From Compromise to Cash-Out: Understanding the Fraud Life Cycle


Strategies to protect payment cards from threat actors

When people discover fraud on a payment card, they typically know who to call to initiate a dispute. 

But the standard sequence of events leading to that fraud event isn’t as well known. Many people are unaware there is an entire criminal ecosystem dedicated to the compromise, trafficking and unauthorized use of payment cards. 

In fact, the process that culminates in fraud has been so streamlined and pushed to industrial scales of operation that there is often a predictable framework preceding unauthorized transactions. Threat intelligence researchers can map out the fraud life cycle based on some of the more common events in that framework. 


The fraud life cycle

While no card’s journey toward fraud is set from the moment it’s stolen, there are typical events that precipitate the crime. That series of events often includes:

The compromise step is nearly universal, with the exception of first-party, chargeback and friendly fraud, when the cardholder initiates the crime. The card’s appearance on a dark web marketplace and the use of tester or checker services vary. 

The frequency with which a given card appears in a marketplace differs from one case to the next. For example, a card might be posted for sale at one shop one day and show up at a completely different marketplace the following week. 

Similarly, tester transactions can occur before or after the card posts for sale on a marketplace. 
 

The card-compromise event

Before an unauthorized transaction can occur, a threat actor must access the payment card data to use the account for money, goods or services. Common examples include malware in a point-of-sale (POS) system, card skimmers, scam merchants and bank identification number (BIN) attacks.

Payment Card Industry Data Security Standards are intended to mitigate data breach risk, but card compromise can still occur for many reasons. Among them are the exploitation of new forms of technology around the POS, errors or malicious intent from people interacting with the systems, and integration with third parties that may not have all the necessary security patches in place.

Fiserv offers a range of fraud solutions designed to help organizations detect and respond to potential sources of compromise based on available data signals. Capabilities and results vary by client configuration, data inputs and operating environment.

Common point-of-purchase (CPP) analysis is one such strategy. CPP investigations are particularly helpful for cards compromised with either a skimmer or malware infection at a POS.

Fraud analysts research the transaction history of a group of cards and track them back to a common merchant. When the CPP is confirmed, the analysts identify all cards from the portfolio that also transacted with the merchant and could be compromised.
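The CPP steps described above can be sketched in code. This is an added example, not Fiserv's method or code: the card and merchant identifiers, the thresholds and the lift score are assumptions chosen for illustration, and all data is constructed.

```python
from collections import defaultdict

# Constructed sample: (card, merchant) pairs from a hypothetical portfolio's history.
TRANSACTIONS = (
    [(f"card-{i:02d}", "M-GROCER-2") for i in range(1, 11)]   # all ten cards shop here
    + [(f"card-{i:02d}", "M-GAS-17") for i in range(1, 6)]    # cards 01-05 only
    + [("card-01", "M-CAFE-9"), ("card-06", "M-CAFE-9"),
       ("card-02", "M-BOOKS-4"), ("card-07", "M-BOOKS-4")]
)
CONFIRMED_FRAUD = {"card-01", "card-02", "card-03"}  # constructed fraud reports


def find_cpp_candidates(transactions, fraud_cards, min_fraud_cards=3, min_lift=1.5):
    """Rank merchants where fraud cards are over-represented among their customers.

    Lift = (fraud share at the merchant) / (fraud share in the whole portfolio).
    A merchant everyone uses has lift near 1.0 and is filtered out, which keeps
    popular but innocent merchants from being flagged as the common point.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    n_fraud = len(fraud_cards & all_cards)
    if n_fraud == 0:
        return []
    candidates = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & fraud_cards)
        if hits < min_fraud_cards:
            continue  # too few fraud cards to call it a common point
        lift = (hits * len(all_cards)) / (len(cards) * n_fraud)
        if lift >= min_lift:
            candidates.append((merchant, hits, len(cards), round(lift, 2)))
    return sorted(candidates, key=lambda c: (-c[3], -c[1]))


def cards_at_risk(transactions, merchant, fraud_cards):
    """Cards that transacted at a confirmed CPP but have no fraud reported yet."""
    return sorted({c for c, m in transactions if m == merchant} - fraud_cards)


if __name__ == "__main__":
    for merchant, hits, total, lift in find_cpp_candidates(TRANSACTIONS, CONFIRMED_FRAUD):
        print(merchant, hits, total, lift, cards_at_risk(TRANSACTIONS, merchant, CONFIRMED_FRAUD))
```

In production the input would also be limited to a lookback window ending before the first fraud report, so that only transactions that could have exposed the card are counted.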


The dark web marketplace

Dark web marketplaces are, in some ways, comparable to the aboveground eCommerce environments many consumers visit regularly. 

The webpages have intuitive designs and easily navigable user experiences built into them. The entire process, from sorting payment card records according to desired criteria to loading up a cart and proceeding to checkout, is analogous to ordering new shoes online. 

The shops’ administrators share partial details, including the BIN, the last four digits on the card, the expiration date and some additional personally identifiable information (PII), such as name and billing zip code, to entice prospective buyers. 

Fiserv partners with threat intelligence researchers for card resolution, during which web scrapers go to the dark web marketplaces and return the partial card details for further analysis to find unique matches with cards belonging to Fiserv clients. Fiserv reports the card to its client, which can elect to issue a new one or introduce additional fraud rules to more closely scrutinize the account. 
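The matching step of card resolution can be illustrated as follows. This is an added example, not Fiserv's implementation: the record layout, field names, account tokens and status labels are assumptions, and every value is constructed. It shows why only a unique match is reportable when a listing exposes partial fields.

```python
# Constructed issuer portfolio: an internal account token plus the fields that a
# marketplace listing may expose. No full card numbers are needed for matching.
PORTFOLIO = [
    {"token": "acct-A", "bin": "999901", "last4": "1234", "exp": "2027-03", "zip": "10001"},
    {"token": "acct-B", "bin": "999901", "last4": "1234", "exp": "2026-11", "zip": "60601"},
    {"token": "acct-C", "bin": "999902", "last4": "8080", "exp": "2028-01", "zip": "94105"},
]

# Constructed scraped listings; None marks a field the listing did not show.
LISTINGS = [
    {"id": "L1", "bin": "999901", "last4": "1234", "exp": "2027-03", "zip": "10001"},
    {"id": "L2", "bin": "999901", "last4": "1234", "exp": None, "zip": None},
    {"id": "L3", "bin": "999902", "last4": "8080", "exp": "2028-01", "zip": None},
    {"id": "L4", "bin": "999903", "last4": "0000", "exp": "2026-05", "zip": "73301"},
]

FIELDS = ("bin", "last4", "exp", "zip")


def resolve(listing, portfolio):
    """Match one partial listing against the portfolio.

    Returns (status, tokens). Only 'unique' identifies a single account with
    confidence; 'ambiguous' means the exposed fields fit several accounts and
    more fields are needed before any one card is reported.
    """
    known = {f: listing[f] for f in FIELDS if listing.get(f)}
    if not {"bin", "last4"} <= known.keys():
        return ("insufficient", [])  # too little data to attempt a match
    hits = [c["token"] for c in portfolio
            if all(c[f] == v for f, v in known.items())]
    if len(hits) == 1:
        return ("unique", hits)
    return ("ambiguous" if hits else "no_match", hits)


def resolve_all(listings, portfolio):
    """Resolve every listing and key the results by listing id."""
    return {entry["id"]: resolve(entry, portfolio) for entry in listings}


if __name__ == "__main__":
    for listing_id, result in resolve_all(LISTINGS, PORTFOLIO).items():
        print(listing_id, result)
```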

The goal of threat intelligence monitoring is to discover which cards are compromised before the cash-out phase. 

Charlotte Ritonya

Vice President, Risk and Fraud, Card Services, Fiserv

Tester and checker transactions

A tester or checker service validates that a payment card is still open, active and capable of being used to conduct fraudulent transactions. 

Testing represents another point in the fraud life cycle when analysts can identify compromised payment card data. Testing attempts typically show up in the card’s transaction history. 

Threat actors usually initiate tester transactions at various points in the fraud life cycle, most likely because they intend to sell the card or initiate a fraudulent transaction. It’s common to see more than one tester transaction on an account before or after a cash-out.

Fiserv analysts are optimally positioned to conduct testing research because the company portfolio represents a large swath of data. A single financial institution’s portfolio could show some tester activity but not as much as the entire population of banks and credit unions that partner with Fiserv. 
 

The cash-out purchase

By the time a threat actor makes an illegal purchase, the card has been compromised, possibly posted for sale on the dark web and likely tested. 

There are multiple ways fraudsters use the cards. 

Clone cards can be programmed with stolen data and used to obtain cash from an ATM. The threat actor gets the PIN and available account balance after buying the card through a dark web marketplace. Clone cards are among the most convenient cash-outs because they eliminate the need to buy and sell merchandise. 

When fraud involves acquiring goods, common examples include easily liquidated merchandise such as jewelry, electronic devices or gift cards. Some threat actors use the card for services such as online subscriptions for movies, music or software. 
 

The key to reducing fraud risk before the cash-out

Each of the four fraud phases represents an opportunity for threat intelligence analysts to thwart attempts at unauthorized transactions. 

Sources of compromise, appearances at card marketplaces, tester activity and attempts at cash-outs have verifiable data points Fiserv analysts can identify and disseminate. The goal of threat intelligence monitoring is to discover which cards are compromised before the cash-out phase. 

Fiserv then can notify the financial institution so it can make informed decisions about mitigation strategies, such as which cards to reissue and which ones should have the added scrutiny of a well-calibrated fraud rules solution. 
