How do banks and merchants use blacklists other than TC40 and SAFE? (Examples of other databases such as MasterCard's MATCH)


Use of blacklists by banks and merchants in the context of carding

Carding is a type of fraud in which criminals use stolen credit or debit card data to make unauthorized transactions, test cards (card testing) or launder money. Banks and merchants actively use blacklists to combat carding, as it poses a significant threat: according to reports (for example, Visa Risk Report 2024), carding accounts for up to 60% of all fraudulent transactions in e-commerce. Blacklists help identify and block suspicious cards, devices, IP addresses, emails or even merchants involved in carding schemes. In addition to the well-known TC40 (Visa) and SAFE (Mastercard), which focus on transmitting data on confirmed cases of fraud, there are other databases and tools that play a key role in preventing carding. I will discuss their use in detail, features in the context of carding, as well as examples and limitations.

What are blacklists in the context of carding?

Blacklists are databases or filtering systems that contain identifiers (e.g. card numbers, IP, email, devices) associated with fraudulent activity. They are used to:
  1. Risk identification at the stage of transaction authorization or merchant registration.
  2. Blocking suspicious transactions in real time.
  3. Monitoring for repeated fraud attempts (for example, carders often use the same infrastructure for attacks).
  4. Data exchange between banks, merchants and payment systems to prevent repeated fraud.

In the context of carding, blacklists are especially important, as carders use automated tools (bots, scripts) for mass testing of cards, which creates a high load on protection systems. The main goals of blacklists:
  • Card testing prevention: Carders test the validity of stolen cards through small transactions (e.g. $1) or purchases of digital goods.
  • Blocking Repeat Fraud: Carders often use the same IP, device or email to attack.
  • Reduced chargebacks: Chargebacks (refunds due to customer complaints) due to carding can result in fines from payment systems (e.g. $25,000 for exceeding the 1% threshold for Visa).

Key databases and tools beyond TC40 and SAFE

  1. MATCH (Mastercard Alert to Control High-risk Merchants)
    • Description: MATCH is a global Mastercard (formerly Terminated Merchant File, TMF) database used by payment processors (Visa, AmEx, Discover) to track merchants whose accounts have been closed due to violations, including carding, excessive chargebacks, money laundering, or PCI-DSS non-compliance. The database contains records with 12 reason codes (e.g. code 01 - laundering, code 12 - fraud-related).
    • Application in carding:
      • Acquiring banks: Before opening an account for a merchant, the bank checks MATCH to ensure that the business is not associated with carding. For example, if a merchant sold digital goods and was caught accepting fraudulent transactions (e.g. through stolen cards), they are placed in MATCH for 5 years.
      • Merchants: Indirectly use MATCH through processors (e.g. Adyen, Worldpay) that integrate MATCH verification into their systems. If a merchant is in MATCH, their account is blocked, preventing the use of "fake" businesses for carding.
      • Carding context: Carders often create fake stores to launder money through stolen cards. MATCH helps to identify such schemes, as acquiring banks are required to add violators to the database.
    • Example: A merchant selling electronics received >2% chargebacks due to carding (purchases of $5000+ with stolen cards). The acquiring bank adds him to MATCH with the code 04 (excessive chargebacks). A new processor (e.g. Stripe) will reject his application, which reduces the risk of repeat fraud.
    • Limitations: MATCH does not contain data about cards or clients, only about merchants. This limits its use for direct blocking of carders, but helps to suppress their infrastructure.
  2. VMSS/VMAS (Visa Merchant Security System / Visa Merchant Alert Service)
    • Description: Similar to Visa's MATCH, a database of "terminated" merchants associated with fraud, carding or high chargebacks. VMSS focuses on monitoring and data exchange between acquirers.
    • Application in carding:
      • Banks: Use VMSS to screen new merchants and monitor existing ones through the Visa Acquirer Monitoring Program (VAMP). If a merchant exceeds the fraud threshold (e.g. >0.9% of transactions), it is placed into VMSS.
      • Merchants: Indirectly avoid Visa sanctions by implementing anti-fraud measures (e.g. 3D-Secure).
      • Carding context: Carders often target merchants with low security (e.g. without 3DS). VMSS helps banks identify such merchants and demand stronger security.
    • Example: An online clothing store experiences a surge in chargebacks (1.5%) due to carding. Visa adds it to VMSS, and the acquiring bank imposes fines or requires 3DS implementation. Without a fix, the merchant loses the ability to accept Visa cards.
    • Limitations: Like MATCH, VMSS does not provide customer or card data, and its merchant focus makes it less effective for real-time.
  3. Velocity Checks (Visa Velocity and similar)
    • Description: This is not a database, but a system for filtering transactions based on velocity — the number of attempts from one identifier (card, IP, device, email) over a certain period. Visa and Mastercard integrate velocity into their platforms, but banks and merchants set up their own rules.
    • Application in carding:
      • Banks: Use velocity to detect card testing, where carders make many small transactions (e.g. $1–$5) to check the validity of cards. For example, the rule is: "block if >3 transactions from one BIN in 1 hour".
      • Merchants: Integrate velocity through fraud platforms (Sift, Kount, Riskified). For example, block orders if one email tries to make >5 purchases per day.
      • Carding context: Carders use bots to test cards in bulk, generating hundreds of transactions from different IPs or devices. Velocity checks detect such patterns and block them in real time.
    • Example: A carder tests 50 cards through a digital subscription store, making $2 transactions. A Velocity rule (e.g. "max 2 transactions from one IP in 10 minutes") blocks 90% of attempts, reducing the merchant's losses.
    • Limitations: Carders bypass velocity by using proxy/VPN (different IPs) or by spreading attacks over time. Requires combination with other tools (e.g. geolocation).
  4. Shared/Industry Blacklists
    • Description: Joint databases created by groups of merchants or processors (e.g. Kount, Riskified, Forter). Contain anonymized data on fraud identifiers: IP, email, devices (by device fingerprinting), BIN. Due to GDPR, such lists are often limited by region or sector (e.g. e-commerce, travel, gaming).
    • Application in carding:
      • Banks: Integrate industry lists via processors to enrich scoring models. For example, block transactions with IPs associated with carding forums (e.g. Dark Web marketplaces).
      • Merchants: Use via anti-fraud platforms to automatically reject orders. For example, Riskified can block an order if the email has been detected in fraudulent activity by another merchant.
      • Carding context: Carders often reuse infrastructure (email, IP, devices). Industry lists allow you to identify such patterns, even if the attack is on a different merchant.
    • Example: A carder uses email test123@gmail.com to make a purchase from an electronics store. Riskified detects that this email was blacklisted by another merchant (due to a chargeback). The order is automatically rejected.
    • Limitations: GDPR and CCPA restrict the sharing of personal data, which reduces effectiveness. False positives (10-20%) can block legitimate clients, especially when IPs are the same (e.g. on public Wi-Fi).
  5. BIN Blacklists
    • Description: Lists of the first 6-8 digits of the card number (BIN/IIN) associated with high levels of fraud. Collected by processors, banks or networks (Visa, Mastercard). For example, BINs from certain countries (e.g. some African or Eastern European banks) may have a reputation for being "risky".
    • Application in carding:
      • Banks: Block transactions with BINs related to carding. For example, BINs from prepaid cards are often used by carders, as they are more difficult to track.
      • Merchants: Set up rules in gateways (e.g. Stripe Radar) to reject transactions from "bad" BINs or combine with other signals (e.g. geolocation).
      • Carding context: Carders often buy stolen cards by BIN (for example, "Visa Gold BIN 4532XX" is sold on the Dark Web for $10–$50). Blocking such BINs reduces the success of attacks.
    • Example: Merchant blocks transactions with BIN 4917XX (known for carding attacks in Asia). This reduces fraud by 30%, but requires updating the lists, as carders change BIN.
    • Limitations: Carders may use BINs from major banks (e.g. Chase, Citi), making it difficult to filter without false rejections. Requires combination with velocity or 3DS.

How do banks and merchants integrate blacklists into the fight against carding?

  1. Banks:
    • Acquirers: Check MATCH/VMSS before approving a merchant to avoid cooperating with carding businesses. Use real-time velocity and BIN lists.
    • Issuers: Block cards that are in TC40/SAFE and add them to local blacklists. For example, if a card (PAN) has been used for carding, it is blocked for all transactions.
    • Monitoring: Uses AI scoring (e.g. FICO's Falcon) enriched with data from industry lists to identify carding patterns (e.g. 3:00 AM transactions from another country).
  2. Merchants:
    • Gateway integration: Processors (Stripe, PayPal, Adyen) provide APIs for MATCH, velocity, and BIN checking. For example, Stripe Radar automatically rejects orders with "bad" IPs.
    • Anti-fraud platforms: Use Kount, Sift or Forter to access industry lists. These platforms create device fingerprints (e.g. by MAC, browser) and check them against blacklists.
    • Manual review: For large transactions, merchants manually check orders if the data (email, IP) matches the blacklists.
  3. Combined approaches:
    • Blacklists work more effectively with other tools: 3D-Secure (adds MFA, reducing carding success by 70%), AVS/CVV (checking card address/code) and geolocation (blocking transactions where the IP does not match the card region).
    • Example: Merchant combines velocity (max 3 transactions/hour from one IP), BIN list and 3DS. This reduces fraud to <0.5%, but increases legitimate customer bounces by 5-10%.

Practical examples in the context of carding

  1. Card testing scenario:
    • A carder buys 1000 cards on the Dark Web and uses a bot to test them on a merchant site ($1 purchases). Velocity rule blocks the IP after 5 attempts in 10 minutes. If the carder uses a proxy, an industry list (like Kount) identifies the duplicate email or device, adding it to the blacklist.
    • Result: The merchant reduces losses by 80%, but loses 2% of legitimate orders due to false positives.
  2. Fictitious merchant:
    • The carder creates an online store to launder money through stolen cards. The acquiring bank checks MATCH and rejects the application, since the merchant was previously in TMF for fraud. If it bypasses MATCH, VMSS detects a high level of chargebacks (>1%) after 2 months, and the account is closed.
    • Result: The scheme is stopped, but the carder can use front men (drops), which requires additional checks (KYC).
  3. Mass fraud with BIN:
    • Carders target an electronics store using BIN 4532XX (Visa, a region with high fraud). The merchant blocks this BIN via Stripe Radar, and the issuing bank adds the compromised PANs to TC40/SAFE. Velocity checks additionally block 10+ attempts from one device.
    • Bottom line: Attack success drops to <10%, but carders move to a different BIN, requiring regular list updates.

Limitations and Challenges

  1. False positives: Blacklists can block legitimate clients. For example, an IP from a public Wi-Fi network could end up on an industry list if a carder used the same network. According to Riskified, up to 15% of rejections are false.
  2. Bypassing carders: Using VPN, proxy, new emails or devices reduces the effectiveness of the lists. Carders also buy "clean" cards (not in TC40/SAFE).
  3. Regulatory restrictions: GDPR and CCPA restrict the collection and sharing of data (such as email or IP), making it difficult for industry lists to operate.
  4. Data aging: Blacklists require regular updating. For example, MATCH stores data for 5 years, but carders change the infrastructure every 1-2 months.
  5. Processor dependency: Merchants without access to MATCH/VMSS (e.g. small businesses) rely on gateways, which increases the cost (1-3% per transaction).

Anti-carding trends for 2025

  1. AI and biometrics: Visa and Mastercard are testing blacklists with device fingerprinting (by MAC, browser, behavior). For example, Visa Advanced Authorization (VAA) integrates biometric data to block carders' devices.
  2. Blockchain blacklists: Some processors are experimenting with decentralized blacklists for anonymously sharing fraud data (e.g. CyberSource).
  3. Regulation: New regulations (e.g. PSD3 in the EU) require banks and merchants to strengthen anti-fraud measures, including mandatory use of 3DS and velocity checks.
  4. Dark Pool Data: Industry lists are starting to include data from the Dark Web (such as BINs sold on forums), increasing accuracy by 20-30%.

Recommendations for banks and merchants

  1. Banks:
    • Integrate MATCH/VMSS with KYC checks for new merchants.
    • Use real-time velocity and BIN lists in combination with AI scoring (e.g. FICO Falcon).
    • Update TC40/SAFE regularly to block compromised cards.
  2. Merchants:
    • Implement 3D-Secure and AVS to reduce carding success (up to 70% efficiency).
    • Use anti-fraud platforms (Kount, Sift) with access to industry lists.
    • Set up velocity rules for your business (e.g. 3 transactions/day for e-commerce, 10 for travel).
    • Monitor chargebacks (<0.9%) to avoid getting into MATCH/VMSS.
  3. Combined approach:
    • Use blacklists as part of a multi-layered defense: blacklists + 3DS + geolocation + AI.
    • Regularly train staff to recognize carding patterns (e.g. small transactions at night).

Conclusion

Blacklists such as MATCH, VMSS, velocity checks, industry lists, and BIN databases are critical tools in the fight against carding. They help banks and merchants identify and block fraudulent transactions, reducing losses by 50-80%. However, their effectiveness is limited by false positives, carder bypasses, and regulatory barriers. For maximum protection, it is recommended to combine lists with 3DS, AI scoring, and real-time monitoring. If you have specific questions (such as integrating a specific database or setting up velocity), please let me know and I will go into more detail!
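The velocity rules, BIN blacklist and shared email blacklist described in the post (the "max 2 transactions from one IP in 10 minutes" and "block if >3 transactions from one BIN in 1 hour" rules, the BIN list and the email reuse check), combined into one real-time screener, as an added example that is not part of the original post or of any vendor's product. The blocked BIN, the blacklisted email, the IP addresses and the transaction events are constructed placeholders, not real blacklist data; the sliding-window logic and the rule limits are assumptions chosen to match the figures quoted in the post.

```python
"""Illustrative real-time screening of card attempts: velocity windows, a BIN
blacklist and a shared email blacklist, run over a constructed event stream."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int        # event time in seconds (constructed clock)
    bin6: str      # first 6 digits of the PAN (BIN/IIN); no full PAN is kept
    ip: str
    email: str
    amount: float


# Constructed reference data: placeholder values, not real blacklists
BLOCKED_BINS = {"491700"}
SHARED_EMAIL_BLACKLIST = {"test123@example.com"}

# Velocity rules: (name, identifier extractor, max attempts allowed, window in seconds)
VELOCITY_RULES = [
    ("ip", lambda t: t.ip, 2, 600),       # at most 2 attempts per IP per 10 minutes
    ("bin", lambda t: t.bin6, 3, 3600),   # at most 3 attempts per BIN per hour
]


class Screener:
    def __init__(self, rules=VELOCITY_RULES, blocked_bins=BLOCKED_BINS,
                 email_blacklist=SHARED_EMAIL_BLACKLIST):
        self.rules = rules
        self.blocked_bins = blocked_bins
        self.email_blacklist = {e.lower() for e in email_blacklist}
        # (rule name, identifier) -> timestamps of attempts still inside the window
        self.windows = defaultdict(deque)

    def screen(self, txn):
        """Return ("APPROVE" | "DECLINE", [reasons]) for one attempt.

        Every attempt is counted, approved or not: card testing is recognised
        by the attempt rate, not by the number of successful purchases.
        Events are expected in time order."""
        reasons = []
        if txn.bin6 in self.blocked_bins:
            reasons.append("bin_blacklist")
        if txn.email.lower() in self.email_blacklist:
            reasons.append("shared_blacklist_email")
        for name, key, limit, window in self.rules:
            seen = self.windows[(name, key(txn))]
            while seen and txn.ts - seen[0] >= window:   # drop attempts outside the window
                seen.popleft()
            seen.append(txn.ts)
            if len(seen) > limit:
                reasons.append(f"velocity_{name}")
        return ("DECLINE" if reasons else "APPROVE", reasons)


# Constructed attempt stream: documentation IPs (RFC 5737) and example.com addresses
SAMPLE_EVENTS = [
    Txn(0,   "453200", "203.0.113.5",   "alice@example.com",   2.00),
    Txn(30,  "453201", "203.0.113.5",   "bob@example.com",     2.00),
    Txn(60,  "453202", "203.0.113.5",   "carol@example.com",   2.00),   # 3rd from one IP in 10 min
    Txn(90,  "491700", "198.51.100.7",  "dave@example.com",   49.99),   # BIN on the blacklist
    Txn(120, "453203", "198.51.100.8",  "Test123@example.com", 15.00),  # email seen at another merchant
    Txn(200, "453200", "198.51.100.10", "frank@example.com",   3.00),
    Txn(210, "453200", "198.51.100.11", "grace@example.com",   3.00),
    Txn(220, "453200", "198.51.100.12", "heidi@example.com",   3.00),   # 4th attempt on one BIN in an hour
    Txn(700, "453204", "203.0.113.5",   "erin@example.com",    2.00),   # IP window has expired, allowed again
]


def run_sample(events=SAMPLE_EVENTS):
    """Screen the constructed stream with a fresh screener; returns one decision per event."""
    screener = Screener()
    return [screener.screen(t) for t in events]


if __name__ == "__main__":
    for t, (decision, why) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={t.ts:4d} bin={t.bin6} ip={t.ip:14} {t.email:20} {decision} {why}")
```

The stream shows both failure modes the post mentions: the ninth event from the same IP is approved again once the 10-minute window has rolled over, which is exactly the gap a carder exploits by spreading attempts over time, and the BIN rule still catches the burst on BIN 453200 even though every attempt came from a different IP, which is why the post recommends combining velocity keys rather than relying on the IP alone.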