How Businesses Can Fight the Newest Wave of Card Fraud: PAN Enumeration Attacks

Maybe the thought has crossed your mind before: “It’s probably possible to guess someone’s credit card number, if you tried for a while.” At first, it sounds plausible enough. But once you consider the number of combinations between a 16-digit card number, 3-digit CVV, and expiration date, the odds become almost impossible to comprehend; there are quadrillions of potential permutations.

Those odds haven’t stopped fraudsters from trying anyway. New tooling has created more sophisticated ways to brute-force credit card information, and attackers are becoming increasingly skilled at it.

We’re seeing this in a relatively new form of credit card fraud known as PAN (Primary Account Number) enumeration attacks. With PAN attacks, fraudsters try to acquire credit card numbers with brute-force guesses often executed by botnets, which are networks of infected devices controlled by a single attacker. Instead of targeting a single cardholder, number combinations are attempted until an unlucky victim gets matched.

According to Visa’s 2025 Biannual Threats Report, PAN attacks increased 22% over a 6-month period in 2025, and the total value defrauded using the fraud technique was $1.1 billion. Without new protections from card issuers, this number may continue to rise.


How a PAN Enumeration Attack Works

In order to guess credit card numbers, fraudsters need a place to input them. In theory, any online merchant or POS system should work, as they can keep trying to authorize different numbers until one gets accepted. However, many businesses use payment processors that enforce rate limits that prevent this. Rate limits are a type of fraud protection that blocks multiple rapid authorization requests from a single IP or application. So, if an attacker tries 3-5 card combinations, they’ll often receive an “HTTP 429: Too Many Requests” error and be locked out for a lengthy period of time.

The problem is that not every merchant carries these limits, and it’s rather easy for attackers to identify stores and websites that allow hundreds of attempts without setting off alarms. They may even find some merchants that don’t verify extra card information like the CVV or expiration. Once they pick out a target, they get to work.

Even with brute-force guessing botnets, though, don’t attackers still have to go through trillions of guesses? Isn’t that a bit of a tall order? Unfortunately no, as fraudsters have whittled down the process and engineered consistent ways to correctly identify active credit card numbers. As long as they can find merchants with weak rate-limiting restrictions, they’ll be able to guess their way to someone’s private information.

Here’s what their process looks like:

Using a Bank Identification Number

Fraudsters can get a head start on guessing a 16-digit card number by acquiring the first several digits for free. Card networks use Bank Identification Numbers (BINs) to identify details like cardholder currency, location, and issuing bank. For example, checkout systems know a card number that begins with 4 is a Visa, and the following three digits often point to the bank that issued the card. BINs make up either the first six digits of a credit card number or the first eight, depending on the provider.

With their short length and concrete rules, BINs are simple to either brute-force guess or acquire through a BIN database. From there, attackers can start zeroing in on the thousands of cardholders with that BIN, only guessing 8-10 digits instead of 16.

Selecting a Merchant

As mentioned before, some storefronts open themselves up to high volumes of payment attempts because they use payment processors that come without rate limits. However, if an attacker’s having trouble finding a vulnerable merchant that will accept 300 numerical guesses, they can instead find 100 merchants that will accept 3 guesses.

PAN attack botnets can sprint around to different websites and merchants, trying a few authorization attempts at a time before turning to the next one. Since there’s nothing inherently suspicious about a handful of declined payment attempts, the attack goes undetected by any of the storefronts involved. Along the way, the bots will receive hundreds of “invalid card number” responses, but the first time they receive any other response, the number is forwarded to the person behind the PAN attack for further investigation.

Believe it or not, these attempts don’t need to come with a 3-digit CVV or expiration date. Systems typically send a different decline code for an invalid card number than they do for a valid card number with an incorrect CVV/date. So, attackers can confirm the 16-digit card number without having to pair the extra digits with it.
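The decline-code leak and the missing rate limit described above are both merchant-side defects. As an added example (not code from Slash or from the original post), here is a checkout handler that passes the processor’s distinct decline reasons through to the client, beside a hardened version that returns one generic decline, keeps the detailed reason in a server-side audit log only, and caps authorization attempts per source in a sliding window. The decline codes, function names, and thresholds are hypothetical.

```python
from collections import defaultdict, deque
import time

# Constructed processor decline codes (hypothetical; not any real network's code list).
INVALID_PAN, BAD_EXPIRY, BAD_CVV, APPROVED = "05_invalid_pan", "54_bad_expiry", "N7_bad_cvv", "00"

def leaky_checkout(processor_code: str) -> dict:
    """Before: the processor's decline reason goes straight to the client, so an
    unknown PAN and a valid PAN with a wrong CVV produce visibly different answers."""
    return {"ok": processor_code == APPROVED, "reason": processor_code}

class HardenedCheckout:
    """After: one generic client-facing decline, detailed reason kept server-side,
    and a sliding-window cap on authorization attempts per source (IP or session)."""
    def __init__(self, max_attempts=3, window_s=600, now=time.time):
        self.max_attempts, self.window_s, self.now = max_attempts, window_s, now
        self.attempts = defaultdict(deque)   # source -> timestamps of recent attempts
        self.audit_log = []                  # internal record of the real decline reason

    def authorize(self, source: str, processor_code: str) -> dict:
        t = self.now()
        recent = self.attempts[source]
        while recent and t - recent[0] > self.window_s:  # forget attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return {"ok": False, "status": 429, "reason": "too_many_requests"}
        recent.append(t)                                  # every attempt counts, approved or not
        self.audit_log.append((source, processor_code))   # detail stays server-side for fraud review
        if processor_code == APPROVED:
            return {"ok": True, "status": 200}
        return {"ok": False, "status": 402, "reason": "payment_declined"}  # identical for every decline
```

The hardened handler still records which guess stage the processor reported, so the merchant’s own fraud team can see a progression of reasons without the client ever seeing it.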

Cashing Out

The attacker will likely have a pre-selected cash-out target, such as a peer-to-peer payment service or gift card program, that allows users to withdraw funds without strong rate-limit restrictions. Some of these merchants actually allow withdrawal without a CVV, meaning all they have to do is guess the expiration date to finish the job. With or without the CVV, botnets can brute-force these values alongside the valid 16-digit card number to finally land on a full set of card data. From there, they withdraw their cash.

What This Means For Businesses

Americans lost $6.1 billion to credit card fraud in 2025, according to Security.org. An untold amount of this fraud hit corporate cards, which are like jackpots in the world of PAN attacks. Since corporate cards typically connect to business banking accounts, fraudsters can instantly gain access to a larger pool of money than they’d get with the average person. If that business isn’t on top of their finances, a moderate withdrawal could even go unnoticed.

From the merchant’s side, protecting against PAN attacks is simple: just adopt tighter rate-limiting restrictions so users can’t send dozens of authorization requests. As straightforward as that is, though, there will always be POS systems that come without these protections. That’s why Slash stepped up.

With the help of dedicated fraud monitoring tools, the Slash Visa® Platinum Card is designed to detect patterns consistent with brute-force PAN-enumeration attacks, including suspicious authorization declines across merchants/cards.¹ If a card appears to have been exposed through that activity, Slash can flag the transaction and take protective action such as blocking the merchant and disabling affected cards.

Here are some warning signs that Slash can identify:

  • Prior failed attempts on the same card or similar cards: We begin by looking for repeated card declines that use the same BIN but consistently get everything else wrong.
  • A leaked response pattern: As the attacker guesses numbers, different response codes can tell them they’re getting closer. They might try random details and get “card not found,” then change something and get “wrong expiration,” then fiddle with that and get “wrong CVV.” We can identify this pattern and flag it.
  • Merchant-level attack pattern: Instead of looking at just one card, we also look at the merchant where the attempts are happening. If one checkout page suddenly has tons of failed payments across lots of different cards, that merchant may be where attackers are testing stolen card details.
  • Card-level exposure: Once we know a certain merchant is being used for this kind of attack, we can see if any Slash Cards were recently used there. If a Slash Card does appear in traffic at that merchant, we may treat that card as exposed, even before any funds are taken from it. From there, Slash can take protective action like deactivating or closing the vulnerable card.
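The four warning signs above are each a query over issuer-side authorization records. As an added example (not Slash’s detection logic or code from the original post), the block below runs all four over a small constructed sample: a BIN-level decline cluster, a per-card decline-reason progression, a merchant with declines across many distinct cards, and the cards that were legitimately used at that merchant and should be treated as exposed. Record fields, reason labels, and thresholds are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed issuer-side authorization records (sample data, not real traffic).
# PANs are masked: 8-digit BIN, then last four. Reason labels are hypothetical.
SAMPLE_AUTHS = (
    [{"merchant": "M-77", "pan": f"41111122****{i:04d}", "reason": "invalid_pan"} for i in range(1, 9)]
    + [{"merchant": "M-77", "pan": "41111122****0009", "reason": r}
       for r in ("invalid_pan", "bad_expiry", "bad_cvv", "approved")]
    + [{"merchant": "M-77", "pan": "41111122****7777", "reason": "approved"},   # ordinary purchase at M-77
       {"merchant": "M-12", "pan": "41111122****5555", "reason": "approved"}]   # ordinary purchase elsewhere
)
STAGES = {"invalid_pan": 0, "bad_expiry": 1, "bad_cvv": 2}   # each stage tells a guesser more

def bin_of(pan): return pan[:8]

def bin_decline_clusters(auths, min_declines=5):
    """Signal 1: many declines sharing one BIN while everything else differs."""
    declined = Counter(bin_of(a["pan"]) for a in auths if a["reason"] != "approved")
    return {b for b, n in declined.items() if n >= min_declines}

def leaked_response_progressions(auths):
    """Signal 2: for one card at one merchant, decline reasons that walk
    invalid_pan -> bad_expiry -> bad_cvv, i.e. the responses said 'getting closer'."""
    seen = defaultdict(list)
    for a in auths:
        if a["reason"] in STAGES:
            seen[(a["merchant"], a["pan"])].append(STAGES[a["reason"]])
    flagged = set()
    for key, stages in seen.items():
        firsts = [stages.index(s) for s in sorted(set(stages))]  # first sighting of each stage
        if len(firsts) >= 2 and firsts == sorted(firsts):       # stages reached in rising order
            flagged.add(key)
    return flagged

def suspicious_merchants(auths, min_distinct_cards=5):
    """Signal 3: one merchant producing declines across many different cards."""
    cards = defaultdict(set)
    for a in auths:
        if a["reason"] != "approved":
            cards[a["merchant"]].add(a["pan"])
    return {m for m, s in cards.items() if len(s) >= min_distinct_cards}

def exposed_cards(auths, flagged_merchants):
    """Signal 4: any card seen at a flagged merchant, approved or not, is treated as exposed."""
    return {a["pan"] for a in auths if a["merchant"] in flagged_merchants}
```

Thresholds are deliberately low so the small sample trips them; in production they would be tuned per BIN volume and merchant baseline.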

If a PAN attacker guesses a credit card’s information with brute-force botnets, they’ve succeeded right there on the spot. If a PAN attacker happens to guess a Slash Card’s information, they have to survive another advanced level of fraud control.

Corporate card fraud comes in many forms beyond enumeration attacks, however. It’s often executed by the very employees trusted with the cards in the first place. The median business loses approximately $145,000 annually to employee theft, according to the Association of Certified Fraud Examiners.

The Slash Visa® Platinum Card comes with granular spend controls to limit card spend for certain vendors, thresholds, and categories. Even within those guardrails, Slash is capable of surfacing suspicious transaction patterns, such as consistent max-level purchases or rapid-fire small purchases.

With Slash, your business can be better protected from corporate card fraud, whether it’s a PAN enumeration attack or in-person embezzlement by an employee. Reach out today to see how Slash can help protect your accounts against bad actors.
