In the mid‑1990s, putting your credit card on a website felt like handing it to a stranger in a dark alley. Consumers feared stolen cards, unauthorized charges, and the unknown party on the other end of the connection. Over the next decade, encryption, security innovation, trusted brands and millions of uneventful purchases turned that shady alley into a brightly lit shopping mall consumers could trust.
Fraud is not standing still, though. In the cat-and-mouse game of cybersecurity, hardened defenses spurred the bad guys to invent new technologies, schemes and scams to steal your money. Criminal networks now leverage AI and automation to probe for weaknesses across borders and across payment channels.¹ Recent demonstrations of “relay attacks” have highlighted how individual transaction signals can be manipulated by sophisticated criminals. And fraudsters exploit gaps — between channels, devices, and stages of the payment lifecycle.
But real-world payment security is not built on a single dimension. It is built on layers — credentials, device authentication, real-time risk scoring, network controls and post-transaction monitoring — with each layer designed to catch what another might miss.
Multi-layered security lowers fraud rates
Visa’s defense model spans every payment mode and every stage of the payment lifecycle — from authorization through dispute resolution — operating not as isolated tools but as an integrated system. While individual institutions see activity within their own portfolios, Visa sees how attacks move across channels and markets. That network-level perspective allows us to detect emerging threats in one region and deploy protections globally — often within hours. As we often say: detect once, defend globally.
Despite growing advances in online fraud, our holistic approach to security has lowered fraud rates as a percentage of total transaction volumes across Visa’s network. In 2025, we blocked nearly twice as many fraudulent ecommerce transactions as the prior year, and reduced ecommerce fraud rates across our ecosystem by eight percent.² Through last year’s launch of Visa Scam Disruption, we have worked with clients and law enforcement to dismantle more than 25,000 scam merchants representing more than $1 billion in fraud attempts.³ This progress reflects the impact of $13 billion invested in technology and infrastructure over the past five years.⁴
Looking under the hood of network defense
Security is invisible when it works. It is often taken for granted because the modern internet is designed to feel safe and seamless on the surface, while most of the real danger lurks in an underbelly users rarely see. To appreciate modern payment security, you have to look under the hood of the internet’s payment infrastructure.
1. Secure credentials
Tokens bring in-store confidence to online payments and enable future innovation by replacing sensitive credit card numbers with more secure unique digital identifiers that can be tied to a specific merchant, device, or use case. That ensures that even if a token is stolen, it carries no value for a fraudster beyond the one-time grift. Tokenization has led to a 35% reduction in e-commerce fraud rates, compared to non-tokenized transactions, as well as a nearly 5 percentage point increase in authorization rates compared to using traditional 16-digit card information.⁵
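The domain restriction described above can be sketched in a few lines. This is an added illustration, not Visa's implementation or API: the `TokenVault` class, its method names, the merchant and device identifiers and the test card number are all hypothetical or constructed.

```python
import secrets
from dataclasses import dataclass

TEST_PAN = "4111111111111111"  # constructed: a widely used test number, not a real account


@dataclass(frozen=True)
class TokenBinding:
    pan: str          # real card number, held only inside the vault
    merchant_id: str  # merchant the token was issued for
    device_id: str    # device the token was provisioned to


class TokenVault:
    """Toy token service: random tokens mapped to a PAN plus its allowed domain."""

    def __init__(self):
        self._bindings = {}

    def provision(self, pan, merchant_id, device_id):
        # The token is random, so it reveals nothing about the PAN.
        token = "tok_" + secrets.token_hex(8)
        self._bindings[token] = TokenBinding(pan, merchant_id, device_id)
        return token

    def authorize(self, token, merchant_id, device_id):
        binding = self._bindings.get(token)
        if binding is None:
            return "declined: unknown token"
        if binding.merchant_id != merchant_id:
            return "declined: merchant mismatch"
        if binding.device_id != device_id:
            return "declined: device mismatch"
        return "approved"


def demo():
    vault = TokenVault()
    token = vault.provision(TEST_PAN, "merchant-A", "phone-1")
    return {
        "token": token,
        "legit": vault.authorize(token, "merchant-A", "phone-1"),
        "other_merchant": vault.authorize(token, "merchant-B", "phone-1"),
        "other_device": vault.authorize(token, "merchant-A", "laptop-9"),
        "guessed": vault.authorize("tok_" + "0" * 16, "merchant-A", "phone-1"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A token copied out of its original context is declined at the binding check, and the card number itself never leaves the vault.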
2. Verify identity
Fraudsters must defeat not just the card data, but the user identity layer, a harder barrier. Consumer Device Cardholder Verification Method (CDCVM), which includes biometrics, PINs and device unlock controls, combines with chip cards, cryptograms and other encryption technologies to strengthen authentication in e-commerce environments. These controls ensure that even if payment credentials are present, the person initiating the transaction must prove they are the legitimate user.
3. Score risk
Even if earlier layers are bypassed, anomalous behavior is detected at the network level before authorization. A central defense is Visa Advanced Authorization (VAA), an AI-based risk management tool that evaluates payment transactions on Visa’s network in real time and is enriched by global fraud intelligence signals from issuers and merchants worldwide. The system analyzes billions of individual transactions every year against more than 400 unique risk factors within milliseconds.³ By using machine learning algorithms to find anomalies, VAA is designed to identify and prevent fraud at the most important point: before it happens.
4. Enforce network safeguards
Visa’s networked defense protects not just one bank, but the entire ecosystem through a combination of network-wide risk rules, transaction thresholds, merchant category monitoring and compliance standards enforced across issuers and acquirers. These structural safeguards operate at scale, and limit exposure, allowing Visa to intervene systemically when abnormal patterns emerge — not just at the level of a single institution.
5. Empower issuers
The best defense is a team sport. Even if network controls fail, issuer controls provide another defense layer. Proprietary bank fraud models layered on top of Visa’s risk signals, customer transaction alerts, account monitoring systems and in-app card controls allow cardholders to freeze or manage cards instantly. This distributed layer ensures that institutions and consumers retain real-time visibility and control.
6. Learn, adapt and contain
The system also learns from successful attacks. This last layer bolsters security by focusing on post-transaction monitoring and dispute management, and includes chargeback monitoring, fraud reporting, recovery processes and continuous model retraining informed by confirmed fraud events. Every incident becomes new intelligence, strengthening detection models and enhancing protections across the ecosystem. Global threat alerts are sent to clients to contain attacks, reflecting our “detect once, protect everywhere” mantra.
Online shopping may be entering its most innovative era to date. AI, cryptocurrency and decentralized finance are reshaping the future of commerce — and how criminals attempt to exploit it. But layered, network-level defense is built for adaptation. In collaboration with our worldwide partners, we are not just defending against today’s scams. We’re building the trust framework that allows tomorrow’s commerce to scale securely.
¹ ACFE Insights Blog
² 2025 CEO Letter
³ Q4 2025 Earnings Transcript
⁴ Ibid
⁵ Calendar year 2024, via Annual Report 2025