Australia first to adopt new e-commerce security requirement to combat cybercrime, says Visa

Visa, the world’s leader in digital payments, has today announced a new ecommerce security requirement to help Australian businesses combat a growing form of cybercrime and gain over 13,000 hours a year in otherwise lost time trading.^[1]

As commerce rapidly moves online, more businesses are being targeted with enumeration attacks, the criminal practice where fraudsters use automation to test and guess payment credentials such as Primary Account Number (PAN), card verification value (CVV2), expiration date and post code, which can then be used in fraudulent transactions. It is the rising use of botnets – which are networks of hijacked computer devices – that are being used to carry out and scale these attacks.

In response to the size of the threat, and as part of its new Australian Security Roadmap 2021-2023 launched today, Visa has introduced a new requirement for ecommerce payment providers in Australia to ensure they invest in botnet detection capabilities to identify and prevent enumeration attacks, by October 2022.

“Australia is the first country in which we are making botnet detection capabilities a requirement, owing to the growth in attacks we’ve seen in the past 12-18 months,” said Joe Cunningham, Visa’s Head of Risk for Asia Pacific.

“Botnet detection is now critical in protecting sellers from malicious cyber-attacks and we will work together with a seller’s acquiring bank or payments gateway to ensure that whichever entity is closest to their online checkout page has the right controls in place. It’s a whole-of-ecosystem effort,” he said.

Controls for botnet detection include restricting the number of transactions that can be processed by the merchant from a single card per minute, scanning for anomalies in shopping cart data, blocking accounts after a certain number of login attempts and CAPTCHAs^[2] , which are tasks that are designed to be easy for humans and difficult for bots.

According to new research commissioned by Visa and conducted by YouGov, while nearly half (45%) of Australian consumers find CAPTCHA-style tools annoying when they shop online, over three quarters (76%) are supportive of merchants using the technology if it means keeping their online payments secure. In fact, more than half (53%) of Australian consumers have abandoned their shopping cart due to concerns their payments were not secure.

“The way Australians choose to shop is changing, and so is the nature of fraud, which means it’s vital sellers are ready. Investing in online security capabilities is the best way for businesses to protect against attacks that could damage their brand and customer experience, or even take them offline,” added Julian Potter, Visa’s Group Country Manager, Australia, New Zealand and South Pacific.

With a team of over 850 cybersecurity specialists, Visa provides 24/7, real-time fraud detection and mitigation, analysing millions of transactions everyday for known and emerging threats. Visa’s artificial Intelligence (AI) powered technology is able to spot patterns in data otherwise undetectable by humans to identify enumeration patterns and alert affected financial institutions and merchants before fraudulent transactions begin.

Visa’s new Security Roadmap highlights the steps Visa will be taking across six key areas to continue to secure digital payments in Australia, including:

• Preventing enumeration attacks through new ecommerce requirements
• Driving adoption of secure technologies
• Securing digital first payment experiences, including contactless ATM access
• Enhancing the cybersecurity posture of ecosystem participants
• Preventing Australian consumers and businesses from becoming victims of scams
• Ensuring ecosystem resilience through real-time artificial intelligence solutions

Visa continues to publish up to date best practices for merchants on what they can do to guard against cybercrime, as well as some guidance on what issuers of Visa credentials can do to reduce the impact of enumeration.