.
- Merchant Challenges: Merchants are often victims of carding yet face penalties (e.g., MATCH listing) if fraud levels spike. Accessing and acting on TC40/FLD data is crucial but challenging.
- Carder Strategies: Carders exploit system delays and weak merchant controls, using techniques like distributed attacks and spoofing to evade detection.
- Prevention Strategies: Merchants can mitigate carding by leveraging TC40/FLD insights, real-time alert services, and advanced fraud tools, reducing the risk of blacklisting.
- Systemic Importance: TC40 and FLD protect the payment ecosystem by flagging high-risk merchants and enabling fraud prevention, but their effectiveness depends on merchant proactivity and acquirer cooperation.
Conclusion
Visa TC40 and Mastercard FLD (formerly SAFE) are essential tools for tracking carding-related fraud, aggregating unauthorized transaction reports to identify patterns like card testing or bulk purchases. While they don’t directly blacklist merchants or customers, excessive fraud reports can lead to merchant account termination and MATCH listing, often referred to as “blacklisting.” Carders exploit delays in these systems and target merchants with weak fraud controls, making proactive prevention critical. Merchants can combat carding by accessing TC40/FLD data (via acquirers or services like Verifi/Ethoca), implementing tools like 3D Secure and velocity checks, and monitoring fraud metrics to avoid penalties. For further details on implementing fraud prevention or accessing these reports, merchants should contact their acquirer or explore platforms like Kount or Sift.
If you need specific examples of carding patterns, fraud prevention tools, or additional insights into TC40/FLD data analysis, let me know!