Pay now, protect always: Securing digital payments

Dr Ismini Vasileiou, Associate Professor, De Montfort University and Director, East Midlands Cyber Security Cluster, discusses cybersecurity challenges associated with digital payments and the future of online transactions.

Digital payments are at the heart of today’s economy, but their rapid growth has also made them a prime target for cybercriminals. Securing payment systems is essential to maintaining consumer trust, safeguarding businesses, and enabling continued innovation.

Digital payments are no longer a convenience; they are the foundation of modern commerce. Mobile banking, digital wallets, contactless cards, and instant transfers have become part of everyday life. Yet the speed and scale of this transformation have also created vulnerabilities that criminals are quick to exploit. Cybersecurity has become inseparable from payments: without strong defences, trust erodes, fraud escalates, and innovation stalls.

In this article, I explore the major cybersecurity challenges facing the payments sector, how organisations can prepare for evolving threats, the critical role of collaboration between industry and academia, and why solving the cyber skills shortage is essential for securing the future of digital transactions.

The rising cybersecurity challenges in payments

The rapid growth of digital payments has broadened the attack surface in ways unimaginable even a decade ago. While digital transactions offer speed and efficiency, they also create new opportunities for fraudsters to exploit.

Phishing remains one of the most effective methods used by criminals. By luring customers into revealing login details or one-time passcodes, attackers can easily bypass security controls and gain access to accounts. Account takeover fraud has also become a major concern. With billions of leaked credentials circulating on the dark web, criminals can use automated tools to test usernames and passwords across multiple systems until they find a match.

Beyond consumer-facing fraud, payment providers face systemic risks. Many organisations depend on third-party vendors for services such as payment gateways, cloud infrastructure, or fraud detection tools. A weakness in any one of these links can compromise the entire chain. The supply chain is now a favoured entry point for attackers precisely because it is often less well-protected than primary financial institutions.

More recently, artificial intelligence has become a double-edged sword. On the one hand, AI can help organisations detect fraud more effectively. On the other hand, criminals are beginning to use AI to mimic genuine user behaviour, making it harder for systems to distinguish between real and fraudulent activity. The very tools designed to protect us are being repurposed to outsmart defences.

In short, the threats are escalating in sophistication and scale. Payments, by their very nature, are attractive to cybercriminals because they can be directly monetised. The question is not whether attempts will be made to breach systems, but how resilient those systems are in preventing and responding to them.

How organisations can prepare for cyber threats

The starting point for resilience is recognising that compliance does not equal security. While regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the EU’s Second Payment Services Directive (PSD2) set important baselines, they are not sufficient on their own. Organisations must embed cybersecurity into every layer of their payment systems.

Strong authentication remains critical. Multi-factor authentication (MFA), using biometrics or physical tokens, adds a layer of defence that passwords alone cannot provide. Tokenisation, which replaces sensitive card details with unique identifiers, ensures that even if data is intercepted, it cannot be reused. End-to-end encryption further reduces the risk of compromise.

Equally important is real-time monitoring. Criminals move quickly, and the ability to detect unusual behaviour in seconds rather than days can make the difference between stopping fraud and suffering major losses. Machine learning models can help flag anomalies, but these systems must be continuously updated and tested to remain effective.
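As an added illustration (not part of the original article), the sketch below shows the kind of real-time check described here, applied to the automated credential testing mentioned earlier: it flags a source that fails logins against many different accounts within a short window, then marks any later successful login from that source for review. The event format, the 60-second window, the threshold of five accounts and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_USERS = 5                   # assumed threshold of distinct failed usernames


def sample_events():
    """Constructed login events: (time, source, username, success)."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)

    def at(seconds):
        return t0 + timedelta(seconds=seconds)
    # One source failing against six different accounts, then one success.
    events = [(at(5 * i), "203.0.113.7", f"user{i}", False) for i in range(6)]
    events.append((at(30), "203.0.113.7", "carol", True))
    # A genuine customer mistyping a password twice before logging in.
    events += [(at(s), "198.51.100.20", "dave", ok)
               for s, ok in [(5, False), (12, False), (20, True)]]
    return events


def detect_stuffing(events, window=WINDOW, max_users=MAX_USERS):
    """Flag sources that fail against many accounts inside the window, and
    report any later successful login from a flagged source for review."""
    failures = defaultdict(deque)  # source -> (time, username) of recent failures
    flagged, alerts, suspect_logins = set(), [], []
    for when, source, user, ok in sorted(events):
        recent = failures[source]
        while recent and when - recent[0][0] > window:
            recent.popleft()  # drop failures older than the window
        if ok:
            if source in flagged:
                suspect_logins.append((when, source, user))
            continue
        recent.append((when, user))
        distinct = len({name for _, name in recent})
        if distinct >= max_users and source not in flagged:
            flagged.add(source)
            alerts.append((when, source, distinct))
    return {"alerts": alerts, "suspect_logins": suspect_logins}


if __name__ == "__main__":
    result = detect_stuffing(sample_events())
    for when, source, count in result["alerts"]:
        print(f"{when} ALERT {source}: {count} accounts failed within {WINDOW}")
    for when, source, user in result["suspect_logins"]:
        print(f"{when} REVIEW login as {user} from flagged source {source}")
```

Counting distinct usernames rather than raw failures is what keeps the customer who mistypes a password twice from triggering the alert.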

Preparation is not only technical. Organisations also need robust governance and clear incident response plans. Too often, the first time an organisation discovers the weaknesses in its processes is during a live attack. Regular testing, tabletop exercises, and red teaming can reveal gaps and strengthen resilience before they are exploited.

Finally, consumer education cannot be overlooked. Even the most secure payment systems can be compromised if individuals are tricked into divulging their credentials. Clear communication, timely alerts, and simple guidance can empower consumers to act as an additional line of defence rather than a weak point in the chain.

The power of collaboration between industry and academia

No single organisation can address these challenges alone. Cybersecurity in payments is a collective endeavour, and collaboration is key. Industry and academia each bring distinct strengths to this effort, and when combined, they can accelerate innovation and resilience.

Academic researchers can provide the theoretical models, frameworks, and experimental approaches needed to tackle complex problems. For example, universities are developing new algorithms to detect anomalies in payment data and studying the human factors that lead individuals to fall for phishing scams. Industry, by contrast, has access to real-world datasets, operational constraints, and the scale needed to test solutions in practice.

Collaborative projects allow both sides to benefit. Payment providers can trial new fraud detection methods in controlled environments, while researchers gain invaluable insights from real-world feedback. This partnership also extends to policy. Academia can provide evidence-based analysis to shape national strategies, while industry ensures that regulations remain practical and aligned with operational realities.

The importance of such collaboration has been highlighted in recent UK initiatives, where clusters of businesses, universities, and local governments have come together to address regional cyber resilience. These efforts demonstrate that collective intelligence is stronger than isolated responses. Payments, given their centrality to economic activity, should be at the forefront of such initiatives.

Addressing the cyber skills shortage

Even the most advanced technologies and collaborative frameworks cannot succeed without skilled professionals to design, implement, and maintain them. The cybersecurity industry faces a global shortage of talent, and the payments sector is no exception.

This shortage manifests in two ways. First, there are simply not enough qualified professionals to meet demand. Second, the diversity of skills required is expanding. It is no longer enough to have technical expertise alone; professionals must also understand regulatory environments, consumer behaviour, and business risk.

Training the next generation of cyber professionals is urgent. Universities, employers, and governments all play a role in developing pathways into the sector. This is a theme also emphasised in the recent white paper I authored, ‘Cyber Workforce of the Future’, which sets out the case for a unified cyber skills taxonomy and new approaches to education and training. Apprenticeships, work-based learning, and short professional courses can complement traditional degree programmes, providing multiple entry routes into cybersecurity careers.

Diversity is another crucial factor. The industry cannot afford to draw talent from a narrow demographic pool. Encouraging underrepresented groups into cybersecurity, whether through mentoring, scholarships, or inclusive recruitment practices, widens the pipeline and enriches the sector with varied perspectives.

Without a sustained investment in skills, the payments industry will struggle to keep pace with the innovation of criminals. Skills are as critical to resilience as technology itself.

The future of secure digital payments

The digital payments revolution shows no sign of slowing down. As more transactions move online, the risks grow in tandem with the opportunities. Phishing, account takeovers, supply chain vulnerabilities, and AI-driven fraud all present real and pressing threats.

To secure payments, organisations must move beyond compliance to embed robust cybersecurity measures, including strong authentication, continuous monitoring, and tested response plans. Collaboration between academia and industry offers a powerful way to innovate, test, and scale solutions. Yet none of this is sustainable without addressing the cyber skills shortage that threatens the sector’s ability to defend itself.

Ultimately, protecting payments means protecting trust. Without trust, consumers will hesitate to adopt new payment methods, innovation will slow, and the digital economy will falter. Cybersecurity, far from being a technical afterthought, is the foundation upon which the future of payments must be built.
