AWS re:Invent 2025 - Secure in milliseconds: Visa's AI-powered fraud defense on AWS (IND3313)
Securing Account-to-Account Payments with Visa Protect on AWS
The Growing Payments Landscape
Account-to-account (A2A) payments are an instant payment method that moves funds directly between bank accounts over a real-time payment network, with no card network in the middle.
A2A payments include push payments (sender-initiated) and pull payments (recipient-initiated), used for various use cases like person-to-person, person-to-business, and business-to-person.
A2A payments are growing quickly: Juniper Research forecasts annual transaction volume to grow 83% to 1 trillion by 2029, and annual transaction value to grow 113% to $195 trillion by 2030.
That growth brings fraud with it: annual fraud-related losses in the banking segment are expected to grow 153%, reaching $58 billion.
Visa Protect for Account-to-Account Payments
Visa built the Visa Protect A2A solution to enhance the security of non-card payments and address the demand for greater security in the A2A payments landscape.
Visa Protect A2A is designed to work with the A2A payment flow, providing a fraud score to the sending financial institution to help them decide whether to allow the payment to proceed through the real-time payment network.
If the sending institution cannot make the call to Visa Protect A2A, or the returned score does not meet its decision threshold, the receiving financial institution also has the opportunity to call Visa Protect A2A and reject the payment before it settles on the real-time payment network.
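The two-stage flow above, written out as an added example that is not Visa's code: a pluggable `scorer` callable stands in for the Visa Protect A2A API, the sender's check runs first under a hard latency budget, and the receiver's check is the backstop when the sender could not decide. The 0-1000 risk scale, the 250 ms default budget and the reject thresholds are assumptions, not values from the talk.

```python
"""Two-stage scoring decision for an A2A payment under a hard latency budget.

Added example, not Visa's code: it models the flow described above with a
pluggable `scorer` callable standing in for the Visa Protect A2A API. The
0-1000 risk scale, the 250 ms budget and the thresholds are assumptions.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


# Constructed sample payment shape; a real request carries far more context.
@dataclass(frozen=True)
class Payment:
    payment_id: str
    sender_fi: str
    receiver_fi: str
    amount_minor: int  # amount in minor units (pence, cents)


Scorer = Callable[[Payment], int]
_pool = ThreadPoolExecutor(max_workers=8)


def score_within_budget(scorer: Scorer, payment: Payment, budget_s: float) -> Optional[int]:
    """Return the scorer's risk score, or None if it did not answer within budget_s.

    The budget belongs to the payment flow, not to the scorer, so a late
    answer is treated exactly like no answer at all.
    """
    future = _pool.submit(scorer, payment)
    try:
        return future.result(timeout=budget_s)
    except FutureTimeout:
        return None
    except Exception:  # transport or scorer failure: same as "could not call"
        return None


def fi_decision(scorer: Scorer, payment: Payment, reject_at: int,
                budget_s: float = 0.25) -> Tuple[str, Optional[int]]:
    """One institution's decision: reject only on a score it actually received."""
    score = score_within_budget(scorer, payment, budget_s)
    if score is None:
        return "proceed", None  # could not decide; the other side can still reject
    return ("reject" if score >= reject_at else "proceed"), score


def settle(payment: Payment, sender_scorer: Scorer, receiver_scorer: Scorer,
           sender_reject_at: int = 800, receiver_reject_at: int = 800,
           budget_s: float = 0.25) -> str:
    """Run the sender's check, then the receiver's, and report who stopped it."""
    verdict, _ = fi_decision(sender_scorer, payment, sender_reject_at, budget_s)
    if verdict == "reject":
        return "rejected_by_sender"
    verdict, _ = fi_decision(receiver_scorer, payment, receiver_reject_at, budget_s)
    if verdict == "reject":
        return "rejected_by_receiver"
    return "settled"


# Constructed scorers for a stand-alone run (hypothetical, not the real API).
def fast_high_risk(p: Payment) -> int:
    return 950


def fast_low_risk(p: Payment) -> int:
    return 120


def too_slow(p: Payment) -> int:
    time.sleep(0.4)  # well over the budget used below
    return 950


if __name__ == "__main__":
    p = Payment("pay-0001", "FI-A", "FI-B", 25000)
    print(settle(p, fast_high_risk, fast_low_risk, budget_s=0.05))  # rejected_by_sender
    print(settle(p, too_slow, fast_high_risk, budget_s=0.05))       # rejected_by_receiver
    print(settle(p, fast_low_risk, fast_low_risk, budget_s=0.05))   # settled
```

The sender side deliberately fails open when the call does not come back inside the budget, because the receiver's check is the second line of defence; a deployment with no receiver-side check would need to decide explicitly whether a timeout should block the payment.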
Key Requirements and Challenges
Stringent Cybersecurity Guidelines:
Visa had to meet strict internal cybersecurity requirements, including protection against in-memory data exposure: core dumps, swap files, exposed data endpoints, and memory-scraping attacks against the host.
The solution adopted a zero-trust architecture and leveraged AWS Nitro Enclaves to create a secure vault for processing sensitive data.
Regional Data Localization:
For the European market, the solution had to meet GDPR requirements and localize data within the EU region.
This also helped address low-latency requirements by co-locating the solution components within the same AWS region.
Stringent Latency Requirements:
The solution had to provide a fraud score in less than 250 milliseconds to avoid disrupting the seamless A2A payment experience.
Strategies included co-locating components in one region, serving reads from Amazon MemoryDB reached privately inside the VPC, and pooling TLS connections so that a scoring request does not pay for a fresh handshake.
High Availability and Resilience:
The solution had to meet Visa's 99.99% uptime requirement for tier-0 applications, with redundancy across dual AWS regions more than 60 miles apart.
This was achieved through a multi-region, active-active architecture with load balancing, data replication, and failover mechanisms.
Technical Architecture and Optimizations
Real-time Scoring API:
Incoming requests are processed through a secure DMZ VPC, authenticated using mutual TLS, and routed to the A2A gateway application running in AWS Nitro Enclaves.
The gateway application performs data validation, encryption, and transformation before sending the request to the decision service running on Amazon EKS.
The decision service performs enrichment, duplicate checking, and calls the model inferencing platform on Ray cluster, also on EKS.
The response travels back through the gateway, which converts the decision service's gRPC response to REST for the client.
Offline Data Processing:
Clients upload daily files (entitlements, fraud data, etc.) to an S3 bucket via AWS Transfer Family.
The data is scanned for malware, decrypted, and processed within Nitro Enclaves before being written to Kafka and used for feature engineering and model retraining.
AWS Nitro Enclaves:
Nitro Enclaves provide an isolated environment for processing sensitive data: no external network access, no persistent storage and no interactive access. The enclave talks only to its parent instance over a local vsock channel, so calls to KMS or Secrets Manager pass through a proxy on the parent.
The A2A gateway application runs inside the enclave, fetches encryption keys from Secrets Manager and KMS, and encrypts PII before sending it to downstream services. KMS supports key policies conditioned on the enclave's attestation document (for example the kms:RecipientAttestation:PCR0 condition key), which binds key release to a specific measured enclave image rather than to the parent instance's IAM role, so a compromised parent cannot obtain the key.
Performance and Latency Optimizations:
Use of TLS 1.3, HTTP/2, VPC endpoints, and load balancer affinity settings to achieve low-latency performance.
Careful tuning of proxies and health check endpoints to maximize throughput within the Nitro Enclaves.
Caching encryption keys inside the enclave and refreshing them in the background, so the request path never waits on a KMS or Secrets Manager round trip.
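The key cache with background refresh described in the last point, as an added example that is not Visa's code. The `fetch_key` callable stands in for the enclave's call to KMS or Secrets Manager through the parent's proxy; the stub at the bottom is constructed so the example runs offline, and the TTL values are assumptions. The design choice worth copying is that a failed refresh keeps serving the current key only until that key's own TTL runs out, after which the cache fails closed instead of serving stale material indefinitely.

```python
"""Key cache with background refresh so the scoring path never waits on KMS.

Added example, not Visa's code. `fetch_key` stands in for the enclave's call
to KMS/Secrets Manager (through the parent instance's vsock proxy); the stub
used at the bottom is constructed so the example runs offline. TTL values
are assumptions.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


class KeyUnavailable(RuntimeError):
    """Raised when no key within its TTL is available: fail closed, never stale."""


@dataclass(frozen=True)
class CachedKey:
    key_id: str
    material: bytes
    fetched_at: float


class KeyCache:
    def __init__(self, fetch_key: Callable[[], Tuple[str, bytes]],
                 ttl_s: float, refresh_ahead_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        assert 0 < refresh_ahead_s < ttl_s
        self._fetch_key = fetch_key
        self._ttl_s = ttl_s
        self._refresh_ahead_s = refresh_ahead_s
        self._clock = clock
        self._lock = threading.Lock()
        self._current: Optional[CachedKey] = None

    def get(self) -> CachedKey:
        """Hot path: return the cached key without blocking once warmed up."""
        cur = self._current
        if cur is None:  # cold start is the only synchronous fetch
            cur = self._refresh_now()
            if cur is None:
                raise KeyUnavailable("initial key fetch failed")
            return cur
        if self._clock() - cur.fetched_at >= self._ttl_s:
            raise KeyUnavailable(f"key {cur.key_id} is past its TTL and refresh has not succeeded")
        return cur

    def refresh_if_due(self) -> bool:
        """Background path: re-fetch refresh_ahead_s before the TTL runs out.

        Returns True if a new key was installed. A failed fetch keeps the
        current key, which stays valid until its own TTL expires.
        """
        cur = self._current
        if cur is not None and self._clock() - cur.fetched_at < self._ttl_s - self._refresh_ahead_s:
            return False
        return self._refresh_now() is not None

    def start_background_refresh(self, interval_s: float) -> threading.Thread:
        """Run refresh_if_due on a daemon thread so request threads never fetch."""
        def loop() -> None:
            while True:
                time.sleep(interval_s)
                self.refresh_if_due()
        t = threading.Thread(target=loop, name="key-refresh", daemon=True)
        t.start()
        return t

    def _refresh_now(self) -> Optional[CachedKey]:
        with self._lock:  # one fetch at a time; readers never take this lock
            try:
                key_id, material = self._fetch_key()
            except Exception:
                return None  # caller keeps serving the current key until its TTL
            self._current = CachedKey(key_id, material, self._clock())
            return self._current


if __name__ == "__main__":
    # Constructed stand-in for the KMS/Secrets Manager fetch (hypothetical).
    calls = {"n": 0}

    def fake_kms_fetch() -> Tuple[str, bytes]:
        calls["n"] += 1
        return f"kid-{calls['n']}", bytes([calls["n"]]) * 32

    cache = KeyCache(fake_kms_fetch, ttl_s=60, refresh_ahead_s=10)
    cache.start_background_refresh(interval_s=1.0)
    print(cache.get().key_id, "fetches so far:", calls["n"])
```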
EKS Optimizations:
Use of node affinity, pod affinity/anti-affinity, and topology spread constraints to control pod scheduling and distribution for high availability.
Leveraging topology-aware routing (the service.kubernetes.io/topology-mode: Auto annotation on a Service) so that traffic between services stays within the same availability zone when enough endpoints exist there, avoiding cross-AZ hops on the scoring path.
Key Takeaways and Impact
Hybrid Cloud Transformation:
Visa successfully took an internally-developed application to the cloud, leveraging a hybrid cloud solution and adhering to Visa's stringent operational and cybersecurity guidelines.
Global Expansion:
The solution architecture and learnings are being used as a blueprint to expand Visa Protect A2A to other regions, such as Brazil.
AWS Partnership:
Visa's close partnership with the AWS team was crucial in overcoming challenges and evolving the solution to meet Visa's requirements around security, latency, resilience, and scalability.
Tangible Results:
Visa Protect A2A is now a fully functional service, used by clients in the UK market, with plans to expand to other regions.
The solution has achieved the target latency of less than 250 milliseconds and has been tested to handle bursts of up to 10,000 transactions per second.
Overall, the Visa Protect A2A solution on AWS demonstrates Visa's commitment to securing the rapidly growing account-to-account payments landscape, while meeting stringent requirements around security, performance, and resilience. The technical innovations and learnings from this partnership can serve as a blueprint for other financial institutions looking to build secure and scalable payment fraud solutions.