Identity Is the New Perimeter

As e-commerce accounts for more and more payment transactions, the need to ensure a transactor’s identity is more and more crucial.

Traditional notions of identity in payments are quickly shifting, reflecting the growing use of an online component not just for card-not-present but also in-person transactions. It’s a changing dynamic further affected by criminal behavior, the speed of payments, and regulatory pressure. The need to ensure someone is authentically who they indicate they are is unending.

What has changed in the past few years is the fraud landscape, says Jason Bartolacci, director of the ProSight Fraud Alert Network, a part of the St. Louis-based ProSight Financial Association. It formed in 2024 with the merger of the Bank Administration Institute and the Risk Management Association.

Now, there are more fraud threat actors. The dollar amount of fraud activity has seen steady increases. Fraud is easier to commit using artificial-intelligence tools that can mimic authentic documents, commit attacks at scale, and make phishing attempts even more genuine-appearing, Bartolacci tells Digital Transactions, adding, “Everything is moving to digital channels any way.” He points to data from the FBI’s Internet Crime Complaint Center as evidence. It says fraud losses totaled $16.6 billion in 2024, up 33% from 2023’s $12.5 billion.

That shift has pushed payments providers to rethink what trust actually means.

“Trust is now the core currency of digital payments, and proving identity is no longer about static credentials alone. The future of trust in payments is behavioral: it’s about continuously verifying whether an action aligns with trusted, real-world economic behavior,” says Brigette Korney, global head of performance optimization at the processor Adyen N.V.

Beyond human-driven transactions, new models are also reshaping identity risk.

That means digital identity is a frontline issue now, in part because agent-led commerce is distancing humans from interactions, says Tyler Kattre, president of Madison, Wis.-based Wind River Payments. This is making digital identity a critical payments issue. “As automated systems increasingly initiate transactions, payment platforms need systems to confirm that an agent was authorized by a real, verifiable individual,” Kattre says.

Fraud on an ‘Industrial Scale’

What appears to be emerging is multiple avenues not only to the authentication of legitimate payments initiators but also to the weeding out of threat actors.

One tool that’s growing in use is behavioral indicators, says Dan Holmes, vice president of product planning and strategy at Feedzai. Fraud and identity had existed as separate factors, but that is changing, he says. Fraud is no longer just about a fraudster getting someone’s credential, but getting an individual to act on the fraudster’s behalf. “Behavioral identity diverts from traditional identity,” Holmes says.

This evolution of fraud and fraud prevention has added an intent element. It’s not enough in some instances to verify a user is legitimate. Now, it’s crucial to tell whether the action he or she wants to make aligns with his or her intent or that of a criminal manipulator. “It’s now changing from access to identity,” Holmes says. “And the intent of the Web session.”

One culprit is the rise of artificial intelligence into the greater arena, beyond just business uses. “AI makes it much easier to spin up nonexistent businesses,” says Dan Frechtling, senior vice president of product and strategy at LegitScript, a Portland, Ore.-based compliance-services provider.

“AI-driven tools allow criminal networks to create fraudulent identities and storefronts at scale, faster than manual monitoring teams can detect them,” he says. “AI generators produce unique imagery and professional-looking Web sites, helping criminals evade detection tools that typically flag recycled stock photos or duplicated content.”

That pressure is codified by programs such as Visa Inc.’s Acquirer Monitoring Program, which consolidates fraud and dispute monitoring into a single platform with streamlined remediation and ongoing thresholds, Frechtling says.

The result of all this change is the potential for a new trust model, one that incorporates behavioral-identity elements, multiple layers of signals, and assessments of the risk of each piece of identity data.

“With the accessibility of generative AI tools, it has become so much easier for fraudsters to impersonate someone,” Philipp Pointner, chief of digital identity at Jumio, a Sunnyvale, Calif.-based identity-intelligence company. “Personal data that is easily compromised online is being fed into AI systems, enabling hackers to generate fraud at an industrial scale. Fraudsters are generating thousands of synthetic identities in minutes with the click of a single button.”

‘Log in And Pay’

In practical terms, this threat could also make traditional organizational silos more permeable.

“What we are witnessing is the need for different kinds of teams to work more closely to solve this puzzle,” says Andy Mortland, vice president of product and development at Accertify, an Itasca, Ill.-based fraud-prevention services company owned by private-equity firm Accel-KKR.

“Risk, fraud, and loss prevention teams have historically been the most obvious groups to look after anything related to payments,” Mortland adds. “But increasingly, we see [chief information security officers] and [information security] teams getting involved, as they have different types of visibility into accounts, identity, [and] protecting customers. We think there is increased urgency for finance and risk teams to get closer to their CISOs, combine signals and intel, and work together to solve some very challenging identity-related challenges.”

Technologies to counter this include better liveness detection, behavioral data, device intelligence and session integrity, biometrics, and agentic AI use, observers say.

“We’ve reached a point where human intuition or the digital-verification strategies of yesterday are no longer enough—we need AI to fight AI,” Pointner says. “Advanced liveness detection is necessary with the sophistication of today’s deepfakes. This AI technology can analyze a person’s face and check for signs of life, such as blinking, subtle movements, and lighting, to prove the person behind the screen isn’t just a camera injection.”

Elements such as device intelligence and session integrity are important because they can provide context for a user’s actions.

“We are moving toward a world where identity and payments are no longer disjointed events, but rather a single, unified action, sometimes described as ‘Log in and Pay,’ says Israel Mazin, chief executive and cofounder of Memcyco Inc., an Israel-based digital risk-protection company. “By establishing trust upstream through continuous session integrity, we ensure that manipulation is detected before it turns into an authorized loss.”

Continuous Verification

Detection has always been the key. In the near term, it becomes more important as payments companies adopt agentic AI in their fraud-prevention efforts, more consumers adopt digital wallets, and technology consolidates to make AI easier to access.

“Within two to three years, I believe there will be a mass rollout of digital identity that will become as seamless as [what] tap-to-pay did for payments and it will live on your phone like a digital wallet, effectively ending the era of carrying physical plastic cards,” Pointner says.

“In this end state, when you provide proof of identity, the vendor receives the verification they need, but the proof stays with you,” he continues. “This eliminates the creation of centralized data honeypots that are attractive to hackers and creates a more secure and seamless digital environment where identity is portable and privacy-centric.” Europe, for example, has a digital-wallet mandate requiring each member state to create at least one certified and interoperable wallet by year’s end.

A realistic end state could include continuous verification that replaces point-in-time checks. It would also likely include portable and reusable digital identities, adaptive authentication, and clear accountability, such as the ability to explain and defend why a merchant was approved and retains support, “not simply that onboarding requirements were met,” says Leo Patching, chief executive of Kompliant, a LegitScript company.

“That shift is being driven by two forces,” adds Patching. “First, card-network programs now measure real outcomes, like fraud and disputes, and require remediation when thresholds are exceeded, rather than relying on static compliance artifacts. Second, the industry has recognized that transaction-monitoring explains what already happened, while merchant intelligence determines who you are still funding.”

‘Hitting Walls’

Coordinating all of this will take more collaboration among payments companies, Bartolacci says, especially as more digital channels emerge and their use grows. “Every feature or convenience for a user also is a convenience for a threat actor, too,” he says.

A view that fraud prevention is a journey, not a destination, can be helpful in the emerging digital-payments arena.

“Today, the most successful use cases blend identity, authentication, and payment authorization into one continuous, adaptive process,” says Saurabh Joshi, president of payments at Fort Worth, Texas-based CSG Forte Payments Inc.

“Meanwhile, agentic AI-powered risk engines evaluate context in milliseconds and decide when to step up or silently approve,” he adds. “For customers, behavior and biometrics do most of the talking, so they rarely need to take more steps with passwords and onetime codes. Good customers almost never feel the machinery, and bad actors keep hitting walls.”