Visa pilots enumeration attack prevention requirement in Australia

Visa has chosen Australia as the first country worldwide where all "e-commerce payment providers" must have botnet detection capabilities in place by October to mitigate the threat posed by enumeration attacks.

The payments giant said it could not fight a rise in enumeration attacks alone and needed the assistance of the entire payments ecosystem.

Enumeration attacks typically target online retailers and use a script to “send thousands of low value transaction attempts with the aim to get an approval on a valid account number, expiry and CVV2 combination,” Visa said.

Botnets are often used “to carry out and scale these attacks”, which can lead to fraudulent transactions, account compromise or takeover.

Visa unveiled a new Australian security roadmap on Tuesday covering the period 2021-23, which contains the new enumeration prevention requirements.

“Australia is the first country in which we are making botnet detection capabilities a requirement, owing to the growth in attacks we’ve seen in the past 12-18 months,” Visa’s head of risk for Asia Pacific Joe Cunningham said in a statement.

“Botnet detection is now critical in protecting sellers from malicious cyber attacks and we will work together with a seller’s acquiring bank or payments gateway to ensure that whichever entity is closest to their online checkout page has the right controls in place.

"It’s a whole-of-ecosystem effort.”

In the security roadmap [pdf], Visa said that acquirers - essentially the e-commerce merchant’s bank - “will need to be aware of the new rule and ensure that if they are the closest to the seller’s payment page, they have the appropriate controls in place to identify, prevent and disrupt these attacks.”

“If they work with payment gateways or independent solution vendors, acquirers will need to ensure that these entities  closest to the seller’s payment page have the appropriate controls that meet Visa’s requirements,” it said. 

“Acceptable solutions include anomaly detection on authorisations, IP addresses, log ins or sessions, throttling or random pause on account checking and the ability to lock accounts after a certain number of login attempts.”

Visa said it had a team of “over 850 cyber security specialists” and used artificial Intelligence, among other techniques, to “identify enumeration patterns and alert affected financial institutions and merchants before fraudulent transactions begin.”

The company added that it “may implement a compliance program” to identify any parties that did not invest in systems to meet the October 2022 deadline.