
How to Decrease Your Enumeration Fraud Before Visa’s New Rules Take Effect

Enumeration fraud isn’t just a security concern anymore; it’s a business liability. Starting in April 2025, Visa will begin enforcing new fraud and enumeration thresholds that could directly impact your bottom line. If you’re not actively detecting and blocking card testing attacks today, you could be facing penalties, higher dispute fees, and even restrictions on your merchant account.

What is enumeration fraud?

Enumeration fraud—also known as card cracking—is a type of bot-driven attack where threat actors rapidly test large volumes of stolen or generated card numbers to identify which ones are valid. These attacks typically involve:

  • Small, low-value transactions to avoid detection

  • Use of bots, scripts, or botnets to scale quickly

  • Obfuscation techniques like residential proxies and device emulation

Once a working card is found, it’s either used for larger fraudulent purchases or sold on underground markets. Enumeration fraud increases chargebacks, inflates operational costs, and now—under Visa’s new rules—can put merchants at risk of penalties and VAMP enrollment.

Visa’s new enumeration & fraud standards, explained

Visa’s Acquirer Monitoring Program (VAMP) is introducing several new thresholds for merchants and acquirers:

  • Merchants: 1.5% fraud threshold starting April 2025, dropping to 0.9% in January 2026

  • Acquirers: 0.3% monthly fraud threshold

  • High-risk merchants: Reduced from 1.8% to 1.5%

But one of the most significant changes is the introduction of an enumeration ratio. If more than 20% of your submitted transactions are flagged as card testing attempts, you could be enrolled in VAMP and subject to additional scrutiny and fees. Specifically, merchants classified as “Excessive” under VAMP may incur fines of $10 per fraudulent or disputed transaction. These enforcement fees are designed to encourage merchants to proactively manage and reduce enumeration fraud to remain compliant with Visa’s standards.

Why enumeration attacks are so damaging—and so often missed

Enumeration fraud happens when attackers use bots, scripts, or botnets to test lists of stolen card numbers until they find a valid one. These attacks are:

  • Automated
  • High-volume
  • Often indistinguishable from legitimate traffic

Threat actors often mask these attacks using residential proxies, random user agents, or even real device emulators to bypass basic defenses. Because the attempted transactions are usually low value, they may not raise red flags—until your chargeback rate spikes.

The true cost of enumeration fraud

Beyond disputes and chargebacks, enumeration attacks bring operational, financial, and reputational costs:

  • Inflated traffic that stresses infrastructure and skews analytics
  • Fees and penalties from exceeding fraud thresholds
  • Risk of being added to VAMP, which can jeopardize your merchant status
  • Customer trust issues if attackers succeed in using real customer data

4 steps to reduce enumeration fraud

1. Detect the signs of card testing

Keep an eye out for:

  • Sudden traffic spikes to your checkout or payment endpoints
  • Multiple failed payment attempts from similar device fingerprints
  • Anomalies in geolocation, card type, or user behavior

2. Stop bots before they reach the checkout flow

Detection alone isn’t enough. To stay ahead of enumeration fraud—and below Visa’s thresholds—you need to block automation in real time without disrupting legitimate users. That’s where DataDome’s Cyberfraud Protection Platform comes in.

The platform brings together multiple layers of defense to stop enumeration attacks at every stage of the customer journey:

  • Bot Protect: Detects and mitigates enumeration attempts using behavioral fingerprinting, real-time traffic analysis, and stealth mitigation to avoid tipping off attackers.

  • Page Protect: Secures your client-side scripts and payment pages, ensuring attackers can’t tamper with checkout elements or skim sensitive data during enumeration campaigns.

  • Account Protect: Defends login and account creation endpoints from automation, helping block attackers from testing stored payment methods after gaining unauthorized access.

You can also configure custom policies and rules to align with Visa’s enumeration detection thresholds—giving you full control to respond quickly and keep fraud ratios in check.

3. Monitor your enumeration and fraud ratios

Track your key metrics and monitor for:

  • Sudden increases in failed transactions

  • Enumeration ratios approaching the 20% VAMP threshold

  • Dispute rates creeping toward 1.5% (or 0.9% for 2026)

DataDome’s dashboard and alerting capabilities help security and fraud teams stay below these thresholds—and take proactive action before enrollment into VAMP becomes a risk.

4. Secure your login and account flows

If your platform stores payment methods, attackers may target logins before enumeration. Protecting login endpoints with DataDome Account Protect helps prevent credential stuffing and ensures that only legitimate users reach sensitive areas.
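Steps 1 and 3 can be approximated from your own payment logs. The following is an added example, not DataDome's or Visa's code: it flags device fingerprints that cycle through many distinct cards with mostly declined results, then compares the share of flagged attempts with the 20% enumeration ratio. The field names, the 5-minute window, the detection thresholds and the sample data are assumptions constructed for illustration; how Visa itself flags card testing is not described in this article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VAMP_ENUM_LIMIT = 0.20  # enumeration ratio threshold cited in this article

def flag_card_testing(attempts, window=timedelta(minutes=5),
                      min_cards=4, min_decline_rate=0.7):
    """Return fingerprints that tried many distinct cards, mostly declined,
    inside one time window. Thresholds are illustrative assumptions."""
    by_fp = defaultdict(list)
    for a in attempts:
        by_fp[a["fp"]].append(a)
    flagged = set()
    for fp, rows in by_fp.items():
        rows.sort(key=lambda a: a["ts"])
        for i, first in enumerate(rows):
            burst = [a for a in rows[i:] if a["ts"] - first["ts"] <= window]
            cards = {a["card"] for a in burst}
            declined = sum(not a["approved"] for a in burst)
            if len(cards) >= min_cards and declined / len(burst) >= min_decline_rate:
                flagged.add(fp)
                break
    return flagged

def enumeration_ratio(attempts, flagged):
    """Share of all submitted attempts that came from flagged fingerprints."""
    hits = sum(a["fp"] in flagged for a in attempts)
    return hits / len(attempts) if attempts else 0.0

def threshold_status(ratio, limit=VAMP_ENUM_LIMIT, warn_fraction=0.75):
    """'over' above the limit, 'warning' once 75% of the limit is reached."""
    if ratio > limit:
        return "over"
    return "warning" if ratio >= limit * warn_fraction else "ok"

def sample_attempts():
    """Constructed data: 30 normal buyers, one retrying buyer, one card tester."""
    t0 = datetime(2025, 4, 1, 12, 0, 0)
    def row(sec, fp, card, ok):
        return {"ts": t0 + timedelta(seconds=sec), "fp": fp, "card": card, "approved": ok}
    rows = [row(60 * i, f"fp-user-{i}", f"tok-u{i}", True) for i in range(30)]
    rows += [row(0, "fp-retry", "tok-r", False), row(30, "fp-retry", "tok-r", True)]
    rows += [row(10 * i, "fp-bot", f"tok-b{i}", i == 5) for i in range(6)]
    return rows

if __name__ == "__main__":
    data = sample_attempts()
    ratio = enumeration_ratio(data, flag_card_testing(data))
    print(f"{ratio:.1%}", threshold_status(ratio))
```

A customer who retries the same card after a decline stays unflagged because the rule keys on distinct cards per fingerprint, not on declines alone.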

The bottom line: Visa’s new standards demand proactive defense

Enumeration fraud is no longer a “back office” security issue; it’s a key metric Visa uses to assess merchant risk. With new thresholds taking effect this month, merchants and acquirers need a real-time, layered defense strategy.

DataDome’s Cyberfraud Protection Platform provides exactly that—stopping enumeration attacks before they impact your fraud ratios or trigger costly VAMP penalties. The platform combines:

  • Bot Protect to detect and block automated card testing
  • Page Protect to secure checkout scripts and prevent client-side abuse
  • Account Protect to defend login and account flows from credential-based fraud

Together, these solutions help businesses stay compliant, protect infrastructure, and preserve trust.

Want to assess your exposure to enumeration fraud?
Learn how DataDome helps organizations stay below Visa’s thresholds and one step ahead of attackers. Request a demo now to get started.

*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by Christine Falokun. Read the original post at: https://datadome.co/bot-management-protection/how-to-decrease-enumeration-fraud-before-visas-new-rules-take-effect/