
The grand scheme of things
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Last April, a California-based payment-processing company successfully foiled fraudsters’ repeated attempts to use its clients’ credit card numbers for illegal transactions. The fraudsters used brute-force methods to guess bank identification numbers (BINs), the first six digits of a payment card that identify the issuing financial institution.
In this case, the attack on the company’s network of merchants strayed from conventional BIN-testing methods where attackers concentrate only on a small number of merchants. Instead, fraudsters attempted transactions with the payment card information at a few hundred small merchants, using each merchant for two authorization attempts before abandoning them, making the attack difficult to detect. Because each merchant processed such a low volume of fraudulent transactions, fraud detection measures that traditionally flag spikes in activity were ineffective.
But the payment processor’s BIN-wide fraud analytics, which monitored the overall authorization volume across the BIN range, together with its high-risk scoring method, exposed the fraudulent activity. The payment processor’s fraud-monitoring team identified an unusual increase in declined transactions within the same BIN range; its fraud-scoring model flagged most of the transactions as high risk and returned fraud-related decline codes such as “suspected fraud,” “closed account,” “CVV failed” and “Do Not Honor.” These decline codes are strong indicators of card-number testing rather than legitimate, failed transactions.
Once it confirmed the attack pattern, the company acted quickly to block further fraudulent attempts and prevent card compromise with BIN-level controls and risk-scoring adjustments. It deployed real-time transaction monitoring at the BIN level, rather than just merchant-specific alerts, and increased fraud risk weighting for newly onboarded merchants without history in the company’s payment ecosystem.
This case is based on a real incident involving the client of Dustin Eaton, CFE, co-author of this article. It demonstrates how fraudsters have evolved their tactics to evade detection in attacks on payment cards, in this instance shifting from high-volume testing of a few merchants to low-volume, dispersed BIN testing across many merchants. By leveraging BIN-level fraud monitoring, network fraud scoring and targeted response strategies, financial services companies can successfully identify and contain attacks before customers suffer significant losses.
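The BIN-wide check described in this case, as an added illustration that is not code from the processor or the authors: it aggregates authorization attempts per BIN across all merchants, so that a pattern of two attempts per merchant with fraud-related decline codes is flagged even though a conventional per-merchant spike alert never fires. The log format, the 411111 and 521234 BINs and the record counts are constructed for the example.

```python
"""BIN-wide authorization analytics over a constructed batch of auth records."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Decline codes the processor treated as card-testing signals rather than ordinary failures.
FRAUD_DECLINE_CODES = {"suspected_fraud", "closed_account", "cvv_failed", "do_not_honor"}


class AuthRecord(NamedTuple):
    bin6: str          # first six digits of the PAN; the full PAN is never kept here
    merchant_id: str
    approved: bool
    decline_code: str  # empty when approved


def parse_auth_log(lines: List[str]) -> List[AuthRecord]:
    """Parse 'bin|merchant|RESULT|decline_code' lines (a constructed log format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bin6, merchant, result, code = line.split("|")
        records.append(AuthRecord(bin6, merchant, result == "APPROVED", code))
    return records


def merchant_spike_alerts(records: List[AuthRecord], threshold: int = 20) -> Set[str]:
    """Conventional per-merchant alerting: fires only when one merchant sees a burst."""
    per_merchant = Counter(r.merchant_id for r in records)
    return {m for m, n in per_merchant.items() if n >= threshold}


def bin_risk_report(records: List[AuthRecord], min_attempts: int = 50,
                    decline_rate_threshold: float = 0.5,
                    fraud_code_share_threshold: float = 0.5) -> Dict[str, dict]:
    """Aggregate across all merchants per BIN so dispersed low-volume testing stands out."""
    by_bin: Dict[str, List[AuthRecord]] = defaultdict(list)
    for r in records:
        by_bin[r.bin6].append(r)
    report: Dict[str, dict] = {}
    for bin6, recs in by_bin.items():
        attempts = len(recs)
        declines = [r for r in recs if not r.approved]
        fraud_declines = [r for r in declines if r.decline_code in FRAUD_DECLINE_CODES]
        per_merchant = Counter(r.merchant_id for r in recs)
        decline_rate = len(declines) / attempts
        fraud_share = len(fraud_declines) / len(declines) if declines else 0.0
        flagged = (attempts >= min_attempts
                   and decline_rate >= decline_rate_threshold
                   and fraud_share >= fraud_code_share_threshold)
        report[bin6] = {
            "attempts": attempts,
            "decline_rate": round(decline_rate, 3),
            "fraud_code_share": round(fraud_share, 3),
            "merchants": len(per_merchant),
            "max_attempts_per_merchant": max(per_merchant.values()),
            "flagged": flagged,
        }
    return report


def build_sample_log() -> List[str]:
    """Constructed sample: one BIN tested twice at each of 60 unfamiliar merchants,
    and one BIN with ordinary traffic at three established merchants."""
    lines = ["# bin|merchant|RESULT|decline_code (constructed, not real data)"]
    codes = ["suspected_fraud", "cvv_failed", "do_not_honor", "closed_account"]
    for m in range(60):
        for attempt in range(2):
            n = m * 2 + attempt
            if n % 24 == 0:   # the rare guess that succeeds: 5 approvals in 120 tries
                lines.append(f"411111|new{m:03d}|APPROVED|")
            else:
                lines.append(f"411111|new{m:03d}|DECLINED|{codes[n % 4]}")
    for n in range(30):
        if n % 10 == 9:       # a few ordinary declines at established merchants
            lines.append(f"521234|shop{n % 3}|DECLINED|insufficient_funds")
        else:
            lines.append(f"521234|shop{n % 3}|APPROVED|")
    return lines


if __name__ == "__main__":
    recs = parse_auth_log(build_sample_log())
    print("merchant-level alerts:", merchant_spike_alerts(recs) or "none")
    for bin6, stats in bin_risk_report(recs).items():
        print(bin6, stats)
```

The thresholds are illustrative; a processor would tune them against its own baseline decline rates per BIN and merchant category.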
In the early days of credit card fraud, attackers used a simple, but time-consuming method: They attempted to identify valid card numbers by manually entering combinations into a system, such as a payment gateway or form, to see which ones were accepted or rejected. However, with advanced cybercrime tools, including web-based platforms and tools that automate browser interactions, a once labor-intensive method is transformed into a fully automated, large-scale operation. In this article, the authors explain the mechanics of this fraud scheme and the preventive measures companies can take to thwart threats to payment-card security.
The primary account number (PAN) uniquely identifies a card issuer and cardholder account. It’s usually embossed or printed on a debit or credit card and is made up of 16 digits, the first six of which comprise the BIN.
Understanding the difference between BIN attacks and PAN enumeration attacks is crucial for developing effective awareness and prevention countermeasures. A BIN attack usually focuses on the first six to eight digits of a card number that correspond to the issuer, although that count can vary. Attackers use these digits to generate plausible card numbers and systematically test them across e-commerce platforms to identify valid combinations, following a methodical, organized process.
A PAN enumeration attack involves similar testing activity, but involves testing the full PAN, expiration date and CVV/CVC code (the three- or four-digit security code on the back of a payment card) to validate complete card details for fraudulent use. BIN attacks serve as an initial reconnaissance stage, and PAN enumeration represents a more advanced and resource-intensive operation. Addressing both requires tailored strategies, with BIN attacks often mitigated at the network or issuer level and PAN enumeration at the merchant and processor levels.
Rather than manually testing different card number combinations, attackers now employ automated bots that send multiple requests with different card number combinations, often accompanied by expiration dates and CVV codes. The card number’s final digit is the Luhn check digit, which checks that the number is well formed. Because the Luhn algorithm governs the structure of card numbers, attackers exploit it to narrow the combinations they submit. While the bots identify valid combinations by trial and error, attackers perform fraudulent transactions undetected. Through automation, thousands of card numbers can be tested rapidly across various platforms.
Businesses, particularly those with weak security measures, face a significant risk from PAN enumeration attacks. Fraudsters typically target e-commerce sites that lack adequate protections. According to Visa’s 2024 Biannual Threats Report, enumeration attacks have become a prevalent method for fraudsters to validate and compromise payment credentials, leading to substantial follow-on fraud in which fraudsters use the credentials for subsequent attacks. The report notes that between January and June of 2024, the U.S. accounted for 58% of total issuer enumeration attacks.
Although PAN enumeration primarily targets card-not-present (CNP) transactions, it can indirectly facilitate card-present fraud by allowing fraudsters to encode stolen details onto cloned physical cards. Once a valid card number and its accompanying data are identified, attackers can write this information onto blank magnetic stripe cards using readily available encoding devices. These cloned cards can then be used at physical point-of-sale terminals or ATMs, effectively turning digital theft into in-person fraud.
The primary objective of PAN enumeration attacks is for fraudsters to gather valid payment card numbers they can use for other fraudulent activities. Attackers exploit weaknesses in payment systems, particularly those without adequate security controls, to bypass card verification processes. By systematically testing different combinations of card numbers, expiration dates and CVV codes, cyber criminals identify valid card details to use for unauthorized transactions, online purchases and cash withdrawals. They also often package stolen card information and sell it to other fraudsters to use for identity theft, money laundering and other financial crimes.
Enumeration attacks have a predictable life cycle: reconnaissance, enumeration, exploitation and monetization. Attackers begin by identifying vulnerable systems, including online payment gateways, e-commerce platforms and merchant websites with insufficient security. They then use automated tools to test large volumes of card numbers, exploit valid combinations for fraudulent transactions, and finally, monetize stolen data through resale or direct misuse. BIN attacks are often the initial reconnaissance stage, identifying the most vulnerable issuers, before attackers escalate to full PAN enumeration. The growing sophistication of these often automated attacks has increased their success rates and posed significant challenges to merchants and financial institutions.
In March 2025, retail behemoth Walmart issued refunds after scammers used BIN attacks to steal customers’ card information for fraudulent purchases. Alabama-based Redstone Federal Credit Union, whose members were affected by the fraudulent Walmart purchases, stated that large retailers are especially vulnerable to BIN attacks because they process many transactions every day.
The intent behind BIN attacks extends beyond simple theft. In many cases, attackers use valid card information as forerunners to larger schemes, such as creating fake merchant accounts or enabling large-scale money laundering operations. These schemes can be lucrative, with valid card numbers fetching high prices on dark web marketplaces.
The following is a hypothetical case to further illustrate attacks on payment cards. A digital payments company detected a surge in fraudulent activity targeting a specific nine-digit BIN range assigned to one of its issuing clients. The attack manifested through a wave of low-dollar online transactions attempted across numerous small and unfamiliar merchants. The merchants involved had no prior transaction history within the targeted BIN range or across the company’s broader payments ecosystem. The sudden appearance of these merchants, combined with low approval rates, raised immediate suspicion. The merchants themselves weren’t perpetrators in the fraud scheme. Instead, fraudsters deliberately chose businesses with weak checkout security, such as those not requiring CVV2 or address verification. This allowed them to test card credentials with minimal friction.
Once they’d identified a valid card with a successful small transaction, fraudsters quickly reused the credentials at a legitimate online marketplace, where they purchased digital credits, likely with the intent to resell and launder the proceeds. Despite the systematic nature of the attack, the digital payment company’s fraud prevention measures limited the financial impact by applying rules at the processor level that blocked the fraudulent attempts and deactivated compromised cards to prevent further misuse.
This hypothetical case underscores the evolving tactics that fraudsters use, particularly in exploiting small, low-security merchants as entry points for BIN testing. By enhancing fraud monitoring, enforcing merchant security standards and responding quickly to emerging threats, companies can successfully contain similar attacks and reinforce their defenses against future fraud attempts.
The consequences of PAN enumeration attacks are wide-ranging. Victim businesses suffer financial losses due to fraudulent transactions, chargeback costs and the operational burden of addressing compromised accounts. Beyond monetary impact, businesses also face reputational damage and erosion of customer trust, as consumers expect robust security measures for their sensitive payment data. For merchants, payment processors and financial institutions, security breaches can disrupt operations and diminish confidence in their security measures.
Compared to other fraud techniques, PAN enumeration stands out for its scalability and subtlety. Unlike other forms of CNP fraud, which rely on existing compromised data, PAN enumeration attacks actively test payment systems, making detection more challenging as the activity can mimic legitimate behavior. Similarly, while traditional card skimming happens in a specific physical location, where the skimmer only captures data from cards used at one payment location, PAN enumeration operates entirely online, allowing attackers to target thousands or even millions of accounts globally within a short time frame and from virtually anywhere. These characteristics make PAN enumeration a highly sophisticated threat that’s difficult to detect.
Attackers are increasingly combining PAN enumeration with other fraud techniques, including phishing, account takeover and social engineering. This cross-channel approach enhances criminals’ chances of success and complicates detection and prevention efforts. As these tactics evolve, adherence to frameworks and compliance with global privacy laws is critical for stakeholders to protect cardholders’ data.
PAN enumeration fraud poses significant challenges to stakeholders in the payments industry, including merchants, payment processors and financial institutions. To mitigate these risks, a robust regulatory framework governs the protection of cardholder data, with clear responsibilities for all parties. Understanding and adhering to these regulations is critical to maintaining compliance and avoiding legal repercussions.
The Payment Card Industry Data Security Standard (PCI DSS) is a cornerstone for safeguarding payment card data against threats like PAN enumeration. PCI DSS mandates data encryption, tokenization (replacing sensitive data with identification symbols) and secure authentication mechanisms to reduce the risk of enumeration attacks. Controls such as limiting repeated authorization attempts and masking PANs in transaction logs are essential to protecting against unauthorized access. Compliance with PCI DSS reduces vulnerability and demonstrates proactive efforts to meet industry security benchmarks, which is critical in regulatory audits and breach investigations.
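The PAN structure described earlier (BIN prefix, Luhn check digit) and the PCI DSS requirement to mask PANs in transaction logs, as an added example rather than code from the article or the standard: it normalizes a PAN, validates the Luhn check digit, extracts the BIN and produces a log line that never carries the full number. The PANs used are the well-known public test numbers, and the log-line format is an assumption.

```python
"""PAN structure checks and log masking (added example; public test PANs only)."""
import re
from typing import NamedTuple


class PanInfo(NamedTuple):
    bin6: str      # issuer-identifying prefix (BIN)
    last4: str
    length: int
    luhn_ok: bool


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) checksum: the final digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four only, the masking pattern PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_pan(raw: str) -> PanInfo:
    """Split a PAN into the fields a fraud analyst needs without retaining the PAN itself."""
    pan = normalize_pan(raw)
    return PanInfo(pan[:6], pan[-4:], len(pan), luhn_valid(pan))


def log_line(raw: str, decline_code: str) -> str:
    """Build a transaction log record that never carries the full PAN (assumed format)."""
    pan = normalize_pan(raw)
    status = "ok" if luhn_valid(pan) else "fail"
    return f"pan={mask_pan(pan)} luhn={status} decline={decline_code}"


if __name__ == "__main__":
    print(inspect_pan("4111 1111 1111 1111"))
    print(log_line("4111111111111111", "cvv_failed"))
```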
Regional regulatory frameworks, such as the California Consumer Privacy Act (CCPA) in the U.S., introduce additional compliance requirements. The General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) law that governs the collection, processing and storage of personal data, including payment card information. The Revised Payment Services Directive (PSD2) mandates stronger authentication and greater transparency for electronic payments in the EU, directly impacting how companies must handle and protect cardholder data. These laws introduce legal complexities, such as stricter consent requirements, enhanced breach notification obligations and limitations on cross-border data transfers. For example, under GDPR, organizations must notify regulators within 72 hours of detecting a data breach involving personal information — including PANs — potentially uncovered through enumeration attacks. Meanwhile, PSD2 requires businesses to implement multifactor authentication, which complicates how payments are processed and may affect customer experience if not executed properly. As a result, businesses must not only invest in advanced fraud detection technologies but also ensure that their practices align with legal standards across jurisdictions.
Legal liabilities stemming from PAN enumeration fraud can be significant, with responsibilities distributed across merchants, payment processors and banks. Merchants are often held accountable for failing to implement adequate transaction monitoring and fraud prevention measures. Payment processors, tasked with ensuring secure transaction routing for their customers, face scrutiny for vulnerabilities in their systems that enable enumeration attempts. Banks, as card issuers, bear liability for reimbursing customers and ensuring the integrity of their cardholder databases. This shared responsibility requires collaborative compliance strategies and clear contracts to detail roles and reduce potential disputes, even in the face of the legal complexities mentioned previously. For all stakeholders, balancing security and privacy-regulations compliance with effective fraud prevention measures is essential to mitigating legal exposure and maintaining consumer trust.
Visa, Mastercard and other industry players recommend a layered security approach, including anomaly detection and robust validation practices, to reduce vulnerabilities. Without these defenses, merchants risk financial loss, reputational damage and being used as channels for criminal activities.
Preventing PAN enumeration requires defenses such as velocity checks, Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), and rate-limiting at the merchant and processor levels. Velocity checks monitor how frequently certain actions, such as payment attempts or card number entries, occur within a set time frame, flagging unusual patterns that might indicate enumeration. CAPTCHA is a security measure designed to distinguish between human users and automated bots, often by requiring users to solve puzzles or identify objects in images. Rate-limiting restricts the number of requests a user or IP address can make over a defined period, effectively slowing down or blocking automated attacks before they can spread.
In another hypothetical case study, a leading neobank (a digital-only bank) notices an unusual pattern of high-risk authorization attempts associated with Facebook transactions. Over two months, the volume of attempted $999 transactions steadily increases, triggering red flags in the neobank’s fraud-monitoring systems. Transactions appear with varying merchant descriptors but originate from a single address in California.
A credit card company’s risk model flags approximately 87,000 authorization attempts across 800+ accounts with high fraud risk scores, resulting in automatic declines based on the neobank’s fraud rules. Analysts identify that nearly all declined transactions were within the same BINs, confirming targeted enumeration. The fraud team blocks the BIN ranges temporarily, pending an investigation. Responding to a recommended course of action, the fraud team implements real-time velocity checks on high-risk BINs to detect excessive authorization attempts.
This hypothetical highlights the importance of proactive fraud detection. By leveraging real-time analytics, merchant partnerships and dynamic risk controls, neobanks can successfully mitigate large-scale fraud attempts and strengthen their defenses against future attacks.
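The velocity checks and rate-limiting described above, and the real-time velocity check on high-risk BINs that the neobank case ends with, as one added example that is not code from the article: a sliding-window counter keyed by BIN, merchant and client IP, with a tighter ceiling for a BIN already under attack and a simple policy that rate-limits the source and steps up verification when only the BIN is hot. The limits, the policy, the 411111 and 521234 BINs and the event stream are constructed; the IP addresses come from the documentation ranges.

```python
"""Sliding-window velocity checks keyed by BIN, merchant and client IP (added example)."""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Tuple

# (timestamp_seconds, {"bin": ..., "merchant": ..., "ip": ...})
Event = Tuple[float, Dict[str, str]]


class VelocityLimiter:
    """Counts attempts per key inside a trailing time window; no request bodies are stored."""

    def __init__(self, limits: Dict[str, Tuple[int, float]],
                 high_risk_bins: Dict[str, int]):
        self.limits = limits                  # dimension -> (max_attempts, window_seconds)
        self.high_risk_bins = high_risk_bins  # bin -> tighter max_attempts
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def record(self, ts: float, keys: Dict[str, str]) -> List[str]:
        """Record one authorization attempt; return the dimensions now over their limit."""
        breached = []
        for dim, value in keys.items():
            if dim not in self.limits:
                continue
            max_attempts, window = self.limits[dim]
            if dim == "bin" and value in self.high_risk_bins:
                max_attempts = self.high_risk_bins[value]
            q = self.windows[(dim, value)]
            while q and ts - q[0] >= window:   # drop attempts that left the window
                q.popleft()
            q.append(ts)
            if len(q) > max_attempts:
                breached.append(dim)
        return breached


def decide(breached: List[str]) -> str:
    """Policy (assumed): rate-limit the source; step up verification when only the BIN is hot."""
    if "ip" in breached or "merchant" in breached:
        return "block"
    if "bin" in breached:
        return "step_up"
    return "allow"


def run_stream(events: List[Event], limiter: VelocityLimiter) -> Dict[str, int]:
    """Apply the limiter to a time-ordered stream and tally the decisions."""
    tally: Counter = Counter()
    for ts, keys in sorted(events, key=lambda e: e[0]):
        tally[decide(limiter.record(ts, keys))] += 1
    return dict(tally)


def default_limiter() -> VelocityLimiter:
    return VelocityLimiter(
        limits={"ip": (10, 60.0), "merchant": (20, 60.0), "bin": (25, 60.0)},
        high_risk_bins={"411111": 5},   # tighter ceiling for a BIN already under attack
    )


def build_sample_stream() -> List[Event]:
    """Constructed stream: 30 attempts in 45 s from one IP spread over 15 merchants on a
    high-risk BIN, plus five ordinary attempts from distinct IPs on another BIN."""
    events: List[Event] = []
    for i in range(30):
        events.append((i * 1.5, {"bin": "411111", "merchant": f"m{i % 15:02d}",
                                 "ip": "198.51.100.7"}))
    for i in range(5):
        events.append((i * 20.0, {"bin": "521234", "merchant": "shop0",
                                  "ip": f"203.0.113.{i + 1}"}))
    return events


if __name__ == "__main__":
    print(run_stream(build_sample_stream(), default_limiter()))
```

Spreading the attempts over 15 merchants keeps every per-merchant counter far below its limit, which is why the IP and BIN dimensions carry the detection here.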
Artificial intelligence (AI)-driven fraud detection systems analyze transaction data in real time to identify patterns that indicate enumeration attempts, including repetitive failed transactions or high-frequency testing of card details. For instance, machine learning (ML) models, such as those demonstrated in the “PAN Card Fraud Detection Using Machine Learning” case study, employ advanced techniques such as convolutional neural networks (artificial neural networks that can process images) to classify and detect anomalies effectively. By leveraging adaptive algorithms, these systems can distinguish between legitimate user behavior and malicious activities, even as attackers evolve their methods. This ability to continuously learn and improve accuracy makes ML models essential to combating the dynamic nature of enumeration fraud.
Predictive analytics enhance fraud prevention efforts by enabling organizations to anticipate risks before they materialize. By analyzing historical transaction data, behavioral patterns and known fraud indicators, predictive models can flag potentially vulnerable accounts or systems. These insights allow businesses to proactively implement targeted defenses, such as additional verification layers for high-risk transactions or adjusting thresholds for suspicious activity alerts. Predictive capabilities strengthen security measures and help allocate resources more efficiently by focusing on the likeliest points of attack.
Despite its potential, implementing AI or ML for fraud detection comes with challenges. False positives, where legitimate transactions are flagged as fraudulent, remain a significant problem that can disrupt user experiences and erode trust. Maintaining accuracy while minimizing disruptions is critical for successful AI/ML adoption.
Ensuring data accuracy and managing biases in training datasets are essential to maintaining the effectiveness of AI systems. To avoid biases in training datasets, it’s best to use a variety of data sources and regularly audit datasets to ensure they represent different demographics, behaviors and scenarios. Additionally, overreliance on automated systems without human oversight can lead to blind spots, particularly in sophisticated cross-channel fraud schemes (such as combining phishing emails with fake call center scams or using stolen online credentials to make in-person purchases). To maximize the benefits of AI, businesses must adopt a balanced approach, combining advanced technology with human expertise to maintain robust and adaptive fraud prevention strategies.
Fraudsters’ use of automation and botnet-driven attacks increases their efficiency in committing PAN enumeration fraud. Setting up a botnet typically involves infecting a large number of devices, such as computers, servers or internet of things (IoT) devices, with malicious software that allows an attacker to control them remotely. Attackers often spread this malware through phishing emails, malicious downloads or by exploiting unpatched software vulnerabilities. Once established, the botnet can be programmed to systematically test thousands of card combinations across merchant websites, mimicking legitimate user behavior and avoiding detection. This automation allows attackers to launch coordinated and high-speed enumeration campaigns, amplifying their impact and bypassing traditional fraud detection methods. Businesses must counter these sophisticated operations with advanced defenses such as real-time traffic monitoring and device fingerprinting to identify and disrupt malicious activity at its source.
Although cryptocurrency and blockchain technologies promise greater transparency and security, they also introduce new risks that could impact the traditional payments landscape. Emerging threats include enumeration-like attacks that target cryptocurrency wallet addresses (wallets provide access to cryptocurrency) by exploiting weak randomness in wallet generation and leveraging blockchain analytics to infer sensitive transactional information. Exploiting weak randomness means attackers take advantage of poorly generated private keys or predictable wallet seed phrases (recovery phrases), allowing them to recreate or guess wallet addresses. By using blockchain analytics, attackers can trace transaction patterns, identify high-value wallets and link seemingly anonymous activity to real-world identities based on behavioral patterns or interactions with known services.
Notable cases such as vulnerabilities in bitcoin wallets created in the 2010s demonstrate how attackers have exploited poorly secured wallet infrastructures. Although this is less common than traditional PAN enumeration, it has the potential to disrupt payment ecosystems as cryptocurrencies become more integrated into mainstream commerce.
Future innovations in payment security hold the keys to mitigating the next wave of enumeration and related fraud risks. Technologies such as quantum cryptography promise unbreakable encryption by leveraging the principles of quantum mechanics to secure data transmission. Unlike traditional encryption methods, quantum cryptography uses particles of light (photons) to transmit encryption keys, making any attempt to intercept or measure the data immediately detectable due to the quantum properties of superposition and entanglement. This ensures that cardholder data remains secure, as any eavesdropping attempt would alter the key and alert both sender and receiver to the breach. Similarly, biometric authentication — such as fingerprint, facial recognition or behavioral biometrics — can introduce a layer of security inherently tied to the individual, making enumeration attacks effectively obsolete. Early adoption of these technologies, combined with regulatory support and industry-wide collaboration, could redefine payment security and provide a robust defense against increasingly sophisticated fraud tactics.
Strong collaboration between private industries, government entities and cybersecurity firms is crucial in the fight against PAN enumeration fraud. Public-private partnerships strengthen their defenses when they pool resources and expertise from diverse stakeholders. For instance, financial institutions and payment processors can work closely with government agencies and cybersecurity experts to develop shared strategies for identifying and mitigating enumeration attacks. Initiatives such as the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) information-sharing platforms enable companies to access real-time threat intelligence and coordinate responses to emerging threats. These partnerships not only improve detection and prevention but also establish a unified front against increasingly sophisticated fraud operations.
Global cooperation is essential for addressing the transnational nature of payment fraud schemes and PAN enumeration. International organizations such as Europol and Interpol facilitate cross-border collaboration by providing a platform for law enforcement and industry leaders to share intelligence and investigate global fraud networks. Europol’s European Cybercrime Centre (EC3) has led numerous operations targeting financial fraud, and its partnerships with national agencies and private companies have dismantled botnets and other enumeration tools. These efforts highlight the importance of harmonizing international strategies to address fraud schemes that transcend national borders. Their success depends on mutual trust, efficient communication and standardized procedures for data exchange.
Sharing fraud data among financial institutions, governments and industry consortia is fundamental to effective collaboration. Data-sharing initiatives, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), enable stakeholders to recognize and respond to fraud patterns more effectively. By analyzing shared data, financial institutions can identify trends in enumeration tactics, strengthen defenses and enhance early detection capabilities. However, successful data sharing requires robust privacy protections, clear regulations and strong partnerships to ensure that sensitive customer information remains secure. Fostering a culture of collaboration and transparency is vital to staying ahead of emerging threats.
Fully automated, botnet-driven operations pose financial, reputational and regulatory challenges to all stakeholders in the payments ecosystem. Addressing this threat demands a multifaceted approach with advanced technologies, robust security measures and collaboration across industries and borders.
In summary, here are some best practices to protect payment systems against PAN enumeration attacks:
Combining technological innovation with regulatory compliance and collaborative strategies will mitigate the risks of PAN enumeration and fortify the broader payment ecosystem against future threats. The growing threats to payment security can be better disrupted when those in the financial industry join forces to fight against them.
Dustin Eaton, CFE, is a risk and compliance professional. Contact him at djenzwm@yahoo.com.
Marcus Vinson is a risk and compliance leader at Lithic. Contact him at marcus.k.vinson@gmail.com.