Each October, Cybersecurity Awareness Month gives us an opportunity to look at the emerging threats impacting the payments industry and the countermeasures being employed to stop them. This year, I sat down with my team to explore a range of topics, including:
- The evolution of fraud
- How AI is changing the security game
- How new technologies like network tokenization and biometric payments are empowering stakeholders
- What role technology providers like NMI play in securing the payments space
AI and the Evolution of Fraud
Question: What are the most significant new security threats in online payments? And what is the most significant security threat in fintech?
Peter: Fraud and compliance are always the big two, but from a more security-focused standpoint, I think the biggest new thing has to be the emergence of AI as a tool for cybercriminals. That applies to both payments and fintech as a whole.
Cybersecurity will always be a “bigger wall, bigger ladder” dance. But an argument could be made that generative AI, as it currently exists, has a bigger impact as a ladder than a wall. I believe that will inflect very shortly, but for now, generative AI tools are enabling cybercriminals to refine and scale attacks at near-zero cost.
For example, the spelling mistakes or odd phrases that might’ve given away a phishing email? They’re gone now. And those emails can be generated en masse in minutes. Bad actors are even using generative AI to create fake personas — complete with back stories, social media profiles, resumes and LinkedIn accounts — to infiltrate companies through the hiring process and gain access through the front door.
That said, it’s important to remember that every time a new technology emerges, bad guys get creative before defense inevitably catches up. So, while the balance of AI’s impact will shift towards better security, right now, its role as a rapid-scale vector really benefits the bad guys. That makes proactively securing payment systems and cardholder data more important than ever.
Tokenization & Data Protection
Question: Tokenization seems to be the ideal solution for securing payments, so why are certain companies either not utilizing it or hesitant to do so? What are the alternatives that people are using instead?
Peter: I’m not sure it’s hesitancy as much as it is a need for more information. Research shows very clearly that the vast majority of companies that are highly familiar with tokenization opt to use it. Something like 92% of merchants and over 98% of payment service providers who are familiar with tokenization use it. But then you have something like 20% of merchants still not adopting tokens. So, to me, the question is, how do we better educate that 20% to get them into that “highly familiar” territory?
As far as alternatives to tokenization go, there are two ways to look at that. From the perspective of protecting the transaction against fraud, there are tons of security layers that merchants can and should use, including 3-D Secure (3DS), two-factor authentication and AI-driven fraud protection tools like Kount. Passkeys are also becoming a lot more popular. All of these safeguards play a role.
But from the perspective of protecting card data and walling the merchant off from data breach liability, in my opinion, there really is no alternative to tokenization. Every transaction is encrypted, and systems like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) absolutely still have a place. But nothing isolates card data like tokenization, and so it really is in its own class.
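The isolation Peter describes can be made concrete with a minimal token vault. This is an added illustration, not NMI's code: the `TokenVault` class, the `tok_` prefix and the `merchant_record` helper are assumed names, and the PAN used in comments is a constructed test number. The point it shows is that the merchant side holds only a random, non-reversible token plus display data, so a merchant-side breach exposes no card numbers.

```python
import re
import secrets
from dataclasses import dataclass, field

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault refuses obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault: the only component that ever holds a PAN.
    Assumed to run outside the merchant's environment (e.g. at the PSP)."""
    _store: dict = field(default_factory=dict)   # token -> PAN

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        # Tokens are random, not derived from the PAN, so a stolen token
        # reveals nothing about the card and cannot be reversed without the vault.
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._store:
                break
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault maps a token back, e.g. at authorization time."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant persists: the token and display data, never the PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """True if the stored merchant record would expose the full card number."""
    return pan in str(record)
```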
Biometrics in Payments
Question: What about biometrics in payments? How do they strengthen security? On the flip side, how might they undermine security?
Peter: Biometrics are a fantastic tool with a big role to play in the future. Because the key to the lock is completely unique to the individual, it’s extremely hard (but not impossible) to beat.
But how biometric payments will be implemented is less clear. For instance, passkeys are a great alternative to a password that requires a user to be logged into a device that can be biometrically protected, like a smartphone with a fingerprint or face ID. It’s fast and easy to use, and people are already highly trusting of those biometric systems built into their devices.
But then you have systems like the palm scanners that retailers like Whole Foods rolled out through Amazon One. What we’ve seen there is some consumer hesitancy and concern about how that kind of biometric data is secured and used when given to a company. And that’s a valid concern because, as you mentioned, there’s a flip side to this. What happens if a user’s personal biometric data is stolen? That’s a big question that we’ll need to have a very good answer for before consumers trust biometric payments enough to use them at scale.
The Evolution of AI
Question: How has AI changed how fraudsters operate, and how should companies supercharge their payment security strategies to prepare?
Peter: Going back to the “bigger wall, bigger ladder” dance, it’s really important that companies understand that bad actors are using these tools to the full extent of their current capacity. So, both merchants and payment providers need to ensure they’re using the most up-to-date security tools, as well. I can’t really emphasize enough that it’s an arms race. And if you’re using security that isn’t cutting-edge, you might be losing.
So, if you’re using tokenization, get on network tokens. If you’re using rules-based fraud screening, get on an AI-powered system. Things like that. Ultimately, there isn’t a lot the average merchant or even payment service provider (PSP) can do directly as far as building their own security. So it really is just a question of ensuring the security systems you’re getting through your partners are as up-to-date as possible and, equally important, that you have a partner that lives on the cutting edge of payment security innovation.
SaaS Security Considerations
Question: What should a Software-as-a-Service (SaaS) company ask its embedded payments partner about security?
Peter: The two most important questions are:
- How do I protect my customers and their customers from the next generation of fraud and cyber threats?
- How do I minimize my own exposure to both threats and potential liability?
It’s really a question of asking for education. SaaS companies have strong security expertise because security is a critical part of software development. But it isn’t payments security. For example, the average SaaS company is not going to understand Payment Card Industry (PCI) compliance requirements. They need an expert partner that can educate them on what they need to do and, even more importantly, how to use tools to minimize their compliance scope altogether.
The right partner acts as a trusted advisor that can look at a SaaS company’s current tech stack, operations and security systems and see where things can be improved in a payments context. So, if you have the right partner, simply asking “What could we be doing better?” could go a very, very long way.
NMI’s Approach to Security
Question: What is NMI’s approach to security and data privacy?
Peter: Security in depth. What do I mean by that? There are so many different potential vectors for cybercrime — and especially for fraud — that the required security changes are based on how, what and where a consumer is buying. That has the potential to be complicated, so our goal is to make sure our partners can offer merchants everything in a way that makes it simple, frictionless and inexpensive to maximize protection.
At NMI, that starts with better underwriting — a process before a single transaction is ever processed. Tools like ScanX allow our partners to underwrite merchants more accurately and consistently without creating a bottleneck in the sign-up process. Then, when the transactions start flowing, it’s 3DS, network tokenization and additional tokenization through digital wallet support with Apple Pay and Google Pay. It’s catching fraud with AI-powered screeners like Kount. It’s card-spinning detection to protect merchants from devastating spinning attacks. The list goes on.
If there’s a gap, the bad guys will find it. So, our goal is to fill as many potential gaps as possible, either with a tool that’s already included in the service or one that can be turned on in seconds as a value-added service. So, security in depth that adds little to no friction for the merchant.