How do blacklists (Visa TC40, MasterCard SAFE) work in the fight against carding?

Mutt

A detailed explanation of how Visa TC40 and MasterCard SAFE blacklists work in the fight against carding
Carding is a type of fraud in which criminals use stolen bank card data (card number, CVV code, expiration date and, sometimes, cardholder data) to make unauthorized transactions. Such data can be obtained through skimming (reading from devices at ATMs or terminals), phishing, hacking merchant databases or purchasing on the darknet. Visa Transaction Control 40 (TC40) and MasterCard System to Avoid Fraud Effectively (SAFE) are key tools of international payment systems to combat carding. They help identify, monitor and prevent fraudulent transactions, as well as minimize the use of skimmed data. Below is a detailed explanation of how they work for educational purposes, with an emphasis on carding.

1. What is Visa TC40 and MasterCard SAFE?

1.1. Visa TC40

  • Full name: Transaction Control 40.
  • Description: This is a report that issuing banks (the banks that issued the card) send to Visa when a cardholder reports a fraudulent or unauthorized transaction. The TC40 includes transaction details such as the card number, amount, date, time, merchant ID, and, for online transactions, IP address and device characteristics.
  • Purpose: To provide the payment system with fraud information to identify points of compromise (e.g. skimmers or data leaks) and prevent further attacks.

1.2. MasterCard SAFE

  • Full name: System to Avoid Fraud Effectively.
  • Description: A similar tool from MasterCard that collects data on fraudulent transactions reported by issuing banks. SAFE focuses on analyzing and reporting information about compromised cards, IP addresses, devices, and merchants associated with fraud.
  • Objective: To speed up the identification of fraudulent patterns and help payment system participants (banks, merchants) take measures to prevent further attacks.

Both programs are part of the payment systems’ strategy to reduce fraud and protect the ecosystem (cardholders, banks, merchants).

2. How is carding related to TC40 and SAFE?

Carding typically involves the following steps:
  1. Obtaining card data: Fraudsters use skimmers, phishing sites, malware, or buy data on the dark web.
  2. Data testing: Attackers test the validity of the stolen data by making small transactions (such as purchasing digital goods or donations).
  3. Monetization: Using skimmed data to make large purchases, withdraw funds, or sell products.

TC40 and SAFE help break this cycle by identifying compromised cards and associated parameters (IP, devices) at the testing or monetization stage, and preventing the reuse of stolen data.

3. How do payment systems exchange data?

Data exchange under TC40 and SAFE occurs in several stages involving issuing banks, payment systems, acquiring banks and, in some cases, merchants. Here's how it works:

3.1. Fraud detection

  • Initiating the process: The process begins when the cardholder notices an unauthorized transaction and reports it to the issuing bank. For example, the cardholder sees a $50 purchase from an online store that they did not make.
  • Data Collection: The issuing bank records information about the transaction, which may include:
    • Card number (or its tokenized version to comply with PCI DSS standards).
    • Date and time of the transaction.
    • Transaction amount.
    • Merchant ID (MID) and outlet name.
    • Transaction type (online, offline, via terminal, mobile application).
    • IP address (for online transactions).
    • Device fingerprint, which includes information about the operating system, browser, screen resolution, etc.
    • Geolocation (if available).
    • Authorization code and other technical parameters of the transaction.
  • Chargeback: If a transaction is disputed, the issuing bank will initiate a chargeback, which will also be recorded on the TC40 or SAFE reports.

3.2. Transferring data to the payment system

  • The issuing bank sends a fraudulent transaction report to Visa (for TC40) or MasterCard (for SAFE). This report includes aggregated data about the compromised card and the circumstances of the transaction.
  • Payment systems collect this data from all issuing banks, creating a centralized database of fraudulent transactions.

3.3. Analysis and classification

  • Visa and MasterCard analyze incoming data to identify:
    • Compromised Cards: Cards that have been repeatedly involved in fraudulent transactions.
    • Fraud patterns: For example, repeated IP addresses, devices, or merchants associated with fraud.
    • Points of compromise: Merchants, terminals or sites where skimming or data leakage is likely to have occurred.
  • Based on the analysis, blacklists are formed, including:
    • Card numbers (or their tokens).
    • IP addresses associated with fraudulent transactions.
    • Fingerprints of devices used for carding.
    • Identifiers of merchants with high fraud rates.

3.4. Dissemination of data

  • Payment systems transmit aggregated data to acquiring banks (banks that serve merchants) and, in some cases, to the merchants themselves.
  • Limitation: Access to TC40 and SAFE data for merchants is limited because acquiring banks do not always share this information. Merchants can request data through the acquirer, but this requires additional effort.
  • In some cases, payment systems directly notify merchants about high levels of fraud, especially if they are included in monitoring programs (for example, the Visa Merchant Fraud Monitoring Program).

3.5. Use of data by ecosystem participants

  • Issuing banks:
    • Block or reissue compromised cards.
    • Apply additional checks (e.g. 3-D Secure) to transactions from suspicious IPs or devices.
    • Update their monitoring systems to track new fraud patterns.
  • Acquiring banks:
    • Assess merchant risk based on TC40 and SAFE data. If a merchant has a high chargeback rate, the acquirer may increase fees, impose fines, or terminate cooperation.
    • Transfer data about suspicious IPs and devices to merchants (in limited volume).
  • Merchants:
    • Use the data to set up filters in their payment gateways (for example, blocking transactions from certain IPs).
    • Implement additional checks such as geolocation, user behavior analysis or CVV verification.
    • Strengthen the security of their systems to prevent data leaks.

4. How do TC40 and SAFE prevent the use of skimmed data?

Skimmed data (such as that stolen through skimmers at ATMs, terminals or phishing sites) poses a serious threat because fraudsters can use it to make transactions before the cardholder even notices the problem. TC40 and SAFE help minimize damage by:

4.1. Quick blocking of compromised cards

  • Once a cardholder reports a fraudulent transaction, the card issuing bank records the card details as compromised. These details are transferred to TC40 or SAFE, which allows:
    • Block card: The issuing bank may immediately block the card or impose restrictions on its use (for example, a ban on online transactions).
    • Reissue the card: The cardholder is given a new card with a different number, rendering the stolen data useless.
  • Example: If a fraudster uses skimmed data to make a purchase online, the cardholder reports this to the bank. The bank forwards the data to TC40/SAFE and the card is blocked, preventing further transactions.

4.2. IP and Device Blacklists

  • IP Addresses: If a fraudster uses a specific IP address to make transactions with multiple skimmed cards, that IP is blacklisted. Subsequent transaction attempts from that IP may be rejected or require additional authentication.
  • Device fingerprinting: Payment gateways and banks collect device data (e.g. browser version, operating system, screen resolution). If a device is associated with fraudulent transactions, it is blacklisted, making carding more difficult.
  • Example: A fraudster uses a VPN with IP address 192.168.1.1 to test stolen cards. This IP is recorded in TC40/SAFE, and subsequent transactions from it are blocked or require 3-D Secure.

4.3. Integration with 3-D Secure

  • TC40 and SAFE work in conjunction with 3-D Secure protocols (Verified by Visa, MasterCard SecureCode), which require two-factor authentication for online transactions.
  • If a card is marked as compromised, the issuing bank can automatically require 3-D Secure for all transactions with that card. This means that a fraudster would not only need to have the card details, but also access to the cardholder’s phone or password, making carding much more difficult.
  • Example: A fraudster tries to use skimmed data to make a purchase on a website. The 3-D Secure system requests a code from an SMS, which the fraudster does not have, and the transaction is rejected.

4.4. Identifying points of compromise

  • TC40 and SAFE help identify merchants or terminals where skimming has occurred. For example:
    • If multiple cards used at the same merchant are later marked as compromised, this indicates a possible data leak or skimmer.
    • Payment systems can notify the acquiring bank so that it can verify the merchant.
  • Example: If data from cards used at a particular store appears on the dark web, TC40/SAFE identifies that merchant as the source of the compromise. The store is checked and its terminals are replaced or updated.

4.5. Reducing the level of chargebacks

  • Chargebacks (refunds from disputed transactions) are a key indicator of fraud. TC40 and SAFE record chargeback data, allowing you to:
    • Identify merchants with high levels of fraud.
    • Warn acquiring banks about the need to strengthen control over such merchants.
  • If a merchant is frequently featured in TC40/SAFE reports, they may be fined, placed on a monitoring program, or excluded from the payment system, which encourages them to implement anti-carding measures (e.g. anti-fraud systems).

4.6. Trend Analysis and Prevention of Mass Attacks

  • Payment systems use TC40 and SAFE data to analyze fraud trends. For example:
    • If a specific IP address or device is associated with carding enumeration, it is blacklisted.
    • If a new carding scheme is detected (for example, using proxies or bots), payment systems update their algorithms to block such operations.
  • Example: Fraudsters buy a database of skimmed cards from the darknet and start testing them en masse through a specific site. TC40/SAFE detects a surge in fraudulent transactions and the site is flagged as risky, leading to increased scrutiny.

5. Practical examples of using TC40 and SAFE in the fight against carding

Example 1: Skimming in an offline store

  • The fraudster installs a skimmer on the POS terminal in the store. Card data is collected and used for online purchases.
  • Cardholders notice unauthorized transactions and report them to their banks. The banks forward the data to TC40/SAFE, identifying the merchant as the point of compromise.
  • Visa/MasterCard notifies the acquiring bank, which checks the store's terminals and detects the skimmer. The store updates the equipment, and the compromised cards are blocked.

Example 2: Carding in an online store

  • The fraudster uses stolen card details to purchase digital goods from an online store. He uses a VPN with an IP address that has previously been associated with fraud.
  • After chargebacks, the issuing bank forwards the data to TC40/SAFE. The IP address is blacklisted and further transactions from it are rejected.
  • The merchant implements a filter that blocks transactions from this IP and activates 3-D Secure for all transactions.

Example 3: Mass testing of cards

  • Fraudsters buy a database of skimmed cards and test them by making small transactions (for example, $1) on a site with a low level of security.
  • Issuing banks record many chargebacks and transfer the data to TC40/SAFE. Payment systems identify the site as risky and notify the acquiring bank.
  • The site is placed under a monitoring program and is required to implement anti-fraud systems to prevent further carding.

6. TC40 and SAFE Limitations in the Fight Against Carding

Despite their effectiveness, TC40 and SAFE have several limitations:
  1. Data transfer delay:
    • TC40/SAFE data may be delayed (especially in the case of SAFE - up to 60 days), which allows fraudsters to use skimmed data before it is blocked.
    • Solution: Banks and merchants must use additional real-time monitoring systems.
  2. Limited access for merchants:
    • Merchants rarely have direct access to TC40/SAFE data as it is transmitted through acquiring banks, making it difficult to respond quickly.
    • Solution: Merchants can use third-party anti-fraud systems (e.g. Signifyd, Riskified) that integrate with payment system data.
  3. Incomplete coverage of small transactions:
    • If the fraudulent transaction amount is small (e.g. less than $8), the bank may refund the funds without initiating a chargeback, and such cases do not fall under TC40/SAFE.
    • Solution: Merchants should monitor suspicious small transactions themselves.
  4. "Friendly fraud":
    • TC40 and SAFE cannot effectively deal with situations where a cardholder initiates a chargeback themselves, claiming that the transaction was fraudulent (even though they made it).
    • Solution: Merchants must collect evidence of transaction legitimacy (e.g. shipping details, IP address, signature).
  5. Limited protection against new carding methods:
    • Fraudsters are constantly developing new ways to bypass systems, such as using proxies, device emulation, or social engineering.
    • Solution: Payment systems should regularly update algorithms and integrate TC40/SAFE data with AI systems to identify new patterns.

7. Additional measures to strengthen the fight against carding

To improve the efficiency of TC40 and SAFE, participants in the payment ecosystem can use additional tools:
  • Anti-fraud systems: Platforms such as Kount, Sift or Forter analyze user behavior, IP addresses, devices and other parameters in real time, complementing TC40/SAFE data.
  • 3-D Secure: Mandatory use of two-factor authentication for online transactions.
  • Tokenization: Replacing card numbers with tokens that are useless to fraudsters outside of a specific payment system.
  • Geolocation checks: Compare the device location with the cardholder's address.
  • Behavioral analysis: Tracking user behavior patterns (e.g. speed of data entry, types of purchases).
  • Merchant training: Regular training of store and bank employees to identify skimmers and phishing attacks.

8. Conclusion

Visa TC40 and MasterCard SAFE are powerful anti-carding tools that enable banks, payment systems and merchants to share information about compromised cards, IP addresses and devices. They help:
  • Quickly block compromised cards.
  • Create blacklists of IPs and devices, making it difficult to reuse skimmed data.
  • Identify points of compromise (skimmers, vulnerable sites).
  • Reduce chargeback rates and improve ecosystem security.

However, their effectiveness is limited by delays in data transmission, limited access for merchants, and the inability to completely prevent new carding methods. For maximum protection against carding, banks and merchants should complement TC40 and SAFE with modern anti-fraud systems, 3-D Secure, tokenization, and user behavior analysis. These measures, combined with TC40 and SAFE data, create a multi-layered defense that significantly reduces fraud risks and protects cardholders, merchants, and banks from financial losses.
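
The point-of-compromise analysis described in section 4.4 can be sketched as follows. This is an added example, not part of the original post and not Visa or MasterCard code. The tokens, merchant IDs, dates, the "lift over baseline" score and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not real TC40/SAFE records. Cards appear as tokens, never PANs.
# First fraud-report date per card token, as an issuer would hold it.
FRAUD_REPORTS = {
    "tok_a1": date(2024, 3, 10), "tok_b2": date(2024, 3, 12),
    "tok_c3": date(2024, 3, 15), "tok_d4": date(2024, 3, 20),
}
# Purchase history: (card token, merchant ID, purchase date).
HISTORY = [
    ("tok_a1", "MID_FUEL_17", date(2024, 2, 20)),
    ("tok_b2", "MID_FUEL_17", date(2024, 2, 22)),
    ("tok_c3", "MID_FUEL_17", date(2024, 2, 25)),
    ("tok_c3", "MID_FUEL_17", date(2024, 3, 18)),  # after the report: not an exposure
    ("tok_e5", "MID_FUEL_17", date(2024, 2, 26)),
    ("tok_a1", "MID_GROCER_02", date(2024, 2, 21)),
    ("tok_d4", "MID_GROCER_02", date(2024, 2, 27)),
    ("tok_e5", "MID_GROCER_02", date(2024, 2, 28)),
] + [(f"tok_clean{i}", "MID_GROCER_02", date(2024, 2, 1 + i)) for i in range(11)]


def common_points_of_purchase(history, fraud_reports, min_cards=3, min_lift=2.0):
    """Rank merchants where later-reported cards are over-represented among customers."""
    seen = defaultdict(set)     # merchant -> every distinct card seen there
    exposed = defaultdict(set)  # merchant -> cards used there before their first report
    all_cards = set()
    for card, mid, day in history:
        all_cards.add(card)
        seen[mid].add(card)
        reported = fraud_reports.get(card)
        if reported is not None and day < reported:
            exposed[mid].add(card)
    if not all_cards:
        return []
    # Share of the whole portfolio that was reported; a merchant must beat this clearly.
    baseline = len(all_cards.intersection(fraud_reports)) / len(all_cards)
    ranked = []
    for mid, cards in seen.items():
        hits = len(exposed[mid])
        lift = (hits / len(cards)) / baseline if baseline else 0.0
        if hits >= min_cards and lift >= min_lift:
            ranked.append((mid, hits, len(cards), round(lift, 2)))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for mid, hits, total, lift in common_points_of_purchase(HISTORY, FRAUD_REPORTS):
        print(f"{mid}: {hits}/{total} cards later reported, lift {lift}x over baseline")
```

The busy merchant is not flagged even though two reported cards shopped there, because its reported share is below the portfolio baseline; the minimum-card threshold keeps a single coincidence from naming a merchant.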
 