2026 in payments: Our Co-Founder's analysis and advice

In 2026, the payments landscape is changing faster than ever. It’s worth listening to all voices, including skeptics, and learning from them.

Take agentic ecommerce for example. Major companies are investing a lot of resources into enabling and promoting this new way to streamline buying using AI, but there are conflicting opinions on the extent that this will take off. There are several unknowns at this point, and all we can do is speculate.

Agentic unknowns – and one agentic known

The thing is, agentic commerce may or may not fully take off. But agentic commerce fraud will definitely take off. And merchants should plan ahead for that, at the very least.

How will agents identify themselves to merchants?

Good agents will identify as agents, not as humans. We've seen initiatives around voluntary identification schemes. It helps to think of agents as a different type of bot.

In the past, a deterministic fraud detection system could simply block all bots, because there were few legitimate and lawful use cases for shopping bots. AI agents are promising to be a type of “good” shopping bot, so rules-based fraud detection can no longer live up to the challenge.

In a certain light, this is not new: New tech and evolving consumer habits have slowly but surely rendered deterministic systems ineffective over the last few decades. Automated, adaptable and scalable solutions, such as those using AI and machine learning, are the only viable option for fraud detection.

Meanwhile, the use cases for fraudulent agents are endless. For instance, they make it easier to deceive systems that solely rely on behavior analysis. An agent can be requested to click around and move the cursor in a way that mimics a human. They are a further, more sophisticated, way for criminals to automate fraud and scale up their operations.

It is a possibility in the short term that agents may identify as normal users – but this includes illegitimate agents. As agentic protocols are adopted, possible fraud vectors widen.

• A fraudster may deceive a legitimate agent to shop from a fake website.
• A fraudster may set up an illegitimate agent to interact with a legitimate online shop.
• A fraudster may successfully intercept or spy on legitimate transactions on legitimate websites conducted by legitimate agents.

The list is endless. When agentic commerce is a significant part of the market, will common fraud change as well?

Fraud detection companies need to make sure that we are awake to new trends stemming from agent behavior.

So, what can merchants do?

What can merchants do? Be aware; develop heuristics; continue to monitor closely. Fraud always translates to revenue loss. If you observe otherwise unexplained revenue loss, you may be experiencing agentic fraud.

In other words, no matter whether you adopt agentic protocols as a merchant, you should definitely add AI agents to the list of suspects – be they AI shopping agents in particular or other AI agents.

What does not look like a scripted attack any more, thanks to criminals enlisting AI agents, is very likely still detectable by examining a breadth of data.

Machine learning models can spot deviations from normal behavior as exhibited by the majority of your good customers. And several fraud signals will
continue to be relevant.

New legislation affecting payments

Any technology that achieves mass adoption will become a target of fraud. Or a means of fraud. In turn, it will also catch the eyes of regulators. It will happen with agentic AI, in time, as we saw with the recent new wave of BNPL legislation around the world:

The inflationary cost of living crisis led to BNPL regulation, for example in the UK, where authorities dubbed the previous landscape “the BNPL Wild West” and introduced mandatory affordability checks, credit reporting and oversight, among other changes. In principle, there is nothing novel in this development.

This crosses over to the recent changes in the EU related to the EUDI Wallet – a form of member-country-specific digital identification wallet currently in deployment. Not much attention has been given to this, yet it will affect merchants in a very real way, soon:

Merchants with EEA-based customers are mandated to accept EUDI for secure customer authentication (SCA) and identity verification (IDV) by 2027.

Staying pragmatic about identity

Every attempt to curb fraud from a regulatory perspective has focused on identification. EUDI is not going to fully solve the problem of online identity fraud, and it might also go against privacy legislation.

We can either have extreme privacy or extreme identification. It’s a spectrum of competing interests.

Reality always falls somewhere in the middle.

A few years ago, some thought 3D Secure would be the end of a certain kind of fraud. But fraud adapts – identity isn’t the sole answer. Identity is often the first thing that people reach for when they try to solve fraud. A catch-all solution to a complex problem is unlikely to be the silver bullet. If it were, 3D Secure would have been it.

Identity is always one tool in the arsenal for solving fraud. It’s important to stay pragmatic. Anything and everything is vulnerable to a sophisticated fraud attack. Identity theft is terrible – and lucrative; identities are already vulnerable.

There are also severe consequences to the individual for getting it wrong. If we overload a single identity and use it for many things, and one person in a million loses that identity, that’s still a life
changing experience.

Regulators will have to be smart about failsafes to the EUDI wallet or any similar systems. What happens when someone steals your card and uses it to buy something? You can request a chargeback, which both helps solidify trust in card-not-present payments and minimizes bad outcomes for victims of fraud.

There needs to be an equivalent for the EUDI Wallet, so you can dispute illegitimate use of this wallet that belongs to you – a challenge process.

And what about privacy? Sometimes people don’t want to give their details, or even provide tokens. They do not want to be known but still want to be able to shop. This is down to individuals.

But businesses need to allow for both, if they want to increase their customer base. You need to allow for privacy and also for those who don’t prioritize privacy as much.

It’s similar to supporting guest checkout – those companies who choose to offer it are casting a wider net.

People used to just buy something, but now that’s completely flipped: The market has shifted to account-based approaches. Merchants expect shoppers to set up an account, storing within it as much of their data as possible, including payment cards, and maybe digital proof of identity as well.

We could draw parallels to Ravelin’s fraud detection, which uniquely focuses on everything we know about the customer and all their lifetime activity rather than only on one specific transaction or other user action.

For merchants to maximize revenue opportunities, we need to account for both people and actions; and for both those who are privacy-minded and don’t want to set up an account, and those who don’t mind and are happy to share all their data with merchants.

Sophisticated fraud detection solutions can support guest checkouts too, enabling merchants to appeal to a wider audience. After all, a sophisticated solution will not limit itself to the data provided by the user in order to calculate a fraud score.

Fraud is not going away

The fact of the matter is, fraud will always be with us.

And businesses still want to do business. There is no one-size-fits-all solution.

As a merchant, make sure your fraud detection partners can live up to new challenges, continue to monitor developments closely, and are consistently improving their products.

As we do at Ravelin.