MCC Miscoding in Online Gambling

How Unlicensed Operators Access Card Networks Through Layered Obfuscation

White Paper | Payments Fraud Intelligence | v1.0 | 2025

Executive Summary

The deliberate misclassification of online casino operators under non-gambling Merchant Category Codes has emerged as a systematic, commercially-organised form of payments fraud. Unlicensed and insufficiently licensed casino operators – primarily offshore – exploit a four-layer gateway and fake storefront architecture to insert gambling transactions into card networks under travel, financial services, or generic retail codes. This is not incidental miscoding: it is a structured service offered by intermediary payment consultancies that onboard, recode, and route transactions at scale on behalf of illegal operators.

The harm is multi-dimensional. Issuers cannot apply statutory gambling restrictions. Problem gamblers are deprived of card-level protection. Acquirers face seven-figure non-compliance assessments under Visa’s Integrity Risk Program (VIRP) and Mastercard’s MCC Miscoding Investigation Program. And card scheme networks sustain systemic integrity risk that undermines the entire MCC-based control architecture.

Detection requires mystery shopping and aggregate behavioural analysis. Standard transaction monitoring is structurally insufficient – by design. The acquirer in the final layer bears full scheme-level financial liability for miscoding perpetrated two or three hops earlier by entities outside its direct chain of accountability.

1. Background and Context

The MCC Architecture

Merchant Category Codes are four-digit ISO 18245 classifiers assigned at merchant onboarding. Every transaction flowing through Visa and Mastercard networks carries an MCC in the authorisation message. Issuers use MCCs to apply product controls – including statutory gambling blocks mandated under UK and EU consumer protection frameworks. Card schemes use MCCs to route, price, and risk-rate transactions.

For gambling, the governing MCC is 7995 – Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, Wagers at Race Tracks and games of chance to win prizes of monetary value. The Visa Merchant Data Standards Manual is unambiguous: in a card-absent (online) environment, a merchant conducting gambling transactions must use MCC 7995 for all transactions, even if gambling is not the merchant’s primary stated business.[1] Payment Facilitators bear explicit responsibility to evaluate every sponsored merchant and assign the most appropriate MCC to that merchant’s actual business.[2]

Why Miscoding Exists

Online gambling is a licensed industry. In the UK, EU, and most major markets, casino operators must hold a valid licence before accepting card payments. Unlicensed operators cannot obtain a merchant account under MCC 7995 through regulated acquiring channels – the licensing gate blocks them. The miscoding architecture exists to circumvent this gate entirely.

Beyond licensing, MCC 7995 carries structural payment disadvantages: issuers may apply card-level gambling blocks; some issuing banks decline all MCC 7995 transactions by default; interchange pricing reflects the high-risk classification. Miscoding to a lower-risk MCC – travel (4722), financial services, or generic retail – simultaneously bypasses issuer blocks, reduces interchange friction, and conceals the operator’s gambling identity from the acquiring bank’s risk systems.

The commercial logic is powerful. A miscoded gambling merchant processes at near-standard approval rates. A correctly coded one faces systematic declines from gambling-blocking issuers. This structural incentive is what intermediary payment consultancies have commercialised into a repeatable, fee-based service.

Market Context

The global online gambling market is valued at approximately USD 32 billion. The UK casino sector contributes around £14 billion annually, with the online segment representing approximately 33% of total UK market share. A material fraction of this volume enters card networks through miscoded channels, bypassing issuer gambling blocks, regulatory licensing requirements, and responsible gambling obligations.

2. The Four-Layer Obfuscation Architecture

Field intelligence gathered at ICE London (2024) documents a repeatable four-layer obfuscation architecture used by miscoding operators. This is not a single actor’s improvisation – it is an industrialised service delivered by payment consultancies to multiple casino operators simultaneously. The diagram below illustrates the full chain.

FIGURE 1 · MCC MISCODING ARCHITECTURE
FOUR-LAYER OBFUSCATION CHAIN · ICE LONDON DISCOVERY 2024
LAYER 1 — ILLEGITIMATE · FIRST MCC DISGUISE LAYER 2 — ILLEGITIMATE · SECOND MCC DISGUISE LAYER 3 — ILLEGITIMATE · FAKE STOREFRONTS + PAYMENT CONSULTANCY LAYER 4 — LEGITIMATE (UNKNOWING) · ACTUAL ACQUIRING CARD SCHEME INFRASTRUCTURE CASINO 1 OFFSHORE / UNLICENSED CASINO 2 OFFSHORE / UNLICENSED CASINO 3 OFFSHORE / UNLICENSED CASINO N OFFSHORE / UNLICENSED 7995 → 7801 7995 → 7801 7995 → 7801 7995 → 7801 GATEWAY 1 MCC 7801 GATEWAY 2 MCC 7801 GATEWAY 3 MCC 7801 GATEWAY 4 MCC 7801 7801 → 4722 PAYMENT CONSULTANCY MCC LAUNDERER · FAKE STOREFRONT OPERATOR FAKE STOREFRONT 1 MCC 4722 (TRAVEL) FAKE STOREFRONT 2 MCC 4722 (TRAVEL) FAKE STOREFRONT 3 MCC 4722 (TRAVEL) FAKE STOREFRONT N MCC 4722 (TRAVEL) GATEWAY 9 (FINAL) MCC 4722 PASSES UNCHANGED ACQUIRER UNKNOWINGLY ONBOARDS GAMBLING MID VISA / MASTERCARD ISSUER (BLIND) MCC substitution (hard) Converging auth flow Fake storefront chain
MCC MISCODING ARCHITECTURE · FIGURE 1 SOURCE: ICE LONDON DISCOVERY 2024 · VISA MDS · MC SPME PAYMENTS FRAUD INTELLIGENCE · 2025

Layer 1 – Illegitimate: First MCC Disguise

Casino operators hold an offshore licence or no licence at all. They do not possess a licence to operate in the UK or EU. Each operator connects to a payment gateway during the onboarding process. The gateway miscodes the merchant at the point of account creation, substituting MCC 7995 with MCC 7801 (Government-Licensed Online Casinos). The authorisation call is passed onward with the MCC already disguised.

Layer 2 – Illegitimate: Second MCC Disguise

The payment authorisation call is passed on with the already-miscoded MCC. A second-tier payment gateway receives the transaction and has the purpose of further disguising the merchant – the MCC changes again. All Layer 2 gateways connect to a central payment consultancy that sits at the apex of the obfuscation chain.

Layer 3 – Illegitimate: Fake Storefronts

The payment consultancy creates a fake storefront for each casino operator it serves. The fake storefront has a functional URL and a basic checkout interface but has no operational connection to the casino in any way. Based on the fake storefront’s declared identity – travel, FX, subscription services, or similar – a new and final MCC is assigned. MCC 4722 (Travel Agencies and Tour Operators) is the most commonly observed terminal code; the choice is deliberate, as travel agencies generate plausible transaction patterns and are rarely subject to issuer-level blocking. The payment consultancy, functioning simultaneously as a payment gateway, calls the final gateway with MCC 4722 now embedded in the auth message.

Layer 4 – Legitimate (unknowing): Actual Acquiring

The final gateway receives the authorisation with MCC 4722 already in place. It does not change the MCC – it has no reason to. The gateway calls the acquirer as a standard travel merchant. The acquirer calls the card scheme. The scheme processes the transaction as a travel purchase. The acquirer is, at this point, wholly unaware that it is processing gambling transactions.

The Detection Problem

To expose the scheme, the investigating party must conduct mystery shopping – visiting the URLs associated with the fake storefronts and following the checkout flow to its actual destination. Card scheme monitoring programs (Visa GBPP/VIRP, Mastercard SPME) do conduct mystery shopping, but sporadically and not at scale. Standard KYB checks pass the fake storefronts: they have functional URLs, descriptors, and checkout flows. Only operational verification exposes the disconnect. Where a miscoded merchant is identified, the acquirer in Layer 4 bears the financial consequence – not the gateway operators in Layers 1–3 who perpetrated the miscoding.

3. Regulatory and Scheme Obligations

Visa

The Visa Merchant Data Standards Manual is unambiguous on MCC assignment: online gambling transactions must carry MCC 7995, regardless of whether gambling is the merchant’s primary business. Payment Facilitators must evaluate every sponsored merchant and assign the MCC most appropriate to that merchant’s actual business – not the MCC the merchant prefers.[1][2] The Visa Global Brand Protection Program (GBPP), now superseded by the Visa Integrity Risk Program (VIRP), explicitly identifies the intentional miscoding of online gambling transactions as a compliance violation subject to non-compliance assessments or other enforcement action. Entities that miscode MCCs of gambling merchants violate the Visa Rules.[3] Industry data indicates acquirer non-compliance assessments for miscoded MCCs have reached seven figures under VIRP enforcement.[8]

Mastercard

Mastercard’s Security Rules and Procedures – Merchant Edition (SPME) establishes a formal MCC Miscoding Investigation Program. Before acquiring non-face-to-face gambling transactions, an acquirer must register the merchant with Mastercard and obtain copies of all applicable gaming licences for each jurisdiction.[4] All non-face-to-face gambling transactions must be identified using MCC 7995 and Transaction Category Code U, unless the acquirer has separately registered the merchant for MCC 7801 or 7802.[4]

Mastercard may initiate an MCC miscoding investigation without issuer notification. Where a claim is substantiated, non-performance assessments apply per MID: up to BRL 150,000 for transaction volumes above BRL 30 million, escalating to BRL 600,000 per MID for a fourth or subsequent violation within twelve months.[4] Assessments are mitigated by 50% if the merchant is recoded within five calendar days of Mastercard notification, and by 25% within fifteen days – after which no mitigation applies.

4. Detection Signals

Why Standard Monitoring Fails

The scheme is specifically designed to defeat standard controls. The MCC is assigned at onboarding, not per transaction – monitoring systems that check MCC at transaction time see only the final code (4722), not the substitution chain. Gateway-level miscoding happens before the auth message reaches the acquirer, so the acquirer’s fraud engine never encounters 7995. The fake storefront passes basic KYB: it has a URL, a descriptor, and a functional checkout. Only operational verification exposes the disconnect.

Transaction-Level Signals

Several transaction-level patterns are inconsistent with the declared MCC. Merchant descriptors that do not match the MCC category – for example, a gambling-adjacent name under MCC 4722 – are a direct flag. High concentration of round-amount transactions (£10, £20, £50, £100) is characteristic of gambling deposits and anomalous for travel. Rapid-fire repeat transactions by the same cardholder within minutes matches in-session gambling deposits, not travel bookings. Zero refund rate over 30 days is inconsistent with any legitimate travel merchant. High cross-border concentration is inconsistent with a declared domestic travel agent. And elevated decline rates from issuers known to apply gambling blocks – declines that would be inexplicable for a genuine travel merchant – are a strong signal in the issuer-side data.

Aggregate / Merchant-Level Signals

Fraud is a population-level phenomenon. These signals are invisible at the single-transaction level and require aggregation across the full merchant history. Chargeback reason code distribution diverges from MCC 4722 peers – miscoded gambling generates “unrecognised transaction” and “credit not processed” chargebacks rather than the travel-typical “service not provided.” Transaction velocity, average ticket size, and frequency diverge significantly from other MCC 4722 merchants in the acquirer portfolio. Cardholder recidivism – the same cardholders transacting repeatedly to the same merchant – is consistent with player behaviour, not travel booking. Settlement timing follows daily gambling cycles rather than the booking-plus-trip-completion pattern of travel agents. And domain age below twelve months, combined with thin or static website content, flags the fake storefront on basic OSINT review.

The only definitive control is mystery shopping: visiting the merchant URL and following the checkout flow to its actual destination. Any checkout that resolves to a gambling destination – or to a placeholder with no operational inventory – is a binary failure.

5. Case Typologies

Case A – Issuer Gambling Block Circumvention

A cardholder applies a gambling block to their banking card. They initiate transactions to an online casino. The first round of authorisations is correctly declined – the merchant’s MCC at the first gateway is 7995 and the issuer’s block fires. The casino’s payment consultancy then routes subsequent authorisations through a fake storefront coded as financial investments and securities. The second round passes because 7995 is no longer in the MCC field. The FOS upheld a complaint but found the issuer could not be held responsible for the miscoding; the fraudulent behaviour was the operator’s. The acquirer was not party to the FOS proceedings but remained exposed to scheme-level enforcement.[5]

Case B – Unlicensed Offshore Casino

A cardholder deposits a substantial sum into a foreign, unlicensed online casino trading illegally in the UK – a series of large, rapid transactions inconsistent with prior account history. The casino is processed under MCC 4722 at the acquirer. The cardholder contacts the Gambling Commission, which directs him to his bank for a chargeback. The FOS finds no chargeback grounds – the service was rendered, and neither the casino’s unlicensed status nor the MCC miscoding provides chargeback entitlement against the issuer. The FOS separately criticises the issuer for failing to flag the transaction pattern as indicative of vulnerability and potential money laundering.[5] The acquirer faced scheme investigation for onboarding a miscoded gambling merchant.

Case C – Payment Consultancy at Scale (ICE London, 2024)

A payment consultancy operates simultaneously for four or more unlicensed casino operators. For each operator it creates a unique fake storefront in a different declared vertical. All storefronts share the same final gateway and acquirer relationship. The consultancy explicitly offers MCC optimisation as a paid service – operators pay a premium for MCC 4722 routing versus standard MCC 7995 routing. Storefronts maintain functional URLs sufficient to pass automated KYB. Manual mystery shopping exposes the checkout flow routing to gambling destinations with no connection to the declared storefront identity.[7]

6. Recommended Controls

Onboarding

MCC assignment must be independently verified against actual business activity – not accepted from merchant self-declaration. For any merchant in an MCC adjacent to gambling (4722, 5816, 7999, 6012), conduct a manual operational review of the website: verify that bookable inventory, genuine product content, and a traceable business identity exist. Where any gambling indicators are present, obtain and validate a gaming licence before assigning a non-gambling MCC. Mastercard SPME mandates this explicitly. Document the full gateway chain for each merchant; multi-hop arrangements warrant enhanced due diligence and, for Visa, potential HRIPF registration.

Ongoing Monitoring

Run monthly MCC peer-group deviation analysis: flag merchants whose velocity, average ticket, and frequency diverge from the MCC cohort. Monitor chargeback reason code distribution against MCC expectations. Conduct quarterly minimum mystery shopping of merchants in high-risk adjacent MCCs – this is the only control that directly detects fake storefronts. Monitor weekly for elevated decline rates from gambling-blocking issuers on non-gambling MCCs. Review round-amount concentration and cross-border percentage monthly.

Escalation

Where miscoding is identified or suspected: suspend merchant settlement pending investigation; recode to the correct MCC within five calendar days to qualify for Mastercard’s 50% assessment mitigation; notify the relevant card scheme via the designated channel (Mastercard: Brazil.MCC.Performance@mastercard.com); file a SAR with the relevant FIU where grounds exist to suspect connection to money laundering or unlicensed gambling proceeds; and document the full investigation for regulatory purposes.

7. Conclusion

MCC miscoding in online gambling is not an edge case of accidental misclassification. It is a commercially-organised, fee-based service that provides systematic card network access to unlicensed operators. The four-layer architecture – casino, first-tier gateway, payment consultancy with fake storefronts, final gateway to a clean acquirer – is specifically engineered to defeat standard onboarding controls and transaction monitoring systems.

The control gap is structural. Acquirers receive transactions bearing a final MCC that was assigned two or three hops earlier by entities with no compliance obligation to the card scheme. Standard monitoring sees only the output of the obfuscation chain, not the chain itself. Mystery shopping and aggregate behavioural analysis are the primary detection mechanisms – both require deliberate investment that most acquirer monitoring programmes do not make by default.

The liability exposure is asymmetric. The acquirer in Layer 4 bears full scheme-level financial consequence for miscoding perpetrated in Layers 1–3. Visa VIRP assessments reaching seven figures and Mastercard escalating non-performance assessments to BRL 600,000 per MID represent material balance-sheet risk for acquirers operating at scale in markets with significant iGaming activity.

The path forward requires three things: operational website verification at onboarding, not just documentary KYB; systematic MCC peer-group deviation monitoring as a standing control; and a regular mystery shopping programme targeting high-risk adjacent MCCs. None of these is technically complex. All of them require deliberate prioritisation.

References

[1] Visa Merchant Data Standards Manual, April 2026 – Section 2: MCC 7995, gambling provisions, card-absent environment. [2] Visa Merchant Data Standards Manual, April 2026 – Payment Facilitator MCC assignment obligations. [3] Visa Payment Facilitator and Marketplace Risk Guide, 2021 – Section 4: Illegal or Miscoded Gambling; Global Brand Protection Program. [4] Mastercard Security Rules and Procedures – Merchant Edition (SPME), 3 February 2026 – Section 8.7: MCC Miscoding Investigation Program; Section 9.4.2: Non-Face-to-Face Gambling Merchants. [5] FOS Decisions DRN-4065792 (April 2023) and DRN-4035707 (August 2023), cited in: A Unique Position and a Difficult Challenge: Banks’ Support of Individuals Experiencing Gambling-Related Financial Harm. [6] US GAO Report GAO-03-89 – Internet Gambling: An Overview of the Issues (December 2002) – The Associations’ Transaction Coding Systems Can Be Compromised. [7] ICE London iGaming Market Discovery (2024) – internal intelligence briefing: miscoding typology, four-layer architecture, payment consultancy operations. [8] Digital Transactions – Miscoded Merchants Can Be a Seven-Figure Mistake (September 2023).