Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.
In this edition of The AI Exchange, SISA’s Founder and CEO, Dharshan Shanthamurthy, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security.
How have you most recently incorporated artificial intelligence within your organization?
We have adopted a three-pronged strategy - AI for Cybersecurity, Cybersecurity for AI, and AI for Continuous Improvement.
AI for Cybersecurity focuses on embedding artificial intelligence as a core enabler across all ten of SISA’s solution lines, driving both growth and operational efficiency.
Cybersecurity for AI emerged as a dedicated solution line 18 months ago, in response to rising concerns from our customers around securing AI implementations. To strengthen this domain, we also launched an ANAB-accredited certification program, "Cybersecurity Professional for AI (CSPAI)", which has received tremendous response and adoption globally.
Finally, AI for Continuous Improvement reflects one of SISA’s foundational beliefs: that learning, innovation, and improvement must never stop. We are infusing AI into everything we do — enabling faster insights, smarter decisions, and continuous enhancement across the organization.
What is the most significant change you’ve seen in your organization since AI-use has become so much more prevalent?
The world is moving faster than ever, and many long-held assumptions are being redefined. I see the world pressing a reset button. For SISA, as for many others, the challenge lies in how swiftly we can evolve in this new age of AI. This transformation is not just about technology; it’s a profound change management journey. As we go through this transformation, I’m conscious that we must approach it with real intent, not treat it as a box-ticking exercise, but as a catalyst for meaningful progress.
How do you see AI evolving or impacting payment security in the future?
Like any technology disruption in the past, AI is going to have its merits and challenges for payments security. The merits are many - payment fraud detection is getting better, and AI in security solutions is automating several mundane tasks, allowing cybersecurity professionals to focus on higher-value work. For example, SISA launched an Agentic SOC at RSA earlier this year, demonstrating how L1 and L2 tasks can be automated, and we’ve already seen strong adoption of this solution. We’ve also seen AI being used to write reports, review evidence, and perform many tasks that auditors typically find tedious as QSAs.
On the flip side, AI is also expanding the attack surface. As a forensics-driven cybersecurity company that believes in turning hindsight into foresight, we’re observing that attackers are leveraging AI as effectively as defenders. We’ve seen a rise in polymorphic malware and increasingly sophisticated malicious scripts, as AI makes code generation easier and faster than ever. Our Digital Threat Report for the BFSI Sector 2024 highlights several of these emerging AI-driven threats.
In summary, the battlefield is being redefined and in the age of AI, both the offense and defence are evolving at unprecedented speed.
What potential risks should organizations consider as AI becomes more integrated into payment security?
AI, as it stands today, can be viewed through three key facets.
- The first is Analytical AI (Machine Learning/Deep Learning), which powers anomaly detection by training algorithms to identify patterns and make predictions based on historical data.
- The second is Creative AI (Generative AI), which moves beyond prediction to generation. It doesn’t act autonomously but responds intelligently to prompts.
- The third is Autonomous AI (Agentic AI), which can think, plan, and act - not just respond.
The potential risks of AI must be assessed across each of these dimensions. In Analytical AI, threats include data poisoning, where attackers manipulate training data to mislead models; model inversion, where adversaries reconstruct sensitive training data through repeated queries; and adversarial examples, where subtle input changes, even a few pixels, can trick an image classifier into misidentifying an object.
In Creative AI, we face risks such as prompt injection, where malicious instructions are embedded within inputs to elicit unintended or sensitive outputs. Another emerging concern is model supply chain risk i.e. tampering with model weights or datasets to introduce backdoors into downstream systems.
Finally, in Autonomous AI, we anticipate risks like unbounded autonomy or recursive loops, where agents may continuously act or scrape data without human oversight. And there’s multi-agent collusion, where compromised agents coordinate or influence others to perform malicious actions.
A fourth facet is now emerging - Synthetic Reality AI where AI fuses the physical and digital worlds through robotics, AR/VR, and other cyber-physical systems.
This merging of the physical and virtual worlds will accelerate the rise of Agentic Commerce and payment security professionals must work together to secure this evolving ecosystem. From agentic identity and trust manipulation to transaction and payment tampering, and even supply chain risks, the threat landscape is set to expand rapidly. We’ve addressed these emerging challenges extensively in our Cybersecurity for AI (CSPAI) certification program to help strengthen the preparedness of the payment security community.
What advice would you provide for an organization just starting their journey into using AI?
The first learning I would share with anyone beginning their AI journey is to accept that change will be difficult. Many underestimate the scale of change management required.
Second, educate your top leadership on what AI truly can and cannot do. The reality is that many leaders overestimate their understanding of AI and, as a result, fail to identify the right use cases for their organizations.
Third, build AI competence across the company — everyone should understand how AI impacts their role and decisions.
Fourth, develop a clear 6 - 18-month transformation plan, depending on the organization’s size and complexity. Implement changes that directly improve either the top line or the bottom line.
Finally, measure progress continuously, and ensure that AI transformation stays on the CEO’s agenda.
What AI trend (not limited to payments) are you most excited about?
I’m excited about possibilities that were once beyond humanity’s reach. Drug discovery, for instance, holds immense promise. Imagine breakthroughs that could lead to a cure for cancer. With AI, it’s predicted that we could expand both our lifespan and our health span, enabling us to live better and longer lives. Space research is another fascinating frontier where AI could drive extraordinary discoveries, even advancing our aspiration to become a multi-planetary species.
