Are you confident your fraud prevention capability can support growth — and the rise of agentic commerce?
Fraud risks, especially those driven by evolving technology, are never far from the headlines. With the rapid rise of artificial intelligence and autonomous agents, it is more true now than ever. The imperative to invest continuously and improve is not optional — allowing fraud systems and strategy to stagnate creates risks that reach well beyond direct financial losses.
Increasingly, card scheme fines along with a negative impact on authorisation and conversion rates can be as damaging — if not more so — than the fraud losses themselves. To compound the challenge, it is not only attackers that merchants are competing against. Every time a competitor improves its fraud defence then fraudsters migrate towards merchants that have not kept pace.
This paper sets out the key areas of focus for UK retail fraud teams, covering structural foundations, authentication strategy, the emerging threat landscape from AI and agentic commerce, and the growing impact of Visa's VAMP programme.
Before addressing the sophisticated threat vectors, it is essential to establish the right foundations. Even incremental hygiene improvements can significantly reduce the noise from opportunistic fraud, and signal to Organised Crime Groups (OCGs) that you are not an easy target.
Fraud teams should be embedded as an integral part of the payments strategy — not consulted after decisions are made but involved from the outset in the development of new payment types, products, services, and channels. This applies across all fraud methodologies: payments fraud, account takeover (ATO), and returns fraud as a minimum. This should also include policy and procedures to ensure that the firm meets the requirements of the Economic Crime and Corporate Transparency Act (ECCTA) avoiding the ‘failure to prevent fraud’ offence.
The goal should be to shift the culture from one of refusal or post-incident remediation, to one where fraud teams actively help the business find ways to say yes — safely. That means building the right controls in from the start rather than retrofitting them later.
A modern fraud solution should be capable of ingesting multiple data sources and applying AI-based models across the full customer journey — not just at checkout. Key considerations include:
3DS authentication has historically been deployed either as a high-risk filter or, worse, as a substitute for a properly developed fraud strategy. Neither approach is adequate in the current environment.
The shift required is from a reactive, high-risk-only model to a holistic authentication strategy that uses fraud risk signals to apply the right level of friction at the right point in the journey — and shares that intelligence with issuers to improve risk management across the ecosystem.
Mail Order / Telephone Order (MOTO) transactions represent a disproportionate fraud risk given their inherent inability to support strong customer authentication. Merchants still operating significant MOTO volumes should be actively working to reduce them, for example by:
Passkeys and non-SMS multi-factor authentication (MFA) should now be the standard for securing customer accounts. Reliance on passwords and SMS-based one-time passcodes (OTPs) creates unnecessary exposure to credential stuffing, phishing campaigns, and SIM-swap attacks. Migration to passkeys also reduces friction for legitimate customers, supporting conversion alongside security.
The emergence of Large Language Models (LLMs) and agentic commerce introduces a new category of fraud risk that most merchants have not yet fully incorporated into their threat models. These risks operate at two levels: the use of AI by fraudsters to enhance existing attack vectors, and the structural vulnerabilities introduced by non-human buyers acting within commerce environments.
Fraudsters are already exploiting LLMs to increase the sophistication and scale of their attacks. This includes automated generation of phishing content, real-time social engineering scripts, and the use of AI agents to conduct high-volume credential testing or account takeover attempts at speeds that overwhelm traditional rule-based defences.
As agentic commerce — where AI agents transact autonomously on behalf of consumers — moves from concept to commercial reality, it presents a distinct set of challenges for fraud teams:
Beyond direct fraud, agentic commerce raises complex liability and consent questions that will generate disputes and reduce recovery rates:
|
|
Investment priority Merchants who move earliest on fraud defence tooling will have an advantage as agentic commerce volumes grow through 2026 and beyond, particularly: > identity verification for non-human buyers > bot and agent fingerprinting at checkout > anomaly detection in return and refund flows |
Visa's Acquirer Monitoring Programme (VAMP) consolidates fraud and dispute monitoring into a single ratio and represents one of the most significant scheme-level developments affecting UK merchants in recent years. It warrants dedicated attention from fraud teams
The VAMP ratio is calculated as reported fraudulent transactions plus total disputes, divided by total settled transactions. Critically, only card-not-present (CNP) transactions are included in the calculation. Merchants are required to maintain a ratio below 1.5% from April 2026; however, in practice the operational threshold is considerably lower, as acquirers apply internal limits — often as tight as 50 basis points at the portfolio level — and do not typically share these with merchants.
VAMP's scope creates challenges that differ from earlier monitoring programmes:
Addressing VAMP requires a multi-layered approach spanning the full transaction lifecycle:
The following questions are designed to help fraud and payments leaders assess their current position and identify priority areas for action:
Fraud prevention has never been a purely defensive discipline, but the stakes have risen sharply. The introduction of VAMP, reducing customer friction, and the structural disruption posed by agentic commerce mean that fraud teams are now operating at the intersection of financial risk, regulatory compliance, and commercial strategy.
Merchants that treat fraud investment as a cost to be minimised will find themselves exposed; not only to direct losses, but to acquirer pressure, scheme penalties, and reputational damage. Those that invest in scalable, extensible fraud prevention infrastructure, and who move early on the emerging risks, will be better positioned to grow with confidence.
Retail Perspective #8 : Fraud Risks & Prevention