When the program gets the card accepted, it reports back with the number that worked. Given the number of possible combinations, it would take 60 or fewer attempts to get the expiration date and 1,000 or less to get the CVV. The team has expressed concern that the payment platform and banks don’t have any system in place to detect this sort of inhumanly rapid usage.
There’s no way a person would be attempting dozens of transactions per second on their credit card. The team also notes that Visa cards are the primary target of this attack. MasterCard, for example, locks a card after 10 failed attempts in a short period of time. There’s nothing you can really do to protect yourself from this one.
It’s up to Visa and payment processors to work it out.
