India's payments revolution faces a new test: Securing a growing ecosystem

03 Oct 2025, 12:58 PM

The country has proven its ability to build and scale payment infrastructure at record speed. The bigger test now is whether it can replicate that success in security...

Team Head&Tale

India's payments system has undergone a transformation that few countries in the world have experienced at such scale and speed. The country that once ran on cash has built a digital architecture where money moves in real time, across banks, apps, and merchants, with just a swipe or scan.

The Unified Payments Interface (UPI) is at the centre of this transformation, accounting for more than four out of every five retail digital transactions. According to the Reserve Bank of India, UPI handled 185.8 billion transactions in the financial year 2024-25 alone, a 41.7% year-on-year jump. In value terms, UPI payments climbed to Rs 261 lakh crore ($3 trillion), compared to Rs 200 lakh crore ($2.4 trillion) in the previous fiscal year.

But alongside this revolution, digital payment fraud in India has skyrocketed. Between April and January of FY25, Indians lost Rs 4,245 crore ($515 million) to digital fraud across 24 lakh (2.4 million) reported cases, according to the Ministry of Finance. Separate RBI data shows that digital payments, including card and internet transactions, accounted for 10.4% of total fraud amounts in the fiscal year ending March 2024, a dramatic leap from just 1.1% the previous fiscal year.

This surge comes at a time when India's digital payments infrastructure has achieved global recognition. Yet as the ecosystem scales rapidly, the security architecture and user awareness haven't kept pace, creating vulnerabilities that sophisticated fraud networks are quick to exploit.

At the same time, payments innovation has moved quickly into new frontiers – buy now pay later (BNPL), embedded finance, merchant APIs, offline QR codes, and even IoT-enabled transactions. These innovations, while expanding inclusion, have also outpaced the security guardrails built for a card-centric, bank-controlled system. APIs, microservices, and tokenisation bring efficiency but also complexity. As a result, fraud is no longer limited to the front-end user experience; vulnerabilities are now spread across every layer of the payment chain.

The evolving threat landscape

The past year has marked a turning point in the nature of fraud in India. Traditional methods like phishing, credential stuffing, and fake customer care calls remain rampant, but newer patterns are emerging that are harder to detect and far more damaging in scale.

According to Sanket Sarkar, founder and CEO of cybersecurity firm Zeron, fraud has grown more precise. Large-scale phishing attacks still dominate, but attackers are increasingly zeroing in on weak links in the digital payments chain – merchant onboarding flows, consumer social engineering, and API vulnerabilities. “We're also seeing higher convergence of fraud and cyberattacks, where adversaries use malware, botnets, and synthetic identities to bypass traditional controls,” Sarkar adds.

That convergence has widened the attack surface well beyond “careless” consumers. Adelia Castelino, managing director at In-Solutions Global, points to the role of generative AI and deepfakes, which have “significantly transformed” the threat landscape. These technologies are now being weaponised for scams and sophisticated impersonation, “enabling new forms of social engineering such as ‘digital arrest’ and ‘pig butchering’ scams that blend elements of romance and investment fraud.”

The rapid adoption of digital and contactless payments has also created more entry points. Castelino notes that weaknesses in NFC and QR code systems, along with gaps in mobile payment app security, are being increasingly exploited. Another area of concern, she says, is the rise of malware targeting payment gateways, point-of-sale terminals, and e-commerce platforms. These malware variants can intercept real-time payment data, log keystrokes, and even redirect transactions – often staying hidden for months while quietly siphoning off sensitive financial information.

The vulnerabilities, however, aren’t just technical. Institutional blind spots leave the system open in ways that ripple across networks.

A senior executive at Cred highlights the risk of supply chain attacks, where a single compromised vendor can become a gateway to hundreds of businesses. With businesses rushing to adopt advanced AI systems, attackers are finding ways to probe them too, sometimes even manipulating large language models through prompt injections and adversarial attacks.

Meanwhile, innovation in payments continues at breakneck speed. Every new feature is designed to drive convenience and adoption, but often without robust security frameworks. This leaves the ecosystem in a constant game of catch-up, where vulnerabilities surface faster than controls can be built.

On top of that, fraud monitoring remains fragmented. Many institutions still rely on basic rule-based detection, and “intelligence sharing” between players is limited. Fraudsters collaborate freely across borders, while payment companies hesitate to share incident data, worried about reputational harm or regulatory scrutiny. This siloed approach weakens the collective defence.

As the Cred executive puts it, “Payment fraud is really an ecosystem problem. No single organization can handle it alone. Criminals share intelligence instantly, so defenders should collaborate just as quickly to effectively mitigate the risks.”

Why global payment security standards matter

As India’s payments system goes global, the need for robust, globally recognized security standards becomes critical. This is where organizations like the Payment Card Industry Security Standards Council (PCI SSC) play a crucial role.

“For background, the Payment Card Industry Security Standards Council is an open global forum created in 2006 by the five major card brands to develop, maintain and manage the PCI Security Standards. Simply put, our goal is to make payments safer – everywhere around the world,” says Nitin Bhatnagar, regional director at PCI Security Standards Council.

He explains that PCI’s standards are powered by industry input and designed to be forward-looking. “Input from the industry is crucial to ensure our standards continue to defend against the current threat landscape. Our standards and resources are developed considering both emerging and established payment technologies and threats. Securing payment data with data security standards in an evolving payment ecosystem is critical to build robust payments infrastructure keeping security at the centre of everything.”

PCI standards remain “highly relevant in India, given the scale and velocity of digital payments,” notes Sanket Sarkar from Zeron. The challenge, he points out, lies in ensuring consistent adoption across a fragmented merchant base that spans from large enterprises to small neighbourhood shops now going digital.

Global standards provide what Sarkar calls a “common language of security.” Frameworks such as PCI DSS have introduced greater accountability in how cardholder data is handled, while newer tools like PIN security protocols, 3DS, and tokenization have been crucial in protecting consumers worldwide. They also enable Indian players to integrate confidently with global partners.

As transaction volumes surge and fraud risks intensify, PCI standards safeguard both data and consumers by addressing the very methods attackers exploit, making them integral to securing India's digital payments ecosystem, the Cred executive says.

PCI DSS 4.0.1, for instance, reduces data exposure through ‘stronger encryption, tighter scoping, and continuous testing’, and when combined with tokenization and point-to-point encryption, it limits the risks of storing or moving cardholder data. EMVCo protocols prevent cross-border fraud, while multi-factor authentication makes stolen credentials much harder to exploit, according to the executive.

But technology alone isn't sufficient. The human element remains crucial, both as a vulnerability and as a strength. Customer education, employee training, and user awareness continue to play vital roles in preventing social engineering attacks that no technology can fully address.

PCI SSC regional engagement board – India and South Asia

For years, global payment security standards were set in the West and applied everywhere else. But with India now shaping the future of real-time, mobile-first payments, that one-size-fits-all approach no longer works. Recognizing this, the Payment Card Industry Security Standards Council (PCI SSC) has launched a Regional Engagement Board for India and South Asia – a move that brings local realities into the global conversation.

“I am excited to welcome the new India-South Asia Regional Engagement Board members for their 2025-2026 tenure. This is indeed a proud moment for the region as payment industry stakeholders will be more involved in shaping a more secure payments ecosystem amid evolving cybersecurity challenges in a dynamic market like India and South Asia. The Board will meet regularly throughout the year to discuss payment data security best practices, threat trends, and market changes,” Bhatnagar adds.

The board isn’t just symbolic. It gathers 27 organizations from across the spectrum: UPI developer National Payments Corporation of India (NPCI), Cred, HDFC Bank, Axis Bank, SBI Cards, Google, Zeron, 1 Cyber Valley, In-Solutions Global, LankaPay, Zeta, and Bhutan National Bank, among others. The mandate is to drive education, awareness and alignment on payment security standards in one of the fastest-growing digital economies in the world.

By creating this forum, PCI is giving stakeholders a structured platform to voice regional concerns. “The board ensures that service providers, merchants, banks and security assessors can bring India’s realities into the global standards conversation,” says Parminder Lall, chief executive of 1 Cyber Valley, a qualified security assessor. It’s also a recognition, he adds, of how Indian innovations are influencing the global payments roadmap.

A key challenge, however, is that most global security frameworks, including PCI DSS, were designed around card-based models, while India's ecosystem is mobile-first, API-driven and real-time, Lall says. That mismatch, industry experts say, makes localization critical.

As Sanket Sarkar of Zeron puts it, the Board can help adapt global payment standards to innovations in instant payment methods like UPI, foster regional intelligence sharing, and act as a bridge between industry players and the PCI Security Standards Council.

Regulatory complexity adds another layer. “Fintechs face overlapping obligations – from RBI guidelines to NPCI risk protocols to global standards best practices and data protection rules. These requirements are often duplicative, sometimes conflicting, and almost always resource-intensive,” adds Adelia Castelino of In-Solutions Global.

“A PCI SSC-led regional board, working alongside major ecosystem players, can bring much-needed consistency and collaboration to standards,” she believes.

The establishment of the Regional Engagement Board comes at a time when industry players are increasingly recognizing that payment security is a shared responsibility that requires collective action.

Commenting on the importance of stakeholder engagement and feedback, Bhatnagar further adds, “As payment industry needs evolved, PCI SSC introduced the Secure Software Standard to address modern architectures and protect against complex attacks. On 28 October 2022, the Council retired its earlier Payment Application Data Security Standard (PA-DSS), which had guided software security for over 14 years. This reflects how PCI standards adapt in response to industry feedback.”

Conclusion

India's digital payments success story is still being written. The country has proven its ability to build and scale payment infrastructure at record speed. The bigger test now is whether it can replicate that success in security – an area where progress depends not on individual players, but on the collective will of the entire ecosystem.

Some encouraging signs are already visible. Tokenization, for instance, has seen widespread adoption. As Parminder Lall points out, more than 91 crore card-on-file tokens have been created, with almost 98% of e-commerce transactions now processed without using actual card details, according to Reserve Bank of India data.

Looking ahead, newer technologies will reshape the landscape once again. Central Bank Digital Currencies (CBDCs), AI-driven fraud detection, and advanced biometric authentication systems all promise more secure payments – but each also introduces fresh risks that regulators, standard-setting bodies, and industry players will need to tackle together.

The newly established Board’s success will largely depend on its ability to balance multiple priorities: maintaining global consistency while accommodating local innovations, ensuring security without stifling innovation, and building trust across a diverse ecosystem.

With initiatives like the PCI SSC Regional Engagement Board, improved industry collaboration, and growing awareness among users and merchants, there are reasons for cautious optimism.

But the stakes couldn't be higher. India's digital payments ecosystem has become a model for emerging economies worldwide. How successfully it addresses security challenges will not only determine the trust and safety of Indian consumers but also influence the global evolution of digital financial services.

- This story is brought to you in partnership with PCI Security Standards Council.