ISO 8583 and the Hidden Challenge of AML and Sanctions Screening in Credit, Debit, ATM, POS and Prepaid Card Payments
- Mayank Sharma

In the voluminous world of card-based payments, compliance teams face a quiet but growing dilemma. Despite advances in compliance monitoring technology, one foundational standard—ISO 8583, the decades-old messaging format for card transactions—remains a stubborn obstacle to effective anti-money laundering (AML) and risk screening.

Designed in 1987 and last updated in 2003, ISO 8583 remains the backbone of card-based payment systems. However, its rigid, bitmap-based structure has limited its evolution. Its inability to support flexible XML or JSON schemas, like those used in ISO 20022, has made it less suitable for broader payment modernization and data-rich regulatory environments. When rich contextual data such as purpose codes, structured remittance info, or regulatory identifiers simply isn’t there, enforcing precise AML and sanctions compliance becomes challenging.
Understanding the ISO 8583 limitation
ISO 8583 is the global standard for exchanging transaction data for credit, debit, ATM, POS and prepaid cards. Each transaction carries up to 128 potential fields, from merchant category codes (MCCs) to account IDs, but the information available to banks is often fragmented, inconsistent, or incomplete.
Each card network (Visa, Mastercard, Amex, Discover, and others globally) uses its own proprietary variant of ISO 8583. Some fields are overloaded with custom data, while others are omitted entirely – or not shared with financial institutions using these rails. Even within the same network, two transactions can look different from an AML and sanctions screening perspective.
In a world where regulatory expectations continue to rise, particularly around real-time sanctions detection, these are blind spots compliance teams cannot afford to have.
Card transactions: limited visibility, higher risk
When banks process card transactions from a point-of-sale (POS) terminal, ATM, or e-commerce platform, they receive only a limited subset of information about the counterparties involved. Crucial Know Your Customer (KYC) data about merchants or cardholders may be missing or incomplete.
That means a bank often must trust the due diligence of the opposing institution and the card networks, even when the transaction involves regions with weak or inconsistent AML or sanctions enforcement.
Partner and company cards compound the problem. These can obscure the true beneficial owner of the account behind the card, making it difficult to determine whether the funds are tied to a sanctioned individual or entity. Even something as simple as a card issued in a restricted country can pose challenges. While bank identification numbers (BINs) can help flag some high-risk regions, they offer only partial protection.
Card-to-card transfers: the gray area of screening
Card-to-card (C2C) transfers, where one cardholder sends funds directly to another, blur the line between retail payments and cross-border remittances. While networks provide complete name data for these transactions, the data is far more limited than that included in traditional wire transfer messages, posing challenges for AML and sanctions screening.
While the functionality is similar to remittances, most C2C transfers are not classified as cross-border remittances under AML regimes unless funds leave the originating jurisdiction. However, regulators are increasingly treating high-volume C2C corridors like remittance flows for monitoring purposes. For this reason, compliance teams should demand the same rigor as standard payment transfers, as counterparties may not adhere to similar sanctions frameworks or supervisory standards.
Residual risk remains, particularly when partner or corporate cards are used to disguise the ultimate beneficiary. Without reliable, transparent counterparty data, even the most diligent sanctions screening system will struggle to catch every red flag.
The power imbalance: banks vs. card networks

One of the uncomfortable truths about payments compliance in card transactions is that banks do not control the data they receive. The major card networks dictate the structure and content of ISO 8583 messages and provide few assurances regarding their own internal screening practices.
While networks may state that they perform sanctions checks on their end, they do not disclose the details, accuracy, or completeness of those screenings. Meanwhile, no retail bank can simply opt out, since card issuance is indispensable for serving both retail and corporate customers.
In this ecosystem, financial institutions are effectively responsible for risk they can’t fully see—a challenge that grows as regulators demand real-time, auditable controls over every transaction.
Moving toward smarter screening
While the industry’s migration toward account-to-account (A2A) payments and the ISO 20022 data standard offers new promise in achieving greater transparency and control across payment compliance, ISO 8583 will continue to underpin global card networks for the foreseeable future. Opening up these networks to share data will require major policy and network-rule changes, which will likely take years to standardize. Until then, financial institutions must make the most of the data available within existing card transactions and set up controls around those elements intelligently.
For example, below are some controls that can be configured to uncover risk from ISO 8583 messages:

- Merchant identity and location: Fields like DE43 (Name/City/Country), DE18 (MCC), DE19 (Acquirer Country), DE41 (Terminal ID), and DE49 (Currency) can be screened for merchant names, locations, high-risk MCCs, or sanctioned corridors.
- Counterparty institutions: Fields such as DE32, DE33, and DE100 identify the acquiring, forwarding, or receiving institutions, which can be matched against sanctioned BIC/IIN lists.
- BIN intelligence: DE2 (PAN) enables extraction of the issuer BIN/IIN, helping detect high-risk or sanctioned issuer countries.
- Country and corridor controls: Combining issuer (BIN), acquirer (DE19), merchant (DE43), and settlement currency (DE49) enables the creation of dynamic corridor-based rules, for example flagging or auto-blocking Russia-to-EU e-commerce flows with certain MCCs.
By screening what is available today and layering conditional rules around country, corridor, and merchant risk, institutions can achieve meaningful coverage despite the inherent limitations of ISO 8583.
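To make the bitmap structure described earlier and the field-level controls listed above concrete, here is an added example (not code from the original article, nor from FinScan or any card network): a minimal Python parser for an assumed ASCII variant of ISO 8583, followed by rule-based screening over DE2, DE18, DE19, DE32/DE33/DE100 and DE43. The field layouts (including the 25/13/2 name/city/country split of DE43), the BIN-to-country table, the watchlists, the country sets and the sample authorisation message are all constructed assumptions for illustration; every real network variant differs and must be mapped explicitly before screening.

```python
"""Minimal ISO 8583 (ASCII variant) parser plus rule-based AML/sanctions screening.

Constructed example: field layouts, reference tables, watchlists and the sample
message are illustrative assumptions, not any card network's real specification.
"""
import re

# Assumed layouts for the subset of data elements screened below.
# ("fixed", n): exactly n characters; ("llvar", max): 2-digit length prefix, up to max chars.
FIELD_SPEC = {
    2: ("llvar", 19),    # Primary account number (PAN)
    3: ("fixed", 6),     # Processing code
    4: ("fixed", 12),    # Transaction amount
    18: ("fixed", 4),    # Merchant category code (MCC)
    19: ("fixed", 3),    # Acquiring institution country code (ISO 3166 numeric)
    32: ("llvar", 11),   # Acquiring institution identification code
    33: ("llvar", 11),   # Forwarding institution identification code
    41: ("fixed", 8),    # Card acceptor terminal ID
    43: ("fixed", 40),   # Card acceptor name/location (assumed: name 25, city 13, country 2)
    49: ("fixed", 3),    # Transaction currency code
    100: ("llvar", 11),  # Receiving institution identification code
}

# Constructed reference data (illustrative only, not real BIN ranges or lists).
BIN_COUNTRY = {"400000": "643", "510000": "276", "370000": "840"}  # 6-digit BIN -> ISO 3166 numeric
HIGH_RISK_MCC = {"7995", "6051"}           # gambling, quasi-cash
WATCHLIST_INSTITUTIONS = {"12345678901"}   # constructed institution identifier
WATCHLIST_MERCHANTS = {"ACME CASINO"}      # constructed merchant name
EU_COUNTRIES = {"276", "250", "528"}       # DE, FR, NL
ALPHA2_TO_NUMERIC = {"DE": "276", "FR": "250", "NL": "528", "RU": "643"}

def build_bitmap(present):
    """Encode DE numbers 2..64 as the 16-hex-digit primary bitmap (bit 1 = MSB)."""
    bits = 0
    for de in present:
        if not 2 <= de <= 64:
            raise ValueError(f"DE{de} needs a secondary bitmap, not supported here")
        bits |= 1 << (64 - de)
    return f"{bits:016X}"

def parse_bitmap(hex_bitmap):
    """Return the set of DE numbers whose bit is set in a 64-bit hex bitmap."""
    bits = int(hex_bitmap, 16)
    return {de for de in range(1, 65) if bits >> (64 - de) & 1}

def build_iso8583(mti, fields):
    """Serialise MTI + primary bitmap + data elements in ascending DE order."""
    out = [mti, build_bitmap(fields)]
    for de in sorted(fields):
        kind, n = FIELD_SPEC[de]
        value = fields[de]
        if kind == "fixed" and len(value) != n:
            raise ValueError(f"DE{de} must be exactly {n} chars")
        if kind == "llvar":
            if len(value) > n:
                raise ValueError(f"DE{de} exceeds {n} chars")
            value = f"{len(value):02d}{value}"
        out.append(value)
    return "".join(out)

def parse_iso8583(msg):
    """Parse an ASCII ISO 8583 message into (MTI, {DE: value}); refuse unknown DEs."""
    mti, pos = msg[:4], 4
    present = parse_bitmap(msg[pos:pos + 16]); pos += 16
    if 1 in present:  # bit 1 announces a secondary bitmap for DE65..128
        present |= {de + 64 for de in parse_bitmap(msg[pos:pos + 16])}
        present.discard(1); pos += 16
    fields = {}
    for de in sorted(present):
        if de not in FIELD_SPEC:
            raise ValueError(f"DE{de} present but its layout is unknown; cannot parse safely")
        kind, n = FIELD_SPEC[de]
        if kind == "llvar":
            length = int(msg[pos:pos + 2]); pos += 2
            if length > n:
                raise ValueError(f"DE{de} length {length} exceeds max {n}")
            n = length
        fields[de] = msg[pos:pos + n]; pos += n
    if pos != len(msg):
        raise ValueError("trailing data after last data element")
    return mti, fields

def normalise(name):
    return re.sub(r"[^A-Z0-9 ]", "", name.upper()).strip()

def screen(fields):
    """Apply BIN, MCC, institution, merchant-name, location and corridor rules."""
    alerts = []
    pan, mcc, acquirer_country = fields.get(2, ""), fields.get(18), fields.get(19)
    issuer_country = BIN_COUNTRY.get(pan[:6])
    merchant = fields.get(43, "").ljust(40)
    merchant_name, merchant_country = normalise(merchant[:25]), merchant[38:40]
    if pan and issuer_country is None:
        alerts.append(f"issuer BIN {pan[:6]} not in reference table")
    if mcc in HIGH_RISK_MCC:
        alerts.append(f"high-risk MCC {mcc}")
    for de in (32, 33, 100):  # acquiring / forwarding / receiving institutions
        if fields.get(de) in WATCHLIST_INSTITUTIONS:
            alerts.append(f"DE{de} institution {fields[de]} on watchlist")
    for name in WATCHLIST_MERCHANTS:
        if name in merchant_name:
            alerts.append(f"merchant '{merchant_name}' matches watchlist entry '{name}'")
    if merchant_country in ALPHA2_TO_NUMERIC and ALPHA2_TO_NUMERIC[merchant_country] != acquirer_country:
        alerts.append(f"merchant country {merchant_country} differs from acquirer country {acquirer_country}")
    if issuer_country == "643" and acquirer_country in EU_COUNTRIES and mcc in HIGH_RISK_MCC:
        alerts.append("corridor RU->EU with high-risk MCC")
    return alerts

def screen_message(msg):
    _mti, fields = parse_iso8583(msg)
    return screen(fields)

# Constructed sample authorisation request (0200): Russia-BIN card at a Berlin casino.
SAMPLE_FIELDS = {
    2: "4000001234567890", 3: "000000", 4: "000000010000", 18: "7995", 19: "276",
    32: "12345678901", 41: "TERM0001",
    43: "ACME CASINO LTD".ljust(25) + "BERLIN".ljust(13) + "DE", 49: "978",
}
SAMPLE_MESSAGE = build_iso8583("0200", SAMPLE_FIELDS)

if __name__ == "__main__":
    print(SAMPLE_MESSAGE)
    for alert in screen_message(SAMPLE_MESSAGE):
        print("ALERT:", alert)
```

The parser deliberately raises on any data element whose layout is not in FIELD_SPEC rather than guessing its length: because each network's variant overloads or omits fields differently, a screening engine that silently skips or mis-aligns an unknown DE would shift every subsequent field and corrupt the very values (MCC, country, institution ID) the rules depend on.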
Solutions like FinScan Payments are built precisely for this moment. By enabling risk-based configuration, advanced field mapping, and intelligent alert management, the solution helps financial institutions apply the same precision to card payments that they do to other transaction types, even when data is limited.
Milliseconds matter, and effective compliance shouldn’t have to wait for perfect data. It requires tools that see beyond the format, adapt to the context, and help institutions detect risk before it becomes exposure.
The future of compliance in a fragmented payments world
Card-based payments aren’t going away, and neither are the compliance expectations surrounding them. The firms that succeed will treat the limitations of ISO 8583 as engineering challenges to be solved through more innovative data use, configurable screening, and transparency across the payments chain.
Adopting a best-practice approach to transaction screening is rooted in the notion that compliance doesn’t slow innovation—it enables it by giving institutions the clarity and control they need to move fast without overlooking risk.