The fraud landscape for SMB payment acquirers and processors is entering 2025 in a structurally more difficult position than two years ago. The fraud techniques that dominated 2022-2023 — card-testing via concentrated IP clusters, bust-out fraud through single-merchant accounts, synthetic identity fraud using manually constructed profiles — have evolved. Each has become harder to detect with the tools that worked reasonably well against earlier iterations. At the same time, regulatory and card network pressure on processors has increased, compressing the margin for error. Understanding the current state of each threat vector and its trajectory is the starting point for any realistic operational plan.
Card-Testing: More Distributed, Harder to Cluster
Card-testing attacks in 2024 were notably more distributed than campaigns from 2022. The shift is a direct response to the wider deployment of IP-based velocity controls. Attackers have moved from using concentrated datacenter IP ranges — which are easy to block and increasingly pre-listed in threat intelligence feeds — to residential proxy networks and mobile carrier IP ranges that are more difficult to distinguish from legitimate user traffic at the IP level.
The implication for detection is that IP clustering, once a reliable primary signal for card-testing campaigns, is now a secondary signal at best. A card-testing campaign running across 500 residential proxy IPs, each contributing 2-3 authorization attempts, generates no meaningful per-IP velocity signal. The campaign-level signal is present in BIN sequence patterns, timing regularity, and authorization-to-decline ratios, but extracting it requires cross-merchant correlation and transaction-level timing analysis rather than per-IP velocity counting.
The practical defensive implication: processors relying primarily on IP-based velocity rules are increasingly exposed. The detection capability gap between IP-based rule systems and behavioral/BIN-correlation systems has widened in the past 18 months and will continue to widen as residential proxy infrastructure becomes cheaper and more accessible to fraudsters.
AI-Generated Synthetic Identities and Merchant Onboarding
Synthetic identity fraud — the construction of fictitious but plausible identities for the purpose of establishing payment accounts — has been a known risk in consumer lending for years. Its migration to merchant onboarding is newer and accelerating, driven by the availability of AI tools that generate credible business documentation, web presences, and business identity artifacts at low cost.
The threat in the acquiring context is specific: a fraudulent merchant operator can now assemble, in a matter of hours, a business identity package that includes a registered business name, a professional-looking website, fabricated business history, and synthetic documentation that passes basic KYB (Know Your Business) verification checks. The synthetic identity is constructed to pass screening, not to represent a real ongoing business. Once onboarded, the merchant operates normally for a period before executing a bust-out or simply disappearing.
Current KYB processes at SMB processors and payment facilitators vary significantly in depth. Processors relying primarily on business registration lookups and web presence checks are vulnerable to synthetic merchant identities that satisfy these criteria. More robust onboarding requires cross-referencing business registration data against phone number registrations, address verification against commercial property databases, and ideally, some form of beneficial ownership verification that goes beyond document review. The investment in enhanced onboarding is directly recoverable against a single prevented bust-out event at the higher end of the loss range.
Bust-Out Fraud at Micro-Merchant Level
The structural characteristics of bust-out fraud — build credible transaction history, execute high-volume fraud, exit — are well understood. What has changed heading into 2025 is the target profile. Bust-out activity is increasingly concentrated at the micro-merchant level: businesses processing $5,000 to $20,000 per month, where the individual loss exposure is lower but the volume of events is higher and the monitoring resources per account are thinner.
The logic from a fraudster's perspective is straightforward: a $200,000 bust-out at a mid-size merchant attracts immediate attention and generates a significant investigation response. A $15,000 bust-out at a micro-merchant may not trigger the same response threshold, and the per-incident operational cost of investigation can approach the loss value. Running 20 micro-merchant bust-outs rather than one large one is a rational diversification strategy for fraud operators facing more aggressive investigation at larger transaction scales.
For processors, the implication is that micro-merchant portfolios — which often receive less intensive risk monitoring per account than higher-volume accounts — need the same behavioral drift detection applied at scale. Per-merchant baseline calibration and rolling window analysis need to work efficiently at the level of a merchant processing 50 transactions per month, not just one processing 5,000.
Regulatory Pressure: Card Network Monitoring Programs
Card network pressure on processors has increased through 2024 and the trajectory continues into 2025. Visa's High Brand Risk program and Mastercard's Excessive Chargeback Program have both tightened enforcement. The practical effect is a shorter runway between threshold breach and formal monitoring status, and higher per-chargeback fines at the lower end of the monitoring tier.
Visa has also increased scrutiny of payment facilitators' merchant underwriting practices. Processors found to have onboarded merchants that subsequently generated significant fraud losses face enhanced monitoring requirements and, in some cases, mandatory changes to underwriting and monitoring processes as conditions of continued card network membership. This regulatory vector is distinct from financial fines: it affects operational capacity and can require significant compliance investment.
For SMB processors, the practical implication is that card network compliance is no longer a steady-state concern to be managed through periodic chargeback reviews. It requires proactive portfolio risk management — ongoing monitoring of merchant-level fraud metrics, early intervention when individual merchants approach thresholds, and documented fraud control processes that can be presented in a monitoring review.
What Processors Can Realistically Defend Against
Honest assessment of defensive capability is more useful than optimistic claims. SMB processors with well-implemented fraud infrastructure can realistically defend against: card-testing campaigns detected at the BIN-correlation and timing-analysis level; bust-out fraud identified in the behavioral drift phase before execution; false-positive rates reduced through per-merchant baseline calibration; and chargeback representment improved through automated decision records.
What remains genuinely difficult: sophisticated synthetic merchant identities assembled specifically to pass KYB checks; highly distributed card-testing running through legitimate residential connections at very low per-IP velocity; and organized fraud rings operating across multiple coordinated merchant accounts with shared infrastructure that creates cross-account signals too subtle to detect without network-level analysis. These threat vectors require either deeper onboarding verification or inter-processor data sharing arrangements — neither of which is available at low cost to independent SMB processors today.
Forward-Looking Risk Areas for 2025-2026
Several risk areas warrant particular attention in the 2025-2026 planning horizon. Account-to-account payment fraud — fraud targeting instant payment rails (RTP, FedNow) rather than card rails — is growing in volume and will increasingly intersect with SMB processor operations as more merchants adopt real-time payment acceptance. The fraud patterns on instant payment rails differ from card-based fraud in ways that require different detection approaches.
AI-assisted fraud tooling is reducing the skill level required to execute sophisticated attacks. Tools that automate card-testing at scale, generate synthetic merchant documentation, or assist in crafting phishing campaigns targeting merchant account credentials are available and being actively used. The democratization of these tools means the volume of lower-sophistication attacks will increase even as the ceiling on attack sophistication rises.
Finally, the regulatory environment for processor liability is likely to tighten in 2025-2026 as card networks and regulators respond to increased fraud volumes. Processors that have not invested in documented fraud control processes and measurable detection capability will face both higher exposure in network monitoring programs and potential regulatory scrutiny. Building the fraud operations infrastructure now, before regulatory timelines compress, is substantially lower-cost than building it reactively under a monitoring program notice.