How Visa's New Security Requirement Challenges E-commerce | GBAF

How Visa's New Security Requirement Challenges E-commerce | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > Visa’s anti-bot play means it’s time to think beyond the CAPTCHA

Visa’s anti-bot play means it’s time to think beyond the CAPTCHA

Published by Jessica Weisman-Pitts

Posted on February 15, 2022

4 min read

Last updated: January 20, 2026

Illustration of CAPTCHA technology used to prevent online bot fraud - Global Banking & Finance Review — The image illustrates CAPTCHA technology, highlighting its role in preventing online bot fraud as discussed in Visa's new e-commerce security measures. This is crucial for enhancing customer experience while combating enumeration attacks.

By Marc Brown, APJC Director, Sales and Solutions Engineering for multi-cloud security and application delivery company F5.

Most of us are familiar with the experience of having to tick a box and evaluate a few images or write out distorted letters to prove ‘I am not a robot’ when shopping online.

CAPTCHA’s challenge-response technology has become a popular defence for online retailers to separate the bots from the humans, but an unpopular pain point for customers. Research from Stanford University indicates CAPTCHAs can reduce form conversions by up to 40 per cent.

Visa Australia’s new e-commerce anti-bot security requirement in Australia, which mandates that payment processors put in place anti-bot technology to prevent enumeration attacks by October 2022, risks CAPTCHA become a much more common feature in our lives. This is a challenge for payment processors and e-commerce companies to meet Visa’s requirements without damaging the customer experience.

Enumeration attacks involve the use of bots to test payment details such as a primary account number (PAN), card verification value (CVV2 – or – the number on the back), and expiration date. Validated details can be used in fraudulent transactions, against the organisation being attacked, or against a third-party organisation. These attacks are a major contributor to card-not-present (CNP) fraud, which, according to the Australian Payments Network, rose by 12.3 per cent in FY21 to the tune of $442 million.

Visa wants to combat the large increase in enumeration attack fraud it has detected in the past 18 months. Its Security Roadmap states: “These attacks generally lead to compromised accounts and account takeovers. However, the residual aspects of these schemes, while not always conspicuous, have additional negative effects on various ecosystem parties. These impacts include fees, operational inefficiencies, fraud and reputational risk for all parties involved.”

Security versus simplicity

While I applaud Visa’s intention with this regulation, payment processors – such as Eway, SecurePay and recently ASX-listed Block – may struggle to meet this requirement without broad support from e-commerce organisations – such as Woolworths, JB Hi-Fi, and Officeworks – which will be hesitant to further aggravate consumers.

When we send our credit card details online, they are usually collected and processed via one of two model – a payment gateway hosted card form, or an e-commerce company hosted card form sent to a payment gateway via an API. In the first model, the payment processor has visibility of the entire transaction and can use programming language JavaScript to collect various signals to identify bots. In the second, the processor has less visibility as it relies on data sent to them via the e-commerce company’s API, making it harder to detect bots.

CAPTCHA has served as a quick and easy stopgap across these corelated industries to prevent enumeration attacks from taking place. But as attackers become more sophisticated, so too do the puzzles the real humans need to solve to prove their real, building on the already potent frustration they experience.

The unpopularity of these systems will only increase as our need for instant digital gratification rises. Visa even acknowledged users’ discontent with CAPTCHA in its anti-bot requirement announcement. Further, according to a former ‘human CAPTCHA solver’, they are merely a speedbump for motivated attackers anyway.

Visa’s mandate in Australia – likely to be a testing ground for other regions and other financial services giants to follow – marks an opportunity to get more creative and user-friendly about how we screen for humans.

There are many ways in which we act differently to bots. For example, if a human enters incorrect credit card details, they will likely take a few seconds and re-enter correctly, mostly getting it right on the second go for fear of blocking the card. A bot might send tens of thousands of attempts in a matter of seconds.

Modern bot defence needs to incorporate automation and AI tools to identify these anomalies, not force customers to justify their own humanity. Modern consumers won’t tolerate disruption to their security or simplicity – if you want to sell, you’ll have to satisfy both.

This is a Sponsored Feature.