Why Merchant Service Providers Should Care About Transaction Laundering

You've seen it in the movies: Seemingly legitimate businesses such as restaurants, dry cleaners and taxi services acting as a facade to launder money gained from illicit activities.

With the rapid growth of digital business and e-commerce, transaction laundering has emerged as a threat that some view as another form of money laundering. It involves a merchant processing payment transactions on behalf of another merchant, with the primary intent of hiding nefarious activity behind supposedly credible merchant transactions.

So how do merchants launder transactions? At first glance, the merchant will appear completely legitimate to a Merchant Services Provider (MSP) - which includes acquirers, payment processors or ISOs - because they present themselves as a low-risk business type, knowing they will clear all standard underwriting procedures.

For instance, we have documented criminal merchants on file who disguise their businesses as engineering consultancy firms, web design companies, health food vendors, and many others. Once their application is approved with the MSP, the merchant uses its account credentials to connect the previously unknown (and criminally backed) websites to the "approved" payment stream through back-end web services, a practice known as aggregation. This activity is difficult to detect and can quickly turn into a game of whack-a-mole, because if, and when, the merchant is terminated with one provider, it switches to the next.

According to our research, roughly eight percent of any merchant portfolio includes the aggregation of transactions from unregistered websites. And this number is projected to grow.

If you're liable for your merchant's activities, it is important to be aware of this trending issue and assess how it may impact your business. One good question to start with is: "What is the cost to my business if we are seen facilitating illegal transactions?"

Then you must specifically:

1) Identify all online aggregating merchant websites.

2) Validate the physical address of all merchants.

3) Register low-risk sites.

4) Register the appropriate Merchant Category Code (MCC).

5) Take immediate action against merchants conducting criminal activity on the previously unknown merchant websites.

Remember that not only are there payment security requirements (like the Payment Card Industry Data Security Standard) enforced by the card brands' compliance programs, there are also policies and laws around what is appropriate and legal to sell. Think about the financial and reputational impact if your business is caught facilitating illegal and/or policy-violating merchant transactions. In many cases, even though you are an unwitting party to this activity, the outcome can result in a high chargeback percentage, financial penalties and legal issues.

Transaction laundering is a threat to the integrity of the entire payments system, especially because it can touch so many different stakeholders, including banking, processors and their agents, federal and state government bodies, consumer protection agencies and average consumers. That is why it is critical for a global payments industry community to come together and directly address this new threat.

Aside from routine and persistent monitoring of the active merchant portfolio to identify existing or unrecognized merchant websites, you should institute additional processes that keep criminal merchants out of your merchant portfolio without disrupting existing on-boarding processes.

Alex Kaluski is a technical product manager at Trustwave.
