New Visa and Mastercard security standards in the context of the fight against carding
Carding is a type of fraud in which criminals use stolen bank card data for unauthorized transactions, most often online. Visa and Mastercard, as leaders in the payment industry, are developing and rolling out security standards to reduce the risk of carding. These standards combine newer technologies such as Secure Remote Commerce (SRC), network tokenization, biometric authentication and machine-learning fraud scoring with updated frameworks and protocols such as PCI DSS v4.0.1 and 3D Secure 2. In this answer, I examine how these initiatives combat carding, with an educational focus on how they work in practice and why they are effective.
What is carding and why does it remain a problem?
Carding is the use of stolen card data (number, CVV, cardholder name, expiration date) for purchases, cash-outs, or other transactions. The main methods used by carders are:
- Phishing and skimming: Obtaining data through fake websites, malicious scripts injected into checkout pages (web skimming), or skimming devices on ATMs and POS terminals.
- Data interception: Attacks on vulnerable merchant systems or database leaks.
- Card testing: Checking the validity of cards through small transactions (card-not-present, CNP).
- Account takeover (ATO): Hacking user accounts to use saved cards.
Carding losses run to billions of dollars annually (Mastercard cites a projection that global cybercrime damages will reach $15.6 trillion by 2029). The main exposure is online, card-not-present (CNP) transactions, which involve no physical card and so cannot rely on the EMV chip. The newer Visa and Mastercard standards aim to close these gaps, making carding harder and less profitable.
Key standards and technologies for combating carding
1. Secure Remote Commerce (SRC): Unifying and Protecting Online Payments
Secure Remote Commerce (SRC) is a specification developed by EMVCo (with participation from Visa, Mastercard, American Express, Discover and others) that defines a unified online checkout that minimizes the risks of carding.
- How SRC works:
- The user enrolls a card in an SRC system (for example, Visa's or Mastercard's Click to Pay, both of which implement the EMV SRC specification), creating a "digital card" profile.
- Instead of entering card details on the merchant's website, a token (a unique digital identifier) linked to a specific card is used.
- 3D Secure (3DS) and/or biometrics (fingerprint, facial recognition) are used for authentication.
- The payment process is simplified to a single click, reducing the risk of phishing since card details are not entered manually.
- How SRC combats carding:
- Tokenization: The merchant receives a network token instead of the PAN. The token is restricted to a domain (this merchant, device, or channel) and paired with a one-time cryptogram per transaction, so even if a carder captures a token it cannot be replayed at another merchant or for another purchase.
- Reduced Leaks: Since card data is not stored by the merchant, database leaks (the main source of carding) become less dangerous.
- 3D Secure 2: Requires additional verification (a one-time password, a passkey, or biometrics) when the risk score warrants it, so stolen card data alone is not enough without access to the owner's phone or enrolled device.
- Anti-skimming: Since the card number is never typed into the merchant's form, a script injected into the checkout page has no PAN to harvest. (Script-integrity controls for payment pages, such as Subresource Integrity, come from PCI DSS rather than from the SRC specification itself.)
- Status in 2025:
- Visa has completed the migration from Visa Checkout to Visa Click to Pay (built on SRC); Visa-reported figures put the fraud reduction at 60-80% in regions with full integration.
- Mastercard implements SRC through its own Click to Pay; separately, its Agent Pay program (2025) extends tokenized payments to AI agents acting for the user (e.g., subscriptions, IoT devices).
- Problem: Not all merchants have switched to SRC because it requires updating their payment gateways. Merchants that still accept manually entered PANs remain the path of least resistance for carders.
- Example: A carder buys stolen card details (number, CVV) on the darknet. Without SRC, they can type them into a poorly protected merchant site. With SRC, the site accepts a token plus 3DS authentication, so the raw data is useless without the owner's phone or enrolled device.
2. Tokenization: The Main Barrier for Carders
Tokenization replaces the real card number (PAN, Primary Account Number) with a surrogate value (token) that is valid only in a specific context (device, merchant, channel) and cannot be reversed to the PAN without the token service provider's vault.
- Visa Token Service (VTS):
- Issues a separate token for each card and each requesting party, binding it to a device or merchant.
- Used in Visa Click to Pay, Apple Pay, Google Pay and other services.
- In 2025, VTS expands to support AI agents and IoT (e.g., smart refrigerators that order groceries).
- Mastercard Digital Enablement Service (MDES):
- Mastercard's equivalent tokenization platform; it issues the tokens behind Mastercard Click to Pay and, from 2025, Agent Pay.
- In 2025, Mastercard introduced Agentic Tokens: tokens issued to AI agents that automate purchases (for example, renewing a streaming subscription via a voice assistant) while remaining traceable to the user who authorized the agent.
- How tokenization combats carding:
- At a tokenized merchant, the checkout never accepts a raw PAN, so stolen PAN and CVV cannot be used there; the token is provisioned to a specific device or merchant and cannot be derived from the PAN.
- Merchants store only the token, never the PAN, so a leak of the merchant's database yields values that the token service will not honor outside their domain.
- When a carder tries to use stolen PAN data in a tokenized environment, the transaction is rejected because no valid token (and cryptogram) is presented.
- Example: A carder tries to use a stolen card number at a large merchant such as Amazon. If the merchant uses network tokenization (for example, via VTS), the authorization carries a token the carder does not have. And if the merchant's database leaks, it contains tokens, not card numbers.
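To make the domain restriction concrete, here is an added example (not code from Visa, Mastercard or EMVCo) of a toy token vault playing the token service provider role that VTS and MDES fill: the PAN is replaced by a token bound to one merchant and one device, the PAN lives only inside the vault, and an authorization is refused when the token is presented from another merchant or device, with a forged cryptogram, or as a replay. The HMAC cryptogram stands in for the real per-transaction cryptogram; PANs, merchant and device identifiers, nonces and keys are all constructed.

```python
"""Domain-restricted network tokenization, in miniature.

Added example; this is not code from Visa, Mastercard or EMVCo. It models
what a token service provider (TSP, the role VTS and MDES play) does:
replace the PAN with a token bound to one merchant and one device, keep the
PAN only inside the vault, and reject an authorization when the token is
presented outside that domain, with a forged cryptogram, or as a replay.
PANs, merchant and device identifiers, nonces and keys are all constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    merchant_id: str   # domain restriction: the merchant the token was issued to
    device_id: str     # domain restriction: the device it was provisioned on
    key: bytes         # per-token key shared only with that device


def make_cryptogram(key: bytes, token: str, merchant_id: str,
                    amount_cents: int, nonce: str) -> str:
    """One-time transaction cryptogram (HMAC stands in for the real scheme).

    It binds the token to merchant, amount and a fresh nonce, so a captured
    value cannot be reused for a different purchase.
    """
    msg = f"{token}|{merchant_id}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """The TSP side: the only place the PAN exists after provisioning."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}
        self._seen: set[str] = set()   # cryptograms already honored (replay check)

    def provision(self, pan: str, merchant_id: str, device_id: str) -> tuple[str, bytes]:
        # The token keeps only the last four digits for display; the rest is random,
        # so nothing about the PAN can be recovered from the token itself.
        # (Real network tokens are also Luhn-valid; skipped here for brevity.)
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(11)) + pan[-4:]
        key = secrets.token_bytes(32)
        self._tokens[token] = TokenRecord(pan, merchant_id, device_id, key)
        return token, key

    def authorize(self, token: str, merchant_id: str, device_id: str,
                  amount_cents: int, cryptogram: str, nonce: str) -> tuple[bool, str]:
        """Detokenize and approve only if every binding holds."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id or rec.device_id != device_id:
            return False, "token presented outside its domain"
        expected = make_cryptogram(rec.key, token, merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        if cryptogram in self._seen:
            return False, "replayed cryptogram"
        self._seen.add(cryptogram)
        return True, f"approved, PAN ending {rec.pan[-4:]} charged {amount_cents} cents"


def scenario() -> dict[str, tuple[bool, str]]:
    """Legitimate use followed by the things a carder can try with a stolen token."""
    vault = TokenVault()
    token, key = vault.provision("4111111111111111", "merchant-A", "phone-1")  # constructed PAN
    merchant_db = {"customer-42": token}            # the merchant never sees the PAN
    stolen = merchant_db["customer-42"]             # what a leak of that database yields
    crypto = make_cryptogram(key, token, "merchant-A", 4999, "nonce-1")
    return {
        "legit purchase": vault.authorize(token, "merchant-A", "phone-1", 4999, crypto, "nonce-1"),
        "replay at same merchant": vault.authorize(stolen, "merchant-A", "phone-1", 4999, crypto, "nonce-1"),
        "token at another merchant": vault.authorize(stolen, "merchant-B", "phone-1", 4999, crypto, "nonce-1"),
        "token from carder's device": vault.authorize(stolen, "merchant-A", "laptop-9", 4999, crypto, "nonce-1"),
        "forged cryptogram": vault.authorize(
            stolen, "merchant-A", "phone-1", 4999,
            make_cryptogram(b"guess", stolen, "merchant-A", 4999, "nonce-2"), "nonce-2"),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:28} -> {'APPROVED' if ok else 'DECLINED'}: {why}")
```

Only the first authorization succeeds; the leaked token fails at a second merchant, from a different device, with a guessed key, and as a straight replay. The ordering of checks matters in practice: the domain check runs before the cryptogram check so that a token stolen from a merchant database is rejected without revealing whether the cryptogram was valid.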
3. Biometric Authentication: A New Level of Security
Visa and Mastercard are actively deploying biometrics (face, fingerprint, and voice recognition) as part of SRC and 3D Secure.
- Visa:
- Partnership with QNB (Qatar) in 2025: the first implementation of biometric authentication in Click to Pay.
- Visa's approach (the Visa Payment Passkey Service) is built on FIDO passkeys: the face or fingerprint is matched on the user's device and the biometric template never leaves it, which also keeps the scheme within privacy laws such as GDPR and CCPA.
- Example: A user confirms a purchase by scanning their face on a smartphone.
- Mastercard:
- Integration of biometrics into Mastercard Identity Check (part of 3DS 2.0).
- Pilot projects with the FIDO Alliance for a verifiable credentials standard, where biometrics confirm not only identity but also transaction details.
- How biometrics combat carding:
- A carder holding only card data has neither the owner's enrolled device nor the biometric template, so the verification cannot be satisfied by replaying stolen data.
- Reduces the risk of account takeover, since checkout with a saved card requires biometric (or passkey) verification, not just the account password.
- Reduces reliance on passwords that are vulnerable to phishing.
- Example: A carder gains access to a user's account using a stolen password. The payment attempt is rejected because biometric verification is required, which the carder does not have.
4. PCI DSS 4.0.1: Protecting Merchants' Infrastructure
PCI DSS v4.0.1 is the current card data security standard (v3.2.1 was retired on 31 March 2024, and the future-dated requirements of v4.x became mandatory on 31 March 2025).
- Key changes:
- Payment-page script controls: Every script on the payment page must be inventoried, authorized and integrity-protected (requirement 6.4.3), and a change- and tamper-detection mechanism must alert on unauthorized modifications to the page as received by the browser (requirement 11.6.1). Subresource Integrity (SRI) and Content Security Policy are common ways to implement the integrity part. This targets web skimming, the main method carders use to intercept data at checkout.
- Enhanced monitoring: Automated log review and alerting replace manual review, and payment-page change detection must run at least weekly (or at a frequency justified by a targeted risk analysis).
- Flexibility: The new "customized approach" lets an organization meet a requirement's stated objective with controls tailored to its environment, validated by the assessor, while the strict objectives for online payments remain.
- How PCI DSS 4.0.1 combats carding:
- Prevents web skimming through payment-page script controls.
- Requires PAN to be rendered unreadable wherever it is stored and encrypted with strong cryptography in transit over public networks, which reduces the value of interception.
- Strengthens merchant auditing, reducing the likelihood of leaks exploited by carders.
- Example: A carder injects a skimmer script into a merchant's checkout page. Under PCI DSS v4.0.1 the page's scripts are inventoried with integrity checks and a tamper-detection mechanism watches the page, so the unauthorized script is either refused by the browser or flagged before it can collect card data at scale.
5. 3D Secure 2.0: Dynamic Authentication
3DS2 (EMV 3-D Secure 2) is the protocol by which a merchant asks the card issuer to authenticate the cardholder for an online transaction.
- How it works:
- The merchant sends the issuer 100+ data elements (device fingerprint, IP geolocation, billing and shipping data, account history) for real-time risk scoring.
- If a transaction appears suspicious, it requests additional confirmation (OTP, biometrics).
- Supports "frictionless flow"—secure transactions without unnecessary steps for legitimate users.
- How it combats carding:
- A carder cannot complete the challenge without access to the owner's phone, banking app, or enrolled biometric.
- Risk scoring flags anomalies (such as a purchase from a country that matches neither the billing address nor past behavior), and the issuer challenges or declines the transaction.
- Visa reported in 2024 that 3DS2 cuts chargeback rates by around 70%.
- Example: A carder attempts to purchase electronics using stolen data. 3DS 2.0 detects a geolocation discrepancy and requests an OTP sent to the owner's phone. The transaction is rejected.
6. AI and Machine Learning in Fraud Detection
Visa and Mastercard are investing billions in AI to combat carding (Visa cites more than $3 billion over ten years on AI and data infrastructure).
- Visa Advanced Authorization:
- Analyzes billions of transactions in real time to identify carding patterns.
- Uses geolocation, behavioral analysis, and device data to assess risk.
- Mastercard Decision Intelligence:
- The model, updated in 2025, also scores transactions that AI agents initiate through Agent Pay.
- Threat intelligence from Recorded Future, which Mastercard acquired in December 2024.
- How AI fights carding:
- Detects card testing (small transactions to check validity).
- Blocks mass automated attacks (for example, bulk guessing of expiry dates and CVVs against a checkout page).
- Adapts to new carding methods, including AI-generated fake accounts.
- Example: A carder tests stolen cards with microtransactions. Visa's models see the pattern (many distinct cards, tiny amounts, one IP address, attempts seconds apart), decline the remaining attempts and flag the tested cards for the issuers.
7. Agentic Commerce and Agentic Tokens
Mastercard is actively developing Agent Pay and Agentic Tokens for automated payments performed by AI agents (e.g., voice assistants, smart devices).
- How it works:
- AI agents (such as Alexa) receive tokens to perform transactions on behalf of the user.
- Verification through the Verifiable Credential Standard (FIDO Alliance) confirms the legitimacy of the agent and the transaction.
- How it combats carding:
- Tokens are tied to a specific agent and transaction, making them useless to carders.
- AI monitoring identifies suspicious agent activity (e.g., attempted unauthorized purchases).
- Example: A carder hacks a smart refrigerator to order goods. The Agentic Token requires verification via Mastercard, blocking the transaction if the agent is not authorized.
8. Visa Acquirer Monitoring Program (VAMP)
VAMP is a Visa program (effective April 1, 2025) that consolidates Visa's previous acquirer fraud and dispute monitoring programs into one.
- How it works:
- Acquirers and their merchants are measured on a VAMP ratio (fraud reports plus non-fraud disputes divided by settled transactions) against thresholds that tighten in stages (a 0.9% merchant threshold is among those announced), with an advisory period before enforcement.
- Enforcement fees apply for exceeding the thresholds.
- How it combats carding:
- Forces acquirers to implement anti-fraud measures, reducing the likelihood of successful attacks.
- Focus on CNP transactions, where carding is most common.
- Example: An acquirer ignores suspicious transactions, allowing carders to make a series of purchases. VAMP detects this and imposes fines, motivating them to strengthen their security.
Practical examples and educational context
For better understanding, here are two scenarios illustrating how the new standards prevent carding:
- Scenario 1: Phishing attack
- The carder creates a fake website that imitates the checkout page of a major retailer and collects card data.
- Without new standards: The user enters card details, which are sent to the carder and used for purchases.
- With new standards:
- SRC (Visa Click to Pay): The user does not enter card details, but uses a token and biometrics.
- PCI DSS 4.0.1 (payment-page script controls): if the carder instead injects a skimmer into the real retailer's checkout page, the unauthorized script is refused by the browser or flagged by tamper detection.
- 3DS 2.0: Even if the data is intercepted, the transaction requires OTP or biometrics that are not available to the carder.
- Scenario 2: Database Leak
- A carder buys a database of card numbers on the darknet.
- Without new standards: Carder uses data for purchases on sites with poor security.
- With new standards:
- Tokenization (VTS/MDES): The database stores tokens instead of actual card numbers, making the data useless.
- AI monitoring: Visa/Mastercard detects mass transaction attempts from a single IP and blocks them.
- VAMP: If the acquirer's merchants keep approving the fraudulent attempts, their VAMP ratio rises and the acquirer faces enforcement fees, pushing it to tighten controls.
Future Challenges and Limitations
Despite progress, carding remains a difficult problem:
- Slow migration: Not all merchants have migrated to SRC or PCI DSS 4.0.1 because of integration costs (especially small businesses).
- New threats: Carders use AI to mass-create synthetic accounts and attempt to defeat biometric checks (for example, deepfake video or audio against face or voice verification).
- Regional differences: In regions with low levels of digitalization (e.g. some African countries), the adoption of SRC and 3DS is slow, leaving vulnerabilities.
Visa and Mastercard solve these problems through:
- Merchants support programs (Visa Trusted Integration Program, Mastercard Start Path).
- Partnerships with local banks to accelerate implementation.
- Investing in AI to combat new carding methods.
Recommendations for merchants and users
- For merchants:
- Integrate SRC via the Click to Pay SDKs (Visa Click to Pay, Mastercard Click to Pay).
- Complete PCI DSS v4.0.1 compliance; its future-dated requirements, including payment-page script controls, have been mandatory since March 31, 2025.
- Implement 3DS2 and real-time fraud scoring to detect card testing and account takeover.
- Store network or vault tokens instead of PANs, so a breach of your database yields no usable card numbers.
- For users:
- Use digital wallets (Apple Pay, Google Pay) or Click to Pay for secure purchases.
- Enable two-factor authentication and biometrics in banking apps.
- Avoid entering card details on unverified websites.
Conclusion
In 2025, Visa and Mastercard are focusing on SRC, tokenization, biometrics, AI-based fraud scoring, and PCI DSS v4.0.1 to minimize carding. Together these make stolen data useless without additional verification: the PAN is not typed at checkout, the token is bound to a domain, and the issuer can demand proof from the cardholder's own device. SRC, as a unified standard, plays a key role in replacing legacy checkout flows and securing payments in the era of AI agents. However, success depends on global adoption by merchants and issuers. For in-depth study, I recommend the official resources of EMVCo, the Visa Developer Portal, and the Mastercard Rules.
If you need more details or examples (for example, technical aspects of SRC or fraud statistics), let me know!