Visa has mandated that Australian financial institutions provide their customers with safer and more advanced authentication options beyond SMS One-Time Passwords by October 2026.
These include biometric authentication, in-app authentication, app-to-app flows, or passkeys, which use multiple channels or devices to strengthen the identification and verification process.
The new requirement has been introduced as part of Visa’s Security Roadmap 2025-2028, which sets out the steps Visa will be taking across several "key areas" to strengthen resilience in Australia’s payment ecosystem.
The payments giant said these changes are needed to address the threat posed by the rise of generative artificial intelligence and machine learning technologies.
In a preview of the document, Visa explained that AI, combined with the rise of e-commerce, offers new opportunities for cyber criminals to exploit the most vulnerable point in the payments ecosystem: humans.
Martyna Lazar, head of risk for Visa Australia, New Zealand and South Pacific, said, “Scammers prey on fundamental human needs and heightened emotions – whether that’s companionship, job security or by creating a sense of urgency, panic or concern, and there’s no IT patch that can be deployed for that.”
Visa has not yet outlined how it plans to convince the banking sector to make the required changes, nor how the inevitable costs of its required security upgrades and new protocols will be met.