Ecommerce payments providers in New Zealand will be asked to implement a range of new security requirements to stop cyber criminals from carrying out automated enumeration attacks, Visa said.
The digital transactions giant said that New Zealand retailers face a growing risk of fraudsters using automation to guess primary account numbers (PANs), card verification values (CVV2s) and expiration dates, with botnets used to carry out and scale the enumeration attacks.
Visa introduced similar measures in Australia, making it the first country in the world to enforce botnet detection capabilities by October this year.
New Zealand retailers will have to introduce countermeasures against enumeration attacks, with advanced controls, by October 2023.
Providers must implement scanning features to spot anomalies in shopping cart data, and block account logins after a specified number of attempts.
Limiting the number of transactions on a single card that a merchant can process per minute will also be required.
Merchants will also have to use CAPTCHA (a completely automated public Turing test to tell computers and humans apart) from October next year.
Visa's head of risk for Asia-Pacific, Joe Cunningham, said the tighter transaction requirements for merchants were driven by new research showing that more than half of Kiwis have abandoned online purchases, with concern about security the top reason.
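The per-card transaction limit and the guessing pattern described above can be sketched as follows. This is an added example, not Visa's or any provider's code; the `EnumerationGuard` class, both thresholds and the sample card numbers are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # "per minute" is from the article
MAX_TXNS_PER_CARD = 5      # assumed threshold; the article gives no figure
MAX_DISTINCT_GUESSES = 3   # assumed: distinct expiry/CVV2 pairs tolerated per card per window


class EnumerationGuard:
    """Per-card velocity limit plus a check for expiry/CVV2 guessing."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = defaultdict(deque)  # card fingerprint -> (timestamp, guess fingerprint)

    def _fp(self, value: str) -> str:
        # Keyed hash so raw PANs and CVV2s are never held in the counter state.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def check(self, ts: float, pan: str, expiry: str, cvv2: str) -> str:
        attempts = self._seen[self._fp(pan)]
        while attempts and ts - attempts[0][0] >= WINDOW_SECONDS:
            attempts.popleft()           # drop attempts older than the window
        attempts.append((ts, self._fp(f"{expiry}|{cvv2}")))  # blocked attempts still count
        if len({guess for _, guess in attempts}) > MAX_DISTINCT_GUESSES:
            return "block:enumeration"   # same card, many different expiry/CVV2 values
        if len(attempts) > MAX_TXNS_PER_CARD:
            return "block:velocity"      # too many transactions on one card per minute
        return "allow"


def run_demo() -> dict:
    guard = EnumerationGuard(key=b"constructed-demo-key")
    test_pan = "4111111111111111"        # constructed sample input (common test number)
    guessing = [guard.check(t, test_pan, "12/27", f"{t:03d}") for t in range(6)]
    other_pan = "4000000000000002"       # constructed sample input
    repeat = [guard.check(100 + t, other_pan, "01/28", "123") for t in range(7)]
    later = guard.check(500, other_pan, "01/28", "123")
    return {"guessing": guessing, "repeat": repeat, "later": later}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Counting blocked attempts toward the window keeps a card blocked for as long as the automated traffic continues, and the card is accepted again once the window has passed.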
The digital payments provider has issued a security roadmap [pdf] for the growing e-commerce ecosystem in New Zealand, asking merchants to use tokenisation and the EMV 3-D Secure messaging protocol, and to work on their cybersecurity postures.
For the future, Visa said it is rethinking static authentication data such as personal identification numbers and CVV2, to adapt to a changing threat landscape in which credential harvesting by cyber criminals is increasingly common.
The company is mulling over whether credit cards will shift to digital-only offerings in the next five years, or whether physical ones will be maintained to ensure interoperability and access.
Removing key entry at the point of sale, a legacy mechanism for making mail or telephone orders (MOTOs), is under consideration as sellers adopt mobile technology for secure payments acceptance.