The world of digital payments is evolving, and Visa has taken a decisive step to outpace the fraudsters. Visa has announced its new Security Roadmap for Australia (2025–2028), under which Australian financial institutions must phase out SMS One-Time Passwords (OTPs) as the sole method of payment authentication by October 2026. The mandate aims to protect consumers from a rising tide of sophisticated scams powered by artificial intelligence (AI) and machine learning.
Australia's scam epidemic has reached staggering proportions, with $2.7 billion in reported losses last year alone, spread across more than 601,000 incidents. While SMS OTPs have long been a frontline defence for payment authentication, cybercriminals are exploiting their vulnerabilities with alarming precision.
Visa’s Head of Risk for Australia, New Zealand, and South Pacific, Martyna Lazar, explained the critical weaknesses in SMS-based security.
"Scammers prey on fundamental human needs and heightened emotions — whether that’s companionship, job security, or by creating a sense of urgency, panic, or concern. There’s no IT patch for human behaviour," Lazar said.
Generative AI and advanced phishing techniques have made it easier for fraudsters to trick users into divulging OTPs. Once obtained, these codes can be used to authenticate fraudulent payments or gain access to sensitive accounts, leaving victims grappling with financial and emotional distress.
Under Visa's new requirements, Australian financial institutions must implement more advanced authentication methods, such as:
These measures are part of Visa’s broader effort to strengthen the payment ecosystem’s resilience against fraud. Lazar emphasised that fighting AI-driven scams requires collaborative investment across institutions, merchants, and consumers:
"The threat landscape is rapidly evolving, and it takes continuous investment to stay ahead of these fraudsters."
Visa’s 2025–2028 Security Roadmap sets out a six-pillar strategy to bolster Australia’s payment ecosystem:
The holiday season is prime time for scammers, with the surge in online shopping and travel bookings creating fertile ground for fraudulent schemes. Lazar urged consumers to remain vigilant:
"Scammers often create a false sense of urgency to get you to act without thinking. Remember, your bank won’t ask for passwords or payment details via SMS. Don’t click on links or provide personal information. If you think you’ve been targeted, contact your financial institution immediately."
Visa’s push to move beyond SMS OTPs signals a broader shift in how financial institutions approach security in the face of AI-driven fraud. By adopting advanced, multi-layered authentication systems, Visa is not only raising the bar for payment security but also setting a global precedent.
As the lines between convenience and security blur, the onus is on the industry to strike a balance that protects users without compromising their experience. The clock is ticking, and with October 2026 as the deadline, Australian banks and consumers alike have a clear roadmap to a safer digital future.