ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council blog, preserved for tracking changes over time.
View Original →

The AI Exchange: Innovators in Payment Security Featuring PROSA

By Alicia Malone

The AI Exchange: Innovators in Payment Security Featuring PROSA


Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.  

In this edition of The AI Exchange, PROSA Chief Information Security Officer, Valther Galván Ponce de León, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security. 

How has your AI strategy evolved over the past 12-18 months?

Over the past 12–18 months, our AI strategy has evolved from exploration to a more practical, responsible, and security-driven adoption model. In cybersecurity, we have seen that AI is no longer only an emerging capability; it is becoming an important enabler for improving visibility, prioritizing risk, and supporting faster decision-making.

A key part of this evolution has been strengthening our use of AI-enabled security, analytics, observability, and risk management capabilities. These technologies help organizations identify patterns, improve context, reduce manual effort, and support security teams in detecting and responding to potential threats more effectively.

For us, the main change has been moving from asking “what can AI do?” to asking “where can AI help us make better security decisions?” We are focused on applying AI to support threat detection, risk prioritization, operational visibility, secure access, and cybersecurity resilience, while maintaining appropriate governance and human oversight.

AI provides speed, scale, and context, but cybersecurity still requires judgment, accountability, and a clear understanding of business impact. 

What is one AI initiative that has already delivered a measurable impact within your organization, and what made it successful?

One AI initiative that has delivered meaningful impact is the use of AI-supported security monitoring and response capabilities within our cybersecurity operating model. These capabilities have improved how security information is analyzed, correlated, and prioritized, allowing teams to focus on events that may pose a higher risk.

The impact has been reflected in better visibility, faster analysis of potential incidents, and more efficient response processes. Instead of relying only on manual review or isolated alerts, AI-supported analytics can help identify patterns, reduce noise, and provide better context for decision-making.

What made this initiative successful was not only the technology itself, but the way it was implemented. We aligned AI-enabled capabilities with clear cybersecurity use cases, strengthened monitoring and response processes, and kept human validation as part of the workflow.

In my opinion, this balance is essential. AI can help teams move faster and make better informed decisions. Still, final judgment should remain with experienced security professionals who understand the environment, the risk, and the potential business impact. 

How are you approaching AI governance, particularly around data privacy and security? 

Our approach to AI governance is based on responsible adoption. Since we operate in a highly sensitive environment, especially in the payments industry, we cannot treat AI only as an innovation tool. It must be evaluated with the same discipline that we apply to cybersecurity, data protection, regulatory compliance, and operational risk.

From a privacy and security perspective, our focus is on defining clear rules for how AI can be used, what types of information may be processed, and which use cases require additional review before implementation. We are especially careful with confidential information, customer data, payment-related data, and sensitive operational information.

For us, data minimization is very important. AI tools and AI-enabled capabilities should use only the information necessary for a specific purpose, under appropriate controls.

We are also approaching AI governance through access management, vendor risk management, monitoring, policy definition, and human oversight. AI can bring significant benefits to cybersecurity and operations, but it must be managed in accordance with clear security, privacy, and governance practices.

In my opinion, AI should help improve detection, visibility, analysis, and decision-making, but it should not remove accountability from the people and teams responsible for security. 

What challenges have become more apparent as AI capabilities have matured?

As AI capabilities have matured, one of the biggest challenges has been moving from isolated AI-enabled capabilities to a more integrated and adaptive cybersecurity model. Many technologies now include strong AI and analytics features, but the real value comes when those capabilities can work together, share context, and support faster, more coordinated decisions.

In practice, this is not only a technology challenge. It requires consistent data quality, clear ownership of security signals, strong governance, integration between processes, and well-defined response workflows.

Another important challenge is avoiding overreliance on AI. As detection, analytics, and automation improve, it can be tempting to assume that technology will always interpret risk correctly. In reality, AI still requires governance, tuning, validation, and human judgment. False positives, incomplete context, data silos, and inconsistent policies can limit the effectiveness of AI-enabled cybersecurity.

For me, the main lesson is that AI maturity is not just about adopting more advanced tools. It is about building the discipline to connect people, processes, data, and technology within a security architecture that adapts as threats evolve.

This is where concepts such as adaptive cybersecurity and cybersecurity mesh become very relevant. They encourage organizations to think beyond individual controls and focus on a more coordinated, flexible, and risk-based security model. 

What advice would you provide for an organization moving from early AI adoption to broader implementation? 

I recommend moving from experimentation to implementation with a clear strategy, not only with enthusiasm for technology. Early AI adoption is useful for understanding capabilities, but broader implementation requires governance, prioritization, risk management, and strong alignment with business and security objectives.

The first step should be to identify use cases where AI can deliver real value with manageable risk. In cybersecurity, this may include threat detection, alert prioritization, vulnerability management, user behavior analytics, incident response support, operational visibility, and risk analysis.

However, organizations should avoid implementing AI everywhere at once. It is better to scale based on proven results, clear metrics, and lessons learned from initial pilots.

I would also recommend building AI governance from the beginning. This includes defining what data can be used, how privacy and security will be protected, how vendors will be evaluated, how outputs will be validated, and where human review is required.

As AI becomes part of a broader cybersecurity model, integration becomes critical. The value is not only in having AI-enabled capabilities, but in connecting those capabilities so they can provide useful context and support coordinated decisions.

Organizations should invest in people and processes as much as in technology. AI can improve speed, visibility, and analysis, but it still depends on teams that understand the risks, the business environment, and the right response.

Successful broader implementation comes from balancing innovation with governance, automation with human judgment, and technology with a clear security strategy. 

What AI trend (not limited to payments) are you most excited about?  

The AI trend I am most excited about is Agentic AI, especially its potential to transform cybersecurity and operations.

I see Agentic AI as the next step beyond traditional AI assistants or copilots. Its value lies not only in analyzing information but also in helping reason through workflows, recommending actions, coordinating tasks, and supporting process execution under defined controls.

In cybersecurity, this is especially relevant. Security teams work with a large number of signals across different environments, systems, identities, applications, and business processes. Agentic AI has the potential to help connect those signals, accelerate investigation, prioritize risks, and recommend response actions with more context.

This is particularly valuable in an adaptive cybersecurity model, where organizations need to respond quickly as threats evolve.

What matters most is using Agentic AI responsibly. The objective should not be unrestricted autonomy but controlled, governed assistance. In my opinion, the real value will come from combining automation with expert judgment.

Agentic AI can help reduce repetitive work, accelerate analysis, and improve decision-making, while security professionals remain accountable for final decisions.

For me, this trend has the potential to make organizations more proactive, resilient, and adaptive, not only in payments but across many industries where security, trust, and operational continuity are critical. 

View More Content on Artificial Intelligence

Learn More About PROSA