<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - PCI DSS</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/pci-dss.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2025-02-07T00:00:00+11:00</updated><entry><title>Data-Driven Risk Management</title><link href="https://www.peakhour.io/blog/data-driven-risk-management-contextual-security/" rel="alternate"></link><published>2025-02-07T00:00:00+11:00</published><updated>2025-02-07T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-07:/blog/data-driven-risk-management-contextual-security/</id><summary type="html">&lt;p&gt;How Peakhour's contextual security aligns with Visa's data-driven risk management approach in the 2025-2028 Security Roadmap.&lt;/p&gt;</summary><content type="html">&lt;p&gt;After our examination of &lt;a href="/blog/visa-security-roadmap-2025-overview/"&gt;Visa's Security Roadmap&lt;/a&gt;, this article looks at how Peakhour's contextual
security approach supports Visa's third key focus area: shifting to a data-driven, risk-based approach.&lt;/p&gt;
&lt;h2&gt;The Evolution of Risk Management&lt;/h2&gt;
&lt;p&gt;Traditional security controls often rely on static rules and fixed thresholds. Visa's Security Roadmap 2025-2028 emphasises the need for dynamic, data-driven risk management that adapts to emerging threats while keeping operations efficient. That shift is important for attacks like &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;credential stuffing&lt;/a&gt; and &lt;a href="/blog/preventing-enumeration-attacks-visa-roadmap/"&gt;enumeration
attacks&lt;/a&gt;, which exploit weak points in static defences.&lt;/p&gt;
&lt;h2&gt;Understanding Contextual Security&lt;/h2&gt;
&lt;p&gt;Contextual security moves beyond fixed rules by using real-time data analysis to assess risk and choose a proportionate response. It starts by collecting a broad set of signals for each interaction, including user behaviour patterns, device characteristics, network indicators like &lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprints&lt;/a&gt;, geographic patterns, and historical trends.&lt;/p&gt;
&lt;p&gt;Those signals feed a dynamic risk assessment engine with continuous monitoring and adaptive thresholds. Using techniques such as behavioural analysis and &lt;a href="/blog/advanced-anomaly-detection-rrcf-application-security/"&gt;anomaly detection&lt;/a&gt;, the system can identify subtle deviations from normal activity that may signal a threat. The result is a response matched to the risk: triggering risk-based authentication, applying adaptive security measures, or initiating an automated threat response with customised rules.&lt;/p&gt;
&lt;h2&gt;How Peakhour Aligns with Visa's Vision&lt;/h2&gt;
&lt;p&gt;Our &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual Security&lt;/a&gt; platform supports Visa's data-driven approach by combining multiple layers of defence. At the core is edge intelligence, which uses a global network to process data in real time, close to the user. This supports rapid identification of emerging threats, sharing threat intelligence across the network, and responding to attacks as they happen.&lt;/p&gt;
&lt;p&gt;This is backed by advanced analytics that use machine learning models, behavioural analysis, pattern recognition, and anomaly detection. These tools are essential for identifying sophisticated threats, such as bots using residential proxies or &lt;a href="/blog/anti-detect-browsers-application-security-threat/"&gt;anti-detect browsers&lt;/a&gt;. By analysing connection-level data, we can distinguish malicious automation from legitimate user traffic, a task traditional IP-based methods often fail.&lt;/p&gt;
&lt;p&gt;This analysis supports risk-based decision-making. Instead of applying one-size-fits-all rules, our platform implements dynamic security measures. This includes adaptive authentication, contextual access controls, risk-based policies, and automated responses like advanced rate limiting, which can help stop distributed attacks.&lt;/p&gt;
&lt;h2&gt;Key Benefits of a Data-Driven Approach&lt;/h2&gt;
&lt;p&gt;Adopting a data-driven, contextual security model gives organisations practical advantages. It improves security through earlier threat detection and a reduction in false positives. The broader coverage protects against a wider range of attacks, from automated bots to manual fraud attempts.&lt;/p&gt;
&lt;p&gt;At the same time, it can improve the user experience. By assessing risk more accurately, the system can reduce friction for legitimate users, support faster transactions, and make authentication less intrusive. This personalised security approach strengthens trust without sacrificing usability, a necessary balance for modern businesses.&lt;/p&gt;
&lt;p&gt;Finally, this strategy improves operational efficiency. Automated responses reduce the need for manual review and intervention, optimising resource allocation. The scalable nature of the platform ensures that security can keep pace with business growth, providing a more sustainable way to manage risk.&lt;/p&gt;
&lt;h2&gt;Implementing Contextual Security&lt;/h2&gt;
&lt;p&gt;Organisations can implement contextual security by assessing their current state: reviewing existing controls, identifying data sources, and evaluating current capabilities. A planning phase then defines objectives, selects appropriate solutions, and establishes key performance metrics. Deployment follows, with systems installed, rules configured, staff trained, and performance monitored continuously.&lt;/p&gt;
&lt;p&gt;To maximise effectiveness, teams need high-quality, real-time data collection while maintaining user privacy. They also need a robust analysis framework: well-defined risk models, adaptive thresholds, and clear policies for automation. Finally, response mechanisms should be practical to operate, with automated workflows and controls that can be monitored and refined over time.&lt;/p&gt;
&lt;h2&gt;Real-World Applications and Future Considerations&lt;/h2&gt;
&lt;p&gt;In practice, contextual security applies across several security workflows. For authentication, it enables risk-based multi-factor authentication and adaptive policies. In transaction monitoring, it allows for real-time analysis and fraud prevention. For access control, it supports dynamic permissions based on context-aware rules.&lt;/p&gt;
&lt;p&gt;Looking ahead, organisations should prepare for the increasing role of advanced analytics, including AI and predictive analytics. Integration with other systems through APIs will be important, as will adapting to evolving regulatory requirements and new threat vectors.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;The shift to data-driven risk management is an important change in security strategy. Peakhour's contextual security solutions help organisations align with Visa's vision while improving security, efficiency, and user experience. Moving beyond static rules to an adaptive defence gives businesses a better way to protect themselves and their customers in a more complex digital environment.&lt;/p&gt;
&lt;p&gt;--&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Learn how Peakhour's contextual security solutions can help your organisation implement data-driven risk management aligned with Visa's Security Roadmap 2025-2028. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to improve your security posture.&lt;/em&gt;&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Application Security"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="PCI DSS"></category></entry><entry><title>Preventing Enumeration Attacks</title><link href="https://www.peakhour.io/blog/preventing-enumeration-attacks-visa-roadmap/" rel="alternate"></link><published>2025-01-24T00:00:00+11:00</published><updated>2025-01-24T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-24:/blog/preventing-enumeration-attacks-visa-roadmap/</id><summary type="html">&lt;p&gt;An analysis of how Peakhour's solutions help prevent enumeration attacks, aligning with Visa's Security Roadmap 2025-2028 priorities.&lt;/p&gt;</summary><content type="html">&lt;p&gt;After our &lt;a href="/blog/visa-security-roadmap-2025-overview/"&gt;overview of Visa's Security Roadmap 2025-2028&lt;/a&gt;, this article looks at the first focus area: preventing enumeration attacks. Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from these attacks over the year to 30 September 2023.&lt;/p&gt;
&lt;p&gt;Visa defines enumeration and account testing as criminal practices where fraudsters use automation to test and guess payment credentials, which can then be used for fraudulent transactions. In card-testing campaigns, attackers send large numbers of low-value authorisation attempts to validate a primary account number, expiry date, or CVV2. They tend to target online merchants with weaker fraud controls because the merchant site becomes the testing ground while issuers, acquirers, and cardholders absorb the downstream damage.&lt;/p&gt;
&lt;p&gt;The volume share can look small. Visa notes that these attacks contribute to less than 1% of global card-not-present volume. That can make the risk easy to underweight until the business sees the operating cost: processor scrutiny, chargeback pressure, support load, infrastructure spikes, blocked genuine customers, and fraud teams trying to reconstruct what happened after the card data has already been validated somewhere else.&lt;/p&gt;
&lt;h2&gt;The Risk Is Operational Before It Is Regulatory&lt;/h2&gt;
&lt;p&gt;Enumeration is not only a payment fraud pattern. It is a production traffic problem. The attack arrives as normal-looking checkout or payment API requests, often distributed across many IPs, accounts, devices, cards, and merchants. If the only defence is a fixed IP threshold, the attacker can slow down, rotate infrastructure, or push attempts through residential proxy networks that look closer to consumer traffic.&lt;/p&gt;
&lt;p&gt;That is why Visa's roadmap points to authentication controls, anomaly detection, real-time monitoring, velocity thresholds, CVV2 for unsecure transactions, and retries with different values as indicators of account testing behaviour. The common thread is evidence. Teams need to see the pattern across attempts, not just one failed authorisation at a time.&lt;/p&gt;
&lt;p&gt;For merchants and acquirers, the first decision is scope. Which routes can submit payment credentials? Which APIs can create checkout sessions, payment intents, or tokenisation requests? Which responses tell an attacker whether the credential is likely valid? Which logs show retries with changed values? Which controls can act before the traffic reaches the processor?&lt;/p&gt;
&lt;h2&gt;VAMP Raises the Need for Cleaner Evidence&lt;/h2&gt;
&lt;p&gt;Visa's updated Visa Acquirer Monitoring Program (VAMP) is effective 1 April 2025. In the roadmap, Visa says VAMP brings more aligned fraud thresholds for domestic and cross-border card-not-present transactions and incorporates new enumeration criteria based on the number of enumerated authorisation transactions and the enumeration rate identified by the VAAI Score.&lt;/p&gt;
&lt;p&gt;That does not mean every merchant needs the same control design. It does mean acquirers and merchants need better visibility into whether a burst of payment activity is genuine demand, a broken integration, friendly fraud, or enumeration. When traffic is distributed, the evidence needs to include more than source IP. Useful signals include route, account state, card-attempt cadence, response codes, device or browser consistency, proxy likelihood, country and ASN changes, header and TLS patterns, and whether retries are changing only the values an attacker is trying to validate.&lt;/p&gt;
&lt;p&gt;Peakhour's role is at the web and API edge. &lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt;, &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt;, &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;, WAF, and log forwarding can help teams detect automated payment attempts, slow or block abusive routes, identify proxy-backed traffic, and retain decision evidence. Those controls support a payment security program; they do not determine VAMP standing, replace acquirer guidance, or provide legal advice.&lt;/p&gt;
&lt;h2&gt;Rate Limits Need to Follow the Attack Shape&lt;/h2&gt;
&lt;p&gt;Simple rate limits still help, but card testing rarely follows one neat source. A useful rate limit strategy looks at multiple keys: route, payment action, account, session, token, card fingerprint where appropriate, device signal, IP, ASN, country, response result, and time window. The limits should also distinguish between customer actions. A checkout page, card add route, refund path, gift card purchase, and payment authorisation API should not all share one generic threshold.&lt;/p&gt;
&lt;p&gt;Teams also need to decide what the control does. Some traffic should be blocked. Some should be slowed. Some should be challenged before payment. Some should be logged and reviewed because false positives would create more harm than the risk being reduced. The right action depends on business context, fraud exposure, customer value, and the confidence of the signals.&lt;/p&gt;
&lt;p&gt;Residential proxy abuse is a good example. A residential IP does not prove fraud. Many genuine users sit behind shared or mobile networks. But residential proxy use combined with high-cardinality card attempts, changed CVV2 values, first-seen devices, failed authorisations, and unusual checkout cadence is a stronger signal. The value is correlation, not a single magic indicator.&lt;/p&gt;
&lt;h2&gt;A Practical Review Path&lt;/h2&gt;
&lt;p&gt;Teams preparing for enumeration risk should start with the payment routes rather than with a vendor checklist.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Map every route that can create, submit, modify, or retry a payment attempt.&lt;/li&gt;
&lt;li&gt;Review response messages and status codes for accidental validation clues.&lt;/li&gt;
&lt;li&gt;Check whether logs can show velocity, retries with changed values, and route-level concentration without storing sensitive card data.&lt;/li&gt;
&lt;li&gt;Apply route-aware rate limits and bot controls before processor calls where possible.&lt;/li&gt;
&lt;li&gt;Add proxy, device, session, and behaviour signals to separate normal checkout friction from testing behaviour.&lt;/li&gt;
&lt;li&gt;Keep evidence of policy version, action, route, and signal set so fraud and compliance teams can review outcomes.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The caution is important: do not turn payment logging into a second store of cardholder data. Enumeration defence needs enough evidence to detect and investigate abuse, but PCI DSS and privacy expectations still require careful handling of cardholder data, tokens, logs, and support exports.&lt;/p&gt;
&lt;h2&gt;What This Means for Peakhour Customers&lt;/h2&gt;
&lt;p&gt;Enumeration prevention is not a single feature. It is a control path around payment routes: classify the request, evaluate the signals, act proportionately, and keep evidence. Peakhour can help by applying those decisions at the edge before abusive traffic reaches the origin or payment integration.&lt;/p&gt;
&lt;p&gt;The business value is not only fewer bad requests. It is cleaner payment telemetry, faster fraud review, fewer avoidable processor calls, and a better basis for conversations with acquirers when suspicious activity appears. Visa's roadmap makes that direction clear: payment security is moving toward data-driven, evidence-backed controls that can recognise automation abuse without blocking genuine customers by default.&lt;/p&gt;</content><category term="Security"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="PCI DSS"></category><category term="API Security"></category><category term="Fraud Prevention"></category><category term="Threat Detection"></category></entry><entry><title>Visa's Security Roadmap 2025-2028</title><link href="https://www.peakhour.io/blog/visa-security-roadmap-2025-overview/" rel="alternate"></link><published>2025-01-21T00:00:00+11:00</published><updated>2025-01-21T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-21:/blog/visa-security-roadmap-2025-overview/</id><summary type="html">&lt;p&gt;An analysis of Visa's Security Roadmap 2025-2028 and how Peakhour's solutions help Australian businesses meet these security objectives.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Visa's Security Roadmap 2025-2028 for Australia is not just a payments strategy document. It is a signal about where fraud, application security, authentication, and compliance work are converging for merchants, acquirers, issuers, gateways, and service providers.&lt;/p&gt;
&lt;p&gt;The timing matters. Visa's roadmap cites Australian card fraud rising 32% to A$762 million in 2023, with unauthorised card-not-present fraud increasing 33% to A$688 million. Scam losses reached A$2.7 billion in 2023, and reported data breaches increased 19% in the second half of 2023 compared with the first half. The pressure is not coming from one direction. Payment teams are dealing with automation abuse, social engineering, compromised credentials, weak merchant onboarding, third-party exposure, and new payment experiences at the same time.&lt;/p&gt;
&lt;p&gt;Visa groups its roadmap into six focus areas: preventing enumeration attacks, continued investment in secure technologies, data-driven risk, resilience against fraud and scams in the era of AI, stronger cyber security posture, and secure digital payment experiences. For Australian businesses, the more useful way to read it is as a set of operational themes.&lt;/p&gt;
&lt;h2&gt;Automation Abuse Has Become a Payment Control Issue&lt;/h2&gt;
&lt;p&gt;Enumeration attacks sit first in the roadmap for a reason. Visa defines enumeration and account testing as automation used to test and guess payment credentials that can later be used in fraudulent transactions. The attacks often appear as high-speed card testing against online merchants, with low-value attempts used to validate PAN, expiry, or CVV2 combinations.&lt;/p&gt;
&lt;p&gt;Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from enumeration attacks over the year to 30 September 2023. The updated Visa Acquirer Monitoring Program (VAMP), effective 1 April 2025, adds enumeration criteria alongside broader fraud and dispute monitoring.&lt;/p&gt;
&lt;p&gt;The implication is practical: merchants and acquirers need route-level evidence, anomaly monitoring, velocity controls, and a way to identify distributed automation before it becomes payment fraud. IP-only controls are weak when attacks use residential proxies, first-seen devices, and slow distributed attempts. Peakhour's bot management, residential proxy detection, advanced rate limiting, and edge logging can help support that evidence path, but the business still needs payment-flow ownership and acquirer alignment.&lt;/p&gt;
&lt;h2&gt;Authentication and Tokenisation Are Moving Together&lt;/h2&gt;
&lt;p&gt;Visa's secure technology theme is not simply "add more authentication." The roadmap ties tokenisation, EMV 3DS, biometric or in-app authentication, passkeys, and Click to Pay into the same customer and fraud problem: protect credentials while reducing unnecessary friction.&lt;/p&gt;
&lt;p&gt;Tokenisation reduces the value of exposed card data by replacing a card number with a token. Visa notes that the Visa Token Service has passed one billion tokens in Asia Pacific and that merchants adopting VTS for digital payments saw payment fraud rates reduced by more than half in the cited Asia Pacific analysis. But the roadmap also flags token provisioning fraud, where bad actors illegitimately provision tokens and then monetise them quickly.&lt;/p&gt;
&lt;p&gt;That is why authentication quality matters. Visa says issuers are being mandated to move away from SMS OTP as the sole authentication factor by 2026, toward methods such as biometric, in-app, app-to-app, or passkey-based authentication. For merchants, updated Visa Secure minimum data requirements push more complete authentication data into the decision process.&lt;/p&gt;
&lt;p&gt;For application teams, the lesson is that checkout security is not a single login prompt. It includes account creation, saved-card use, card add, token provisioning, checkout, refund, and support paths. A risk-based challenge should appear where the action justifies it, not everywhere by default.&lt;/p&gt;
&lt;h2&gt;Risk Decisions Need Better Data, Not Just More Data&lt;/h2&gt;
&lt;p&gt;The roadmap's data-driven risk theme is about using available payment and authentication data to reduce fraud and false positives. Visa points to EMV 3DS data elements, Visa Secure requirements, risk-based authentication, and issuer decisioning as examples of how better data quality can change outcomes.&lt;/p&gt;
&lt;p&gt;More data is not automatically better. It has to be accurate, relevant, protected, and available at the moment of decision. A fraud team may need account history, device consistency, proxy likelihood, card-attempt cadence, transaction context, and previous response outcomes. A compliance team may need to know why that data is collected, where it is retained, and who can query it.&lt;/p&gt;
&lt;p&gt;This is where contextual security becomes useful. Peakhour's &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual Security&lt;/a&gt; approach combines request, route, account, network, device, and behaviour signals so teams can allow, challenge, rate limit, block, or log based on risk. The control is strongest when the decision record stays attached to the event: signal set, policy version, action, and outcome.&lt;/p&gt;
&lt;h2&gt;AI Raises Scam and Fraud Pressure, But It Is Also Part of Detection&lt;/h2&gt;
&lt;p&gt;Visa frames AI in both directions. Generative AI lowers the barrier for phishing, social engineering, deepfakes, and personalised scam content. At the same time, Visa points to its long history using AI and machine learning in payment fraud detection, including around 150 AI and machine learning models in production.&lt;/p&gt;
&lt;p&gt;For businesses outside the payment network, the message is not "buy AI." It is to prepare for more scalable deception and faster abuse cycles. Fraud controls need to watch for account creation abuse, credential stuffing, payment testing, suspicious onboarding, transaction anomalies, and customer manipulation signals. Human review still matters because authorised scams can look different from unauthorised account compromise.&lt;/p&gt;
&lt;p&gt;Peakhour's role is strongest around the request and account edge: identifying automation, proxy-backed traffic, route abuse, credential risk, and abnormal behaviour before fraud reaches sensitive application paths. Those signals can feed fraud review and incident response, but they should be used with privacy, false-positive, and customer-impact controls.&lt;/p&gt;
&lt;h2&gt;Cyber Posture Is Now Part of Payment Ecosystem Resilience&lt;/h2&gt;
&lt;p&gt;Visa's fifth theme connects payment fraud to cyber security posture. PCI DSS remains mandatory for entities storing, processing, or transmitting Visa cardholder data. Visa also highlights third-party agent (TPA) registration, its Account Information Security program, third-party service provider risk, breach trends, and preparation for broader AES support by 2030.&lt;/p&gt;
&lt;p&gt;For Australian businesses, this is a reminder that payment risk is not limited to the payment processor. A breach of a CMS account, a third-party script, a weak checkout plugin, a vulnerable API, a compromised support tool, or an unmanaged service provider can affect the payment environment. PCI scope and third-party oversight need to include the systems that can change or observe checkout, not only systems that store card numbers.&lt;/p&gt;
&lt;p&gt;Peakhour can help with application-layer controls around WAF, API protection, bot management, rate limiting, DDoS mitigation, and log forwarding. Those controls can support evidence for payment security and cyber posture. They do not replace PCI DSS validation, TPA obligations, acquirer requirements, or legal review.&lt;/p&gt;
&lt;h2&gt;New Payment Experiences Need Security Built Into the Flow&lt;/h2&gt;
&lt;p&gt;Visa's final theme covers digital payment experiences such as Click to Pay, passkeys, Flex Credential, and Tap to Everything. These changes are about reducing manual card entry, password dependence, and fragmented checkout experiences while preserving cardholder verification and transaction security.&lt;/p&gt;
&lt;p&gt;The security work for merchants is to keep pace with those flows. New payment methods bring new integration paths, data elements, redirects, APIs, support workflows, and customer education needs. The right question is not only "does the new payment method work?" It is "which systems can affect it, what data is passed, how is the customer verified, what fraud signals are available, and what evidence remains after a dispute or incident?"&lt;/p&gt;
&lt;h2&gt;What Businesses Should Do Next&lt;/h2&gt;
&lt;p&gt;Read the roadmap as an operating agenda. Map payment and account routes. Identify where automation can test credentials or cards. Review SMS OTP dependence. Check whether tokenisation and 3DS data are being used well. Validate which vendors affect checkout and payment security. Confirm that logs can support fraud review without capturing sensitive card data. Tune rate limits and bot controls by route, not only by IP.&lt;/p&gt;
&lt;p&gt;The next few years of payment security will reward teams that can make proportionate, evidence-backed decisions. That is the thread running through Visa's roadmap and through Peakhour's edge security work: see the request in context, choose the right action, and keep enough evidence for fraud, security, and compliance teams to explain what happened.&lt;/p&gt;</content><category term="Fraud"></category><category term="PCI DSS"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Magento"></category><category term="Application Security"></category></entry><entry><title>Application Security for Financial Services Under CPS 234</title><link href="https://www.peakhour.io/blog/credential-stuffing-defence-cps-234-compliance/" rel="alternate"></link><published>2024-07-29T10:00:00+10:00</published><updated>2024-07-29T10:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2024-07-29:/blog/credential-stuffing-defence-cps-234-compliance/</id><summary type="html">&lt;p&gt;Comprehensive analysis of credential stuffing threats against Australian financial institutions and how application security platforms help meet CPS 234 disclosure requirements whilst preventing account takeover attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Recent credential stuffing attacks on prominent Australian retailers like &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; and Dan Murphy's have brought this threat into sharper focus. For APRA-regulated entities, these incidents are a reminder that credential stuffing is not only an account takeover issue. It can also trigger assessment and disclosure obligations under Prudential Standard &lt;a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf"&gt;CPS 234&lt;/a&gt; Information Security.&lt;/p&gt;
&lt;h2&gt;The Rising Tide of Credential Stuffing&lt;/h2&gt;
&lt;p&gt;Credential stuffing is now common in Australia and globally. These attacks exploit password reuse across multiple sites. Cybercriminals use automated tools to test large volumes of stolen username and password combinations against websites, looking for accounts they can access without authorisation.&lt;/p&gt;
&lt;p&gt;The scale is large. According to recent studies, there are over 15 billion stolen credentials circulating on the internet. In 2020 alone, one large content delivery network reported more than 193 billion credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; globally. For Australian businesses, the risk is significant and growing.&lt;/p&gt;
&lt;h2&gt;The Compounding Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;The use of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; has increased the sophistication and effectiveness of &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; attacks. Residential proxies allow attackers to route their traffic through legitimate residential IP addresses, making automated activity look more like normal user behaviour.&lt;/p&gt;
&lt;p&gt;This technique poses several challenges:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bypassing Traditional Defences&lt;/strong&gt;: Standard IP-based rate limiting and geo-blocking become ineffective when attacks come from diverse, legitimate-looking IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evading Detection&lt;/strong&gt;: Traffic from residential proxies is harder to distinguish from genuine user activity, complicating detection efforts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scalability&lt;/strong&gt;: Attackers can distribute their attempts across a large network of proxies, allowing for larger-scale attacks without triggering typical alarm thresholds.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Improved Success Rates&lt;/strong&gt;: By appearing to come from the same geographic area as legitimate users, these attacks are more likely to bypass location-based security measures.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The Crabby Phenomenon&lt;/h2&gt;
&lt;p&gt;The emergence of sites like &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;Crabby Cash&lt;/a&gt; shows how credential stuffing fits into a broader cybercrime market. These platforms serve as marketplaces for compromised accounts, making it easier for criminals to monetise successful credential stuffing attacks.&lt;/p&gt;
&lt;p&gt;Key points about Crabby Cash and similar sites:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ease of Access&lt;/strong&gt;: These sites lower the barrier to entry for cybercriminals, providing ready access to compromised accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rapid Exploitation&lt;/strong&gt;: Once credentials are verified and listed on these sites, the window for detection and mitigation narrows significantly.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Diverse Targets&lt;/strong&gt;: The range of compromised accounts often spans multiple industries, including retail, financial services, and entertainment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ongoing Threat&lt;/strong&gt;: The existence of these marketplaces incentivises continuous credential stuffing attempts, creating a persistent threat landscape.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;The CPS 234 Disclosure Imperative&lt;/h2&gt;
&lt;p&gt;The prevalence of credential stuffing attacks, compounded by residential proxies and platforms like Crabby Cash, makes the disclosure requirements in CPS 234 directly relevant.&lt;/p&gt;
&lt;p&gt;Paragraph 35 of CPS 234 states:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:&lt;/p&gt;
&lt;p&gt;(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or&lt;/p&gt;
&lt;p&gt;(b) has been notified to other regulators, either in Australia or other jurisdictions.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The existence of sites like Crabby Cash can increase the potential impact of credential stuffing attacks, making them more likely to meet the materiality threshold for disclosure.&lt;/p&gt;
&lt;h2&gt;A Risk-Based Approach to Disclosure&lt;/h2&gt;
&lt;p&gt;To manage credential stuffing risk and meet CPS 234 obligations, organisations should take a risk-based approach to detection, mitigation, and disclosure. This involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Working with Specialised Providers&lt;/strong&gt;: Engage with cybersecurity providers who can offer insights into your organisation's exposure and risk levels based on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Network fingerprinting&lt;/li&gt;
&lt;li&gt;Levels of breached credential login attempts&lt;/li&gt;
&lt;li&gt;Prevalence of residential proxy traffic as a high-correlating signal of attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Risk Assessment&lt;/strong&gt;: Regularly evaluate the risk posed by credential stuffing attacks, considering factors such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The volume and sophistication of attempts&lt;/li&gt;
&lt;li&gt;The success rate of attacks&lt;/li&gt;
&lt;li&gt;The potential impact on customers and the organisation&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inadequate Defences as a Risk Signal&lt;/strong&gt;: Recognise that the absence of robust defences against credential stuffing is itself a risk signal. Organisations without advanced bot detection, multi-factor authentication, and behavioural analysis capabilities may face higher risk and should consider this in their disclosure decisions.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Disclosure Thresholds&lt;/strong&gt;: Develop flexible, risk-based thresholds for APRA notification that take into account:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The current threat landscape&lt;/li&gt;
&lt;li&gt;The organisation's defensive capabilities&lt;/li&gt;
&lt;li&gt;The potential impact of a successful attack&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Assessing Materiality in Light of These Threats&lt;/h2&gt;
&lt;p&gt;When assessing whether a credential stuffing incident meets the materiality threshold for APRA notification, entities should consider:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scale of the Attack&lt;/strong&gt;: The number of accounts targeted or compromised.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Success Rate&lt;/strong&gt;: Whether any accounts were actually breached.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Exposure on Dark Web Markets&lt;/strong&gt;: If compromised credentials appear on sites like Crabby Cash.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Potential Financial Impact&lt;/strong&gt;: Both immediate losses and potential future exploitation.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Non-Financial Impacts&lt;/strong&gt;: Including reputational damage and loss of customer trust.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Broader Systemic Risk&lt;/strong&gt;: Whether the attack could impact the wider financial system.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Defensive Posture&lt;/strong&gt;: The adequacy of existing controls and the organisation's ability to detect and mitigate attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Proactive Measures and Controls&lt;/h2&gt;
&lt;p&gt;To mitigate the risks of credential stuffing attacks, particularly those leveraging residential proxies, APRA-regulated entities should implement robust controls as outlined in CPS 234 and &lt;a href="https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf"&gt;CPG 234&lt;/a&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Contextual Security Approach&lt;/strong&gt;: Implement a contextual security strategy that considers multiple factors to assess the risk of each login attempt, including device characteristics, user behaviour patterns, and network attributes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Bot Detection&lt;/strong&gt;: Deploy bot management systems capable of identifying automated attempts, even when they come from diverse IP addresses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Residential Proxy Detection&lt;/strong&gt;: Utilise specialised residential proxy detection tools to identify and mitigate threats from this increasingly common attack vector.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Multi-Factor Authentication&lt;/strong&gt;: As suggested in CPG 234, implement MFA for high-risk activities to provide an additional layer of security beyond passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Use analytics to detect anomalous login patterns that may indicate credential stuffing attempts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Continuous Monitoring&lt;/strong&gt;: Implement real-time monitoring systems to quickly identify and respond to potential attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Password Policies&lt;/strong&gt;: Encourage or enforce the use of unique, strong passwords to mitigate the impact of credential stuffing.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Customer Education&lt;/strong&gt;: Proactively inform customers about the risks of password reuse and the importance of strong, unique passwords.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Collaboration and Information Sharing&lt;/strong&gt;: Engage with industry peers and law enforcement to share threat intelligence and effective practices.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adaptive Authentication&lt;/strong&gt;: Implement risk-based authentication that adjusts security requirements based on the perceived threat level of each login attempt.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By adopting these measures, particularly a contextual security approach incorporating &lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; detection, organisations can improve their resilience against credential stuffing attacks and better protect their customers' accounts.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Credential stuffing, residential proxies, and platforms like Crabby Cash make account takeover risk harder to assess and harder to contain. APRA-regulated entities need a proactive, risk-based approach to information security and regulatory compliance.&lt;/p&gt;
&lt;p&gt;APRA-regulated entities should treat credential stuffing attacks as more than a technical control problem. They are business risks that may require Board-level attention and, depending on materiality, regulatory disclosure under CPS 234. By implementing preventative measures, maintaining effective incident response capabilities, and keeping clear processes for assessing and reporting incidents, organisations can better protect themselves and their customers from this growing threat.&lt;/p&gt;
&lt;p&gt;In this environment, CPS 234 compliance is not only a reporting exercise. It depends on information security controls that protect the organisation, its customers, and the broader financial system before credential stuffing becomes a material incident.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="PCI DSS"></category></entry><entry><title>APRA Cybersecurity Guidelines</title><link href="https://www.peakhour.io/blog/apra-cybersecurity-application-security-financial-services/" rel="alternate"></link><published>2023-10-12T12:31:00+11:00</published><updated>2024-12-01T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-10-12:/blog/apra-cybersecurity-application-security-financial-services/</id><summary type="html">&lt;p&gt;Comprehensive guide to APRA cybersecurity requirements for Australian financial institutions. Learn how application security platforms help meet CPS 234 compliance and Information Security Manual guidelines for protecting financial services infrastructure.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Website cybersecurity is a practical requirement, and Australian organisations have a substantial body of guidance to work from.
While the Australian Government's "Essential 8" focuses broadly on workplace security, the Australian Prudential Regulation Authority (APRA) offers a more specific
&lt;a href="https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism"&gt;Information Security Manual (ISM)&lt;/a&gt;
with recommendations that apply to business websites.&lt;/p&gt;
&lt;h2&gt;Why Website Security Matters&lt;/h2&gt;
&lt;p&gt;When your business operates a website or web application, you are not just managing content; you are responsible for protecting data.
Inadequate security controls expose you to risks such as data breaches, malware, &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt;, and reputational damage. Company executives and operational staff need to implement relevant recommendations to minimise risk and liability
if a security breach occurs.&lt;/p&gt;
&lt;h2&gt;APRA’s ISM: Tailored for Websites&lt;/h2&gt;
&lt;p&gt;APRA's ISM guidelines are practical for website owners. These are the key recommendations for websites and why they matter:&lt;/p&gt;
&lt;h3&gt;Network Traffic and Anonymity (ISM-1627, ISM-1628)&lt;/h3&gt;
&lt;p&gt;Blocking anonymity network traffic reduces the ability of malicious actors to hide their identity. This improves
accountability when investigating suspicious requests and reduces security threats.&lt;/p&gt;
&lt;h3&gt;Cloud Service Providers (ISM-1437)&lt;/h3&gt;
&lt;p&gt;APRA advises the use of cloud service providers for hosting online services. A well-managed cloud platform can
provide security controls and operational maturity that are difficult to match on premises.&lt;/p&gt;
&lt;h3&gt;Content Delivery Network (ISM-1438)&lt;/h3&gt;
&lt;p&gt;A CDN is not only a performance tool. It can filter malicious traffic before it reaches the origin and provide an additional
layer of security.&lt;/p&gt;
&lt;h3&gt;Origin Exposure and DDoS Mitigation (ISM-1439)&lt;/h3&gt;
&lt;p&gt;Hiding the origin IP and using cloud providers for DDoS mitigation helps protect your primary server by dispersing traffic
across a distributed network.&lt;/p&gt;
&lt;h3&gt;Data Encryption (ISM-1781, ISM-1139)&lt;/h3&gt;
&lt;p&gt;Encrypt all data over the network and use only the latest version of TLS to protect data in transit.&lt;/p&gt;
&lt;h3&gt;Logging and Auditing (ISM-261, ISM-580, ISM-0585, ISM-1661)&lt;/h3&gt;
&lt;p&gt;Comprehensive audit logging is vital for tracking activity and identifying irregular patterns. Logs should be
detailed and reviewed periodically.&lt;/p&gt;
&lt;h3&gt;Web Application Firewall (WAF) (ISM-1240, ISM-1490, ISM-1509, ISM-1657)&lt;/h3&gt;
&lt;p&gt;A WAF provides a control point for monitoring and filtering incoming traffic, enabling you to block harmful requests.&lt;/p&gt;
&lt;h3&gt;Backup and Configuration (ISM-1511)&lt;/h3&gt;
&lt;p&gt;Back up your data, website, and configurations, and store them securely, preferably in a version-controlled environment such as Git.&lt;/p&gt;
&lt;h3&gt;HTTPS and SSL (ISM-1277, ISM-1552)&lt;/h3&gt;
&lt;p&gt;SSL certificates and HTTPS should be standard for all web content. This helps safeguard data integrity and user
confidentiality.&lt;/p&gt;
&lt;h3&gt;Scaling and Monitoring (ISM-1579, ISM-1581)&lt;/h3&gt;
&lt;p&gt;Ensure &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt; can scale during demand spikes and that you have real-time monitoring for capacity and availability.&lt;/p&gt;
&lt;h3&gt;Virtual Patching and Antivirus Scanning (ISM-1690, ISM-1288, ISM-1694)&lt;/h3&gt;
&lt;p&gt;Virtual patching and antivirus scanning help protect your website against new vulnerabilities and malware.&lt;/p&gt;
&lt;h3&gt;Content Types (ISM-0649)&lt;/h3&gt;
&lt;p&gt;Only allow the specific content types your website needs to run. Restricting this reduces the risk of malicious content affecting your website.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Incorporating APRA’s ISM recommendations into your cybersecurity strategy makes your website more resilient against
cyberattacks. Treat them as essential operating practices for
website security, not as guidance to skim once and set aside.&lt;/p&gt;</content><category term="Financial Services Security"></category><category term="Compliance"></category><category term="Account Protection"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="GDPR"></category><category term="PCI DSS"></category></entry></feed>