Visa’s new requirement to fight enumeration attacks

  • By Zilla Efrat

Australia will become the first country in the world where Visa will require e-commerce payment providers to invest in botnet detection capabilities by October 2022.

Visa announced the news yesterday in a bid to the growing threat of enumeration attacks, where fraudsters use automation to test and guess payment credentials such as primary account number (PAN), card verification value (CVV2), expiration date and postcode, and then use these in fraudulent transactions.

Visa says botnets – which are networks of hijacked computer devices – are being used to carry out and scale these attacks.

"Australia is the first country in which we are making botnet detection capabilities a requirement, owing to the growth in attacks we've seen in the past 12-18 months," says Joe Cunningham, Visa's head of risk for Asia Pacific.

"Botnet detection is now critical in protecting sellers from malicious cyber-attacks and we will work together with a seller's acquiring bank or payments gateway to ensure that whichever entity is closest to their online checkout page has the right controls in place. It's a whole-of-ecosystem effort."

Controls for botnet detection include restricting the number of transactions that can be processed by the merchant from a single card per minute, scanning for anomalies in shopping cart data, blocking accounts after a certain number of login attempts and CAPTCHAs, which are tasks that are designed to be easy for humans and difficult for bots.

According to new research commissioned by Visa and conducted by YouGov, while nearly half (45 per cent) of Australian consumers find CAPTCHA-style tools annoying when they shop online, over three quarters (76 per cent) are supportive of merchants using the technology if it means keeping their online payments secure. More than half (53 per cent) of Australian consumers have abandoned their shopping cart due to concerns their payments were not secure.

"The way Australians choose to shop is changing, and so is the nature of fraud, which means it's vital sellers are ready,” says Julian Potter, Visa's group country manager, Australia, New Zealand and South Pacific.

“Investing in online security capabilities is the best way for businesses to protect against attacks that could damage their brand and customer experience, or even take them offline."