Trustwave Blog

Why Merchant Service Providers Should Care About Transaction Laundering

You've seen it in the movies: Seemingly legitimate businesses such as restaurants, dry cleaners and taxi services acting as a facade to launder money gained from illicit activities.

With the rapid growth of digital business and e-commerce, transaction laundering has emerged as a threat that some view as another form of money laundering. Transaction laundering involves a merchant processing payment transactions on behalf of another merchant, and its primary intent is to hide nefarious activity behind supposedly credible merchant transactions.

So how do merchants launder transactions? At first glance, the merchant will appear completely legitimate to a Merchant Services Provider (MSP) - which includes acquirers, payment processors or ISOs - because it presents itself as a low-risk business type, knowing it will clear all standard underwriting procedures.

For instance, we have documented criminal merchants on file who disguise their businesses as engineering consultancy firms, web design companies, health food vendors, and many others. Once their application is approved with the MSP, the merchant uses its account credentials to connect the previously unknown (and criminally backed) websites to the "approved" payment stream through back-end web services, a practice known as aggregation. This activity is difficult to detect and can quickly turn into a game of whack-a-mole, because if, and when, the merchant is terminated with one provider, it switches to the next.

According to our research, roughly eight percent of any merchant portfolio includes the aggregation of transactions from unregistered websites. And this number is projected to grow.

If you're liable for your merchants' activities, it is important to be aware of this trending issue and assess how it may impact your business. One good question to start with is: "What is the cost to my business if we are seen facilitating illegal transactions?"

Then you must specifically:

1) Identify all online aggregating merchant websites.

2) Validate the physical address of all merchants.

3) Register low-risk sites.

4) Register the appropriate Merchant Category Code (MCC).

5) Take immediate action against merchants conducting criminal activity on the previously unknown merchant websites.

Remember that not only are there payment security requirements (like the Payment Card Industry Data Security Standard) enforced by the card brands' compliance programs, there are also policies and laws around what is appropriate and legal to sell. Think about the financial and reputational impact if your business is caught facilitating illegal and/or policy-violating merchant transactions. In many cases, even though you are an unwitting party to this activity, the outcome can result in a high chargeback percentage, financial penalties and legal issues.

Transaction laundering is a threat to the integrity of the entire payments system, especially because it can touch so many different stakeholders, including banking, processors and their agents, federal and state government bodies, consumer protection agencies and average consumers. That is why it is critical for the global payments industry community to come together and directly address this new threat.


Aside from routine and persistent monitoring of the active merchant portfolio to identify existing or unrecognized merchant websites, you should institute additional processes to prevent criminal merchants from entering your merchant portfolio without disrupting existing on-boarding processes.

Alex Kaluski is a technical product manager at Trustwave.