The Payments Stack Wasn’t Built for AI-Era Fraud

Infrastructure Month: AI has made fraud cheaper to launch, harder to detect, and faster to execute, exposing just how fragmented and slow many payments defenses really are. Here's what to do about it.

Apr 02, 2026

How is AI fundamentally changing the economics of fraud attacks in payments?

Hilla Peled, SVP, AI & Head of CTPO Office, Nuvei: AI is industrializing the economics of fraud by lowering the barrier to entry while simultaneously blurring the lines between human and synthetic behavior. To counter this, generic models are no longer enough; defense now requires deep domain expertise to identify the subtle anomalies that only a specialist-led AI approach can detect.

Ben Cash, Manager of Product Management, Q2: What once required technical expertise, coordination, and time can now be automated, personalized, and deployed at scale. Attackers can generate highly convincing social engineering campaigns, adapt them in real time, and test defenses continuously. If your defenses are not learning in real time, they are aging in real time. That is why the real shift is not just better models, but better real-time decisioning built on connected signals across the customer journey.

Andrew Helms, CEO – USA, SumUp: The capital and time once required for large-scale attacks (i.e. labor, stolen lists, manual testing) have been virtually eliminated. What took a team weeks now takes a script and mere hours. That shift isn’t marginal; it changes who can run an attack and how often they can try. For small businesses, this is especially dangerous. They don’t have dedicated fraud teams. They rely on their payments provider to be the first and often only line of defense.

Daniel Stanbridge, Chief Risk & Compliance Officer, Kurv: AI lowers the barrier to entry for fraudsters and increases the speed and scale of attacks. Fraudsters can also adapt quickly when defenses change, altering the risk-reward equation because the cost of an attack drops while the potential payout grows. Fraud rings can also run smaller teams with fewer resources. Payments companies need defenses moving just as quickly, because static rules can’t keep up with these newer attacks.

What parts of the payments stack are most overdue for modernization in order to deal with AI-enabled fraud?

Daniel Stanbridge, Kurv: The weakest areas are in data infrastructure and cross-network visibility, because many payments platforms operate on fragmented pipelines. Fraud signals live in the gateway, processor, risk engine, and dispute platform, so teams aren’t able to see a full payment lifecycle at once. I’ve found that decision systems are falling behind because many companies still rely on static rules built years ago.

Hilla Peled, Nuvei: Fraud decisioning is the most exposed layer because many systems still rely on static rules that cannot adapt to the speed of AI-driven attacks. However, the shift toward AI has revealed that the real bottleneck is data fragmentation; even the most sophisticated models will fail if they are fed incomplete or siloed data that lacks the deep context of the full payment lifecycle.

Ben Cash, Q2: The biggest gap is not a single component but the lack of connectivity across the stack. Identity, authentication, session behavior, and transaction monitoring are often treated as separate problems, when fraud really moves seamlessly across all of them. That fragmentation matters because modern fraud does not reveal itself in one neat moment. It often starts before login, evolves during the session, and only becomes visible when money is about to move. The areas most overdue for modernization are signal orchestration and real-time decisioning. Many institutions still rely on point-in-time risk scoring or post-transaction monitoring. That model does not hold up in a world where fraud can happen in seconds.

Andrew Helms, SumUp: The fraud decisioning layer is where I’d start. Initially, the industry built risk models for a world where fraud moved slowly enough to catch on a delay. That world doesn’t exist anymore. When attacks are AI-generated and adapting in real time, decisioning has to keep pace. Strengthening onboarding and identity verification is part of that too. Synthetic identity fraud doesn’t start at the point of sale, it starts at sign-up, and a stronger front door means less to fight downstream.

How did payments stacks become so layered and complex over the past decade?

Ben Cash, Q2: The complexity is a byproduct of innovation happening in silos. Over the past decade, financial institutions have added new capabilities like real-time payments, digital wallets, embedded finance, new authentication layers, and identity verification, often by layering new solutions on top of legacy systems. Each addition solved a specific problem, but few were designed to work together from the start. Over time, that created a stack where data is duplicated, decisions are disconnected, and workflows are fragmented.

Andrew Helms, SumUp: Payment complexity grew through small, isolated decisions: adding a third-party processor for a new payment method, bolting on a fraud vendor, or adding regional acquirers for international expansion. No one tracked the total stack complexity. The pressure to ship fast also led to technical debt. Companies integrated quick fixes, promising to clean it up later. “Later” rarely came, leaving the industry with a decade of expensive, hard-to-unwind complexity.

Is today’s payments infrastructure simply too fragmented to defend effectively against modern fraud?

Daniel Stanbridge, Kurv: Fragmentation is a big problem in modern payments. One transaction can pass through several systems, each recording different data, which makes it difficult for businesses to see the full story. Think: the gateway, processor, fraud provider, issuer network, and dispute platform. Each channel makes its own decisions, and that can create blind spots. While one system flags suspicious behavior, the signal may never reach the others, and fraudsters love to exploit this gap.

Ben Cash, Q2: Fragmentation does create blind spots. Each tool might be effective in isolation, but fraud does not happen in isolation. It spans channels, systems, and moments in the user journey. That is especially true in scams and account takeover, where no single event may look suspicious enough on its own, but the sequence tells a very different story. What we see today is a patchwork of point solutions that generate signals but do not share context. That forces fraud teams to stitch together the story manually, often after the fact. The result is slower response times, higher operational costs, and more friction for legitimate users.

What foundational changes should payments companies make now if they want to successfully integrate AI into their platforms?

Hilla Peled, Nuvei: AI only works if the foundation is right. Companies need clean, unified data, fewer silos, and architecture designed for real-time execution. The platforms that succeed will be the ones where fraud, orchestration, and payments operate as one system, not separate tools.

Andrew Helms, SumUp: Start with the data. AI is only as good as what you feed it, and building on fragmented or inconsistently structured data creates real gaps. Before you can build effective models for fraud, personalization, or anything else, you need a clean, unified data foundation.

Second, be selective about where AI adds real value versus where it creates new risk. AI-powered insights and smarter support tools make a lot of sense. Companies need to be careful about fully autonomous decisioning on high-stakes transactions without a human review layer. It isn’t because the technology isn’t capable. It’s because trust is easy to lose and hard to earn. If a legitimate sale gets flagged and a merchant can’t get a straight answer about why, that’s a trust problem.

And third, build for explainability, not just as a compliance checkbox, because merchants deserve to understand what is happening with their business. When the system can explain its decisions clearly, you build the kind of confidence that keeps merchants with you long-term.

What else should companies be thinking about?

Ben Cash, Q2: One urgent issue that still does not get enough attention is the lack of shared intelligence across institutions. Fraud is not confined to a single bank or payment rail, yet most defenses still operate that way. Bad actors, mule accounts, devices, and suspicious patterns often show up across multiple environments, while most institutions are still defending primarily with what they can see inside their own walls.

Andrew Helms, SumUp: The accountability gap around AI in payments doesn't get nearly enough attention. When an AI model incorrectly denies a legitimate merchant or flags a real customer as fraud, responsibility is murky. The model vendor says it's the platform's problem. The platform says it's the model. And the merchant or customer is left with no recourse. Long-term trust in payments infrastructure depends on clear accountability — and the industry needs to get ahead of this before regulators force the issue.