Business Reporter

Payments and the cyber-security pandemic

Wayne Campbell at Access PaySuite describes how businesses can strengthen their payment defences


Fraud has evolved into a professionalised, fast-moving and highly scalable industry - and it’s accelerating at a pace most organisations are struggling to match. Accounting for 41% of all reported crime, it has become the defining threat of a new cyber-security era. 

 

And with the UK now experiencing four nationally significant cyber-attacks every week, many experts warn that we’re in fact living through a cyber-security pandemic - one that is stretching organisational resilience and exposing weaknesses that have quietly accumulated over time. 

 

While businesses race to reinforce their networks, tighten access controls and adopt zero-trust principles, one critical area continues to receive far less attention: payment systems. Frequently outdated, fragmented and still dependent on manual processes, they’ve regrettably become some of the most exposed parts of an organisation’s infrastructure.

 

 

The hidden risks in outdated payments

Attackers are continually identifying weak points across increasingly complex technology landscapes, and these legacy payment systems - especially those still dependent on manual card entry or ageing channels - present exactly the kind of entry points cyber-criminals are on the hunt for. 

 

In many organisations, across all sectors, staff are still required to manually process card numbers, take payment details over the phone or enter sensitive information into internal systems that were never designed for the realities of today’s cyber-threat landscape.

 

These vulnerabilities extend far beyond operational inconvenience. When card data is distributed to parts of the organisation that are hard to secure, it expands the cardholder data environment and creates more opportunities for ransomware, data theft and deeper network compromise.

 

The problem is magnified when payment channels have grown organically over time, through inherited platforms, outdated integrations or departmental workarounds, leaving a patchwork of processes that few people have full visibility over.

 

As these fragmented systems accumulate, security teams struggle to map every payment touchpoint, let alone assess how each one is protected. That absence of clarity is precisely what sophisticated threat actors rely on to infiltrate systems.

 

 

Modernising payment defences

Regulators have begun responding to these vulnerabilities with stricter expectations. The latest version of PCI DSS introduced tougher requirements around authentication, encryption and continuous monitoring, signalling a clear shift towards more rigorous oversight. 

 

At the same time, the recent implementation of the Cyber-security and Resilience Bill 2025 is accelerating incident-reporting obligations and giving authorities greater powers to enforce baseline security standards across critical suppliers.

 

For years, organisations attempted to manage payment risk by strengthening internal controls, expanding monitoring and providing additional staff training. While these measures remain vital, they do not solve the core problem: the business is still collecting, processing or storing card data. 

 

As long as that information flows through internal systems, the attack surface remains intact. Now, a more modern approach is taking hold - one where the most sensitive data never enters the organisation’s environment in the first place. This marks a decisive shift in payment security thinking. 

 

Secure phone payment technology enables customers to enter their card details themselves via a secure keypad or payment link while the employee stays on the line to support. The information is transmitted straight to the payment service provider, meaning the organisation never sees or hears the card numbers at any stage.

 

Open Banking payments, also known as ‘pay by bank’, push this principle even further by eliminating card-based payments entirely. Instead, customers authorise transactions directly through their banking app, removing card data from the process and significantly reducing the amount of sensitive information the organisation must protect.

 

 

Human vigilance remains essential

By removing sensitive data from their systems, businesses immediately take away one of the most valuable targets for attackers. It is one of the most effective ways to close off opportunities for fraud and strengthen overall resilience.

 

However, even with sophisticated payment technology in place, organisations cannot assume that automation alone will protect them. The rise of AI-generated scams - from convincingly cloned voices to highly tailored phishing attempts - has made strong human processes more essential than ever.

 

Teams handling payments must still follow clear identity-verification steps when something feels unusual, and they need to know exactly how to respond when a request falls outside normal procedure. Staff need the awareness to spot the subtle signs of voice cloning or manipulated audio. They should also routinely verify that new payment methods are not being introduced without proper oversight.

 

Technology significantly reduces risk by limiting access to sensitive data, but human judgement often provides the crucial final safeguard. A payment system is only as secure as the operational discipline around it, and it is the combined strength of well-designed procedures and knowledgeable staff that keeps organisations ahead of the curve.

 

 

Building resilient payment journeys

As cyber-threats continue to escalate, businesses cannot afford to leave payment systems lagging behind. Strengthening these environments demands a dual approach: adopting technologies that limit exposure to sensitive information, and reinforcing processes so that staff can act decisively when faced with suspicious behaviour.

 

By modernising ageing payment channels, removing unnecessary access to card data and embracing secure alternatives, organisations can significantly improve their resilience. Combining these tools with robust internal procedures - such as strict access controls, regular staff training, continuous monitoring for suspicious activity, and well-defined incident response plans - ensures that payment systems become a central pillar of a wider cyber-security strategy rather than an overlooked vulnerability.

 

In a landscape of sophisticated, ever-evolving threats, secure and intelligently designed payment processes aren’t optional - they are your frontline defence.

 

By combining technology with human vigilance, organisations can transform risk into resilience, and in today’s cyber-security pandemic, those that act decisively will define the standard for security in the digital era.

 


 

Wayne Campbell is head of presales at Access PaySuite, part of The Access Group

 

Main image courtesy of iStockPhoto.com and sestovic


Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543