Visa has finalised its 2021-2023 security roadmap, mandating ecommerce payment providers in Australia to have botnet detection capabilities to identify and prevent enumeration attacks by October 2022.

Australia is the first country in the world in which Visa is mandating the capabilities, following a significant rise in attacks over the past 12 to 18 months.

Enumeration attacks involve using retailers’ ecommerce platforms to mass-test combinations of credit card numbers, expiry dates, and CVV numbers until a payment is approved. The attacks are carried out using ‘botnets’, networks of other hacked computers operated remotely through a single computer.

Fraudsters — generally organised crime — then either sell the numbers on the dark web or use them to make their own purchases.

Retail businesses hit with enumeration attacks will often have to temporarily shut their websites. One indication of an enumeration attack may be a small business that generally gets 10,000 transactions per year suddenly getting 10,000 in a single month.

Visa estimates this cost at least 13,000 lost hours of trading between July 2020 and June 2021 in Australia. While the onus will be on a retailer’s payment processing partner to provide the protection measures, retailers concerned about lost trading hours before the October 2022 date can start that conversation with their partners immediately.

Visa chief risk officer for Australia, New Zealand & South Pacific, Carolina Gallegos tells RetailBiz, “I would recommend that they reach out proactively to their payment processing partners, whether that’s directly through an acquiring bank, or if that’s a payment gateway, or whoever it is that’s providing the payment processing on their ecommerce site.”

While some botnet protections are already common — CAPTCHA codes for example — Gallegos says there are other methods that create less friction for your customers. That includes tactical throttling, where multiple attempts in a short time period from the same IP address — or computer — will trigger a two to three second pause between them.

Other controls for botnet detection include restricting the number of transactions that can be processed by the merchant from a single card per minute, scanning for anomalies in shopping cart data, and blocking accounts after a certain number of login attempts.
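A sketch of how tactical throttling and the per-card limit described above could sit in front of an authorisation call. This is an added example, not Visa's or any payment provider's code; the class and function names, the window lengths and the attempt counts are assumptions, and only the two-second pause and the per-minute card window come from the article.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Assumed thresholds; the article specifies only the two to three second pause.
IP_WINDOW_S, IP_MAX_ATTEMPTS = 10, 3     # "short time period" per IP (assumed)
CARD_WINDOW_S, CARD_MAX_TXNS = 60, 3     # per card per minute (count assumed)
PAUSE_S = 2.0                            # pause once an IP exceeds its limit

class EnumerationGuard:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # per-process key for card digests
        self._by_ip = defaultdict(deque)      # ip -> attempt timestamps
        self._by_card = defaultdict(deque)    # card digest -> timestamps

    def _card_id(self, pan):
        # Track a keyed digest so raw card numbers are never held in the table.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).digest()

    @staticmethod
    def _recent(q, now, window):
        # Drop timestamps that left the sliding window, return how many remain.
        while q and now - q[0] >= window:
            q.popleft()
        return len(q)

    def check(self, ip, pan, now):
        """Return (action, delay_seconds) for one authorisation attempt."""
        ip_q, card_q = self._by_ip[ip], self._by_card[self._card_id(pan)]
        ip_seen = self._recent(ip_q, now, IP_WINDOW_S)
        card_seen = self._recent(card_q, now, CARD_WINDOW_S)
        ip_q.append(now)                      # every attempt counts against the IP
        if card_seen >= CARD_MAX_TXNS:
            return ("block", 0.0)             # card velocity limit reached
        card_q.append(now)
        if ip_seen >= IP_MAX_ATTEMPTS:
            return ("delay", PAUSE_S)         # tactical throttling
        return ("allow", 0.0)

def replay(attempts):
    """Run constructed (time, ip, pan) attempts through a fresh guard."""
    guard = EnumerationGuard()
    return [guard.check(ip, pan, t)[0] for t, ip, pan in attempts]

if __name__ == "__main__":
    # Constructed sample: one IP cycling through five made-up card numbers.
    burst = [(t, "203.0.113.7", f"411111111111{t:04d}") for t in range(5)]
    print(replay(burst))
```

The two counters cover different patterns: the per-IP window slows a single source cycling through many cards, while the per-card window catches one card being retried from many addresses, which per-IP throttling alone would miss.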

Visa’s new Security Roadmap highlights the steps Visa will be taking across six key areas for digital payments, including:

  • Preventing enumeration attacks through new ecommerce requirements
  • Driving adoption of secure technologies
  • Securing digital first payment experiences, including contactless ATM access
  • Enhancing the cybersecurity posture of ecosystem participants
  • Preventing Australian consumers and businesses from becoming victims of scams
  • Ensuring ecosystem resilience through real-time artificial intelligence solutions