Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.
In this edition of The AI Exchange, SecurityMetrics Vice President of Forensic Investigations, Aaron Willis, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security.
How have you most recently incorporated artificial intelligence within your organization?
One of the most tedious aspects of forensic investigations can be trying to find malicious code buried in thousands or even tens of thousands of lines of otherwise normal code. While AI is being integrated into nearly all aspects of our forensic work, including report writing, advanced heuristics, and monitoring, the biggest impact has been taking advantage of AI’s ability to quickly inspect vast amounts of code where digital skimmers, loaders, or other malware may be hidden, often behind conditional logic operators.
We’ve integrated our forensic AI tools directly into the payment process at the exact moment the customer is typing in the credit card information so that it can oversee the entire process from start to finish and detect suspicious activity, vulnerabilities, and zero-day-payment hacks in a way no current solutions could ever hope to match. Our tool is called Shopping Cart Monitor, and it helps fulfill the PCI DSS requirements 6.4.3 and 11.6.1.
We recently launched another tool utilizing AI, called Spectre AI. It’s designed to help banks and payment service providers manage the risk of their merchant portfolios. Spectre AI helps users find risks within their merchant portfolios by scanning ecommerce websites and identifying those with vulnerabilities verified to lead to remote compromise. This helps reduce portfolio risk and increase a portfolio's value by highlighting the merchants who need targeted efforts to address their high risk of compromise. It automatically runs every month, predicting and forecasting which merchants are most likely to experience a fraud event. As risk trends change, users stay up-to-date by connecting additional fraud vector data into Spectre AI for analysis.
What is the most significant change you’ve seen in your organization since AI use has become so much more prevalent?
The rate at which we are adopting and adapting AI into our forensic work is both thrilling and frightening. Tasks that we formerly allocated days or even weeks to accomplish can now be done in minutes or hours. It has become almost unthinkable to try to perform such tedious tasks as code reviews, log reviews, and packet analysis without at least some AI assistance.
How do you see AI evolving or impacting payment security in the future?
We have no choice. We will use AI to fight AI, or we will lose the war. Bad actors have no ethical dilemmas or best practices with which to wrestle. They are using AI to implement adaptive and stealth payment malware in new and even unimaginable ways.
As we implement defensive AI, we must grapple with how to do it in ways that preserve privacy, intellectual property, integrity and human oversight, and we must do so at a speed that keeps us in the battle.
What potential risks should organizations consider as AI becomes more integrated into payment security?
- Dependency: Can you get the job done without AI? If not, you are abusing it.
- Accuracy: AI has become infamous for its ability to hallucinate.
- Authenticity: “AI slop.” Don’t let AI ruin your reputation for quality work.
- Deception: AI can now mimic your favorite vendor, calling you directly, asking to change payment details in their own familiar voice. A healthy amount of skepticism is necessary to stay secure as AI evolves.
What advice would you provide for an organization just starting their journey into using AI?
AI has reached a point where it can be an amazing tool for a skilled programmer, pen tester, forensic analyst, or to enhance the productivity of just about any position. The temptation will be to eliminate expensive, skilled workers and rely on less skilled workers to produce similar output using AI. We are not there yet.
AI makes good employees better, mediocre employees risky, and bad employees dangerous. Keep your good people.
Always have a human review any work or output of AI for accuracy.
What AI trend (not limited to payments) are you most excited about?
We are already seeing autonomous vehicles, such as taxis, operating in certain cities. As AI takes over transportation, gridlock and shipping delays will become a thing of the past. AI will treat roads like network lanes and route you (human data) along the most efficient path to wherever you are going. This could reduce or even eliminate the need for traffic lights, stop signs, and reduce traffic accidents and deaths by orders of magnitude. This is something to be very excited about.
Still… I’ll be white-knuckling those first days of passing through an intersection at full speed, with nobody at the wheel, while other driverless cars whiz by within a few feet of colliding at high speeds.


