Reply to post: CVV2 brute forcing is surprising

Guessing valid credit card numbers in six seconds? Priceless

Ironclad

CVV2 brute forcing is surprising

The issuing institution should dictate whether CVV2 is verified and perform the verification.

It should also have 'velocity' checks on bad CVV2 attempts and/or fraud systems that detect multiple bad CVV2 attempts and ultimately block or restrict the card once a limit is reached, so using a variety of different Merchants should not be able to bypass this restriction.

I would expect the CVV2 limit/tries to be in the single digits to minimise the chance of a 'lucky' guess. After all, inputting 3 relatively clear digits from the back of the card is one of the simpler parts of the payment process.

It would be interesting to know which Visa cards were used/derived and which institution(s) issued them.

The researchers are correct in that this should be addressed by the Payment Networks and Card Issuers, but the Merchants should always demand the CVV2.
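
Added example, not part of the comment above and not any issuer's actual system: a minimal issuer-side velocity check of the kind the comment describes, counting bad CVV2 attempts per card rather than per merchant. The class name, the limit of 5, the 24-hour window and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class CardVelocityCheck:
    """Issuer-side counter of failed CVV2 checks, keyed by card only."""

    def __init__(self, max_bad=5, window_s=24 * 3600):
        self.max_bad = max_bad          # assumed single-digit limit
        self.window_s = window_s        # assumed look-back window, in seconds
        self.bad = defaultdict(deque)   # card token -> times of bad CVV2s
        self.blocked = set()            # cards restricted pending review

    def authorize(self, card, merchant, cvv2_ok, now):
        # The merchant is deliberately not part of the key, so spreading
        # guesses over many merchants does not reset the count.
        if card in self.blocked:
            return "blocked"
        failures = self.bad[card]
        while failures and now - failures[0] > self.window_s:
            failures.popleft()          # expire failures outside the window
        if cvv2_ok:
            return "approved"
        failures.append(now)
        if len(failures) >= self.max_bad:
            self.blocked.add(card)      # limit reached: restrict the card
            return "blocked"
        return "declined"


def replay(events, check):
    """Run (time, card, merchant, cvv2_ok) events through the check."""
    return [check.authorize(c, m, ok, t) for t, c, m, ok in events]


# Constructed sample: one card token, a wrong CVV2 at a different merchant
# each time, then a correct CVV2 that arrives after the limit was reached.
SAMPLE = [(i * 2, "card-token-A", f"merchant-{i}", False) for i in range(7)]
SAMPLE.append((20, "card-token-A", "merchant-99", True))

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE, CardVelocityCheck())):
        print(event, "->", result)
```

With a three-digit CVV2 and a limit of 5, at most 5 of the 1,000 possible values can be tried before the card is restricted.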
