What can we expect in the digital payments landscape with AI pervading every aspect of digital business and transformation?
2024 marked the year AI took center stage, and the momentum is carrying into 2025 as certainly as taxes are here to stay!
With attack sophistication increasing, fueled by AI, the payment sector is under pressure to strengthen defenses against AI-driven payment fraud and ransomware.
We sought insights into the payment security landscape from Yew Kuann Cheng, Regional Vice President, PCI Security Standards Council (PCI SSC) Asia Pacific.
How is AI impacting payment security, both in the positive and negative senses?
Cheng: In an age dominated by digital transactions, data security has become a paramount concern for businesses worldwide. New technologies such as AI bring both opportunities and risks.
Cyberthreats are looming large, and some industries are more susceptible to data breaches due to the sensitive information they handle.
Take, for instance, organizations in the healthcare sector. They are entrusted with the personal, payment and medical data of their patients. Similarly, financial institutions are prime targets for cybercriminals as they manage valuable information. Online payment fraud is escalating at an alarming rate.
A study from Juniper Research has found that the cumulative merchant losses to online payment fraud globally between 2023 and 2027 will exceed US$343 billion. Malicious actors are lurking around to exploit our weaknesses through new avenues. However, we are also leveraging the same technology to combat these bad actors and protect ourselves.
AI is not new to the payment industry, as we have traditionally used the technology to identify anomalies and detect attacks in the system. It is beneficial especially when the input data is large and the response times required are short. These AI models will improve with more data input as they learn what works.
While it has proven to be a good support for fraud detection and data security, there have been some AI systems leaking sensitive payment data of users. Attackers can also target these systems and bypass defenses for their fraudulent activities. Commonly labelled as a double-edged sword, AI will be used and exploited by both good and bad players.
What are some top emerging threats posed by the rapid growth of AI-powered cyber-attacks when it comes to payments, and what are the implications for businesses?
Cheng: Malicious actors are getting better and better as they exploit the different gaps and flaws within the AI model to extract sensitive data. Traditional security measures may not be sufficient to counter these sophisticated AI-powered cyber-attacks. It is important for businesses to invest in robust defenses against such threats. Some emerging threats observed are:
- Malware and phishing: Criminals use malicious and sophisticated software to infiltrate a computer system and steal payment data. Ransomware is the fastest growing malware threat. One of the most common mediums for malware is through phishing emails. These emails look highly convincing, such as an invoice or electronic fax, but they trick victims into clicking malicious links and/or attachments.
- Remote access: Criminals access systems that store, process, or transmit payment data through weak remote access controls. Remote access may be used by payment terminal vendors, for example, to provide support to your terminal or to provide a software update.
- Deepfakes and voice cloning: Deepfakes have constantly been in the headlines, and the technology continues to improve. AI-powered deepfakes can create realistic videos and audio recordings of individuals, enabling fraudsters to impersonate executives or customer service representatives to authorize transactions.
- Outdated software: Criminals look for outdated software to exploit flaws in unpatched systems.
- Online skimming: Criminals attach malicious software or scripts to payment pages, which can extract the customer’s payment data when they use their payment accounts at the online merchant’s store. Subsequently, these criminals will use the stolen data to make fraudulent transactions.
How can organizations protect themselves from such cyberthreats?
Cheng: Many organizations are not prepared to face these emerging threats. Cisco’s 2024 Cybersecurity Readiness Index reveals that only 3% of organizations are assessed as having a mature stage of cybersecurity readiness in 2024. They found that the evolving threat landscape, resource challenges, and complexity of networks, cloud and applications are taking a toll on today’s organizations.
Also, a lack of knowledge and experience is the top challenge faced by organizations.
Organizations must remain vigilant and employ the necessary measures to counter emerging threats effectively. They should drive more awareness internally on the handling of sensitive data, particularly payment data. Proactively educating employees helps them understand best practices, such as recognizing phishing emails and using strong passwords.
Another good practice is to conduct regular security assessments to identify and address potential weaknesses in the system. Organizations should also leverage AI-powered solutions and machine learning to analyze threats and enhance fraud detection.
Lastly, adopting industry standards and procedures helps organizations adapt to ever-changing threats on budget and on time.
What are the latest developments from PCI SSC to ensure security standards remain adaptive to emerging threats like ransomware and AI-driven cybercrime tactics?
Cheng: To ensure the secure handling of payment card information, PCI SSC manages the Payment Card Industry Data Security Standard (PCI DSS). It is a set of requirements for any organization that processes, stores, or transmits payment data.
The latest version, PCI DSS version 4.0.1, aims to address the evolving security requirements of the payments industry by introducing greater flexibility, adaptability, and support for alternative approaches. During the process, potential vulnerabilities and gaps in the organizations’ security can be identified early before they escalate into high risk.
Adopting PCI standards is not merely about ticking the boxes. It is about building trust between the businesses and their stakeholders and offering a sense of security to them. By embracing PCI standards, businesses can navigate the complexities of the digital landscape with confidence and mitigate risks, ultimately emerging stronger in the face of adversity.
Please share your opinion on 2025 trends in the payment space.
Cheng: In 2025, several key trends are set to shape the payment space, with AI continuing to drive innovation and transformation across the industry. Other notable trends include:
- Super apps: Super apps will continue to gain prominence, particularly in Southeast Asia, where e-wallet payments are projected to be worth more than $114 billion by 2025. Consolidation among digital wallet providers is expected, resulting in a few dominant regional and local super apps. Companies like Grab, Alipay, and WeChat are leading this shift, offering integrated services that combine payments, ride-hailing, food delivery, and more.
- Innovations in payments: With the latest update of the PCI MPOC standard (Mobile Payments on COTS; Commercial Off The Shelf devices), more innovative acceptance solutions are anticipated. Also known as Tap to Phone or SoftPOS, these solutions should make payments more accessible and more personalized.
- Digital identity: Phishing-resistant authentication factors were referenced in the latest version of PCI DSS, v4.0.1. This refers to the adoption of passkeys and similar technologies that no longer rely on passwords, and this in turn prevents phishing. More and more companies will be encouraged to adopt this form of authentication, given that it will help to meet the Multi-Factor Authentication (MFA) requirements in the standard.