Payment Technology | 29 May 2026 | 7 min read

AI in payments 2026: what's real, what to ignore

A practical look at where AI actually helps payment operations in 2026 — and where the hype still falls apart in production.

A finance director asked us last month what she should actually buy. Her contact centre vendor pitched her an AI agent that takes card payments by voice. Her gateway pitched her an AI fraud model. Her CCaaS platform pitched her a generative summarisation tool. She'd been sold three different futures in a fortnight, and she wanted to know which ones would survive a PCI audit and which would quietly disappear by Q3.

Fair question. We thought we'd write down what we tell people who ask us the same thing.

What's actually shipping in 2026

Let's start with what's real. AI in payments isn't one thing — it's at least five different categories, and they're at very different levels of maturity. Lumping them together is how teams get sold something that doesn't work.

Fraud scoring and decisioning

This is the oldest and most mature category. Machine-learning fraud models have been in production at scale since the mid-2010s. Stripe Radar, Adyen's RevenueProtect, Worldpay's FraudSight — they all use trained models to score transactions and route the borderline ones through 3-D Secure or step-up authentication. By 2026, these systems are table stakes. If your gateway doesn't have one, you're paying for fraud you don't need to pay for.

What's changed since 2024 is that the models now incorporate behavioural signals from earlier in the session — typing cadence, device telemetry, network entropy — and weigh them against population baselines. The lift over rules-based fraud detection is real and measurable. UK Finance's 2025 annual fraud report noted card-not-present fraud volumes fell 4.7% year-on-year despite transaction counts rising, which is a small but meaningful win that ML decisioning probably deserves credit for.

What hasn't changed: false positives still cost more than fraud at most merchants. The model that approves more good transactions usually beats the one that catches more bad ones. If a vendor is selling you a fraud AI on the strength of its catch rate without showing you its approval rate, they're selling you the wrong half of the story.

Voice payments and AI agents

This is where the hype is loudest and the reality is messiest. The pitch: an AI voice agent takes a customer's card number over the phone, processes the payment, and confirms it back. No human, no hold music, lower cost per call.

The problem is PCI DSS v4.0.1. If your AI agent hears, transcribes, or has any path to the card data, it's in scope. The whole thing — the LLM, the speech-to-text layer, the orchestration logic, the logs, the prompts — sits inside your cardholder data environment. That's an audit nightmare and a security risk, because LLMs and observability stacks are not built to keep secrets out of their telemetry.

The way around it isn't a smarter AI. It's DTMF masking — the customer types the card on their keypad, the tones are intercepted before they reach your platform, and the AI agent never hears or sees the card data. The AI can keep talking to the customer the whole time. It just can't be in the path of the card.

We built our integration with this in mind. If a contact centre is running an AI voice agent on Genesys, Five9, NICE CXone, Amazon Connect or any of the modern CCaaS stacks, the AI handles the conversation and our masking layer handles the card capture. The AI gets a callback when payment succeeds or fails. That's the only architecture we've seen that survives a v4.0.1 audit.
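One way to check that the conversational path really stays free of card data, as an added example (not code from this article or from any vendor named in it): a scanner that flags Luhn-valid 13 to 19 digit runs in transcript, prompt or log lines and redacts them. The log format, event names and function names are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pan_spans(line):
    """Return (start, end) spans of Luhn-valid digit runs in one line."""
    spans = []
    for m in _CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            spans.append(m.span())
    return spans

def scan(lines):
    """Return (line_number, redacted_line) for each line with a likely PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted = line
        for start, end in reversed(find_pan_spans(line)):
            redacted = redacted[:start] + "[PAN-REDACTED]" + redacted[end:]
        if redacted != line:
            findings.append((n, redacted))
    return findings

# Constructed sample telemetry; 4111 1111 1111 1111 is a standard test number.
SAMPLE = [
    "stt.transcript session=a1 text='my card is 4111 1111 1111 1111 thanks'",
    "agent.callback session=a1 payment=succeeded ref=PAY-000123",
    "stt.transcript session=a2 text='order number 1234567890123456'",
    "llm.prompt session=a3 text='customer said 4111-1111-1111-1111'",
]

if __name__ == "__main__":
    for n, redacted in scan(SAMPLE):
        print(n, redacted)
```

A hit on a transcript or prompt line means card data reached the AI path. A clean scan is supporting evidence rather than proof, since spoken digits can be transcribed as words.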

Transaction monitoring and reconciliation

Less glamorous, but this is where AI is quietly saving finance teams real money in 2026. LLMs are good at reading bank statements, matching them against expected payments, and flagging the exceptions. The boring 80% of reconciliation work — the bit where you stare at a spreadsheet trying to figure out why three payments to the same customer arrived on different dates with different references — is now mostly automatable.

If you process payments at any volume, this is the place to start. Lower risk, faster ROI, no PCI implications because the AI is working with bank-side data, not card data. We see finance teams cut reconciliation FTE by 30–50% with off-the-shelf tools.

Customer service deflection

The CCaaS platforms have all shipped generative-AI summarisation, intent classification, and self-service deflection in the last 18 months. The Contact Centre Management Association's 2025 benchmarking work suggests well-implemented deflection is taking 8–12% of payment-related calls out of the queue entirely — "check my balance", "when's my next payment", "update my card on file" — without a human ever picking up.

That's a genuine cost saving. What's also true: the calls left over are harder, longer and more emotional. Average handle time goes up. CSAT can go down if you don't measure the right things. Don't take the cost out of the agent headcount until you've measured the human work that's left.

Code generation and ops automation

The category nobody talks about. AI is writing payment integration code, generating PCI ROC documentation, and handling incident triage in payment ops. None of it customer-facing, all of it real productivity. If you've got a payments engineering team and they're not using AI for boilerplate integration work, you're paying for hours you don't need to pay for.

What to ignore

A list of things we've been pitched in the last year that aren't real yet, won't be real in 2026, or aren't worth the risk.

"AI-native" PCI compliance

Some vendors are pitching AI as a way to be PCI-compliant without descoping the cardholder data environment. The pitch goes: the AI handles card data "securely", and you don't need to do the boring scoping work. This is wrong. PCI DSS v4.0.1 doesn't care how clever your AI is. If the model can see or infer card data, the system is in scope. Period. The only way to reduce scope is to keep the data out of the system entirely. That's what PCI DSS has always required and it's what v4.0.1 still requires.

Generative AI for chargeback evidence

An AI that writes your chargeback rebuttal letter sounds great until you realise the issuer is using their own AI to read it. The arms race has already started and it's making win rates worse, not better. Use AI to extract and structure evidence from your own systems. Don't use it to generate the prose. The issuer's model will see the patterns.

"Conversational checkout"

The idea that customers will want to pay by chatting with an AI in a messenger window. Some will. Most won't. We've watched the data on this for two years and conversion rates are consistently lower than a normal checkout flow. The customers who want to type their card number into a chat bubble are not a growing demographic. If you need a non-web channel for payment, payment links via SMS or email convert better and cost less.

Predictive declines

Some gateways are pitching models that predict which cards will decline before they're submitted. This sounds useful and is mostly noise. The signal that actually predicts a decline (the card itself) is the same signal the issuer's model uses, but theirs has more data. You're guessing at their answer. Spend the engineering time on retry logic and network tokenisation instead.

The boring question that matters most

If you're a finance director, a contact centre director, or a head of payments, the question to ask any AI vendor in 2026 isn't "how clever is your model?" It's "what does this do to my PCI scope?"

That's the question that determines whether the project lives or dies in production. We've watched four-month build projects get killed in week one of QSA review because nobody asked it. The cleverest model in the world is worthless if it puts your entire stack in scope.

The corollary: build AI around your descoped payment layer, not through it. Whatever you're doing with AI — voice agents, summarisation, fraud, reconciliation — keep the card data flow separate. Use channel separation or DTMF masking to keep the card-bearing path narrow, audited, and unchanging. Then change everything else as fast as you want.

What we'd do if we were starting over

If we were a contact centre director planning AI adoption in 2026, we'd do four things in this order.

First, descope. Get DTMF masking or secure telephone payments in place before any AI work touches the card flow. This is the foundation. Without it, every other project is fighting compliance.

Second, automate reconciliation. Low risk, fast payback, and it teaches your team how to manage AI workflows without betting the customer experience on it.

Third, deflect the easy calls. Use the CCaaS platform's native generative AI for balance queries, payment-status questions, card-on-file updates. Measure deflection rate and the change in handle time on the calls that remain.

Fourth, only then consider AI voice agents for payments. By the time you get here, you've got descoped infrastructure, a team that understands AI ops, and data on what your customers actually want from automation. You can pilot honestly instead of buying the pitch.

The teams who skip steps one to three and go straight to step four are the ones we hear from in panic six months later. The model works in the demo. It doesn't work in audit. By then they've spent the budget.

Where this is going

Our honest read: the AI category will consolidate fast in 2026 and 2027. Half the voice-payment startups pitching now won't exist in 18 months because they can't survive a real QSA review. The CCaaS platforms will absorb the genuinely useful pieces. Fraud ML will get better quietly, the way it has for a decade.

The infrastructure question — how do you let AI into your payment operation without giving it access to card data — is the one that matters and the one nobody else will solve for you. That's the work to start now. The AI vendors will catch up to whatever you build. The compliance auditors won't.

If you want to talk through what this looks like for your contact centre, get in touch. We've helped teams in contact centres across the UK and EU work out which AI projects are worth doing and which ones to walk away from. No demo theatre, no roadmap promises — just what's in production today and what isn't.
