Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.
In this edition of The AI Exchange, In-Solutions Global Ltd Managing Director, Adelia Castelino, offers insight into how her company is using AI, and how this rapidly growing technology is shaping the future of payment security.
How have you most recently incorporated artificial intelligence within your organization?
AI is no longer a future consideration; it is the operational backbone of secure, scalable, and intelligent payment infrastructure. We have integrated AI across multiple enterprise functions:
Payments risk & financial crime controls
- Within our payments risk and financial crime controls, AI operates continuously in the background, flagging suspicious customers/merchants as they are onboarded, learning from emerging patterns.
- Instead of relying only on static rules, we use anomaly monitoring across channels to spot subtle deviations—whether they appear in customer or merchant behaviour, or operational flows—before they escalate into loss events.
- For Anti-Money Laundering (AML) investigations, adaptive risk scoring helps us prioritise what matters most, pushing higher-risk cases to the top of the queue while reducing noise and enabling investigators to spend time where it has the greatest impact.
Software engineering & delivery productivity
- In software engineering, AI-assisted development supports teams with contextual code suggestions and refactoring, helping engineers move from idea to implementation faster while maintaining quality and consistency across the codebase.
- Code review agents, utilized for coding, security and compliance standards using a shift-left approach, help develop maintainable, secure and compliant code.
- By augmenting reviews with automated checks, we detect defects earlier in the delivery cycle, reducing rework and giving teams clearer visibility into risk before changes reach production.
- We are also using automation to generate test cases and strengthen regression coverage, so releases remain stable even as product scope expands and delivery cadence increases.
- Guard-rail hooks are in place to block user prompts containing sensitive Personally Identifiable Information (PII), other sensitive data and risky tool commands.
Product design & internal operations
- For product design, generative AI accelerates early-stage exploration, turning rough concepts into User Interface and User Experience (UI/UX) options and prototypes quickly, so stakeholders can align sooner and iterate with clearer direction, which leads to faster product shipping.
- Internally, we use AI to support workflow ideation and process documentation, capturing how work is actually done and making it easier to standardise, improve, and scale operations across teams.
- We also apply summarisation and knowledge-reuse capabilities to reduce time spent searching through internal material, helping teams extract key decisions and insights from documents and communicate them more effectively.
What is the most significant change you’ve seen in your organization since AI use has become so much more prevalent?
The most significant change has been a shift from reactive operations to predictive, policy-led execution. AI is now embedded in day-to-day risk and delivery processes, reducing manual load, improving decision consistency, and accelerating how quickly we can ship improvements without compromising controls.
- Operational efficiency (less manual work, faster throughput): AI has reduced hands-on effort across fraud triage, reconciliation, and routine documentation by automating first-pass review and summarisation. Teams spend less time on repetitive sorting and data gathering, and more time on higher-value investigation, exception handling, and control tuning.
- Data-driven decisioning (earlier signals, more consistent actions): Instead of relying primarily on static rules and hindsight reporting, predictive alerts and risk scoring surface emerging issues sooner and help standardise how we respond. This makes decisions more explainable and repeatable—especially during peak volumes—because actions and escalations are triggered by defined risk signals rather than individual judgement alone.
- Innovation velocity (faster delivery with stronger guardrails): AI-assisted software development has improved engineering productivity across design, coding, review, and testing. We move from idea to implementation faster through better drafting and refactoring support, earlier defect detection, and more automated test generation while retaining human oversight and security checks for high-impact changes.
- Higher cross-functional collaboration: Giving the right amount of visibility to the relevant stakeholders in the hierarchy has resulted in greater and more efficient collaboration across verticals such as Business, Operations, Product, Technology, Finance, Cybersecurity and Compliance.
Taken together, these changes mean we operate with higher signal-to-noise, shorter cycle times, and more scalable controls. The result is a more resilient organisation; teams can respond quickly when risk increases and still keep delivery and compliance disciplines intact.
How do you see AI evolving or impacting payment security in the future?
AI is set to become the primary shield for payment security, taking charge of real-time fraud detection and policy enforcement. By leveraging advanced machine learning algorithms, AI systems can continuously monitor transactions, swiftly identify unusual patterns, and automatically flag suspicious activities. This automation not only enhances the speed and accuracy of fraud detection but also ensures that security policies are consistently applied without manual intervention. As cyber threats evolve, AI will adapt and improve its responses, offering proactive protection against increasingly sophisticated attacks. Predicted adoption: by 2026, 60% of banking and payments institutions will use AI-augmented decision engines for core risk operations.
- Real-time defence and automated enforcement: AI will increasingly act as the first line of defence, monitoring transactions continuously, detecting fraud patterns in real time, and automatically applying security policies with consistent outcomes.
- Agentic orchestration with compliance built in: Agentic AI will coordinate multi-step payment workflows (authentication, validation, exception handling, settlement) while embedding compliance controls aligned to PCI DSS and the PCI SSC AI Principles—reducing manual handoffs and human error.
What potential risks should organizations consider as AI becomes more integrated into payment security?
As AI becomes more embedded in payment security workflows, organisations should manage a set of interrelated risks spanning data protection, model integrity, operational resilience, and third-party dependency:
- Data leakage & confidentiality: Large Language Models (LLMs) and AI agents can expose sensitive information through prompts, outputs, logs, or unintended training retention. Controls should include strong data minimisation, redaction, access boundaries, and clear rules on what data can be sent to models.
- Prompt injection, jailbreaks & data poisoning: Adversarial inputs (or compromised upstream data) can steer the model to ignore safeguards, disclose restricted content, or make unsafe decisions. Mitigations include input validation, tool/permission gating for agents, retrieval hardening, and monitoring for anomalous prompts and outputs.
- Bias, fairness & explainability: Models can amplify historical bias or produce outcomes that are hard to justify to customers, regulators, or auditors. Ongoing evaluation, documented decision logic, and human review for high-impact cases help reduce discriminatory outcomes and improve accountability.
- Over-automation & control failures: When too much authority is delegated to AI (especially agentic workflows), errors can propagate quickly and at scale. Define “human-in-the-loop” checkpoints, escalation paths, and kill-switches for edge cases, novel attack patterns, and high-stakes decisions.
- Vendor & supply-chain risk: Third-party AI services may be opaque, change without notice, or introduce data residency, subcontractor, and availability risks. Contracts and due diligence should cover transparency, security controls, incident response, audit rights, and model/version change management.
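A constructed guard-rail hook of the kind mentioned in the engineering answer above and in the data-leakage and prompt-injection points here: it blocks prompts that try to steer an agent into risky tool commands and redacts card numbers and e-mail addresses before anything reaches a model. This is an added example, not In-Solutions Global's code; the Luhn check, the regexes, the deny-list and the sample prompts are assumptions.

```python
import re

# Constructed patterns (assumptions, not a production rule set).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Hypothetical deny-list of tool commands an agent must never be steered into.
RISKY_TOOL_COMMANDS = ("rm -rf", "drop table", "curl ", "wget ", "chmod 777")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> tuple:
    """Mask Luhn-valid card numbers, keeping only the last four; return (text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return "[PAN:" + digits[-4:] + "]"
        return m.group(0)     # digit run that is not a card number: leave as-is

    return PAN_RE.sub(repl, text), count


def screen_prompt(prompt: str) -> dict:
    """Decision hook: block on risky tool commands, otherwise allow with PII redacted."""
    lowered = prompt.lower()
    hits = [c for c in RISKY_TOOL_COMMANDS if c in lowered]
    if hits:
        # Block rather than redact: a command deny-list hit is a gating decision.
        return {"action": "block", "reason": "risky_tool_command", "matches": hits}
    text, pans = redact_pans(prompt)
    text, emails = EMAIL_RE.subn("[EMAIL]", text)
    return {"action": "allow", "prompt": text, "redacted": {"pan": pans, "email": emails}}
```

A blocked decision should be logged with the matched rule, not the raw prompt, so the log itself does not become a second leakage path.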
What advice would you provide for an organization just starting their journey into using AI?
Start with strategy and use cases
- Prioritise low-risk, high-value use cases (e.g., summarisation, internal search, assisted triage) to build confidence and demonstrate ROI.
- Define success criteria up front (quality, latency, security, and operational impact) so pilots translate into scalable capability.
Put governance and controls in place early
- Maintain a model inventory (purpose, data sources, owners), versioning, and approval gates for changes.
- Use human-in-the-loop checkpoints for high-impact decisions, plus monitoring, incident response, and rollback/kill-switch procedures.
- Align controls to PCI DSS, the PCI SSC AI Principles, and applicable local regulations (including data residency and retention expectations).
Build capability across people and partners
- Train teams on secure prompting, data handling, model risk, and how to validate AI outputs in operational contexts.
- Vet vendors for transparency, auditability, data handling commitments, and change-management discipline (model updates, subcontractors, and SLAs).
What AI trend (not limited to payments) are you most excited about?
Agentic AI & autonomous workflow orchestration: AI systems that can plan and execute multi-step business processes end to end while staying within defined rules, approvals, and compliance boundaries.
- Shorter cycle times through fewer manual handoffs and faster exception resolution
- More consistent outcomes by enforcing policy and controls in every step of the workflow
- Better auditability when actions, inputs, and decisions are logged as part of the orchestration
Responsible AI operationalisation: The shift from AI experimentation to production-grade governance where models are measurable, controllable, and safe to run at scale using frameworks such as NIST AI RMF and the PCI SSC AI Principles.
- Clear ownership, risk assessment, and approval gates for models and updates
- Ongoing monitoring for drift, security threats, and unintended outcomes
- Audit-ready evidence (testing, controls, and documentation) that builds trust with customers and regulators