Facial Recognition Bans Spread Globally

A ruling last week in Australia makes using facial recognition to combat fraud almost impossible and is the latest example of global regulators’ growing disapproval of biometric technology in retail environments.

The Office of the Australian Information Commissioner (OAIC) determined that Kmart Australia Limited had violated the country’s Privacy Act 1988 when it used facial recognition to prevent return fraud and theft.

Kmart stores in Australia had used facial recognition technology to catch fraudsters. Image: Wesfarmers.

Kmart and Bunnings

At question was a Kmart pilot program that had placed facial recognition technology (FRT) in 28 of the company’s retail locations from June 2020 through July 2022.

The company created a face print, if you will, of every shopper entering one of the pilot program stores. When a customer returned an item, Kmart’s system would compare that person’s face print to a list of known thieves and fraudsters.

Kmart argued that the technology aimed to thwart return fraud and protect its employees, whom thieves had frequently threatened. Biometrics, however, represent a special category of privacy protection in Australia.

The case was similar to a November 2024 OAIC determination against Bunnings, a home-improvement retailer, for using FRT to identify criminals. Australian conglomerate Wesfarmers Limited owns Kmart Australia, Bunnings, and other retail chains, including Target Australia.

FRT Challenges

The OAIC stated that its finding is not a ban on FRT, but its conditions make using the technology challenging, if not impossible.

For example, an Australian retailer would need consent before employing FRT, and the thieves stealing items to attempt return fraud would almost certainly refuse.

Kmart had disclosed FRT in a sign at the front of each pilot store, which read, “This store has 24-hour CCTV coverage, which includes facial recognition technology.” But this notice did not establish consent according to the OAIC.

Asking would-be criminals for permission to use facial recognition has the same effect as banning it, given the current state of the technology.

GDPR

The OAIC’s Kmart decision regarding explicit consent aligns with other privacy regulations and rulings.

For example, many privacy experts note that Article 9 of the European Union’s General Data Protection Regulation, which covers the processing of special categories of personal data, requires explicit consent for the use of FRT.

FTC vs. Rite Aid

In the United States, there are instances of rulings against FRT and the use of biometric data.

In a 2023 determination, the U.S. Federal Trade Commission prohibited Rite Aid Pharmacy from using FRT and other automated biometric systems for five years.

The agency argued that Rite Aid had not taken sufficient measures to prevent false positives and algorithmic racial profiling.

Illinois BIPA

The Illinois Biometric Information Privacy Act was enacted in 2008 and is, perhaps, the most stringent biometric privacy law in the nation.

The BIPA requires businesses to provide written notification of the use of biometric data and obtain shoppers’ written consent. The law permits individuals to sue for violations, and has resulted in many cases against retailers, such as:

  • A 2022 lawsuit alleges that Walmart’s in-store “cameras and advanced video surveillance systems” secretly collect shoppers’ biometric data without notice or consent.
  • A March 2024 class-action lawsuit against Target alleges the retailer used FRT to identify shoplifters without proper consent.
  • A class-action lawsuit filed in August 2025 alleges that Home Depot is illegally using FRT at its self-checkout kiosks.

M•A•C Cosmetics

From the retail and ecommerce perspective, the most concerning BIPA lawsuit may be Fiza Javid v. M.A.C. Cosmetics Inc. The class-action suit, filed in August 2025, is not concerned with crime fighting but with virtual try-on technology.

The complaint notes that M•A•C’s website asks shoppers to upload a photo or enable live video so that it can detect someone’s facial structure and skin color. Plaintiff Fiza Javid asserts the feature would require BIPA’s written consent and is therefore in violation of the Illinois law.

M•A•C Cosmetics offers tools for virtual try-on and skin color identification.

M•A•C’s virtual makeup try-on tools enhance the experience for shoppers and almost certainly improve ecommerce conversion rates.

The merits of the case are pending, yet BIPA has already spawned virtual try-on cases, including:

  • Kukovec v. Estée Lauder Companies, Inc. (2022).
  • Theriot v. Louis Vuitton North America, Inc. (2022).
  • Gielow v. Pandora Jewelry LLC (2022).
  • Shores v. Wella Operations US LLC (2022).

Engagement and Enforcement

AI-driven facial recognition and biometric technology are among the most promising trends in retail and ecommerce.

The technology has the potential to reduce fraud, deter theft, and support criminal prosecutions. A 2023 article in the International Security Journal estimated that facial biometrics could reduce retail shoplifting by between 50% and 90% depending on location and use.

Moreover, biometrics can improve online and in-store shopping with virtual try-on tools. Some merchants have reported a 35% increase in sales conversions when virtual shopping is available.

The question is how privacy regulations and rulings, such as last week’s Kmart decision, ultimately affect the technology’s use.

Visa’s VAMP Could Cost Banks and Merchants

Visa’s new fraud monitoring framework gets its teeth on October 1, 2025, when merchants’ acquiring banks are held to a new chargeback and fraud standard and a new fee structure.

The Visa Acquirer Monitoring Program replaced two Visa fraud and chargeback programs in April 2025, introducing a combined measure called the VAMP ratio.

Visa granted acquiring banks and, indirectly, merchants six months to prepare for VAMP ratio enforcement and its potential fees. The “advisory” period ends September 30, 2025, and some acquirers could incur a $10 fee (or more) per chargeback. VAMP enforcement, however, rolls out in phases through 2026.

Visa estimates the new VAMP framework could help acquirers detect four times more fraud than the old system, potentially saving more than $2.5 billion in annual losses.

Visa’s VAMP framework aims to reduce credit card fraud.

Indirect Impact

The VAMP targets acquirers — the banks, processors, and payment facilitators that provide merchants with access to the Visa network. Visa imposes penalties on these acquirers since it contracts with those companies, not merchants directly.

For enterprise-level ecommerce or omnichannel retail businesses, this acquirer distinction could matter less than one might think.

Acquirers are responsible for their merchant portfolios and are likely to hold them to VAMP standards. Thus, if a merchant’s dispute or fraud rates climb, the acquirer may respond with higher fees, stricter rules, or even account termination as a last resort. (As an aside, Shopify Payments is an acquirer and thus subject to VAMP.)

VAMP Ratio

The VAMP ratio is the program’s key metric. Visa calculates the ratio by adding reported fraud cases (known as TC40s) and chargeback cases (TC15s), then dividing by the number of settled Visa transactions.

Visa issues TC40 reports when a shopper reports an unauthorized charge, regardless of whether the claim evolves into a full-blown dispute.

Conversely, a TC15 or chargeback is a transaction dispute that may or may not be related to a fraud claim.

One wrinkle is that VAMP counts fraud-related chargebacks twice — once as fraud (TC40) and once as a dispute (TC15).

This double-counting makes VAMP ratios stricter than those of the old system. Visa’s reported rationale is that fraud that escalates into a chargeback is doubly damaging and should carry more weight.

So-called friendly fraud, when a customer lies about not receiving goods, would also, unfortunately, be counted twice.

Thresholds

VAMP has three primary thresholds at the time of writing.

  • Acquirer Above Standard includes processors with a portfolio-wide VAMP ratio of 0.50% or higher. Acquiring banks in this category will be subject to a Visa penalty of $5 per fraudulent or disputed transaction, effective January 1, 2026.
  • Acquirer Excessive describes processors with a portfolio VAMP ratio of 0.70% or higher. These acquirers will pay $10 per dispute, effective on October 1, 2025.
  • Merchant Excessive is the VAMP threshold for individual merchants within the acquirer’s portfolio that have a ratio of 2.20% or higher, with at least 1,500 fraud and dispute transactions in a month. Acquirers must pay an additional $10 per disputed transaction for these sellers.

In short, Visa wants acquirers to take chargebacks and payment card fraud much more seriously.

Enumeration Attacks

VAMP also monitors and penalizes acquirers for merchants that fail to prevent large-scale “enumeration” or card number testing attacks, where fraudsters run thousands of authorization attempts to guess card details.

Acquirers are subject to fines or other actions when a merchant’s enumeration attempts exceed 300,000 per month or when 20% of total authorization requests come from fraudsters.

Relatively simple steps, such as CAPTCHA tests or limits on authorization attempts, should thwart most attacks.
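The arithmetic behind the VAMP Ratio, Thresholds and Enumeration Attacks sections above, as a constructed illustration (not Visa’s or any acquirer’s code): it applies the double count of fraud-related chargebacks, the 1,500-event floor, the merchant and acquirer thresholds, and the two enumeration limits to a made-up one-month portfolio. Whether each threshold is “at or above” or strictly “above”, and all merchant counts, are assumptions here.

```javascript
// VAMP checks as described in the article (constructed illustration, not Visa's code).
// Comparison operators at each threshold are assumptions; Visa publishes the figures only.
const VAMP = {
  merchantExcessiveRatio: 0.022, // Merchant Excessive: 2.20% or higher...
  merchantMinCount: 1500,        // ...with at least 1,500 fraud + dispute transactions a month
  acquirerAboveStandard: 0.005,  // Acquirer Above Standard: portfolio ratio 0.50% or higher
  acquirerExcessive: 0.007,      // Acquirer Excessive: portfolio ratio 0.70% or higher
  enumMaxAttempts: 300000,       // enumeration attempts per merchant per month
  enumMaxShare: 0.2,             // share of a merchant's authorization requests that are enumeration
};

// One merchant's month. fraudChargebacks are TC40 fraud reports that escalated into a TC15
// chargeback; VAMP counts each of them twice (once per report type), so no de-duplication.
function tc40(m) { return m.fraudOnly + m.fraudChargebacks; }
function tc15(m) { return m.fraudChargebacks + m.nonFraudChargebacks; }
function vampCount(m) { return tc40(m) + tc15(m); }
function dedupedCount(m) { return m.fraudOnly + m.fraudChargebacks + m.nonFraudChargebacks; }
function vampRatio(m) { return m.settled > 0 ? vampCount(m) / m.settled : 0; }

function merchantStatus(m) {
  const count = vampCount(m);
  const ratio = vampRatio(m);
  // Below the 1,500 floor a merchant pays ordinary chargeback fees but is not monitored.
  if (count < VAMP.merchantMinCount) return { status: "below monitoring floor", ratio, count };
  if (ratio >= VAMP.merchantExcessiveRatio) return { status: "Merchant Excessive", ratio, count };
  return { status: "within standard", ratio, count };
}

function acquirerStatus(portfolio) {
  // Portfolio-wide ratio: every merchant's fraud and dispute events over every settled transaction.
  const count = portfolio.reduce((s, m) => s + vampCount(m), 0);
  const settled = portfolio.reduce((s, m) => s + m.settled, 0);
  const ratio = settled > 0 ? count / settled : 0;
  let status = "within standard";
  if (ratio >= VAMP.acquirerExcessive) status = "Acquirer Excessive";
  else if (ratio >= VAMP.acquirerAboveStandard) status = "Acquirer Above Standard";
  return { status, ratio, count, settled };
}

// Enumeration monitoring: flagged when attempts exceed 300,000 in a month or
// reach 20% of the merchant's total authorization requests.
function enumerationFlagged(m) {
  const share = m.authRequests > 0 ? m.enumAttempts / m.authRequests : 0;
  return m.enumAttempts > VAMP.enumMaxAttempts || share >= VAMP.enumMaxShare;
}

// Constructed sample portfolio for one month (all figures invented for illustration).
const PORTFOLIO = [
  { name: "big-retailer", settled: 100000, fraudOnly: 600, fraudChargebacks: 700,
    nonFraudChargebacks: 400, authRequests: 1200000, enumAttempts: 310000 },
  { name: "smb", settled: 20000, fraudOnly: 200, fraudChargebacks: 150,
    nonFraudChargebacks: 100, authRequests: 100000, enumAttempts: 25000 },
  { name: "clean", settled: 500000, fraudOnly: 300, fraudChargebacks: 100,
    nonFraudChargebacks: 200, authRequests: 2000000, enumAttempts: 150000 },
];

function report(portfolio = PORTFOLIO) {
  const merchants = {};
  for (const m of portfolio) {
    merchants[m.name] = {
      ...merchantStatus(m),
      deduped: dedupedCount(m),          // what the count would be without the double count
      enumeration: enumerationFlagged(m),
    };
  }
  return { merchants, acquirer: acquirerStatus(portfolio) };
}

console.log(JSON.stringify(report(), null, 2));
```

In this sample, big-retailer lands in Merchant Excessive at 2,400 events (2.40%); deduplicated it would have 1,700 events (1.70%), under the 2.20% line, which is exactly the effect of counting fraud chargebacks twice. The smb merchant has a 3.00% ratio but only 600 events, so it stays below the monitoring floor.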

Impact

VAMP applies only to sellers with 1,500 or more disputed charges (TC40 plus TC15) per month. Thus most ecommerce SMBs will continue to pay $15 to $30 for a chargeback but will not incur further Visa monitoring.

Large retailers, however, may want to monitor their VAMP ratios to avoid warnings, reserve requirements, or even offboarding from their acquirer.

In general, merchants with no significant issues under Visa’s fraud and chargeback programs are likely to experience minimal impact from VAMP.

Passkeys Gain Traction with Ecommerce Shoppers

Passkeys allow users to log in to their secure accounts without passwords. Ecommerce businesses were first in line when the FIDO Alliance introduced passkeys in 2022. The trade association, whose name stands for Fast ID Online, launched in 2012 with a mission to reduce the world’s password reliance.

Andrew Shikiar, executive director of FIDO, said the past two years have been momentous for members and ecommerce businesses. “You want to attract customers to your site and protect them from account takeover, credential stuffing, and phishing attacks,” he said. “That’s why PayPal, eBay, Amazon, Walmart, Best Buy, and other ecommerce companies were the earliest adopters of passkey payments.”

Shikiar noted that passkey awareness has risen from 39% in 2022 to 57% in 2024, according to a FIDO survey of 10,000 consumers in the U.S., U.K., France, Germany, Australia, Singapore, Japan, South Korea, India, and China.

Dual Protection

Passkeys protect sign-ins and payments, Shikiar explained, adding, “How do I know that it’s really my customer or a legitimate guest who is signing in or making the purchase and not a fraudster? I want my customers to sign into my site as easily and securely as possible.”

Passkeys rely on public key cryptography, which pairs a public “key,” a large number that anyone may hold and use to encrypt data, with a private key known only to the user and stored on that user’s device, such as a phone or computer. Only the matching private key can decrypt data encrypted with the public key. Signing in with a passkey is quick and secure because the request comes from the device holding the private key, so a fraudster must have access to a user’s device to sign in to her accounts.

Shikiar stated that sign-in success rates were a hot topic at FIDO’s October 2024 Authenticate conference in California, where Amazon reported a 15% sign-in success increase. Even a 5% sign-in increase is significant for merchants, and higher success rates typically mean sign-ins are faster than passwords and legacy two-factor authentication.

Passkey Readiness

Emily Baxter, a security consultant at RPY Innovations, a payments consultancy, advised merchants to consider internal and external factors when evaluating passkeys. “Merchant readiness could be viewed from two perspectives: the readiness of users and passkey providers,” she said. Essential questions for merchants include how they utilize passwords today, what integrations and vendors are required to enable passkeys, and how customers will experience the change.

As always, ensure your security team is engaged in assessing your organizational readiness, Baxter added, noting that the best solutions are driven by a clear “why,” which she called the North Star of implementation.

“Your North Star may be a reputation as a safe and trusted merchant or providing an excellent user experience (especially increasing cart abandonment or addressing user frustrations), meeting provider requirements, or it could be something else entirely,” she said.

Baxter pointed out that passwords, despite their shortcomings, can be used anywhere, on any device, and at any time. Merchants must assess the passkey’s potential impact on the user experience by considering:

  • Do shoppers typically sign in from their own devices or from, perhaps, public computers?
  • Will user adoption of passkeys be voluntary or mandated?
  • Will initial implementation require a dual password and passkey solution?
  • What customer and employee training and education are necessary?

In addition to referencing FIDO’s Passkey Central, an education portal, Baxter advised merchants to consider how passkeys fit into an overall cybersecurity strategy.

She added that passkeys are configured and shared in different ways. A merchant could implement passkeys directly or via a third-party provider. A user’s private key could reside in, say, an iPhone’s operating system or even a password protection app. And vendors can facilitate any or all of the setup, with varying prices, scalability, and implementation support.

FIDO Certified Vendors

Shikiar agreed, stating that FIDO’s ecosystem has hundreds of certified solution providers that can help ecommerce and other companies implement passkeys quickly.

“We don’t dictate how to develop passkeys or promote vendor-specific solutions,” Shikiar added. “We advise companies to go into vendor discussions with their eyes wide open. Become informed before meeting with a vendor. While these are all FIDO-certified vendors, speaking the same language, having a strategy and clear objectives will help a vendor be more responsive to you and your passkey rollout.”

Charts: Global Cybersecurity Trends Q4 2024

PwC’s new “2025 Global Digital Trust Insights” survey gathered responses from 4,042 business and tech executives across 77 countries. The goal was to identify the challenges organizations encounter toward achieving cyber resilience.

Survey respondents are most concerned about the threats they are least prepared to handle. The top four cyber risks include cloud-related attacks, hack-and-leak incidents, third-party breaches, and attacks on connected devices.

According to the survey, security executives feel significantly less assured than CEOs about their ability to meet compliance requirements.

In addition, businesses are increasingly recognizing cybersecurity as a crucial factor for gaining a competitive edge. The data show that 57% of executives point to customer trust, and 49% highlight brand integrity and loyalty as key areas where cybersecurity has a strong influence.

Moreover, the survey results reveal that many organizations miss opportunities by not integrating their security executives into critical projects. Less than half of CEOs report that their security officers are meaningfully involved in strategic planning for cyber investments, board-level reporting, and overseeing technology rollouts.

Combat AI-powered Fraud with AI, Experts Say

Fraudulent payments are 40% more likely to occur in ecommerce than physical stores, according to LexisNexis Risk Solutions’ “True Cost of Fraud Study: Ecommerce and Retail Report.” Published March 27, 2024, the 14th annual study found digital wallets, payment apps, buy-now-pay-later plans, and cryptocurrencies account for one-fifth of all payment fraud.

Based on a survey of 346 risk and fraud executives in the U.S. (272) and Canada (74), the study revealed a 60% increase in attacks in 2023 compared to the previous year, led by fraudulent chargebacks and identity theft. Researchers advised that AI technologies are the best defense against these attacks.

“Advanced real-time transaction verification solutions using artificial intelligence and machine learning are especially crucial as they work in the background to help prevent fraudulent transactions with minimal impact on customers,” researchers wrote, emphasizing that these advanced technologies are the best defense against widescale, automated attempts.

High Cost, High Volume

Researchers noted that fraud is expensive. Fees, fines, and the cost of replacing products mean every sale lost to fraud costs approximately three times its original value. These costs will only multiply, they added, as fraudsters continue to exploit weaknesses in back-office and payment processing systems.

The report identified the top three attack schemes for all merchants (online and in-store): synthetic identity fraud, payment card fraud, and malicious bot attacks. Researchers also found that card-not-present fraud (25%) outranked all other forms of payment fraud, including counterfeit cards (22%), stolen or lost cards (20%), card ID theft (17%), and fake or doctored card fraud (17%).

Researchers found that the current threat environment makes it especially challenging to separate fraudsters from legitimate customers, particularly in digital transactions. Survey respondents cited the use of mobile channels (47%), the rise of synthetic identities (47%), and limited or no real-time transaction tracking tools (46%) as the top three challenges of digital consumer verification.

Frictionless Tools

While 69% of survey respondents have implemented fraud prevention tools in digital channels, most found it difficult to deflect fraudsters without inconveniencing legitimate customers, particularly at the point of purchase. Researchers offered the following recommendations for creating a secure but frictionless experience:

Employ advanced, multi-tiered solutions. Use automated solutions, such as transaction scoring, to eliminate friction among low-risk shoppers. Transaction scoring creates a risk score to approve or deny a transaction and eliminate unnecessary steps in customer verification. When integrated with AI, biometrics, and other behavior-based authentication methods, these fraud prevention tools continuously evaluate customer identity and transaction risk while facilitating internal and external data sharing and collaboration.

Appoint a fraud management administrator. Assign an administrator to take ownership of a company’s fraud management, with responsibility for configuring, monitoring, maintaining, and continuously updating the system. This designated administrator will safeguard the customer journey, from account openings and checkouts to logins, an approach that protects all stakeholders — employees, customers, service providers — from card payment fraud and adjacent threats.

Risk-based, data-driven approach. Prioritize fraud mitigation to thrive in the ecommerce ecosystem. Leverage emerging technologies whenever possible to build a robust posture against fraud and reduce fraud losses, which can elevate conversions and trust.

Human, AI Oversight

As LexisNexis Risk Solutions noted, the growth of ecommerce has created more opportunities for criminals, with surprisingly little effort. A significant number of attacks in 2023 were prompted by human error, according to Verizon’s “Data Breach Investigations Report,” published May 1, 2024.

Chris Novak, senior director of cybersecurity consulting at Verizon Business, observed that 68% of data breaches in 2023 resulted from people making innocent mistakes or falling victim to social engineering attacks. “The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training,” he said in a statement.

The Verizon Business data-breach team advised taking a multilayered approach to fraud prevention. “We (and many others) have said it before: Multifactor authentication goes a long way toward mitigating these types of attacks. For that matter, so does not letting your kids use your corporate computer to find ways of making free [gaming] V-Bucks,” they wrote. “As with anything else security-related, the most effective controls are typically the ones that leverage the human element along with technical resources.”

LexisNexis Risk Solutions proposed more than personal attributes — name, address, date of birth — to identify customers in the digital world. Merchants must also assess device risk, transaction risk, and online and mobile behaviors. AI-powered tools can do all of this and more, researchers stated, calling the approach the “new norm in fraud management.”

Disputifier Founder on Winning Chargebacks

Mark Wagner believes the best chargeback recovery systems are automated and data-driven. He founded Disputifier, an Austin, Texas-based chargeback software company, on that premise in 2021.

He told me, “We’ve developed an intuitive system over the years. It combines data from the transaction with our testing and identifies an appropriate response.”

He and I recently discussed the state of ecommerce chargebacks and how merchants can recover false claims. The audio of our entire conversation is embedded below. The transcript is edited for length and clarity.

Eric Bandholz: Tell us what you do.

Mark Wagner: I run a software company called Disputifier. We’re an automated chargeback recovery agency. We see over 60% of chargebacks being fraud. These are not impossible to win. It’s more about separating the valid credit cards. Say a crook bought someone’s credit card info on the dark web. That’s a very different situation than a customer trying to get free stuff.

We help with duplicate chargebacks [where a cardholder wins a chargeback, then loses it, then refiles it], which are hard to prevent but easy to win. Duplicates are our highest win rate — around 90%. We attach screenshots of the checkout page and the purchase process for duplicate responses. We submit all the evidence to the card issuer after testing. We have a ton of data identifying the exact way to format a response, which can have a huge impact.

We present the evidence via PDFs. So, instead of using the Shopify Payments’ response, we built our own from scratch. We can highlight specific areas and make it almost like a lawsuit with different sections. We try to format it differently from Shopify.

Bandholz: Do real people at the issuing banks read the documents?

Wagner: Yes, the banks will print your chargeback response and throw it on someone’s desk. That person will manually flip through it and decide whether to side with the merchant when he or she has already agreed with the cardholder. So the formatting and images matter. We keep text to a minimum — two to three sentences. Folks are visual. It’s all in the format, the graphics, the images, and how it’s presented.

We’re software-based, meaning we programmatically ingest data from Shopify and other sources and then add those into our automated response. We manually review our responses to ensure they’re up to par and if we have any custom evidence, but typically over 90% of responses are unchanged from what our system generates.

Bandholz: Can’t you just use Shopify’s fraud analysis?

Wagner: Shopify’s fraud analysis is too basic and not always helpful. It might have 10 data points without explaining the reason for flagging a chargeback as low or high risk. For instance, Shopify might mark a chargeback as low risk even if the order was placed outside of North America and shipped to California. It doesn’t make sense. Conversely, many are flagged as high risk with no serious indicators. If you’re refunding those, then you’re losing money. We’ve run tests. Roughly 7% of Shopify’s medium-risk orders (and 35% of high-risk) turn into a chargeback. So the vast majority are legit buyers.

Bandholz: How much effort should merchants put into fighting chargebacks?

Wagner: It depends on your size, business model, and average order value. It becomes a necessary but labor-intensive process if we’re talking about higher average order values — hundreds to thousands of dollars. If your AOV is lower, you should not spend time on it.

When I ran ecommerce brands, we had an employee who would try to determine if an order was fraudulent. She’d call everyone in the office and say, “Guys, look at this.” End of the day, we still had a ton of chargebacks. It’s an imperfect process that is better not done by humans.

Bandholz: What’s Disputifier’s approach?

Wagner: We’ve developed an intuitive system over the years. It combines data from the transaction with our testing and identifies an appropriate response. It merges the two. It’s a customized response for every order but matches the template. That format has worked for us. It then goes through a manual review and gets submitted on a merchant’s behalf.

We make money by taking a percentage of orders we win.

When Shopify brands come to us, they’re winning around 25%. Our win rate is a bit over 50%, depending on the processor. Alternate payment methods seem to have a fair dispute process, whereas credit card issuers can be unpredictable.

Merchants should always require customers to agree to terms and conditions, including the refund policy, during the checkout. Customers cannot complete their order unless they click the box to agree. Sellers can then reference it if a customer falsely claims a refund. It significantly helps the win rate.

Again, this is for high AOV. I wouldn’t do it on low AOV. Plus, for very high orders — $5,000 or more — merchants should make an actual contract with the customer. This will help with a win, too. Never take a chance with a big purchase.

Merchants should test and determine what that winning response looks like. It’s tough for brands to figure out the entire chargeback process on their own. It’s murky. Every bank has slightly different rules.

Bandholz: Where can folks get your software?

Wagner: Our site is Disputifier.com. Follow me on Twitter at @themarkwagner or on Instagram and LinkedIn.