Behind MasterCard's "Card Fraud Scandal"

Deep News

"Sitting at home, bills arrive from overseas," "Credit cards kept close to the body, yet transactions appear in places the cardholder has never visited," "Only discovering upon checking accounts after receiving transaction notifications that the actual transactions occurred two days earlier, with no prior alerts"... Over the past few days, similar card fraud information has flooded social media platforms, pushing Shanghai Pudong Development Bank (SPDB) and MasterCard into the spotlight.

Based on multiple sources, SPDB's current card fraud incident primarily centers on the SPDB MasterCard "Red Sassoon" credit card products. After detecting some unauthorized transactions, SPDB, MasterCard, and Wanglian have initiated emergency investigations, with cardholders not required to bear the fraudulent charges.

This is not an isolated case. On September 16, further investigation revealed that beyond the aforementioned "Red Sassoon" credit card products caught in the fraud storm, China CITIC Bank's MasterCard debit cards have also experienced fraudulent transactions since September. Multiple consumers reported that their CITIC Bank "Diablo" MasterCard debit cards were fraudulently used. The fraud reports from different banks and card types all point to MasterCard as the service provider. As the core hub connecting global merchants and card-issuing institutions, MasterCard's role and responsibility in this incident have become a key window for examining the cross-border payment security ecosystem.

**Reality Gaps in Technical Defense Lines**

While SPDB's credit card fraud incident garnered widespread attention, debit cardholders from another bank quietly faced the same problems.

Consumer Zhang Tian (pseudonym) reported receiving a consumption notification from CITIC Bank on September 12, showing his bank card was used overseas for 9.64 yuan. Zhang Tian quickly realized his card had been fraudulently used and immediately reported the information to CITIC Bank customer service.

After verification by CITIC Bank customer service, the transaction occurred in Indonesia for approximately 22,000 Indonesian rupiah. Four days before the deduction, Zhang Tian's debit card had already undergone pre-authorization on September 8, which he was completely unaware of. This made him question why there was no alert during pre-authorization. CITIC Bank customer service explained that Zhang Tian had not activated SMS notification services.

After sharing this experience on public social platforms, Zhang Tian found several other users holding CITIC Bank "Diablo" MasterCard debit cards who were similarly defrauded, with one victim's transaction merchant matching Zhang Tian's. In discussions initiated by Zhang Tian, many other holders of the same series debit cards reported encountering similar situations.

Zhang Tian's experience also caught Liu Yu's (pseudonym) attention. Earlier than Zhang Tian, Liu Yu received consecutive SMS notifications from CITIC Bank on the evening of September 3, indicating that transactions were stopped by anti-fraud security locks. "This card was always with me, and the last time I used it was in Japan in December 2024. The fraudsters attempted three transactions, all intercepted by the system, causing no actual loss. The next day, I applied for a card replacement, which updates the card's expiration date and CVV2 code. Since actual transactions were stopped, the bank couldn't determine where the fraud specifically occurred," Liu Yu stated.

Regarding consumer feedback about debit card fraud, what situations trigger "anti-fraud security locks," and what preventive measures exist for fraudulent and risky transactions, attempts to reach CITIC Bank for comment were unsuccessful by publication time.

During the period when Liu Yu and Zhang Tian experienced fraud, SPDB's MasterCard "Red Sassoon" credit cards were fraudulently used on a large scale, and a growing number of consumers posted about it on social platforms, drawing widespread attention. According to multiple sources, the fraudulent credit card use covered various situations, including abnormal transactions not being intercepted, cards with limits being charged beyond those limits, and cards that had been reported for cancellation or loss still being fraudulently used, with all transactions occurring overseas.

On September 13, SPDB Credit Card Center, MasterCard, and Wanglian successively issued situation statements, all indicating detection of unauthorized transactions on some MasterCard World Elite cards and immediate activation of emergency responses. According to the latest developments, involved parties confirmed that cardholders would not bear fraudulent charges, with account adjustments to be processed gradually.

**Responsibility Boundaries Between Card Organizations and Multiple Parties**

Compared to credit cards that can be used for large purchases, some debit card fraud victims felt somewhat fortunate that due to low debit card balances, financial losses were minimal. However, this doesn't completely alleviate cardholders' concerns about fraud.

Regarding the causes of related fraud, industry opinions vary, with more questions directed at issuing banks' and card organizations' risk control systems. Industry insiders noted that bank card fraud occurs periodically in the industry, especially in cross-border payments, with diverse causes that cannot be addressed with a "one-size-fits-all" approach. Additionally, Liu Yu mentioned in interviews that his other MasterCard debit cards from HSBC and China Merchants Bank experienced no fraud.

Behind SPDB and MasterCard's statements promising "emergency response activated" and "customers bear no losses" lies a complex cross-border payment responsibility allocation system.

In cross-border payments, issuing banks are responsible for issuing payment cards, reviewing transactions, and debiting corresponding funds from cardholder accounts. Card organizations like MasterCard are responsible for building global payment networks, transmitting transaction instructions between different banks, conducting clearing and settlement, and handling currency conversion. After cardholders make cross-border purchases, transaction information is transmitted between issuing banks and acquiring parties through card organization networks.

In November 2023, with People's Bank of China approval, MasterCard partnered with NetsUnion to establish Wanglian, China's third licensed bank card clearing business institution, which officially began operations in May 2024. After Wanglian's launch, it gradually established cooperation with multiple domestic payment institutions, enabling comprehensive acceptance of MasterCard cards issued domestically and internationally through partner payment institutions' acquiring systems.

On September 16, a payment institution representative explained that as the acquiring side, they primarily obtain merchant information and normally cannot access consumers' complete card information, especially card numbers, expiration dates, and CVV2 codes. Risk control systems focus more on telecommunications fraud and money laundering. For unreasonable transactions, acquiring sides request issuing bank verification when risks are identified, typically through SMS verification processes.

Behind the fraud incidents are missing risk control reviews at multiple stages. Other cross-border payment industry professionals noted that in cross-border scenarios, card organizations should in theory conduct a risk assessment for each transaction and push overseas transaction data to issuing banks in real time, while banks need to synchronize user account status and credit limit changes to card organization systems. High-risk transactions should be rejected at the card organization level. In the related fraud incidents, the collaborative mechanisms between card organizations and issuing banks were the first to break down.

Furthermore, industry professionals indicated that besides issuing banks, card organizations, acquiring institutions, and merchants, cross-border consumption chains include information processors that handle information conversion and transmission. In a regular transaction, the path from initiation to completion passes through multiple risk control reviews, including those of card organizations, information processors, issuing banks, and acquiring institutions. Fraud therefore implies either a complete failure of the risk control system, or weak capabilities at certain stages combined with over-reliance on the review abilities of other stages.

Attempts to reach SPDB, CITIC Bank, and MasterCard for comments on main fraud causes and specific preventive measures were unsuccessful by publication time. Regarding specific responsibility allocation, multiple interviewees indicated that specifics depend on officially announced fraud causes.

**Reconstructing Cross-Border Payment Security Rules**

According to industry practices, fraud transaction responsibility determination requires examining transaction time, location, verification methods, and numerous other factors, but overseas fraud adds complexity to such accountability.

After discovering fraud, Zhang Tian repeatedly sought solutions from CITIC Bank but received no effective response. "The bank determined that I bound overseas payments leading to charges. I'm still waiting for the bank's solution. Small loss amounts shouldn't ignore our reasonable demands, as no one can guarantee whose bank card will be fraudulently used next," Zhang Tian stated.

Zhang Tian's anxiety reflects long-standing information asymmetries in cross-border payments, where users cannot know how their card information flows or where leakage risks exist in various stages, only passively relying on issuing institutions' and card organizations' security promises.

Twenty years ago, a major hacker attack on CardSystems Solutions, a financial transaction data processing vendor cooperating with MasterCard, led to massive leaks of user account information, which greatly advanced compliance with and strengthening of the payment card industry data security standard. Today, although financial institutions' intelligent prevention and control technologies have been significantly upgraded, the complexity of cross-border payments still provides opportunities for fraudsters.

Behind the fraud incidents, conflicts persist between the technical uniformity of global payment networks and regional regulatory differences. As early as 2016, the People's Bank of China issued the "Notice on Further Strengthening Bank Card Risk Management," requiring comprehensive application of payment tokenization technology to desensitize transaction information and the establishment of emergency payment suspension and rapid freezing mechanisms. However, industry professionals mentioned that the standards for executing merchant-side verification overseas vary widely in some regions, adding difficulty to fraud prevention.

MasterCard has been promoting payment tokenization services within its global payment network since 2014. With Wanglian's business development in China, this service has also launched domestically. As described, payment tokenization services use payment tokenization technology to replace sensitive information such as bank card numbers, card verification codes, and payment accounts at payment institutions. Setting constraint rules for payment tokens, including transaction frequency, amounts, validity periods, and payment channels, controls the risk of information leakage and fraudulent transactions at the source.
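The constraint rules listed above can be made concrete with a small sketch. This is an added example, not code from the article, MasterCard, or Wanglian: `TokenPolicy`, `TokenVault`, the channel names, and the decision strings are hypothetical, and the sample card number is a public test value. The `suspend` path models the issuer pushing a loss or cancellation status so that later authorizations are refused.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class TokenPolicy:                    # hypothetical constraint set for one token
    max_amount_minor: int             # per-transaction cap, minor currency units
    max_tx_per_day: int               # frequency limit over a rolling 24 hours
    valid_until: datetime             # validity period
    channels: frozenset               # permitted payment channels
    active: bool = True               # cleared on reported loss or cancellation
    approved: list = field(default_factory=list)  # times of approved uses

class TokenVault:
    """Merchants store only the token; the PAN stays inside the vault."""
    def __init__(self):
        self._pan, self._policy = {}, {}
    def issue(self, pan, policy):
        token = secrets.token_hex(8)  # random surrogate, not derived from the PAN
        self._pan[token], self._policy[token] = pan, policy
        return token
    def suspend(self, token):         # issuer pushes a card-status change
        self._policy[token].active = False
    def authorize(self, token, amount_minor, channel, now):
        p = self._policy.get(token)
        if p is None:
            return "DECLINE:unknown_token"
        if not p.active:
            return "DECLINE:suspended"
        if now > p.valid_until:
            return "DECLINE:expired"
        if channel not in p.channels:
            return "DECLINE:channel"
        if amount_minor > p.max_amount_minor:
            return "DECLINE:amount"
        recent = [t for t in p.approved if now - t < timedelta(days=1)]
        if len(recent) >= p.max_tx_per_day:
            return "DECLINE:frequency"
        p.approved = recent + [now]   # only approved uses count toward the limit
        return "APPROVE"

def demo():
    """Constructed scenario; the PAN is a public test number, not a real card."""
    vault, now = TokenVault(), datetime(2025, 9, 12, 10, 0)
    policy = TokenPolicy(50_000, 2, now + timedelta(days=30), frozenset({"ecom"}))
    tok = vault.issue("5555555555554444", policy)
    tries = [(1_000, "ecom"), (90_000, "ecom"), (1_000, "pos"), (2_000, "ecom"), (500, "ecom")]
    out = [vault.authorize(tok, a, c, now + timedelta(minutes=i)) for i, (a, c) in enumerate(tries)]
    vault.suspend(tok)                # card reported lost: later use must fail
    return out + [vault.authorize(tok, 100, "ecom", now + timedelta(hours=30))]
```

A token stolen from a merchant is only usable inside the narrow window its policy allows, and a status change pushed by the issuer takes effect on the very next authorization.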

According to Botong Consulting Chief Analyst Wang Pengbo, cross-border payment security weak points mainly manifest in cross-border risk control gaps, delayed emergency responses, and untimely risk data sharing between banks and card organizations. As settlement parties, card organizations must fulfill technical risk control obligations through system vulnerability tracing, cross-border risk interception to prevent fraud, and assisting banks in completing fund compensation processes.

Regarding coordination between issuing banks and card organizations, Wang Pengbo noted that first, both parties need to break information barriers and establish real-time data sharing mechanisms. For example, issuing banks can share customer daily consumption scenarios and regional preference behavioral data, while settlement parties can synchronize cross-border high-risk region transaction dynamics and merchant compliance information to promptly intercept abnormal transactions. Second, joint technology upgrades should be promoted, accelerating comprehensive chip card adoption and jointly developing intelligent risk control systems to strengthen proactive warning capabilities for abnormal transactions. Finally, responsibility allocation and emergency processes should be clarified through agreements defining issuing banks' advance compensation responsibilities and settlement parties' risk tracing and vulnerability prevention obligations in fraud incidents.

Beijing Academy of Social Sciences Associate Researcher Wang Peng suggested that cross-border payment fraud problems require constructing closed-loop systems through "technical defense strengthening—responsibility boundary clarification—regulatory coordination upgrading." Technically, dynamic encryption and AI risk control adoption should be accelerated, with international organizations leading cross-border payment security framework development, clarifying responsibility boundaries and collaboration processes among issuing banks, card organizations, and merchants. Simultaneously, consumer protection should be strengthened, reminding consumers to disable unnecessary overseas payment functions, ultimately achieving security and efficiency balance.
