The Rise of AI in Payment Fraud and Cybersecurity
Written by Kenechi Obillor
This blog, written by our Cyber Security Consultant, Kene, explores how artificial intelligence is transforming both payment fraud and cyber security. It examines how attackers are using AI to develop more sophisticated threats, how organisations are using AI-powered tools to strengthen detection and response, and what these changes mean for PCI DSS v4.x compliance. The article also highlights why organisations must validate and govern AI-enabled security controls to ensure they remain effective as threats continue to evolve.
Artificial intelligence and machine learning are increasingly influencing how security operates on both sides of the fence. Organisations are using them to spot unusual activity more quickly and with more precision. Attackers are using them to run phishing campaigns, impersonate people convincingly, and scale fraud operations that would have required whole teams just a few years ago.
The uncomfortable truth is that both sides are using the same technology and are getting better at it. Attackers do not follow scripts. They adapt in real time, blend into normal-looking traffic, and automate the trial and error that used to slow them down.
The Attacker’s Advantage
AI has lowered the barrier to sophisticated attacks considerably. Credential harvesting, social engineering, synthetic identity fraud, and card testing are not new threats, but AI makes them faster, more targeted, and harder to distinguish from legitimate activity.
A phishing email that once took hours to craft can now be personalised and sent at scale. In some emerging cases, attackers are experimenting with automation that adjusts payloads or lures based on defensive responses.
In its AI Risk and Resilience Special Report (2025–2026), Mandiant observed that threat actors are moving beyond experimental use of generative AI and increasingly operationalising AI across the attack lifecycle.
The report highlights a shift toward more automated and adaptive techniques, where AI is used to support reconnaissance, phishing, and malware development at scale, reducing how much human effort is needed to run and evolve campaigns.
AI as a Defensive Capability
The same shift is happening on the defensive side, often quietly. Many of the fraud platforms, identity tools, and monitoring systems organisations already rely on have machine learning built in, sometimes without it being particularly visible or labelled as such.
These systems work by processing large volumes of transaction data, authentication logs, and behavioural signals to spot patterns that do not fit. Rather than flagging individual events in isolation, they correlate activity across users, devices, and systems.
This is how organisations can catch things like account takeover attempts or card testing activity that might look unremarkable on their own. In complex payment environments with heavy API traffic and distributed infrastructure, that kind of correlation is genuinely difficult to do without automation.
Compliance Pressure and the AI Gap
PCI DSS v4.x represents a meaningful shift in how organisations are expected to approach security compliance. Rather than functioning as a purely prescriptive checklist, the standard now places greater emphasis on achieving defined security outcomes.
This change introduces two methods for meeting requirements: the traditional Defined Approach, which follows the familiar step-by-step control structure, and a more flexible Customized Approach, which allows organisations to design controls that fit their specific environment, provided they can demonstrate, through testing and risk analysis, that the requirement objective is met.
That second option is where the real shift in mindset sits. PCI DSS v4.x is less concerned with the technology used to implement a control and more concerned with whether the implemented control is effective in meeting the security objectives.
This creates space for organisations to move away from rigid, one-size-fits-all implementations and adopt more modern, risk-driven security designs. As long as the intent of a requirement is met, organisations have more flexibility to tailor their control architecture to their operational reality.
While the standard does not explicitly require AI or machine learning, it does expect organisations to have proper logging, monitoring, and processes in place to detect and respond to suspicious or unusual activity.
In practice, many teams achieve this using existing security tooling such as SIEM platforms, behavioural monitoring approaches, and automated log analysis. Some organisations also use capabilities like User and Entity Behaviour Analytics to improve visibility and scale detection across large, complex environments.
However, passing a compliance audit and actually being secure remain two different things. Organisations can satisfy every requirement and still carry blind spots in detection and response that only surface when something goes wrong.
Business email compromise illustrates this well. Controls exist for it, including awareness training, email filtering, and access restrictions. Attackers know those controls exist and design around them.
According to the Microsoft Threat Intelligence findings in the Microsoft Digital Defense Report 2024, threat actors involved in business email compromise continuously adapt their techniques, messaging, and supporting infrastructure in response to detection and defensive controls.
The campaigns persist not because controls are missing, but because attackers adapt to them more quickly than many defences do.
This is precisely what PCI DSS v4.x is responding to. The emphasis has shifted from whether controls are present at a point in time to whether they continue to work effectively under real-world conditions.
That distinction pushes organisations toward continuous validation rather than snapshot assessments, and it raises a governance question that cannot be sidestepped.
As behavioural analytics and AI-assisted tools take on more of the detection and response work, organisations must still be able to demonstrate how alerts are generated, how the system is tuned over time, how false positives and negatives are managed, and how the whole thing maps back to a specific requirement intent.
The flexibility that PCI DSS v4.x offers comes with heavier responsibility to document, justify, and evidence that whatever solution is in place, whether traditional or AI-enhanced, is genuinely doing its job. Saying “we use AI” is not an answer an auditor will accept.
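The correlation described earlier (catching card testing that looks unremarkable one event at a time) and the evidence question raised here, as an added example that is not part of the original post and not any vendor's tooling: it groups constructed authorisation-log lines by device and flags card testing, then scores the alerts against analyst labels so false positives and negatives can be counted. The log format, thresholds and labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log ("timestamp device card_token amount result");
# dev-A cycles through five different cards in seconds, mostly declined.
SAMPLE_LOG = """\
2025-03-01T10:00:01 dev-A tok-1111 1.00 declined
2025-03-01T10:00:04 dev-A tok-2222 1.00 declined
2025-03-01T10:00:07 dev-A tok-3333 1.00 approved
2025-03-01T10:00:09 dev-A tok-4444 1.00 declined
2025-03-01T10:00:12 dev-A tok-5555 1.00 declined
2025-03-01T10:05:00 dev-B tok-7777 49.99 approved
2025-03-01T10:20:00 dev-B tok-7777 12.50 approved
2025-03-01T11:00:00 dev-C tok-8888 5.00 declined
2025-03-01T11:00:30 dev-C tok-8888 5.00 approved
"""

def parse(log):
    """Turn log lines into (timestamp, device, card, amount, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, device, card, amount, result = line.split()
        events.append((datetime.fromisoformat(ts), device, card, float(amount), result))
    return events

def detect_card_testing(events, window=timedelta(minutes=2), min_cards=5, min_decline_ratio=0.6):
    """Correlate attempts per device; return {device: reason} where one device tries many
    distinct cards in a short window with a high decline rate. Thresholds are assumed values."""
    by_device = defaultdict(list)
    for ev in sorted(events):
        by_device[ev[1]].append(ev)
    alerts = {}
    for device, evs in by_device.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start[0] <= window]
            cards = {e[2] for e in win}
            declines = sum(e[4] == "declined" for e in win)
            if len(cards) >= min_cards and declines / len(win) >= min_decline_ratio:
                alerts[device] = f"{len(cards)} cards, {declines}/{len(win)} declined in {window}"
                break
    return alerts

def evaluate(alerts, labelled):
    """Score alerts against analyst-confirmed labels ({device: is_card_testing}); these
    counts are the false-positive / false-negative evidence an assessor will ask for."""
    tp = sum(1 for d, bad in labelled.items() if bad and d in alerts)
    fp = sum(1 for d, bad in labelled.items() if not bad and d in alerts)
    fn = sum(1 for d, bad in labelled.items() if bad and d not in alerts)
    return {"true_positives": tp, "false_positives": fp, "false_negatives": fn}
```

Re-running `evaluate` on each tuning change, with the thresholds recorded alongside the counts, is the kind of record that maps an AI-assisted detection back to a requirement's intent.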
The Future: AI Agents in Security Operations
We are at the beginning of the next phase of AI in security operations, and it is agentic. Rather than systems that simply detect and alert, agentic AI is designed to investigate, correlating signals across endpoints, identity, network, and application layers, then assembling a coherent view of activity for analyst review.
Across enterprise security platforms, AI-driven capabilities are increasingly being embedded into investigation and incident triage workflows, with some extending into guided remediation. The direction is clear and the pace of adoption is accelerating.
The meaningful change is not detection itself but speed. Investigation cycles that previously took hours are being compressed significantly, reducing the window between when an attack begins and when someone understands what is happening.
In payment environments, where delayed detection can mean mass cardholder data exposure, that matters enormously. Security controls are increasingly built into operational workflows, where automation does not just flag issues but helps investigate them.
This shifts the analyst’s role away from constant alert monitoring and toward validating findings and making decisions.
What It All Comes Down To
AI systems are only as good as the threat models and data behind them. As both attackers and defenders lean harder into AI, security outcomes depend less on what tools an organisation has purchased and more on how quickly it can adapt, validate, and respond.
That is a harder problem than it sounds, and it does not get solved at audit time.
It raises some honest questions for security and compliance leadership. Do you have real-time visibility across your payment environment, or are there gaps that only surface after something has already gone wrong?
Has anyone formally assessed whether your AI-driven tools are performing as expected, or are you trusting the vendor’s word? Can abnormal behaviour be detected and acted on at the speed it occurs?
And are your PCI controls functioning as continuous, validated mechanisms, or as checkboxes that get ticked once a year and largely left alone in between?
Most organisations get this wrong in the same way: they treat AI as a product to buy rather than a control to govern.
A fraud platform with machine learning under the hood is still, fundamentally, a control, and every control needs to be tested, documented, and proven to work. Vendor marketing does not change that.
A model might perform well, but without proper validation and oversight, it is not necessarily any safer than the rules-based system it replaced.
The real challenge is no longer whether organisations have security controls in place, but whether those controls can be trusted to behave consistently as environments and attack patterns evolve.
Frequently Asked Questions
How is AI being used in payment fraud?
Cyber criminals are increasingly using AI to automate phishing campaigns, create convincing impersonations, develop synthetic identities, and scale attacks such as credential harvesting and card testing. AI allows these attacks to become faster, more personalised, and more difficult to detect.
Can AI improve cyber security?
Yes. AI can help organisations detect suspicious behaviour more quickly by analysing large volumes of transaction data, authentication logs, and behavioural patterns. This enables security teams to identify potential threats that may otherwise go unnoticed.
Does PCI DSS v4.x require organisations to use AI?
No. PCI DSS v4.x does not require organisations to implement AI or machine learning. Instead, it requires organisations to demonstrate that their security controls effectively detect, monitor, and respond to threats, regardless of the technology being used.
What are AI-driven security controls?
AI-driven security controls use artificial intelligence or machine learning to support activities such as fraud detection, behavioural analytics, threat monitoring, and incident investigation. Like any security control, they should be regularly tested, validated, and documented.
Why is governance important for AI security tools?
AI tools should not simply be trusted because they use advanced technology. Organisations need to understand how they make decisions, monitor their effectiveness, manage false positives and negatives, and ensure they continue to meet security and compliance requirements over time.
How can Data Protection People help?
Data Protection People works with organisations at exactly this intersection, validating that adopted controls, whether AI-enabled or traditional, align with PCI DSS requirements and broader security standards such as ISO 27001, and can be evidenced to an auditor without ambiguity.
Compliance postures do not always keep pace with the technology changes happening inside them. If AI and automation have reshaped how your controls operate but your last formal assessment predates those changes, this is a risk.
Finding it through independent assurance is considerably better than finding it through a regulatory review or a breach.
Get in touch now for assistance.