Paul Paolucci, the top cop for one of the world’s biggest credit card companies, sure had some interesting friends.
One made a fortune fronting for pornography websites that needed access to Mastercard’s and Visa’s payment networks. Paolucci, who oversaw Mastercard’s merchant fraud control, was photographed cavorting around the Las Vegas Hard Rock Hotel with him and a group of women in white corset minidresses.
A second was a Lamborghini-driving e-commerce mogul with whom Paolucci used to celebrate family holidays. The mogul ended up in prison for a financial crime he committed, in part, using Mastercard’s network.
An executive at a famously corrupt European bank claimed to have dined with Paolucci and gotten his help evading Mastercard’s regulations.
It was Paolucci’s job to make sure that the banks and companies using Mastercard’s network were playing by the rules. He bent those rules himself by getting close to the very kinds of high-risk businesses he was supposed to be watching like a hawk — so close, in fact, that they sometimes seemed to be working together. Eventually, one of those friendships led him to break the rules entirely, and it cost him his job. But though Paolucci crossed a line, for Mastercard — and its global rival, Visa — a permissive relationship with fraudulent, exploitative, or in some cases even criminal enterprises is no exception. It’s the norm.
A yearlong BuzzFeed News investigation reveals that both Mastercard and Visa, which together process three-quarters of all US credit card payments, move money for businesses with extensive records of fraud — making it possible for them to keep swindling customers, sometimes for years. The credit card giants collect a percentage of every sale, legitimate or not.
BuzzFeed News’ review, based on tens of thousands of pages of court records, confidential investigative reports, secret recordings, internal company records, and more than 120 interviews, shows how Mastercard and Visa continue to accommodate thousands of businesses that have been flagged for issues including lying to customers, lying to banks, and breaking the law.
As credit cards have become an essential part of global commerce, they have also become a common tool for fraud, with scammers on every continent using the card networks to sell fake miracle cures, multilevel marketing schemes, bogus educational opportunities, and pump-and-dump investment scams on a massive scale.
Both credit card giants have the prerogative to kick scammers off their grids, effectively blocking them from a huge share of potential customers. Mastercard even maintains an extensive database of companies that have gotten in trouble at other financial institutions. Yet both companies say that locking out crooks and other bad actors simply isn’t their job. A Visa executive testified that the card company doesn’t think it’s worthwhile, since it would be possible to circumvent. Mastercard has locked companies out on occasion, but typically after intense public scrutiny.
The card companies also have the prerogative to cut off banks that handle fraudulent transactions, but they almost never choose to do so. Mastercard told BuzzFeed News it “does levy financial penalties and has suspended or terminated the license” of banks “based on specific incidents.” It declined to say what they were. As for those fines, the banks typically pass them along to the offending companies, which may simply shrug them off as a cost of doing business.
And the public isn’t warned about any of it.
This might come as a surprise to anyone who has received a notice about a suspicious credit card transaction, perhaps a charge made in a city one has never been to. Those notifications, and the assurance that the cardholder is not on the hook, burnish the card companies’ reputation as tireless watchdogs, committed to protecting consumers. Mastercard and Visa promise customers “zero liability.”
In fact, those card companies have no liability. When consumers get scammed, it’s a bank that has to pay them back. Mastercard and Visa — unlike their competitors American Express and Discover, which operate on a different model — suffer no consequences. They have no direct financial incentive to stop fraud, and they bear no responsibility when it continues under their banner.
“Essentially they created a system whereby risk and fraud is actually being tolerated because it generates additional revenues,” said René Pelegero, the former head of global payments for Amazon and founder of the Retail Payments Global Consulting Group. “As long as risk and fraud remains within a certain percentage, it is tolerated.”
Mastercard and Visa both declined to be interviewed by BuzzFeed News.
In response to questions about these issues, Mastercard issued a series of statements. “Our goal at the end of the day is to reduce and eliminate fraud from the system,” one of them says in part. “That’s why our teams are continually developing new technologies.” Mastercard provides banks “with incentives to adopt the most secure technologies to protect consumers/cardholders, their data and the information that flows across our network.”
A Visa spokesperson said, “Visa does not tolerate the use of our network and products for illegal activity. We are vigilant in our efforts to deter fraudulent and illegal activity on our network, and we require banks who are members of the Visa network to enforce their merchants’ compliance with our standards.”
In 2020, credit card fraud accounted for an estimated $10 billion in the US alone. Those billions break down into countless individual stories of loss, like that of a semiretired trucker in Fort Myers Beach, Florida, who saw an ad for a company called My Own Business Education, also known as My Online Business Education, or MOBE. It promised financial security but delivered increasingly high-pressure sales pitches. He ended up spending $70,000, with almost nothing to show for it. A woman in Salt Lake City who was looking to supplement her family’s income spent $60,000, or most of her retirement account, on MOBE courses before she got wise to them.
Sharon Seckinger, 68, of Rome, Georgia, had already retired when she saw MOBE’s ad about starting an online business. In September 2017, she used her credit card to sign up for a $49 online class. Within nine months of what she said was intense sales pressure, her life savings were depleted.
Stories like hers are familiar, as is the rejoinder that people should take responsibility for their own bad decisions. Let the buyer beware.
But what Seckinger and thousands of other MOBE customers didn’t know — and Mastercard did — was that before she ever made her first purchase, six banks on four continents had flagged MOBE for hundreds of allegedly fraudulent transactions. Visa, too, was aware that irate customers had begun demanding their money back.
Instead of forcing the company off their networks, Mastercard and Visa kept facilitating its business as it and other dubious merchants found new bank accounts — and new customers to prey on.
A NEW FRONTIER
At the end of 1996, Paolucci, a blunt New Yorker in his 20s who had spent a year attending veterinary school and a stint flying a Fuji blimp, took a posting in Mastercard’s security and risk management department. Within a decade he was a corporate vice president, leading a team of watchdogs monitoring what banks and businesses were doing on the card network.
Paolucci became a respected authority in his field and an invited speaker in locations as far-flung as Croatia and Beijing. More than half a dozen people who worked closely with him told BuzzFeed News he had a reputation for being tough on compliance, with a special dedication to rooting out payments for child sexual abuse images. Reached by phone, Paolucci declined to comment for this article.
When he joined Mastercard, the credit card companies were beginning their own rapid ascent. As people began using credit cards to shop online — for books and clothes and, of course, porn — Mastercard and Visa took on an outsize role in US commerce. They went from being unassuming card services owned by collectives of banks to being huge independent corporations, with billions in annual revenues, and vast digital networks along which the majority of the US’s 40 billion annual card transactions are processed.
With all those new ways to buy and sell things, however, came a universe of new ways to rip people off. It was a land of opportunity for those who knew how to find it.
A chiropractor named Ron Cadwell was looking. He had started by selling juicers online and then moved into web hosting — until he attended an industry trade show, where someone told him the really big money was in credit cards.
In 1998, he started a company called CCBill, with a novel mission: to process credit card transactions for the adult industry.
Porn was a huge market, but it was rife with billing scams and customer complaints. Many banks refused to go near it. Cadwell invited a roster of adult businesses to process their credit card payments through CCBill’s accounts, offering a shortcut to banking services and to Mastercard’s and Visa’s networks.
It was completely legal. And wildly profitable. Cadwell, who did not respond to calls and letters from BuzzFeed News, charged 11% to 15% of the clients’ transactions, several times what more conventional payment processors do. For Cadwell, that margin helped fund expensive watches, sports cars, a private jet, a boat, and, perhaps most memorably of all, some really astounding parties. The naked volleyball games, the “Rontourage” of women who traveled with him, and the freely flowing champagne are in some circles practically a matter of legend.
Pictures posted to social media show guests reveling in the fun or sleeping it off afterward. “Stripper pole in our suite … for real!” one partygoer wrote in 2008. One of the photos from that same gathering shows two men — Cadwell, who was ushering risky or disreputable businesses onto the Mastercard network, and Paolucci, who was policing that network — leaning in for the camera, with big smiles on their faces.
Mastercard said it does not comment on former staff, but its code of conduct tells employees, “Avoid any situation that could make someone question your intentions, judgment, honesty or objectivity. The appearance of a conflict of interest can be just as damaging to your reputation and to Mastercard’s reputation as an actual conflict.”
Today, Cadwell’s company claims to process payments for more than 30,000 websites, and services like his have become essential parts of daily commerce.
If you open your wallet, you are likely to see at least one card emblazoned with a Visa or Mastercard logo. It is not the card company, however, but rather a bank that has issued that piece of plastic, and which gives you credit when you make a purchase. When you swipe your card at a clothing store, for example, Visa and Mastercard provide the technology for your bank to connect with the store’s bank and then authorize or deny the transaction almost instantaneously. Out of that purchase, usually 1% to 3% goes to the bank that issued the card, and about a 10th of a percent goes to Visa or Mastercard for facilitating the transaction.
For the card companies, it’s a volume business.
“Their interest is for as many transactions to happen as fast as possible, with as little scrutiny as possible because they really do make their money on a transaction happening. That’s it,” said Doug Kantor, general counsel for the National Association of Convenience Stores and a longtime advocate of reforms on the card networks.
By acting as a middle step between clients and banks, payment service providers added a new link in the chain of a financial transaction, as did several other new types of intermediaries. The longer these chains grew, the more complex it became to monitor them and to protect consumers.
Mastercard and Visa introduced new rules to promote transparency, such as requiring payment processors to disclose their high-risk clients. Mastercard built a database, known as MATCH, of businesses whose banks have cut them off for problems including fraud and illegal transactions. Paolucci shared a patent on technology to find merchants who were using deceptive practices. Both card networks promoted vendors whose fraud detection software could help banks monitor their accounts. And both continued to impose fines when companies violated their rules.
But unlike banks, card companies are not the specific responsibility of any one federal agency, leaving them wide discretion in how strictly they enforce their rules.
“There’s this crack in the sidewalk, like, there’s this gap where no one really regulates the networks,” said Stephanie Martz, the chief administrative officer and general counsel for the National Retail Foundation, who has been involved in litigation against the card brands on behalf of large retailers.
“The problem is that we really have just let the fox guard the henhouse for a really long time,” she added.
Asked to name instances in which their policies have succeeded in booting bad actors off their network, neither card company obliged. Mastercard told BuzzFeed News, “It is the banks – those that issue the line of credit to a consumer or connect a merchant to our network – that have a direct relationship with their customers. As a result, they are in a much better position to determine if a transaction is fraudulent based on a wide range of factors and analysis.” As for the database of disgraced companies, Mastercard emphasized that it is not a “blacklist” but rather just a tool for those banks to use when making their own decisions.
“At Mastercard, they don’t really check for fraud,” said Tom Harkins, a former vice president of security and risk management who was with the company from 1985 to 2005. It’s not the card company’s job, he explained. The banks, on the other hand, “have all the liability” and better visibility into individual accounts. The networks “just facilitate the transaction.”
Yet, when the heat is on, the two card companies have shown that they can act decisively — and take credit for doing so. In 2004, following a House committee inquiry, a Mastercard executive testified to Congress that the company had forced banks to remove 370 websites that sold illegal pharmaceutical drugs. (Visa said in the same hearing that it had reminded banks that illegal activity is not allowed on its network but did not remove any sites.) They both dumped WikiLeaks in 2010 after its explosive release of State Department documents.
And in December 2020, they both dropped Pornhub, which allegedly had been hosting child sexual abuse videos, “revenge porn,” and images involving victims of human trafficking. “Our investigation confirmed violations of our standards prohibiting unlawful content,” Mastercard told BuzzFeed News. “As a result, we instructed the acquirers to terminate Mastercard acceptance.”
But that decision, along with Visa’s announcement, came only after a New York Times exposé of Pornhub brought an enormous amount of negative publicity.
SCHEMES AND DREAMS
In 2000, Jeremy Johnson, a Utah native with a round face and a shock of red hair, launched a company called iWorks. Within a few years, according to court records, it had grown into a network of more than 50 shell companies, dozens of sites, and about 900 employees, all to peddle diet plans and quick ways to get government cash. Prosecutors alleged that the sites were also billing customers for things they had never agreed to buy.
Johnson’s eventual conviction for eight counts of lying to banks made national headlines. What has never been reported is how much Visa and Mastercard knew about what he was doing — and how long he was able to continue doing it.
Company documents included in court records show that both card networks knew that an exceptionally high number of iWorks customers were demanding refunds, or “chargebacks” — a red flag for possible fraud. The credit card companies knew that banks were shutting down iWorks accounts as a result. Martin Elliott, Visa’s head of compliance, even spoke to Johnson about these problems on at least two occasions.
One administrative assistant from Tucson, Arizona, along with her husband, struggled to make ends meet after adopting two children with extensive medical needs. She found a Johnson site called federalgovernmentgrantsolutions.com that for $2.99 sent her a CD with information about how to apply for government help. But for months afterward, she received credit card charges totaling hundreds of dollars for memberships in programs she did not sign up for.
A woman in Puyallup, Washington, was also charged $2.99, in her case for a pack of acai berries she spotted on a Johnson site. She was then charged $359.50 in total from a host of companies that she said she didn’t recognize. These women were two of thousands who say they were scammed after shopping on iWorks’ sites.
By the time federal investigators got involved, Johnson and his companies had been added to the MATCH list 29 times. Neither Mastercard nor Visa forced the company off their networks. Elliott, who did not respond to questions from BuzzFeed News, testified that Visa had not terminated a merchant in at least 16 years. It didn’t seem like an effective way to fight fraud, he said, because “some of these merchants that are eCommerce merchants will simply rename themselves.” A banned company could “essentially conceal their true identities and hide from our merchant programs.”
Instead, Mastercard and Visa use fines as their primary enforcement tool. Tim Buckingham, a payments consultant based in London, told BuzzFeed News that that approach makes sense in a business context. “It is a system geared towards a monetary fine as opposed to sort of doing what’s right,” he said. “It’s a money game.”
iWorks racked up about $5 million in fines in a single year, court records show, and then went right on taking people’s money.
So did Matthew Lloyd McPhee, who went by Matt Lloyd, the boyish son of an Australian sheep farmer. In 2013, he started My Own Business Education, or MOBE. Marketed across more than 400 different sites the company operated, MOBE promised an easy way to build a more secure financial future.
“Do you ever feel overworked and underpaid?” Lloyd asked in one of his online pitches. “Have you ever wondered what it would be like to start an online business and make more money in a month than you would in a year?” It sounded good, but federal investigators found that what MOBE customers got for their money was mostly just the chance to sign up more customers. A MOBE director would later testify that most people who enrolled in the program made less than $100.
The scheme paid Lloyd handsomely, however, driving $125 million into the company’s coffers. He bought apartments in Kuala Lumpur, a beachfront resort in Costa Rica, and a 60% ownership stake in a resort on a Fiji island. Lloyd did not respond to emails and phone calls from BuzzFeed News.
Mastercard was first warned about Matt Lloyd in 2015, when a bank closed his account and added him to the MATCH list, according to Mastercard’s records. After that, internal company documents show that six banks on four continents warned Mastercard that Lloyd’s company was conducting hundreds of fraudulent transactions.
Sharon Seckinger, the retired human resources administrator living on a modest fixed income, didn’t know about any of that when she saw Lloyd’s offer and signed up. The first course she paid for was inexpensive, just $49. “Sales coaches” soon started calling, however, pressuring her to buy memberships in ever more expensive tiers of the MOBE program.
By June 2018, she had spent $70,000. She still thought she was investing in her future and that she would be able to build a profitable business. That month, the Federal Trade Commission shut MOBE down, alleging it had “defrauded thousands of customers.”
When she heard about what happened, Seckinger had a sinking feeling. “Oh my god. I have spent all this money. And it’s my last savings. What am I going to do?”
Theo Monroe, a lawyer whose firm specializes in the payments industry, described scams as “endemic to internet commerce.” The great majority, however, go unpunished. The FTC is the primary agency that investigates consumer fraud, “but its resources are extraordinarily limited,” he said. “It can only bring a few actions a year to make an example out of them.” The FTC said it could not comment on individual cases.
Lloyd, like Johnson, had been penalized by his banks for violating the credit card companies’ rules. Lloyd, like Johnson, nevertheless managed to find new banks, and new customers. The banks collected fees, and Mastercard and Visa took a sliver of each additional sale.
Everyone seemed to be making money from their association with Johnson and Lloyd — everyone but their customers.
BETTER CALL PAUL
Porn baron Hamid “Ray” Akhavan does not do subtle. He ran a vast network of sites with names like fuckswipe.com and beaverlicking.com and tooled around in private jets and a purple Lamborghini.
He’s also tough and determined. An Iranian who made his home in Agoura Hills, a wealthy enclave near Los Angeles, he endured painful operations to overcome a degenerative spine condition. He was never going to let something like the chargeback police stop him.
In the early aughts he met Paul Paolucci at a business conference. Over the next 17 years, Paolucci would socialize with Akhavan, spend holidays with his family, and occasionally stay in his home, according to people familiar with the pair’s relationship.
By 2010, Akhavan’s sites were proliferating into an uncountable blur. Using internet tracking tools, BuzzFeed found over 1,000 of them, whose names marry esoteric sexual interests with an array of races and ethnic groups. Dating sites like millionairelovesearch.com were not shy about what they promised, but some left to the fine print stipulations that their users might be chatting up a bot rather than a real person.
It was a risky business, and US banks were wary. So Akhavan flew to Cyprus to meet the owners of the Federal Bank of the Middle East. FBME would become notorious as one of the dirtiest banks in the world, allegedly moving money for drug traffickers, organized crime groups, and repressive dictators.
He and the owners hit it off. Akhavan did not reply to BuzzFeed News’ detailed questions, sent to him via his lawyer, about his businesses. An investigative report would later find that one FBME executive flew on Akhavan’s jet, spent time on his boat, and dined with him at Nobu in Los Angeles. Akhavan was a high roller, and the bank welcomed him as a client.
The bank had welcomed so many high-risk clients, in fact, that Visa Europe ordered an audit.
In May 2012, the corporate investigation firm Kroll issued a damning report stating that high-risk accounts at the bank appeared to be hiding aspects of their business to trick the credit card companies.
Visa cut the bank off, terminating its ability to process payments on the card network.
A few months later, in October 2012, a senior FBME executive emailed Akhavan to say that the bank was again coming under unwelcome scrutiny, with chargebacks reaching 14 times what the networks allowed. “Mastercard International is looking at our performance,” the executive warned.
But Mastercard rarely cut a bank off entirely. In 2016, Paolucci testified that he knew of only one instance when his employer had even restricted a bank’s access to the card network. Unlike its rival, Visa, Mastercard allowed FBME to carry on. “Our review indicated that past problems have been successfully remediated,” Mastercard’s internal report read.
The government, however, took a dimmer view. In 2014, the US Treasury Department came after FBME, calling it a “primary money laundering concern” that aided terrorists and criminals. The government shut off the bank’s access to the US dollar, a rare and drastic measure that it has applied to rogue states like North Korea.
While preparing a counteroffensive, FBME conducted an internal investigation. One of the names that kept coming up was Paul Paolucci.
According to documents from the investigation reviewed by BuzzFeed News, three FBME executives said that Paolucci had told them about a scheme he designed to hide chargebacks and avoid triggering card company fines. One called it Paolucci’s “brainchild.”
The private investigators were skeptical. “I found it very difficult to believe that a man with such a high respectable profile would put his entire reputation at risk for such an operation,” one wrote in the report.
Paolucci was not charged with any crime, and he stayed on as a vice president at Mastercard — but his close relationship with Akhavan would lead to the downfall of both men.
UP IN SMOKE
On Jan. 13, 2019, a resident of San Francisco logged on to a website to buy a couple of orange cream–flavored vape cartridges. It was one of several purchases he made over an eight-month period from Eaze, a West Coast cannabis delivery company. The merchandise was unremarkable, but there was something strange about the website: It accepted Mastercard.
California laws permit cannabis sales, but federal law bans them, so Mastercard and Visa don’t allow it on their networks. Why, then, did the Eaze website feature the Mastercard logo?
The question might not have occurred to most people, but this particular customer, Meysam Moradpour, happened to be a vice president at Mastercard. He emailed his employer’s compliance department, along with screenshots of his billing statements. The email made its way up the line to Paolucci.
Mastercard investigated and, according to court documents, found that Eaze had been routing its customers through fake websites with innocuous billing descriptors to fool banks about the nature of the transaction.
Federal agents investigated too. When the whole story came into view, prosecutors alleged the deceptive billing scheme had been set into motion by none other than Ray Akhavan.
In March 2020, Akhavan was arrested in California and charged, along with an associate, with conspiracy to commit bank fraud.
In court a year later, the then-CEO of Eaze revealed that Akhavan had been tipped off about Mastercard’s investigation into Eaze. “Ray said that he had someone who worked at MasterCard who forwarded him the email, the compliance email,” the CEO testified. To be safe, he added, Akhavan decided he “was proactively going to shut down Mastercard processing.”
The card company insider was not named. A senior Mastercard vice president, however, testified that Paolucci had been terminated because he had “mishandled confidential information.”
It was a small moment, one that went barely noticed as prosecutors painted a portrait of Akhavan as a brazen con artist who traveled the world “creating fake companies and fake websites, and ginning up fake web traffic to those fake websites, all in the service of fraudulently moving money through the United States financial system.”
Akhavan wasn’t the only one prosecutors pointed a finger at. They questioned the founder of a fraud detection company called Web Shield. It was one of a small number of vendors that Mastercard encouraged banks to use. His texts, however, suggest that instead of sounding the alarm on Akhavan’s fraudulent websites, he was offering advice on how to make them seem legitimate.
The founder of Web Shield, Christian Chmiel, did not respond to questions from BuzzFeed News, and the Department of Justice declined to comment.
Confidential court records held an even bigger surprise. Prosecutors named Paul Paolucci as an unindicted co-conspirator — meaning that even though they did not pursue a case against him, they allege he took part in Akhavan’s conspiracy to commit bank fraud.
THE HOUSE ALWAYS WINS
Akhavan, convicted last year of conspiracy to commit bank fraud, is serving a two-and-a-half-year sentence. Many of the domain names in the sprawling empire he once ran are now up for sale.
After being sacked by Mastercard, Paolucci has not been seen much by his former associates.
At Mastercard, a new CEO is in place and profits are booming. In 2021, the company earned about $19 billion in revenue, up 23% from the year before. Visa earned $24 billion in revenue in 2021, up 10% from the previous year.
In that same year, the FTC recorded 88,354 cases of fraud in which a credit card was used. That figure is widely understood to be only a small fraction of the actual number.
For countless victims, the wounds remain raw.
Sharon Seckinger, who lost her retirement savings to MOBE, now picks up rides to and from Atlanta’s Hartsfield-Jackson Airport to make a little extra money. Some banks waived her outstanding balances. Others refused. Now 68, she’s still making payments after filing for bankruptcy in January 2019.
Johnson, who ran iWorks, was convicted of multiple charges of lying to a bank and sentenced to more than 11 years in prison, which was later reduced to seven years, though he was granted early release in 2020 because of the pandemic. Reached by BuzzFeed News, he said that according to the terms of his release, he was not permitted to comment.
Lloyd, the founder of MOBE, never faced criminal charges. The FTC, however, barred him from ever again selling or marketing business coaching and investment opportunities. It took possession of his business accounts and his properties in Kuala Lumpur, Costa Rica, and Fiji. In a later settlement he was ordered to pay more than $323,000 in restitution. He neither denied nor admitted guilt.
Last month, the government returned $23 million to people who were identified as victims of MOBE. Seckinger received what she described as a “small amount of money.”
Lloyd’s Costa Rica property, a waterfront resort called Sunset del Mar, was seized and sold, with the proceeds earmarked for MOBE’s customers. The property’s new owner was Lloyd himself, who bought it back for $225,000.
He booted his YouTube page back up in April 2020. A few months later, from the safety of his Costa Rica complex, he started promoting Strive Courses, his new business. It offered the secrets to a healthy and wealthy life, all major credit cards accepted.