Visa will require Australian financial institutions to move away from SMS one-time passwords (OTPs) as the sole factor for payment authentication, to address the threat of AI-driven fraud and scams.

In Australia last year, scam losses reached $2.7 billion with over 601,000 scam reports, and attacks typically increase in frequency during the peak holiday shopping and travel season. The rise of AI and ML technologies, combined with the continued growth in e-commerce, has created new opportunities for cyber criminals.

Visa head of risk for Australia, New Zealand and South Pacific, Martyna Lazar, said, “Scammers prey on fundamental human needs and heightened emotions – whether that’s companionship, job security or by creating a sense of urgency, panic or concern, and there’s no IT patch that can be deployed for that.”

In its new Security Roadmap for Australia 2025-2028, Visa is mandating that financial institutions provide customers with safer and more advanced authentication options beyond SMS OTP by October 2026. These include biometric authentication, in-app authentication, app-to-app flows, or passkeys.

“Cyber criminals are more organised, more sophisticated and using new technology to target Australians at scale with effective social engineering and phishing tactics. By tricking consumers into divulging their unique OTPs, they are then able to authenticate fraudulent payments or gain access to accounts, which can lead to substantial financial and emotional stress,” Lazar added.

“The threat landscape is rapidly evolving, and it takes continuous investment from Visa, together with financial institutions, merchants and consumers, to drive adoption of new secure technologies and stay ahead of these fraudsters.”

Visa’s Security Roadmap 2025-2028 sets out the steps Visa will be taking across six key areas to strengthen resilience in Australia’s payment ecosystem:

  • Preventing enumeration attacks, where fraudsters use automation to test and guess payment credentials
  • Continued investment in secure technologies to balance fraud management and improved customer experience
  • Shifting to a data-driven risk-based approach, which enhances security and supports sustainable growth
  • Ensuring ecosystem resilience against unauthorised payments fraud and scams (authorised fraud) in the era of AI
  • Enhancing the cyber security posture of ecosystem participants
  • Securing digital payment experiences by integrating best-in-class security protocols