Modern e-commerce merchants face payment processing attacks of expanding scale and complexity. Fraud has become increasingly automated and harder to detect. Enumeration attacks, also referred to as brute force or card-testing attacks, have become a significant and growing threat in the payment processing space for issuers, merchants, and acquirers. These attacks can result in fraud exposure, as well as improperly assessed processing fees, monitoring program penalties, and withheld funds.
In some cases, enumeration activity generates authorization volumes that are orders of magnitude beyond a merchant’s historical transaction levels, resulting in fee exposure that bears little relationship to ordinary processing levels. At that scale, the resulting activity may fall outside the range of transaction volume reasonably contemplated by the parties in entering into the merchant agreement. In more severe cases, sustained enumeration activity may result in account suspension or termination and, in certain circumstances, placement on the MATCH list, significantly impairing a merchant’s ability to obtain payment processing services.
This article provides a practical overview of how enumeration attacks operate, how they affect merchants, and the legal and operational considerations relevant to recovering losses and mitigating risk. The scenarios described reflect common patterns observed across the payments industry.
What Is an Enumeration Attack
Enumeration attacks involve the automated testing of payment credentials in card-not-present transactions. Attackers use scripts or bot-driven systems to submit high volumes of authorization attempts while varying common payment data fields, including the Primary Account Number (PAN), the card verification value (CVV2), and the expiration date. Because issuer response codes distinguish, for example, an invalid account number from a CVV2 mismatch, each response tells the attacker which field was wrong, and the fields can be narrowed one at a time until a valid combination is confirmed. With modern automation, thousands of variations can be tested within minutes.
Automation tooling, including machine learning and agentic AI, has further increased the scale and sophistication of these attacks. Visa's biannual threat reports continue to identify enumeration activity as a persistent and material risk across the payments ecosystem.
How Enumeration Attacks Work
Enumeration attacks typically follow a structured progression. Attackers first identify a vulnerable payment gateway or merchant environment, often targeting systems with weak security controls, limited rate limiting, or insufficient bot detection. Automated scripts are then deployed to run high-volume authorization attempts. Each response is used as a data point to confirm or eliminate potential credential combinations. Once valid card credentials are identified, they may be used for fraudulent transactions or sold for downstream use in identity fraud or money laundering schemes. Because many processing agreements assess fees on a per-authorization or per-message basis, these attacks can generate substantial charges even where every attempt is declined and the underlying activity does not represent legitimate commerce.
Which Merchants Are Most Exposed
Several structural factors increase a merchant’s exposure to enumeration attacks. Small to mid-sized businesses are frequent targets because they often have gaps in both technical and operational defenses compared to larger enterprises. However, exposure is not limited by size.
Merchants are particularly vulnerable where payment gateways lack adequate rate limiting or bot detection, where transaction monitoring is not performed in real time, or where full card verification data is not consistently required. Fraud actors can deploy bots, scripts, or headless browsers to test large volumes of credentials through these environments with limited resistance.
Detecting Enumeration Activity
Enumeration attacks are well recognized within the payments industry but remain difficult to detect in practice. One reason is that monitoring responsibility is fragmented across merchants, processors, and acquirers, each operating distinct systems with limited visibility into end-to-end transaction activity.
Common indicators include:
- High-velocity authorization attempts that deviate from normal user behavior;
- Repeated CVV2 failures across sequential transactions;
- Sequential or patterned testing of account identifiers; and
- Abnormal authorization-to-settlement ratios, often with high decline rates.
In extreme cases, these patterns may include near-total authorization failure rates sustained across very large volumes of attempts. Processors and acquirers often maintain transaction-level visibility and monitoring capabilities that merchants cannot access in real time. In high-velocity scenarios, any delay in mitigation, including where blocking actions require merchant authorization or coordination across multiple parties, allows the activity to escalate rapidly.
Breakdowns in communication or reliance on outdated contact channels can further delay coordinated mitigation and increase exposure during an active event.
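The indicators listed above can be turned into concrete checks over an authorization log. The following is an added example, not code from the original article or from any processor, that evaluates per-source velocity, consecutive CVV2 failures, patterned testing of many distinct PANs within one BIN, and the decline rate against a constructed batch of authorization records. The record layout, the normalised response codes (`APPROVED`, `DECLINED`, `CVV_MISMATCH`, `INVALID_PAN`, `EXPIRED`) and the thresholds are assumptions; a merchant would substitute its gateway's actual response codes and calibrate the thresholds against its own historical traffic.

```python
"""Enumeration-pattern detection over a constructed authorization log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed normalised response vocabulary; real gateways use their own codes.
DECLINE_CODES = {"DECLINED", "CVV_MISMATCH", "INVALID_PAN", "EXPIRED"}


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    source_ip: str
    bin6: str        # first six digits of the card number (issuer BIN)
    pan_token: str   # gateway token for the card; the full PAN is never retained here
    response: str


def max_velocity(attempts, window=timedelta(seconds=60)):
    """Highest number of attempts from each source inside any sliding window."""
    by_src = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_src[a.source_ip].append(a.ts)
    peaks = {}
    for src, times in by_src.items():
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[src] = peak
    return peaks


def longest_cvv_failure_run(attempts):
    """Longest run of consecutive CVV2 mismatches per source, in time order."""
    runs, current = {}, defaultdict(int)
    for a in sorted(attempts, key=lambda a: a.ts):
        current[a.source_ip] = current[a.source_ip] + 1 if a.response == "CVV_MISMATCH" else 0
        runs[a.source_ip] = max(runs.get(a.source_ip, 0), current[a.source_ip])
    return runs


def distinct_pans_in_single_bin(attempts):
    """Per source: largest number of distinct cards tested within one BIN (patterned PAN testing)."""
    seen = defaultdict(lambda: defaultdict(set))
    for a in attempts:
        seen[a.source_ip][a.bin6].add(a.pan_token)
    return {src: max(len(s) for s in bins.values()) for src, bins in seen.items()}


def decline_rate(attempts):
    """Share of attempts that were declined; an approximation of a poor authorization-to-settlement ratio."""
    if not attempts:
        return 0.0
    return sum(1 for a in attempts if a.response in DECLINE_CODES) / len(attempts)


def evaluate(attempts, *, velocity_limit=20, cvv_run_limit=5, pan_limit=10, decline_limit=0.8):
    """Per-source indicator flags. Thresholds are assumed starting points, not network-mandated values."""
    vel = max_velocity(attempts)
    runs = longest_cvv_failure_run(attempts)
    pans = distinct_pans_in_single_bin(attempts)
    report = {}
    for src in vel:
        own = [a for a in attempts if a.source_ip == src]
        flags = {
            "high_velocity": vel[src] >= velocity_limit,
            "cvv_failure_run": runs[src] >= cvv_run_limit,
            "patterned_pans": pans[src] >= pan_limit,
            "high_decline_rate": decline_rate(own) >= decline_limit,
        }
        # Any two indicators together are treated as a suspected enumeration source.
        flags["suspected_enumeration"] = sum(flags.values()) >= 2
        report[src] = flags
    return report


def sample_attempts():
    """Constructed sample: one bot source hammering BIN 411111 plus three legitimate shoppers."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)
    bot = [
        AuthAttempt(t0 + timedelta(seconds=i), "203.0.113.7", "411111", f"tok-{i:04d}",
                    "CVV_MISMATCH" if i % 10 else "DECLINED")
        for i in range(40)
    ]
    shoppers = [
        AuthAttempt(t0 + timedelta(minutes=m), ip, "555555", f"tok-legit-{m}", "APPROVED")
        for m, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"])
    ]
    return bot + shoppers


if __name__ == "__main__":
    for src, flags in evaluate(sample_attempts()).items():
        print(src, flags)
```

Run against the constructed sample, the bot source trips all four indicators (40 attempts in one minute, a run of nine CVV2 mismatches, 40 distinct cards in one BIN, a 100% decline rate) while each shopper trips none. In production the same checks would run continuously over the gateway's authorization feed, which is exactly the feed that, as the article notes, is often visible to the processor in real time but to the merchant only in periodic reports.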
Allocation of Liability: Merchant, Processor, or Acquirer
Following an enumeration attack, merchants may face chargebacks, increased processing fees, monitoring program penalties, and withheld or reserved funds. Liability depends on the specific facts of the incident and the contractual allocation of responsibility among the merchant, processor, and acquirer. At extreme levels, authorization activity generated by enumeration attacks may no longer reasonably be characterized as merchant-driven transaction flow, but instead as externally generated automated traffic processed within the processor’s environment.
In practice, responsibility is often shared. Merchants may be responsible for certain configurations and fraud controls at the application level. At the same time, key functions such as authorization routing, response handling, transaction monitoring, and anomaly detection frequently occur within processor and acquirer infrastructure. This dynamic is particularly pronounced in hosted gateway environments, where payment data is entered directly into processor-controlled systems, increasing the processor’s visibility into and practical control over authorization activity. In some cases, significant volumes of clearly anomalous authorization traffic continue to be processed without effective mitigation, escalation, or intervention.
Processors and acquirers often maintain real-time visibility into authorization volumes, velocity patterns, and failure rates through monitoring and alert systems designed to detect significant spikes in volume and velocity. At scale, those systems reflect sustained, high-velocity authorization activity, including extreme deviations from historical transaction patterns, as it occurs. Many merchants, by contrast, have no direct access to or control over these systems at the time the activity occurs, rely on periodic reporting, and lack the ability to implement real-time controls such as gateway-level blocking, velocity thresholds, or automated mitigation. Where merchants lack visibility into, or control over, these systems, the basis for imposing fees, penalties, or reserve holds warrants careful evaluation.
Card Network Monitoring Requirements
Card network rules underscore the importance of real-time monitoring and acquirer responsibility. Visa’s Acceptance Risk Standards and the Visa Acquirer Monitoring Program establish monitoring obligations requiring acquirers to detect anomalous activity, monitor transaction velocity, and respond to deviations in merchant behavior. These standards incorporate defined thresholds for excessive enumeration activity and impose corresponding obligations on acquirers.
Mastercard’s Security Rules and Procedures similarly require real-time or near real-time monitoring of authorization activity. These requirements include detection of abnormal authorization volumes, declining approval rates, repeated authorization attempts, and other out-of-pattern behavior. These frameworks contemplate active monitoring and response, not passive observation.
Recovering Improper Fees and Withheld Funds
Merchants may be able to challenge monitoring program penalties, excessive processing fees, and reserve or fund holds arising from enumeration activity. Whether recovery is available depends on the governing merchant agreement, the allocation of monitoring responsibilities, and whether required controls were implemented and effective. In particular, where the disputed charges arise from anomalous, non-commercial traffic that could not reasonably have been anticipated or controlled by the merchant, the basis for shifting those costs to the merchant may be subject to challenge. These issues can be compounded where enumeration activity leads to account restrictions or termination.
Where contractual obligations place responsibility for transaction monitoring and anomaly detection on processors or acquirers, merchants may have grounds to dispute the financial consequences of an enumeration event. These issues are highly fact-specific and should be evaluated in light of the applicable agreements and network rules. In many cases, the central issue is not the recovery of damages, but whether the disputed fees are contractually owed in the first instance.
Practical Risk Mitigation
Merchants should implement layered controls to reduce exposure to enumeration activity. Effective measures may include velocity filtering (per source, per card, and per BIN), bot detection and CAPTCHA enforcement, pattern-based blocking, transaction amount controls, and careful configuration of authorization and decline responses so that the client-facing response does not reveal which credential field failed. At the same time, merchants should review contractual provisions governing monitoring responsibilities, liability allocation, and reserve practices. In some cases, these controls are available within gateway or processor systems but are not enabled or properly configured, which can materially increase exposure to sustained attack activity.
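Two of the controls above, velocity filtering and decline-response configuration, are shown below as an added example that is not code from the original article or from any gateway vendor. The weak handler forwards every attempt to the issuer and returns the issuer's granular code to the client, which is the leak described earlier in the article (the attacker learns whether the PAN or the CVV2 was wrong); the hardened handler applies a sliding-window limit keyed on source address and hashed card number, refuses over-limit attempts before any authorization message is sent (so no per-authorization fee accrues), keeps the granular code only in a server-side audit log, and returns a uniform decline to the client. The issuer stand-in, its response codes, the card numbers, and the limits are all constructed assumptions.

```python
"""Leaky vs. hardened checkout handler in front of a constructed issuer (added example)."""
import hashlib
import time
from collections import defaultdict, deque

# Constructed issuer stand-in: the only credential set this "issuer" approves, keyed (PAN, MMYY) -> CVV2.
_FAKE_VALID = {("4111111111111111", "1227"): "123"}


def issuer_authorize(pan, exp, cvv2):
    """Stand-in for the issuer host. Like a real issuer it answers with a granular code."""
    if (pan, exp) not in _FAKE_VALID:
        return "INVALID_PAN_OR_EXP"
    return "APPROVED" if _FAKE_VALID[(pan, exp)] == cvv2 else "CVV_MISMATCH"


def leaky_checkout(pan, exp, cvv2):
    """Weak configuration: no velocity control, and the issuer's code is relayed to the client.
    Every attempt is forwarded (and billed) as an authorization message, and each response
    tells the attacker which field was wrong, so fields can be enumerated independently."""
    return {"status": issuer_authorize(pan, exp, cvv2)}


class HardenedGateway:
    """Velocity filter ahead of the issuer plus a uniform client-facing decline.
    max_attempts/window_s are assumed starting points to be tuned against the merchant's baseline."""

    def __init__(self, max_attempts=5, window_s=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock                  # injectable so the demo and tests are deterministic
        self._hits = defaultdict(deque)     # velocity key -> timestamps of recent attempts
        self.audit_log = []                 # server-side record keeps the granular issuer code
        self.forwarded = 0                  # authorization messages actually sent upstream

    def _exceeds(self, key):
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def checkout(self, source_ip, pan, exp, cvv2):
        pan_key = hashlib.sha256(pan.encode()).hexdigest()[:16]   # never keep the raw PAN as a key
        keys = [f"ip:{source_ip}", f"pan:{pan_key}"]
        tripped = [k for k in keys if self._exceeds(k)]           # list, not any(): advance every counter
        if tripped:
            self.audit_log.append(("VELOCITY_BLOCK", source_ip, pan_key, tripped))
            return {"status": "DECLINED"}                          # nothing sent to the issuer
        code = issuer_authorize(pan, exp, cvv2)
        self.forwarded += 1
        self.audit_log.append((code, source_ip, pan_key, []))
        return {"status": "APPROVED" if code == "APPROVED" else "DECLINED"}


def run_demo():
    """Constructed attack: ten guesses at a wrong PAN, then ten CVV2 guesses at the right one,
    one per second from a single source, run against both handlers."""
    clock = [0.0]
    gw = HardenedGateway(max_attempts=5, window_s=60, clock=lambda: clock[0])
    leaky_seen, hardened_seen = [], []
    for i in range(20):
        clock[0] += 1.0
        pan = "4000000000000002" if i < 10 else "4111111111111111"   # constructed test numbers
        cvv = f"{i:03d}"
        leaky_seen.append(leaky_checkout(pan, "1227", cvv)["status"])
        hardened_seen.append(gw.checkout("203.0.113.7", pan, "1227", cvv)["status"])
    return {
        "leaky_distinct": sorted(set(leaky_seen)),
        "hardened_distinct": sorted(set(hardened_seen)),
        "forwarded_to_issuer": gw.forwarded,
    }


if __name__ == "__main__":
    print(run_demo())
```

Against the same twenty attempts, the leaky handler returns two distinguishable outcomes and forwards all twenty authorizations; the hardened gateway forwards only the first five, returns a single indistinguishable `DECLINED` for every attempt, and still records the real issuer code and the tripped velocity keys in its audit log for the merchant's own monitoring and for any later dispute over fees.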
Managing risk requires alignment between technical safeguards and contractual rights. Merchants that understand both are better positioned to reduce exposure and respond effectively when incidents occur.
Conclusion
Enumeration attacks continue to evolve in scale and sophistication, driven by automation and advances in AI. For merchants, the resulting financial impact often extends beyond fraud losses to include fees, penalties, and withheld funds. Understanding how these attacks operate and how responsibility is allocated across the payments ecosystem is critical. Merchants that evaluate both their technical controls and contractual rights are better positioned to mitigate risk and, where appropriate, challenge improper financial consequences.
About Rome LLP
Rome LLP represents merchants and other participants in the payments ecosystem in disputes involving reserve holds, billing practices, card network rules, and related payments disputes. For questions regarding enumeration attacks, liability, or recovery options, contact Rome LLP at (310) 282-0690 or [email protected].
Contacts
Rome LLP
Eugene Rome, Esquire
[email protected]
(310) 282-0690
https://romellp.com/
Bradley O. Cebeci, Esquire
[email protected]