Visa Says Cybersecurity Decides Who Wins Digital Commerce

The word “cybersecurity” can imply a defensive, even reactive discipline.

But effective cybersecurity has never truly been either of those things, and as fraud scales faster, attack surfaces sprawl across ecosystems and consumer trust hardens into a competitive moat, treating cybersecurity as merely a protection is in many ways inviting attack for the businesses that do so.

“It is a core business function. I find it hard to think of any business today that isn’t at its core a technology business,” Jeremiah Dewey, head of Cyber Solutions at Visa, said during a conversation for the “Visa Protect Series” hosted by PYMNTS.

When security is relegated to an ancillary role, he argued, companies miss its most important contribution: enabling the business to grow safely and confidently in a digital-first world. In today’s digital economy, cybersecurity is increasingly about enabling trust and turning resilience into competitive advantage.

The numbers on the side of the attackers alone demand attention. Ransomware attacks surged 126% in 2025, according to Spin.ai, with average breach costs approaching $5 million per incident. Nearly 70% of breaches now cause material business disruption. And yet, many organizations continue to treat cybersecurity as a subsidiary of IT rather than a core business function.

“The vast majority of fraud begins with a cyberattack,” Dewey said, noting that fraud losses, false declines, customer attrition and reputational damage are all downstream effects of upstream security failures.

Preventing those failures may not show up as new revenue, but it can directly preserve growth.

The Expanding Attack Surface and Limits of Perimeters

Modern cyberattacks rarely begin with brute force. Instead, they exploit misconfigured APIs, compromised credentials or vulnerabilities introduced by third-party vendors.

Dewey credits most organizations for understanding this shift but warned that awareness has not translated into full coverage, particularly as zero-day exploits can now be weaponized in hours, not weeks.

“Threats are evolving very quickly,” he said. “They can turn new entry points and new methodologies into fraud and monetary losses very quickly.”

Perimeter-based security models can struggle under this complexity, particularly in payments, where companies operate inside sprawling ecosystems of issuers, acquirers, merchants, FinTechs and vendors where security teams are overwhelmed by the sheer volume of signals they must analyze.

“The court of public opinion will judge you more harshly if you’re not responding to events quickly and thoroughly,” Dewey said, noting that consumers expect transactions to be fast, accurate and secure, and they expect companies to demonstrate that protection is built into the experience.

“If you can’t earn that trust,” he said, “I don’t think you have a chance in today’s market.”

That’s why, if risk detection ends at a company’s internal boundary, organizations are effectively outsourcing their security posture to their partners and often without visibility into what lies beyond.

Against this dynamic threat landscape, identity has become the focal point of defense, Dewey stressed. But even identity now encompasses far more than employees and customers. “This is more than just human identities, it encompasses devices, even AI agents,” he said.

Security Becomes a Product Feature, Not a Checkbox

The growing overlap between cybersecurity and fraud is reshaping how risk should be measured. Traditionally, cybersecurity struggled to demonstrate direct revenue impact and was therefore labeled a cost center. Increasingly, that distinction no longer holds.

Still, it’s commonly only after suffering breaches, rework and downstream losses that many companies recognize the value of building security “as far left as possible.” Done correctly, that approach reduces friction, accelerates launches and preserves customer confidence at scale.

Visa’s own approach reflects embracing a proactive cybersecurity posture at ecosystem scale. Over the past five years, the company has invested $12 billion in technology and infrastructure, much of it in cybersecurity and fraud prevention. Operating one of the world’s largest payment networks gives Visa visibility that individual organizations cannot replicate.

“What we see on our own network, and what we see through the information sharing we have with our partners globally, gives us a great view,” Dewey said, explaining how that intelligence allows Visa to help clients not just respond to fraud, but help to prevent it by identifying patterns early and sharing insights quickly.

Artificial intelligence (AI) has become central to this evolution. Companies using AI to detect threats identify cyber incidents faster and save millions per incident.

Dewey also sees AI as an equalizer, allowing small and midsize issuers, merchants and FinTechs to compete more effectively.

“It’s no longer a matter of who can afford the most expensive thing that’s out there,” he said. “It’s what’s in play that can help the community.”

Combined with ecosystem-wide information sharing, modern tools allow smaller players to move faster and, in some cases, be more nimble than attackers themselves. Still, Dewey was unequivocal that AI alone is not sufficient.

“The human element still comes into play when you have to make judgment calls,” he said.

AI is effective at pattern recognition and triage, but humans remain essential for interpreting context, handling ambiguity, and managing insider-driven incidents such as social engineering.

Effective systems, in Dewey’s view, alternate between machine and human checkpoints, creating layered checks and balances rather than privileging one over the other. And above all, they enable trust at scale, accelerate innovation and turn resilience into competitive advantage.