Transaction laundering attracts more scrutiny as fraudsters dodge PCI

Fraudsters, aware of the scope of the Payment Card Industry data security standards, increasingly deploy fraud methods that fall outside PCI's protections.

Having helped independent sales organizations and acquirers comply with PCI for more than a decade, security provider Trustwave has seen most every trick a hacker can develop — and it has led to the company adding a transaction laundering detection [TLD] service to its Web Risk Monitoring portfolio.

Transaction laundering is one of the nefarious activities at which hackers are becoming prolific, and it falls outside the scope of PCI compliance, which is essentially designed to secure payment card data as it moves through a network.

Trustwave's TLD helps acquirers, banks, payment processors, payment gateways and ISOs more closely monitor their merchant clients' websites for any illegal activity that could be lurking beneath the surface of a merchant's legitimate site.

"In this particular case, it is identifying transactions that have been laundered on websites set up behind seemingly legitimate sites that are using the processing and gateway capabilities to facilitate illegal transactions," said Michael Petitti, senior vice president of global alliances for Trustwave.

Hackers seeking payment credentials and other personal information may set up what appears to be a legitimate business site, such as a flower service, simply to steal that data. But they can expand upon that crime by steering transactions from the phony flower shop to a site offering child exploitation materials, illegal online gambling, firearms or tobacco, or counterfeit goods or pharmaceuticals.

While such transaction laundering may not be widespread, it is a "big and growing issue" that various vendors like Trustwave, G2 Web Services, WebShield and others have been trying to resolve for some time, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

Indeed, transaction laundering prevention company EverCompliant says this type of activity is the new face of payment fraud, as banks may be processing transactions from between 6% and 10% of unauthorized e-commerce sites without permission or awareness, according to its own research.

There's a reason this particular crime is on the rise, Conroy said.

"While the card brands encourage direction for transaction laundering, it's not yet mandated," Conroy said. "That said, I think it's just a matter of time [for a mandate], since the increasing prevalence of marketplaces and payment facilitators is making this type of activity fairly easy for crime rings to perpetrate."

It can work either way, with hackers hiding behind an unsuspecting merchant's site or through development of a "fake" legitimate site, with transaction laundering hiding underneath it, Petitti said.

"Now the card brands are saying they want ISOs and acquirers to take a thorough look in identifying unknown merchants and transactions that could be laundered," Petitti said. "Our new service is designed to help acquirers comply with those regulations, as the card brands don't want to be associated with those types of transactions."

The screening for transaction laundering goes far deeper than looking at a merchant's transaction summary or simply examining site URLs and Secure Sockets Layer configurations.

"We are evaluating language and keywords on the sites and we have robust detection tools that can look at images on the site," Petitti said. "In some cases, we bring in a team of people to examine the findings to determine if transactions should be flagged so the ISO can see it on the system dashboard."

The TLD service adds to other site monitoring for content, malware, terms of service violations or identification of third-party relationships.

"It adds further to enhance the integrity of the payment industry and transaction supply chain," Petitti said. "We want to supply those services in a one-stop shop environment, with a single dashboard with all of this information."
