The PaymentsJournal Podcast

Today is World Passkey Day. And while the industry celebrates the shift away from passwords, the more important question is what kind of passkey replaces them. Many organizations recognize that passwords are on the way out, with passkeys emerging as a replacement. What’s less widely understood is that the two main types of passkeys—synced and hardware-bound—serve very different use cases and carry distinct risk profiles. While both improve security and usability compared to passwords, one offers much greater protection.  In a Payments Journal Podcast, Adam Lowe, Chief Product and Innovation Officer at CompoSecure and Arculus, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, broke down how these approaches differ in practice. They explored how keys behave when stored in software versus hardware, and why those distinctions are especially important in payment authentication. What Is a Passkey?  A passkey is a cryptographic credential that allows a user to authenticate their identity with an application or service without a password. Many consumers encounter passkeys through mobile devices or platforms like Microsoft, often using biometrics such as fingerprints or facial recognition to log in. In most of these cases, the underlying credentials are software-based and synced through the cloud. This approach is very convenient: a single passkey can work seamlessly across multiple devices. However, that convenience introduces risk. If a user’s cloud account is breached, the bad actor may gain access to synced credentials, creating a significant security concern. Synced passkeys also face additional challenges. For example, while modern implementations are designed to resist replay attacks, improperly implemented systems or surrounding infrastructure can still be vulnerable if intercepted authentication data is reused to trick a system into granting access. “The more we have out there that’s living in the cloud, it’s just more readily accessible to cybercriminals,” said Goldberg. “The more that we can do in a physical environment—in addition to what we’re doing in a digital space—just enhances the security.” As Goldberg noted, hardware-bound passkeys are generated, stored, and managed on a local device, like a smart card or USB. These are widely used in high-security environments, including U.S. government and intelligence settings, and are generally considered best-in-class for strong authentication. “Software passkeys are great for that first layer, but we really need that depth of defense,” said Lowe. “Adding hardware local passkeys provides that next layer of defense for users.” A common misstep that organizations make is adopting hardware passkeys without fully modernizing their underlying systems. Often, this is done to avoid disrupting user workflows. While hardware passkeys can add a strong layer of protection, their benefits are limited if they are simply layered on top of legacy infrastructure rather than integrated into a modern authentication architecture. “When you sign, you’re getting a digital signature from the key, but you’re also attesting,” said Lowe. “There’s a certificate on hardware that proves it’s a valid hardware signer. While that food chain lives in the cloud, it can be manipulated. So another value to the hardware is not only am I signing, I am signing from a valid piece of hardware in a very straightforward way.” Non-Portability Is the Key  With hardware-bound passkeys, credentials are generated and stored within a secure element on the device. A secure element is a specialized chip designed to create and protect cryptographic keys—similar to those used in passports or payment cards. The defining characteristic here is non-portability. The private key never leaves the device. This is analogous to keeping a physical house key in your pocket: access requires possession. Because the key can’t be exported, duplicated, or remotely accessed, the attack surface is dramatically reduced. “We’re not saying that software passkeys go away,” said Goldberg. “It’s just an additional layer, a step-up authentication. It’s going to take a little bit more friction to authenticate and verify certain types of transactions or even certain types of individuals.” Read Privileges vs. Write Privileges  So when are software passkeys good enough, and when is hardware-backed authentication necessary? One useful way to frame the distinction is through read versus write privileges. Read privileges—access to view data—generally carry lower risk, since no changes can be made. In these scenarios, software-based passkeys may provide an acceptable balance of security and convenience. Write privileges, on the other hand, allow users to take actions that alter systems or move value, such as initiating payments. These higher-risk operations are where hardware-backed authentication becomes far more important. “That’s where we typically see that software to hardware migration, for stepping up an event,” Lowe said. “A very typical example would be sending a wire, sending any reasonable amount of money. Any time you get a risk flag, you can have the user tap into a step-up event.” The Tipping Point  The shift to hardware-bound passkeys could have occurred years ago, but widespread adoption likely depends on a tipping point—one that convinces organizations the added security justifies the change. “That tipping point is going to be a combination of increased cybersecurity risk, such as network infiltration that leads to data breaches,” said Goldberg. “It’s going to be upticks in fraud and increased risk to identity.” Many experts expect that payment flows, in particular, will increasingly require hardware-based authentication, given the high value and sensitivity involved. “If you do hardware-based authentication on a payment card, it shows possession of the physical card, which also answers so many fraud questions,” Lowe said. “We’ll get to the tipping point where consumers are concerned about their identities being compromised, and governments have more concern about verifying the authenticity of individuals, agents, and companies,” he said. “The whole notion of getting away from software-based authentication to having this additional layer of hardware will just become second nature.” The post The Passkey You Can’t Steal: Why Hardware Beats Software for High-Stakes Authentication  appeared first on PaymentsJournal.

When events like the NCAA Final Four come to town, they bring an influx of short-term workers who keep everything running—but often for just four or five days. Despite the brief duration of this work, many organizations still rely on traditional payroll systems to compensate them, creating unnecessary friction where speed and simplicity matter most. In industries that have relied heavily on cash tipping, such as hospitality, prepaid cards can be just as game changing. Instead of asking for a valet driver’s Venmo, a diner could scan a QR code and send a tip directly to the driver’s prepaid account. While event staffing and tipping are two clear examples, the potential extends much further. In a recent PaymentsJournal podcast, Ben Osmond, SVP of Treasury and Payment Solutions at U.S. Bank, and Jordan Hirschfield, Director of Prepaid at Javelin Strategy & Research, explored the impact of prepaid solutions across sectors such as the gig economy and contract work. As cash and checks continue to decline, prepaid products can reshape the work experience for contract and seasonal workers, while also delivering benefits for employers. Filling the Tip Card As tip jars have gone increasingly cashless, restaurants have sought more efficient ways to distribute tips digitally. “What they are doing is using prepaid programs to provide tips at the end of shift,” Osmond said. “There’s some interconnectivity with the point-of-sale systems where we’re able to calculate the tips that a server is going to receive so that they can have those loaded onto a prepaid card at end of shift. Often, they will have them on their card and in their account before they jump in their car or jump on the bus to head home.” This model is often well received, in part due to consumers’ familiarity with gift cards and the stored-value accounts like those offered by Starbucks or Target. That said, some workers may still hesitate to accept tips through what they perceive as a gift card format. “Sometimes people don’t understand that you still get a regular paycheck maybe from your hourly work, and that a card that you get for your tip outs is a payroll card,” Hirschfield said. “Some of that is just the messaging and the idea around it, where they don’t think of it as payroll but as their tip card, that’s what it’s there for and that’s the intent.” “It’s a payment option; it doesn’t mean it’s the one thing they will get,” he said. “When you go home at the end of the day, you’ve got that tip money in your hands in the same way you would have in a cash environment. These products support the whole idea that there’s multiple ways to pay people, just like they’re always have been. It used to be you would get your check for your hourly work and your cash for your tip outs. Now, we’re moving to a digital environment for that.” Winning or Losing Talent Beyond tipping, digital prepaid cards can dramatically improve the work experience for contract and seasonal workers across industries. “Instant issuance changes the game when you think about those contractors, those seasonal workers and short-term employees whose entire employment experience might come down to five days of working at an event,” Hirschfield said. “When they finish on the day it closes, pay them out and their entire experience is complete. They’ve worked their hours; they’ve received their payment, and everyone has a clean break.” This streamlined approach creates a win-win: payers benefit from simplified coordination, while workers receive fast, secure, and flexible compensation. As short-cycle payments become more common—whether for summer jobs, event staffing, or project-based work—prepaid cards are well positioned to meet this important need. “More employers are starting to realize the value because today’s workforce is mixed,” Osmond said. “There are gig employees, contractors, and temps, and a lot of the legacy payroll systems struggle with high turnover and rapid onboarding of employees.  Ultimately, a pay experience can win or lose talent in a tight labor market. It’s very important that employees are being paid the way that they want to be paid.” Real-Time Earnings Access Just as important as how workers are paid is when they are paid. In a digital payments landscape, where consumers can receive near real-time transfers via apps like Zelle, the answer is increasingly immediate. “One of the most relevant trends today is earned wage access, the ability for an employee to receive wages for hours that they have already worked but have not yet received a paycheck for,” Osmond said. “With that Friday or every other Friday payday, they’re able to access these funds early and request a portion of their wages which can be sent to them electronically onto a prepaid card, plastic or digital.” Regardless of how payments are delivered, workers expect digital access to their financial information. This makes it critical to offer a robust app that provides full visibility into balances, transactions, and spending. This is especially important for contract and short-term workers, many of whom juggle multiple jobs and remain constrained by traditional pay cycles. “Having these options where you can get paid either with earned wage access on an early basis or a couple days early, those are critically important to the people receiving that money—especially when they may need to spend that money as soon as they earn it to fit their lifestyle.” Hirschfield said. “Also, you get people who are potentially underbanked and unbanked, and this can also fill that gap.” From the Employer’s Perspective While the benefits for workers are substantial, employers also stand to gain. Paying via prepaid can reduce onboarding time and administrative costs, enabling workers to get started more quickly. “It can cut costs around eliminating checks or email reissuing of checks, things of that nature,” Osmond said. “It can reduce fraud. That’s something that often doesn’t get talked about from an employer’s perspective, but there is fraud on paychecks. They’re also having less calls and less concerns into their HR or their payroll department with questions about their checks.” “You can lower the cost of ownership scale of all of these things,” he said. “We work with a lot of quick-service restaurants that have many different locations that are using our prepaid products. By having one product and one disbursement method, they’re able to be much more efficient than they would by delivering checks to each different location.” Immediate payouts can also play a valuable role during employee separations. Whether voluntary or involuntary, issuing final wages via prepaid card can help defuse what is often a sensitive and time-critical situation. And these scenarios are only part of the broader opportunity for prepaid solutions within the full-time workforce. “You look at other things where it might be an off-cycle payment, where it could be a bonus or sales incentive program,” Hirschfield said. “These things are done off cycle; they’re instantly done. You hit an incentive bonus on sales, you’re paid instantly, and you feel rewarded. These are all examples that play into why having programs like this help.” A Frontline Experience Taken together, these developments position prepaid cards as a valuable part of modern work experience—and signal the potential for disruption within the broader payroll space. “As we think about this as a whole, payroll and wages aren’t just a back-office function anymore, it’s a frontline experience,” Osmond said. “Payroll cards and wage cards have moved beyond check replacement to become a digital infrastructure for the workforce that today is mobile, it’s mixed, and it’s often outside of traditional banking.” “The next standard is simple, it’s a quick onboarding process,’ he said. “We need to pay people fast, we need to pay them consistently and we need to do it with controls in place that employers can stand behind. What these products do, it helps make a real bank-issued program that can support earned wage access as well as tip functions—without changing the payroll cycle as a whole for the employers.” The post Tips on a Prepaid Card: A Practical Solution with Broad Industry Impacts appeared first on PaymentsJournal.

Not long ago, fraud teams could keep pace by reviewing incidents one by one. That era is ending. Armed with artificial intelligence and cloud-scale infrastructure, today’s cybercriminals operate faster, more broadly, and with far greater sophistication than ever before. The rise of agentic commerce will only intensify these challenges, in part because it upends a longstanding assumption in fraud prevention: that bot traffic is inherently suspicious. In a world where legitimate transactions may be initiated by AI agents, that distinction becomes far less clear. In a recent PaymentsJournal podcast, AtData’s Diarmuid Thoma, Head of Fraud and Data Strategy, and Brandt Hoffman, Sales Director, Fraud Services, along with Jennifer Pitt, Senior Fraud Management Analyst at Javelin Strategy & Research, discussed how these shifts are dramatically impacting payments risk. At the center of this transformation is a simple but growing imperative—organizations must know, with confidence, who (or what) is on the other end of every transaction. Achieving this now requires systems capable of analyzing and contextualizing vast, dynamic data streams in real time. The Outputs of Scalability Historically, many fraud attacks were treated as isolated events, leading financial institutions to adopt a reactive, situational approach. However, there are often patterns that emerge when these incidents are viewed collectively. Recognizing and operationalizing those patterns is critical. “From a law enforcement perspective, I remember a mail theft case that I investigated,” Pitt said. “We conducted a search warrant on the suspect’s home and found bags of open and unopened mail. We also found stacks of paper that contained full personally identifiable information—name, date of birth, Social Security number, next of kin, last known addresses—you name it, he had it.” “We searched his phone and his computer, and we were able to see that he was connected with several other suspects that we were already investigating,” she said. “What we uncovered was this hierarchical organized crime ring where there ended up being more sophisticated identity theft and other crimes. If we were just looking at one of those players or incidents, we wouldn’t have seen this whole organized crime ring.” While traditional vectors like mail fraud persist, the digital landscape has allowed bad actors to expand their reach exponentially. Technologies such as AI and cloud computing have supercharged criminal capabilities faster than most organizations can evolve their defenses. Beyond just deploying generative AI to create more convincing impostor sites and deepfakes, bad actors can now deploy AI agents to autonomously carry out widescale fraud campaigns. For example, agentic AI has been used in a technique where email addresses are rapidly and sequentially created for use in fraudulent activities. “We see thousands and thousands of them every day, where we see sequential types of emails created and they’re not necessarily in one client,’” Thoma said. “Somebody’s using an email over here to create a bank account and going and buying a pair of sneakers over there.” “Individually, it looks fine; there’s nothing wrong there,” he said. “At a platform level, we see the cumulative effect. It’s a simplistic example, but that type of behavior is a direct output of the scalability of fraud.” Distinguishing Malicious Automation Given agentic AI’s potential to amplify fraud across every channel, the emergence of agentic commerce presents unique challenges for fraud prevention teams. Many of the open questions around agentic transactions center on authorization. In the conventional e-commerce model, the shopper selects items, completes verification, and explicitly authorizes the purchase. When an AI agent acts as the consumer’s proxy, however, new gray areas emerge. “What happens in a chargeback scenario?” Thoma said. “The industry hasn’t got all the answers on that. It’ll slowly emerge, but one of the things that won’t change is history. It’s still you buying it. Especially for physical goods, it’s going to your physical location, it’s going to your name, and it’s probably using your e-mail address to confirm all the details. There’s still a lot of information, even in the agentic world, that’s going to be coming through.” This means that one of the most important considerations for fraud prevention will be the user’s history. Fortunately, this data is already present for many consumers. For example, the organization can confirm the age of an email address, whether it has been actively used, and if there are any red flags associated with it. This historical data becomes a critical point of continuity as organizations design fraud strategies for agentic commerce. “It was always, ‘Let’s look at the negative aspects of what this transaction could present,’” Hoffman said. “Now, we have to be cognizant to bring in those positive signals. What are the good signals that we can lean on? What allows us to interpret or infer more quickly? How do we start to identify what it means to be a positive bot, or to be a good transaction along the line?” A Timeline Event To act on these signals effectively, teams must start from an accurate baseline. A core lesson from AI is that models are only as strong as the data that feeds them. Just as importantly, that data must remain current, especially as consumers’ digital footprints continue to expand. “Many still look at data like it’s a credit report, where it’s a static thing that you see in a piece of paper and that’s it,” Thoma said. “It’s not. It’s a timeline event. If you think about when you were 20 to now, you’ve had different addresses, you’ve had different IPs and different devices. Your name may have changed for different reasons, and your email probably changed one or two times.” “Your profile naturally evolves, so the importance of the data quality and the skill in the overlaying models is to know when that change is abnormal versus normal,” he said. A practical way to evaluate changes in a user profile is through percentage-based shifts. Significant or rapid deviations across key attributes may indicate potential account compromise. Similarly, the repeated use of a single element across multiple account creation attempts can signal synthetic identity activity, where bad actors combine real and fabricated information. “We commonly see that, and its behavior that is distinctly different from somebody who’s just moved addresses,” Thoma said. “Yes, they’ve moved addresses, but a lot of the time when people move, they only move a couple of blocks down. There’s continuity in that profile, where we can still say that even though the profile has changed, it’s still fine.” “That’s a broad example of how important it is to have that data quality,” he said. “Because if you don’t have fresh data to reference, the timeline to reference back further, you can’t say, ‘This is normal behavior for them or not.’ That’s how important it is.” Data for the Whole Organization The growing emphasis on identity verification is driving a widescale shift in how financial institutions approach fraud prevention. Yet opportunities remain to break down data siloes and improve visibility across systems. “We are seeing some evolution in the ability for payments teams and fraud teams to come together quicker,” Hoffman said. “Payments teams are very focused on the transaction and what it means to bring that revenue in. There still is some hesitation for the fraud teams and the payments teams to merge together.” “In the most advanced organizations that I work with, those two functions are working hand-in-hand,” he said. “They know exactly what’s going on from a payments perspective and how that affects the flow of fraud.” The pace and complexity of the threat landscape demand more sophisticated infrastructure. Modern fraud prevention solutions rely on graph-based methods to map relationships between entities—sometimes referred to as fraud topology or halos. These topology-aware systems can enhance detection accuracy while reducing costly false positives. They also enable organizations to apply the right level of friction within the customer journey, including step-up authentication when warranted. While designed for fraud prevention, the benefits of these capabilities often extend well beyond risk teams, strengthening decision-making and operational efficiency across the entire organization. “The data is customer data; it has huge amounts of value,” Thoma said. “You’re seeing their geolocation, behavior, age demographics—all that stuff is extremely important for the business, not just for the fraud team. Everybody thinks that’s a lot of money for fraud prevention, but it becomes very cheap because you’re splitting that into multiple budgets.” “The marketing team can use it for targeted products, and you can increase conversions,” he said. “It doesn’t have to be fraud data, it’s company data for all divisions of that business to use.” The post As Fraud and Agentic Risks Mount, Data Provides Continuity appeared first on PaymentsJournal.

International wires have long been the default for B2B payments—an entrenched system that works, but few would describe as optimal, given multi-day settlement timelines and high fees. But as stablecoins gain traction in cross-border transactions, businesses are starting to ask a more fundamental question: Can we replace wires altogether? In a PaymentsJournal Podcast, Avinash Chidambaram, Founder and CEO of Cybrid, and James Wester, Co-Head of Payments at Javelin Strategy & Research, discussed what would need to happen for stablecoins to become the default mechanism for B2B payments. What’s exciting as well is the possibility of even more use cases across payments, treasury, and remittance. “There are all sorts of things you can do better that you don’t consider to be a problem,” Wester said. “But maybe with new technology, we can do things that you didn’t even know were possible.” Structural Inefficiency Wires work well enough—they move money from sender to recipient, which meets the core need. What most enterprises don’t see, though, is the complex web of systems and intermediaries behind these transactions; they simply build their processes around bank-based payments. Over time, layers of intermediaries have made these systems deeply entrenched and difficult to replace. In the past, this made sense. Moving money across borders and oceans was a treacherous game, and paying a little extra for trust and security was a value-add rather than a painful cost. Now, however, times (and money movement) have changed. Organizations have access to tools that enable simpler, more streamlined alternatives with built-in trust. “The inefficiency isn’t just technological, it’s structural,” said Chidambaram. “Whether it’s correspondent banks, clearing houses, processors, [or] compliance, these experiences that are happening in the background between banks cost both complexity and time, and are hugely inefficient.” Looking for Improvement in B2B Alongside new technology came new expectations of transparency; companies want to track their payment from the second it leaves their account to the moment it lands in a recipient account. However, this is simply not possible with wire transfers. Stablecoins, on the other hand, offer complete traceability—and enterprises are taking note. They can verify, often in near real time, that funds have been received. This visibility is driving growing interest as businesses see clear operational benefits. “Most enterprises are focused on their core business and then they say, ‘OK, well, can I improve some of my operations and finance as a separate thing?’” said Chidambaram. “Now a customer can go into our platform and say I want to make a payment to this invoice and upload that invoice. We can automatically pull the funds from a customer’s account to fund the payment transaction, convert that to stablecoins automatically and then send stablecoin to the recipient’s wallet.” “That can improve B2B payments from two contexts,” he continued. “First, it’s just faster. Secondly, you can see that it’s settled—that [your recipient] actually received the funds.” Improving the User Experience For the longest time, a major barrier to broader digital asset adoption, including stablecoins,  has been poor user experience—complex interfaces and high stakes for errors. Firms like Cybrid are beginning to address these challenges across retail, commercial, and enterprise payments. The experience now goes beyond accessing a wallet to include greater visibility into transaction status and fees. The secret sauce is in programmability. Stablecoins by nature can be programmed—a payments team member can set up rules or triggers, which then guide how payments operate. For instance, payment terms. For instance, if you have to pay a supplier every month, you can create a programmable rule that ensures money lands on time, avoiding late fees or penalties and ensuring business continuity. But the use cases go beyond pre-determined rules and can become dynamic as well.“We’re starting to see people adopting ERP tools that have intelligence built into them,” said Chidambaram, “Where they can say, ‘Hey, your inventory is running low. Or you need to make these payments. Here are all the payables that you have.’ And over time, we’re finding that people are actually wanting to wait as late as possible to make those payments.” Keeping Existing Workflows Accounts payables and receivable teams already operate within established workflows in fiat currencies like the US dollar or Euro—for payroll, invoicing, and more—and are unlikely to overhaul them entirely. The good news, though, is that stablecoins operate in the background. When you make a payment, the recipient receives their local currency automatically (or stablecoins if they choose, but it’s not required). All the while, the business sending those payments benefits from speed, cost efficiency, and transparency. “You’re going to have an organization that says: ‘This is how I do payroll for my local employees, but I need to do this other thing for my contractors overseas and this other thing for my suppliers,’” said Chidambaram. “Some of them might have taken only wires then, but are now accepting stablecoins. They have the ability to pick which rail makes the most sense to solve the problem.” These benefits are especially relevant given the growing complexity of payroll, including irregular schedules and cross-border payments. Stablecoins could play a key role here. For example, enabling early wage access models that allow workers or suppliers to receive funds ahead of traditional pay cycles. “You get paid every two weeks because, in our brains, that’s how you get paid,” said Wester. “That goes back to direct deposit, which goes back to you had to have a check, and that goes back to all sorts of things that go into the processes. Same thing with AR/AP and so many of our payment processes at the corporate level. Now we can rethink a lot of those things.” Something Better For the foreseeable future, stablecoins will coexist with traditional payment rails. Both are necessary to support the trillions of dollars moving through global systems today. But as enterprises, suppliers, and payers grow more comfortable, a larger share of that volume is likely to shift toward stablecoins. “Many people think digital assets and stablecoins are a solution in search of a problem,” Wester said. “I’ll say, well, you know, what you’re doing now is slow, costly, and inefficient, with layers that you can’t see. You don’t think of this as a problem, but maybe that’s because you didn’t know there was anything better.” A key remaining hurdle is integration. Stablecoin payments are not yet embedded in most enterprise software platforms, where traditional methods like wires are still the default. But as vendors evolve and enable easier integration, stablecoins will become more accessible—unlocking even broader use cases. “Banks, PSPS, enterprises, large and small, every one of them have been thinking about stablecoins,” said Chidambaram. “How do I go in my take advantage of this? What are the capabilities I need? Then that starts to unlock people’s minds: What else can I solve with this new payment rail?” The post What Would it Take for Stablecoins to Replace Wire Transfers in B2B Payments? appeared first on PaymentsJournal.

When a shopper is tricked into making a fraudulent purchase, they expect recourse from their financial services provider. These guardrails are one of the reasons credit cards have become predominant in the U.S.—not only can consumers dispute charges after the fact, but many issuers proactively alert users when suspicious activity occurs. Similar protections exist for ACH payments, but they are largely a function of the lag between payment initiation and settlement. With real-time payments, such as those facilitated by FedNow and the RTP network, this buffer disappears. As both systems gain traction, particularly in B2B use cases, fraud prevention strategies must evolve to address payments that are instant and irreversible. In a recent PaymentsJournal podcast, Darren Beyer, Chief Product Officer at Qolo, and Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, discussed how the convergence of faster payments and increasingly sophisticated fraud is fueling a full-scale redesign of fraud prevention architecture. It has also placed a demanding onus on financial institutions to implement highly precise risk controls while preserving the customer experience. The Window Is Closing As faster payments erode the traditional safety net around transactions, institutions must shift fraud detection to earlier stages of the payment process. In the past, organizations benefited from extended review periods, during which funds could be reversed if necessary. That capability is quickly becoming a thing of the past. “In the world of instant payments, specifically around RTP and FedNow, you’ve got an instantaneous movement and settlement of money. And that’s where the problem lies, because there’s no longer time to pull this stuff back,” Beyer said. “There’s no window where you have an ability to say, ‘I really didn’t mean to send it’ or ‘I fat-fingered this particular account number.’” “With that gone, it’s less of an opportunity for the people sending payments to fix problems, and that opens the window for fraudsters,” he said. In this environment, striking the right balance between strong fraud prevention and a seamless customer experience is difficult, especially given the high expectations shaped by card and ACH transactions. These challenges are accelerating the need for real-time decisioning, where firms analyze multiple data points to assess payment risk before processing. However, achieving high decision accuracy will likely require introducing some level of friction. While this may feel new in the context of real-time payments, methods like multi-factor authentication are already familiar to both banks and customers. “Every time I log into YouTube, I get a six-digit one-time passcode,” Beyer said. “If I have to do that for YouTube, why is my financial institution not making me do that? They do when I log in, but if I’m doing a big payment out, shouldn’t the same thing be happening? Isn’t the ‘friction’ of getting a one-time passcode worth the extra two or three seconds it takes to put that into the website? I think the answer is yes.” The challenge lies in applying the right amount of friction in an emerging payments model. This is where step-up authentication plays a key role. It allows institutions to adjust controls, enabling low-risk payments to proceed smoothly while subjecting higher-risk transactions to greater scrutiny. Even so, introducing any friction into the customer journey can raise concerns for financial institutions. “There has been an assumption that strong security will ruin the customer experience, but Javelin has found that good security can improve trust and adoption of certain payment channels and methods and new technologies,” Sando said. “Consumers and businesses want to know that their accounts and their money is protected and that they can trust the institution and the organizations that they choose to do business with.” The Widening Technology Gap Implementing safeguards that remain invisible to legitimate users yet highly effective against bad actors is no small feat, but the tools to optimize this balance are rapidly improving. Artificial intelligence has been instrumental in advancing these capabilities, as it has across nearly every sector. However, many financial institutions have lagged in adopting these technologies. “This is a scenario where it’s so rapidly changing the industry but the traditional players—processors and banks who are operating under a regulatory environment and are operating under an environment where you can’t inhibit people from getting access to their money—they have all these constraints,” Beyer said. “Fraudsters don’t, and they can just start playing with all these great new AI tools.” “There’s always been a gap,” he said. “Fraudsters have always been ahead of the financial institutions and the processors, and the reason for that is they’re more nimble; they’re able to get things done quicker. If you didn’t have that gap, you wouldn’t have fraud.” Unfortunately, this gap is not only persistent but widening. Rapid advancements in generative AI and the emergence of AI agents have enabled cybercriminals to scale both the speed and scope of their attacks. “Bad actors can adopt those technologies quickly, and they’re incredibly creative. I don’t want to give them applause for that, but they’re incredibly inventive in the way that they take risks to use new technology,” Sando said. “It’s difficult for FIs to keep pace when it comes to the adoption of any innovation.” “It’s no surprise that AI is a problem for criminal manipulation,” she said. “But we also know that it’s a huge asset for financial services that they could make great use of in terms of automating certain aspects of the customer experience. Or even the employee experience, for things that maybe used to be a manual review of transactions, or typical tasks that were completed during fraud investigations.” Buttressing the System AI has quickly become central to modern fraud defenses, given its ability to detect anomalies across massive datasets. However, the rise of real-time payments is fueling the demand for intelligent infrastructure that can function as an authentication layer within the payment flow. This is especially critical in commercial environments, where overly restrictive controls can lead to false declines or delays—issues that can quickly escalate into serious operational and reputational damage. Ultimately, faster payments are not just driving the need for better technology, they are forcing financial institutions to rethink their entire approach to fraud prevention. “The organizations that are succeeding in instant payments are going to be the ones that can make the competent decisions on risk just as quickly as that money is moving in that real-time setting,” Sando said. “Fraud detection isn’t just this back-office function anymore, that just happens in the background without real knowledge of it. You have to highlight fraud detection because it’s now a critical piece of the payment experience.” This shift in mindset is essential. The fraud threat is not going away, but institutions can take advantage of one constant: the pursuit of easy money often leads criminals down the path of least resistance. “Fraudsters are always going to find a way, but they are fundamentally no different than anybody else in business,” Beyer said. “They have an ROI, their time is valuable, and they’re going to go where they can make the most out of their time. If your bank or your processor is tougher to get through than your neighbor’s bank or processor, they’re going to go to your neighbor.” “Make your buttress, your fortress, your castle gate—all the armor that you’re going to put around your system. Make that better than your competition and they’re going to go to your competition,” he said. “You’re never going to get a 100% fraud-proof system. Fraudsters will always be ahead, but if you can make yourself better than the people around you, then you’re not going to be the target, they are.” [contact-form-7] The post Instant, Irrevocable Payments Demand a Fraud Prevention Reboot appeared first on PaymentsJournal.