
The Green Sheet Online Edition

January 08, 2024 • Issue 24:01:01

Rolling out 2024 – Part 2

By Dale S. Laszig

The word evolve, derived from the Latin "evolvere," means to unroll, a fitting description of the payments industry's cyclical journey of embracing and replacing technology. In this second article of our series forecasting the coming year, industry leaders assess the potential impact of the top trends they see. Most experts cited herein agree credit cards, paper checks and other incumbent technologies remain resilient in the face of next-gen solutions. POS terminals, for example, continue to evolve alongside wearable, commercial off-the-shelf and virtual devices.


Simon Khalaf, CEO at Marqeta, has seen credit cards evolve from a one-size-fits-all model to highly personalized experiential products that adhere to individual users' personal preferences. With more than 570 million credit cards in circulation in the United States, he anticipates more such hyper-personalization in the coming year.

"In 2024, I expect to see a transformation driven by the proliferation of embedded credit capabilities that allow brands to integrate customized rewards into their shopping experiences, and extend their reach beyond their own properties, and turn every payment action into a loyalty and re-engagement moment," he said. "Marqeta's research shows that 74 percent of U.S. consumers believe there is room to personalize rewards based on individual spending habits, showing the demand for credit providers to create individualized rewards and credit experiences."

He believes this consumer-driven expectation will compel more brands to offer financial services and offer credit themselves, which will help pave the way to co-branded card experiences. Ultimately, he noted, this trend will transform store credit cards from generic payment instruments to "the very heart of a brand's customer experience."

Can't touch this

Brad Hyett, CEO at phos by Ingenico, has seen an uptick in contactless payments and predicts this will continue to scale. "In 2024, Ingenico anticipates that the contactless payment trend will advance to the next level of accessibility and adoption," he said, noting that SoftPoS, also known as tap-to-mobile or tap-to-phone, allows merchants to use smartphones and connected devices to accept contactless payments, which he said is secure and compliant with PCI standards for mobile payments on commercial off-the-shelf devices.

Touchless technology is poised to disrupt the industry, Hyett noted, as diverse merchants use mobile devices to complement existing systems or accept contactless payments at roadside stands, food truck counters, ride-shares, pop-up shops, event concessions and more. He also mentioned that merchants are enhancing checkouts by offering preferred payment methods, dynamic currency conversions and buy now, pay later options at stores and online.

Independent software vendors with increased transaction volume and residuals can leverage these trends, he stated, predicting that worldwide SoftPoS will grow at an impressive 20.4 percent CAGR to reach $1,077 million by 2030.

Rising volumes, regulatory oversight

Scott Dawson, head of sales and strategic partnerships at DECTA, has seen a resurgence of debit usage, largely driven by real-time payments. "The world is increasingly digital with more payment methods than ever before so what was a simple matter of complexity will get ever more intricate," he said. "Factor in the volume of payments too; across the board the number of transactions using debit cards is increasing, for example there were 2.2 billion debit card transactions in July 2023, 4.9 percent more than the same period the year before."

Businesses need to meet this upward trajectory throughout 2024, Dawson stated, noting that preparedness and finding the right regulatory, security, processing and acquiring partners will be key to success in the coming year. Payments are increasingly swift and convenient for shoppers, but underneath the surface they are vastly complex, with even the simplest transaction going through a number of different processes and entities before it is complete, he added.

Troy Leach, chief strategy officer at Cloud Security Alliance, agreed organizations must prepare for massive regulatory changes, particularly regarding third-party service providers, generative AI and geo-political impacts on global cross-border payments.

"For regulation, it will be looking at cloud and other services that financial services are reliant upon and maturing demonstration to regulators of their resiliency," he said. "We already have clear expectations from DORA [Digital Operational Resiliency Act] in Europe with enforcement planned for 2025-2026. PCI DSS v4.0 has many new requirements for 'multi-tenant service providers,' and the U.S. Treasury along with several other U.S. federal agencies have begun work on exploring the role and influence of cloud service providers in critical infrastructure."

Human, artificial intelligence

Leach also expects generative AI to impact customer journeys in 2024. "We will likely see more code developed by machine learning that is truly built with security in the design, but we will also see faster exploits of known vulnerabilities," he stated. Unfortunately, he noted, fraudsters will also deploy AI-driven attacks, which will require a proportional response driven by machine learning and human intelligence rather than manual gatekeeping.

Crime-as-a-service offers AI tools to novice criminals with little technical knowledge, Leach noted, stating easy-to-use interfaces like FraudGPT and WormGPT enable newly minted criminals to deploy a variety of scams and fraudulent attacks at scale.

"Generative AI will create unique, well-crafted social engineering attacks that are much harder to detect, at a volume and quality never before seen," he said. "This includes easy ways to circumvent several forms of bio-authentication and to spoof people in authority using video and audio representations from credible-looking sources." In this climate, authentication will be disrupted like never before, Leach added, underscoring the need for multi-factor authentication at all points of interaction. On the bright side, he said, machine learning is becoming adept at reverse engineering code, which will help merchants and providers verify and authenticate consumers and transactions.

Advanced, automated attacks

Jeff Zitomer, senior director, product management, emerging products at HUMAN, has observed that half of today's internet traffic is made up of bots. There are positive bots, he said, such as Google's crawler, and there are malevolent bots that use advanced, automated technologies to attack websites in ways that are difficult for service providers and end-users to detect. "Think of the Facebook 'Like' button, the checkout with PayPal button or the Klarna buy now pay later button," he said. "These buttons use JavaScript from PayPal, Klarna, Facebook, Pinterest and TikTok. Then Google Analytics and advanced analytics vendors record these sessions and provide product managers with heat maps of where users are clicking on sites."

Through it all, he noted, JavaScript scrapes and records user data, including payment card data and login credentials, which advertisers leverage to retarget users with recently viewed items. These activities use scripts that load dynamically from across the internet, bypassing change management and security controls while relying on third party providers and leaving original website owners with little to no control over what's running on end-user browsers, he said.

PCI DSS v4.0 addressed these issues, Zitomer noted, with the following requirements:

  • Requirement 6.4.3: requires merchants to confirm that scripts are authorized, that their integrity is assured and that they are inventoried with a written justification of why each script is necessary.
  • Requirement 11.6.1: requires merchants, including those who outsource payment processing to third-party payment service providers, to deploy change and tamper detection mechanisms that alert personnel when HTTP headers and page content are modified without authorization.
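As an added illustration of the two requirements above (not code from the article, Zitomer, HUMAN or the PCI SSC), the following Python sketch audits a captured payment page against a script inventory and a header baseline. The hosts, script body, inventory layout, finding labels and header values are all constructed assumptions, and only external scripts are checked.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit_page(html, headers, inventory, baseline_headers):
    """Return findings for scripts outside the inventory and changed headers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        entry = inventory.get(src)
        if entry is None:                       # not in the inventory at all
            findings.append(("unauthorized-script", src))
        elif not entry.get("justification"):    # inventoried, but no written reason
            findings.append(("missing-justification", src))
        elif integrity != entry["sri"]:         # page does not pin the approved hash
            findings.append(("integrity-mismatch", src))
    for name, expected in baseline_headers.items():
        if headers.get(name) != expected:       # header differs from approved baseline
            findings.append(("header-changed", name))
    return findings

# Constructed sample data (hypothetical hosts, script body and header values).
PAY_JS = b"console.log('constructed payment widget');"
INVENTORY = {"https://pay.example/checkout.js": {
    "justification": "Renders the hosted pay button", "sri": sri(PAY_JS)}}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://pay.example"}
SAMPLE_HTML = (
    f'<script src="https://pay.example/checkout.js" integrity="{sri(PAY_JS)}"></script>'
    '<script src="https://cdn.example/heatmap.js"></script>')
SAMPLE_HEADERS = {"Content-Security-Policy": "script-src *"}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, SAMPLE_HEADERS, INVENTORY, BASELINE_HEADERS):
        print(finding)
```

Each finding would feed the alert to personnel that Requirement 11.6.1 calls for; a run against an unmodified page with baseline headers returns an empty list.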

Shadow APIs

Unknown and unmanaged APIs, also called "shadow APIs," pose security risks, as well, according to Laurent Van Huffel, senior vice president, financial services at Axway. Citing the Cequence 2022 API Protection Report, he noted that sophisticated attackers study APIs and exploit security flaws, such as weak authentication and excessive data exposure, while eluding detection.

"Shadow API was the leading source of API security risks, followed by API abuse or OWASP API10+ and the 'Unholy Trinity' of credential stuffing, shadow API and sensitive data exposure," he said, adding that these risks highlight the need for organizations to have visibility and control over all APIs. Protecting APIs will be critical in open banking, Van Huffel said, adding that the Consumer Financial Protection Board's proposed personal data financial rights rule, which is slated for enforcement in 2024, will help move banks away from screen-scraping as a data-sharing mechanism and toward publishing APIs, hopefully using the FDX standard. The proposed rule will make it easier for consumers to break up with banks that provide bad services by offering data portability, which is akin to keeping a cell phone number when changing carriers, Van Huffel stated. Noting that Gen Z will make up 27 percent of the labor force by 2025, he suggested enhanced data portability will help banks and credit unions retain customers while attracting this vital demographic.

"A growing number of financial institutions will adopt open banking and embedded finance strategies, leading to the creation of new ecosystems in partnership with fintechs," he said. "This will require a move from old fashioned 'dev portals' to modern storefront technology that allows API curation and productization, automated onboarding of third-party vendors who will consume these API products, subscription management, and greater API adoption."

Artificial and human intelligence

One of the biggest developments of 2023 was the emergence of generative AI, which Leach expects will follow the same cycle as other disruptors that require enterprises to re-evaluate approaches to authentication and transaction security.

"Because so many marketers have overly used the term in every email, I've seen senior payment leaders begin to think this was just the popular word du jour," he said. "This will be transformative and follows the same cycle of the internet, smart mobile devices and cloud computing as the next very disruptive technology that will be much more quickly adopted and force the speed of business to operate faster and differently."

Charbel Safadi, president of modernization and transformation at Zafin, added, "Many organizations are considering the adoption of generative AI technologies. The central question revolves around how AI can effectively be utilized to reassess and improve product design, customizing offerings for each individual. This transition not only poses a challenge but also presents an opportunity." Safadi went on to say that AI has the potential to centralize and grant access to everyday data encountered by most organizations. The focus should pivot to creating dynamic product offerings that align with each customer's stage of life, priorities and preferences, he added.

Venkataraman Balasubramanian (Bala), CTO at Zain, suggested generative AI is a subset of AI and embedded analytics. "In the same vein that generative AI is an opportunity, it is also overhyped," he said. "As an LLM-based technology, generative AI needs a body of literature to review, and if more and more content providers protect their content and stricter regulations come into play, then it may be used less."

What's old is new again

Reflecting on the cyclical payments journey, DECTA's Dawson noted that AI is hardly new. "The payments industry has been using artificial intelligence and machine learning for years," he said. "Every time you make a payment, anti-fraud checks are carried out by what are effectively AIs, and it's been this way for years."

AIs can help users create realistic words and images, but Dawson believes organizations would rather use AI to increase productivity than chase a moonshot. The basis of AI technology has been around for years, he said, but it really took off in 2023, thanks to ChatGPT. Regulators will be hard-pressed to keep up with technology that evolves this fast or anticipate its full capabilities, he added.

Dale S. Laszig, senior staff writer at The Green Sheet and founder and CEO at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter https://twitter.com/DSLdirect


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
