Secure Payments Processing in the Age of Mobile Wallets and CNP Transactions

Visa Employee

Cardholders today have a growing list of options when it comes to how they want to make payments. In recent years, there has been a rapid increase in the use of mobile payments and digital wallets, a trend that is expected to continue with a projection of 4.8 billion mobile wallet users by 2025 [1].  FIS global expects that by 2024, digital wallets will become the most popular method for online payment [2].


Although mobile payments can utilize security measures such as tokenization, device-specific cryptograms and two-factor authentication, they still can pose unique risks in the early stages of payment processing.  Mobile wallet payments can either be in-person and contactless or can take place entirely on the device.  A contactless payment uses NFC (a close-proximity radio frequency) to transfer tokenized data between your mobile device and a Point-of-Sale (POS) terminal.  Because the sensitive information is encrypted during the process, many of the security concerns for these types of payments are based on the potential for sophisticated cyber-attacks. However, there are actions that mobile wallet users can take to protect their devices, such as setting up strong passwords, being vigilant of phishing attacks, and using VPNs when connecting to unfamiliar Wi-Fi.


Meeting Compliance Requirements PCI DSS

For all types of cardholder payments--whether they be mobile, card-not-present, or a classic in-person swipe--issuers, merchants and acquirers are responsible for ensuring security along the payment process journey. The payment industry has developed requirements known as the Payment Card Industry Data Security Standard (PCI DSS).  Meeting this standard, on an ongoing basis is required of all Visa entities that store, process or transmit Visa cardholder data whether they are financial institutions, merchants or service providers. In order to be compliant, entities must meet standards in these six categories: 

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

These rigorous security standards are intended to protect customer information and deter credit card-based fraud, but they offer entities some flexibility in how exactly they want to meet the requirements.


Protecting Sensitive Data

Making a payment involves transfer of cardholder data across networks and data stores.  If sensitive or protected data is revealed about a customer or transaction, a data breach has occurred.  Bad actors use many tactics to target this information including automation of these attacks. Commonly referred to as Privacy-Enhancing Technologies (PETs), a combination of machine learning and artificial intelligence has advanced to analyze these threats in real-time. Because Visa is committed to research and developing partnerships that secure payments, Visa Research and Visa Crypto Product teams authored a whitepaper, Privacy-Enhancing Technologies for Financial Data Sharing, which you can check out to learn more.

Tokenization is widely used in the payments industry to prevent data breaches. Visa offers the Visa Token Service (VTS), a security technology that replaces sensitive account information such as the primary account number with a unique digital identifier, a token.  Using a token to replace the account number allows the transaction to process through networks and data stores without exposing account information.


Detecting Fraudulent Transactions

One might not always be aware that their sensitive data has been compromised. Bad actors can make unauthorized payments using false or stolen payment information to obtain money or goods, threatening businesses, and customers alike. Using real-time authorization and risk management methods and tools can help prevent loss to customers and businesses. Visa

offers two tools (Visa Advanced Authorization and Visa Risk Manager) that use artificial intelligence to help minimize fraudulent transactions.


The Visa Advanced Authorization (VAA) tool allows issuers to make more informed decisions in real time by using stores of information such as risk score, VisaNet global data, 2-year customer data profile and cloud-based fraud risk modeling with machine learning (Visa AI platform).

Visa Risk Manager (VRM) is a web-based suite of tools that allows issuers to control and manage both their risk strategies and risk tolerance. When used in combination with VAA, issuer can adjust their risk strategies in VRM tools based on VAA’s real-time insights.


With these tools, issuers have greater confidence to decline the highest risk transactions automatically.  The key components of VRM are:

  • Rules manager – Create, test and publish customer strategies using a web interface
  • Case manager – Flag transactions for further review and analysis
  • Account management – Create rules for specific card accounts, manage both white and black lists
  • Report generation – Track account activity, learn from previous transactions and manage performance of rule

These tools can be used separately or together as an integrated solution to help reduce fraud risk.


In Summary

As cyber-attacks and fraud tactics have become more complex, security and risk management systems have evolved in response. Financial technology companies such as Visa have contributed greatly to the development of these cutting-edge technologies by investing resources into researching best practices and introducing new solutions to protect consumers.


Blog Written by guest contributor Carolyn Darity



[1] “Half of the world’s population will use mobile wallets by 2025,” 2022,

[2] “The Future of Payments in Five Charts,” 2023,





Recent blogs