The report, “Orchestrating Trust: The Future of Fraud Prevention in Payments,” argues that fraud management is entering a new phase. Digital commerce has created a complex network of payment gateways, identity tools and security systems. When these tools operate independently, merchants risk higher false declines, added friction and lost sales. Fraud orchestration platforms aim to unify those signals into a single decision layer, helping organizations respond to threats faster while improving the customer experience.

The research finds that the next generation of fraud prevention focuses less on a single detection tool and more on coordination. Modern fraud defenses combine behavioral data, device intelligence, machine learning models and payment routing into an integrated workflow that can assess risk in milliseconds. The goal is to protect transactions while keeping legitimate purchases moving through checkout.

Key Findings From the Report:

• 85% of merchants say reducing friction for legitimate customers is their biggest fraud-prevention challenge. Companies increasingly see customer experience as part of the fraud equation rather than a separate concern.
• 53% of U.S. financial institutions already use fraud orchestration or expect to adopt it soon. The technology is moving from experimentation into mainstream deployment across banks and payment providers.
• 51% of global eCommerce merchants expect spending on fraud-management staff to remain flat or decline. At the same time, most plan to increase investment in automated fraud technologies that can scale more efficiently.

The third finding highlights a structural shift in how organizations approach fraud management. As digital payments grow, companies are under pressure to control operating costs while responding to more sophisticated attacks. Automation is filling that gap.

Fraud orchestration platforms help companies do more with fewer resources. These systems connect application programming interfaces, third-party risk signals and internal transaction data into a unified decision engine. Instead of routing every transaction through the same checks, orchestration systems can apply stronger verification only when risk indicators justify it. That improves approval rates while reducing unnecessary friction.

The model also allows organizations to test and refine fraud strategies quickly. Businesses can experiment with different security tools, adjust rules across channels and analyze performance in real time. This flexibility has become increasingly valuable as fraud tactics evolve rapidly across digital wallets, instant payments and embedded commerce.

The report notes that fraud prevention is expanding beyond the moment of payment. Modern strategies track risk signals throughout the entire customer lifecycle. That includes onboarding, account changes, transaction monitoring and dispute management after the purchase is complete.

For merchants navigating a fast-changing payments landscape, the takeaway is clear. Fraud prevention is becoming an integrated discipline rather than a standalone function. Coordinated defenses allow businesses to protect customers, preserve revenue and keep digital commerce moving.

At PYMNTS Intelligence, we work with businesses to uncover insights that fuel intelligent, data-driven discussions on changing customer expectations, a more connected economy and the strategic shifts necessary to achieve outcomes. With rigorous research methodologies and unwavering commitment to objective quality, we offer trusted data to grow your business. As our partner, you’ll have access to our diverse team of PhDs, researchers, data analysts, number crunchers, subject matter veterans and editorial experts.

Findings in the March edition of the PYMNTS Intelligence “Share of Wallet: Amazon vs. Walmart” report reveal that modern consumer is increasingly no longer one coherent decision-maker. Instead, shoppers are two psychologically distinct selves: a disciplined survival optimizer, and an aspirational reward-seeker.

In this emerging landscape, retailers like Amazon and Walmart may no longer be fighting the same war. Total share of wallet as a concept is increasingly bifurcating distinctly into the two perennial retail categories of essentials and discretionary spending. The result is not a zero-sum retail contest, but a segmentation of dominance.

The report’s findings frame this as a “consumer wallet reset,” a structural reallocation of spending driven by macroeconomic pressure, changing consumption patterns and the maturation of digital commerce.

Retail’s New Balance of Power

Consumers are not choosing between Amazon and Walmart. They are choosing both, and relying on each for a specific purpose. The PYMNTS Intelligence report found that Amazon is the go-to for discretionary purchases, while Walmart anchors essential spending.

Amazon’s ability to convert browsing into buying through one-click checkout, personalized recommendations and near-instant fulfillment makes it uniquely suited to capture discretionary spend. When consumers decide to indulge, Amazon is increasingly the default interface.

The report’s findings show that, by the fourth quarter of 2025, Amazon captured a record 11.1% of total U.S. retail spending, with outsized dominance in categories like hobby goods (35% share), electronics (32%), and apparel and furniture, where its share has more than doubled over time.

Yet Amazon’s dominance has limits. In grocery, a category defined by frequency, perishability and price sensitivity, its share remains a modest 3%. There, and across other gaps, is where Walmart is focusing.

If Amazon has mastered discretionary spending, Walmart has perfected the opposite: the steady, unglamorous capture of essentials. The retailer’s share of overall retail spending has remained remarkably stable over time, a reflection of its entrenched role in everyday consumption.

Walmart’s strength is most pronounced in grocery, where its share of food and beverage spending has increased by 13% since 2019.

But that strength comes with a trade-off. As Walmart has deepened its hold on essentials, it has lost ground in discretionary categories like clothing, electronics and hobby goods, where growth is faster and margins are often higher.

Read the report: Consumer Wallet Reset: How Amazon Wins Discretionary Spend and Walmart Holds Necessities

The modern consumer may feel conflicted, but their behavior is increasingly patterned. Survival mode and splurge mode are no longer anomalies; they are the defining rhythms of contemporary consumption.

Amazon wins when consumers want. Walmart wins when they need.

For the broader retail sector, this bifurcation presents both a challenge and a constraint. Companies that cannot clearly position themselves within either survival mode or splurge mode risk becoming less relevant. The traditional “middle” retailer offering a mix of value and aspiration without excelling at either may become a model that is increasingly difficult to sustain.

The deeper implication of this shift may also be that retail is evolving from a collection of channels into a set of behavioral platforms. Walmart and Amazon are not just destinations; they are becoming default responses to different types of consumer needs.

When a household considers how to restock the pantry, the answer is increasingly predetermined. When an individual feels the impulse to treat themselves, the pathway is similarly preconfigured.

Ultimately, in a world where consumers are more constrained, more selective and more digitally enabled, the battle for the wallet is no longer singular. It is becoming segmented, strategic and increasingly asymmetric.

At PYMNTS Intelligence, we work with businesses to uncover insights that fuel intelligent, data-driven discussions on changing customer expectations, a more connected economy and the strategic shifts necessary to achieve outcomes. With rigorous research methodologies and unwavering commitment to objective quality, we offer trusted data to grow your business. As our partner, you’ll have access to our diverse team of PhDs, researchers, data analysts, number crunchers, subject matter veterans and editorial experts.

There’s an innovation race growing over digital identity. On one hand are banks and merchants that have traditionally been reliant on tools like passwords, one-time passcodes, biometric selfies and voice checks to power online authentication.

On the other are fraudsters using artificial intelligence (AI) to replicate those signals at scale through deepfakes, synthetic identities and cloned voices.

“AI is great. It’s exciting, it’s changing commerce, and we’re all embracing it,” James Mirfin, senior vice president, Global Head of Risk and Security Intelligence Solutions at Visa, told PYMNTS  during a discussion for the March edition of the What’s Next In Payments (WNIP) series, “How Will AI Change Identity?”

“But the criminals and the bad actors have been using [AI] probably faster than some of the businesses that are trying to defend against it,” he said.

The result is that commerce is now entering an AI identity era, where trust must be established not just through credentials but through behavioral intelligence, cryptographic tokens and ecosystem-wide cooperation.

After all, the same technologies that are driving innovation are also expanding the attack surface.

How AI Is Forcing Payments to Reinvent Identity Verification

For years, financial institutions have invested heavily in identity verification tools designed to reduce fraud while maintaining a seamless user experience. These systems include document authentication, facial recognition with liveness detection and voice biometrics that allow customers to access accounts using spoken phrases.

However, the industry is seeing where the technology is advancing and improving existing defenses for fraud protection: Synthetic identities can now be generated in seconds, while AI-driven voice models can replicate a person’s speech patterns with alarming accuracy. The result is a growing sense that static authentication methods, no matter how sophisticated, may no longer be sufficient on their own — a layered approach is needed, with behavioral identity included in the mix. Behavioral identity looks at how the person acts over time, instead of asking who someone claims to be.

Mirfin said there’s a danger that when you’re building these defenses, you focus on one and think that’s the weakest link or most vulnerable. However, the reality is that companies have to be vigilant about all of these: fake voices, fake faces, fake behavior.

The result is a reframe of the very architecture of fraud detection, which has relied heavily on verifying identity at a single moment, such as when a user logs in or creates an account. As AI grows more sophisticated, that approach is giving way to continuous monitoring that evaluates how someone behaves over time.

For large enterprises with dedicated fraud teams, adapting to this new landscape is already underway. But smaller merchants often lack the resources to build advanced security systems on their own.

Ensuring Security Across the Entire User Journey

The challenge will only intensify as “agentic commerce” emerges, where AI assistants and software agents begin shopping and transacting online on behalf of consumers. In that world, merchants and payment networks will need new ways to distinguish legitimate automated activity from malicious AI agents.

“If you go back 18 months or two years, most merchants would say: ‘Bot? Stop,’” Mirfin said. “Now you’ve got good bot behavior interacting with your website, and that changes the game.”

He added, “If a consumer chooses to use an agent to shop for them, the merchant needs to be ready to accept that and recognize that interaction.”

To that end, Visa and other industry players are developing standards to help merchants and consumers trust in agent-driven transactions. One example is the introduction of “trusted agent” protocols designed to confirm that an AI acting on behalf of a consumer has legitimate authorization.

The core function of payment networks, Mirfin noted, has always been establishing trust between parties that do not know each other.

“The one that we’re spending time looking at, and it’s probably harder to detect, is fake behavior. These are bots that start to mimic human behavior or human interactions,” he said.

These illicit bot systems look less like traditional fraud and more like authentic customers navigating a website due to their capability for imitating the data-driven rhythms of human browsing patterns, typing speeds and purchasing habits.

Mirfin compared the concept of defending against these next-generation software threats to an old-school bank teller assessing customers in person.

“If you are sitting in a café or restaurant, people’s behavior typically is fairly similar,” he said. “But you can spot someone that looks a bit nervous or twitchy. It’s the same in banking. Historically, bank tellers were looking for anomalous behavior.”

In the digital world, those anomalous signals come from, amongst other things, transaction patterns, device data, and location information. When analyzed together, they form a behavioral fingerprint that is far harder for fraudsters to replicate consistently.

“You can’t just focus on account creation or setup,” Mirfin said. “It’s about identifying good behavior and good activity over time.”

What Today’s Landscape Reveals About the Next Frontier

Another foundational technology gaining renewed relevance in this AI-driven environment is tokenization.

“There’s no reason for raw credentials or identity data to move around the internet in plain form anymore,” Mirfin said. “Tokens can do more than protect payment information. They can define limits, parameters and permissions around a transaction.”

Yet technology alone may not be enough. One of the biggest structural challenges facing banks, Mirfin argued, lies inside the organizations themselves.

Fraud prevention, cybersecurity and identity verification are often handled by separate teams within financial institutions, each operating with its own tools and priorities. In an AI-driven threat environment, those silos could become a vulnerability. Gartner recently predicted structural convergence, forecasting that by 2031, 50 percent of large financial institutions will consolidate online fraud prevention, identity, and cybersecurity responsibilities under teams reporting to the CISO, driven by the identity-centric nature of modern fraud.

“Traditionally you’ve had cyber teams, fraud teams and identity teams operating separately,” Mirfin said. “I’d love to see the industry … [bring] those groups together.”

Better collaboration across those domains, he said, could help financial institutions stay ahead of rapidly evolving threats while also reducing friction for consumers.

“We all shop every day,” Mirfin said. “We want to buy things in the easiest way possible, but we also want to know we’re protected.”

The strategy was simple. If a card was used most often, it would generate the most transaction volume and deepen the relationship between the cardholder and issuer.

However, that dynamic is beginning to shift. Consumers now move fluidly between credit cards, buy now, pay later plans, debit cards, and digital wallets, depending on context, cash flow and convenience. As payments choice becomes more flexible, loyalty to a single card is weakening.

As PYMNTS CEO Karen Webster wrote Wednesday (March 11), consumers are increasingly managing spending across multiple payment tools rather than committing to a single card. In that environment, the challenge for issuers is shifting toward influencing the moment a consumer decides how to pay.

Banks and payment networks are increasingly turning to artificial intelligence and transaction data to meet that challenge, using the technology to personalize offers, adjust rewards and tailor incentives around individual spending patterns.

The Offers Feed Becomes the New Battleground

Much of the innovation in credit card rewards is happening outside the checkout flow itself. Instead, the competitive frontier is shifting toward the offer ecosystems that shape purchasing behavior before a transaction occurs.

“I think the real AI revolution in credit cards isn’t necessarily happening at checkout,” Jeanniey Walden, chief marketing and executive advisor at Rakuten Rewards, told PYMNTS. “It’s happening in the offers feed.”

Traditionally, rewards programs relied on broad categories, such as travel, groceries or dining. While those structures were simple, they were designed for a hypothetical “average” cardholder whose spending patterns rarely matched reality, Walden said.

AI is beginning to change that by analyzing large volumes of transaction data and behavioral signals to determine which merchants, discounts or promotions are most relevant to each cardholder.

“For years, merchant-funded offers have tried to match what merchants want to promote with what consumers actually want to buy,” Walden said. “AI is starting to close that gap.”

Instead of generic promotions, rewards platforms can now generate offers that reflect where a consumer shops, how frequently they visit certain merchants, and the time of day or context in which purchases occur. The goal is to influence decisions earlier in the buying journey, shaping what consumers see before they reach the checkout page.

“The brands that understand how to show up when algorithms are deciding who gets recommended are going to find the most success down the road,” Walden said.

From Static Rewards to Personalized Incentives

AI is also changing how issuers design rewards. Rather than relying on fixed categories that remain constant for months or years, AI systems allow incentives to become even more dynamic and responsive to behavior.

Malte Rau, co-founder and CEO of corporate card platform Pliant, told PYMNTS that early AI applications in rewards programs focus on analyzing transaction data to customize offers and category bonuses around real spending patterns.

“Most of the early use cases we see involve analyzing transaction data to tailor merchant offers, discounts or category bonuses around how cardholders actually spend,” Rau said.

That capability makes it possible to move beyond broad rewards categories toward more targeted incentives.

Instead of offering generic travel or dining bonuses, issuers could surface offers in real time when a cardholder is about to make a purchase at a particular merchant or location. The result is a rewards ecosystem built to influence decisions precisely when consumers are choosing how to pay.

Walden said the industry’s long-term direction is toward increasingly individualized reward experiences.

“AI makes it possible to move toward a much more localized and personalized experience, where the offers you see are shaped by your behavior and what the system learns about you over time,” she said.

For all PYMNTS AI coverage, subscribe to the daily AI Newsletter.

That is the central theme of the December edition of the Payments Orchestration Tracker series, “Orchestrating Trust: The Future of Fraud Prevention in Payments.” The report argues that as digital commerce grows more complex, fraud has become more coordinated and adaptive.

Static rules engines and stand-alone machine learning tools are no longer sufficient. Instead, merchants and financial institutions are turning to fraud orchestration, described as a command-and-control layer that connects multiple risk tools, identity systems and payment gateways into a single decisioning framework. The goal is not only to reduce fraud losses, but also to protect revenue by minimizing false declines and checkout friction.

The report highlights several data points that underscore the shift:

• 85% of merchants say their top fraud challenge is preventing fraud without degrading the customer experience.
• 53% of U.S. financial institutions already use fraud orchestration, with another 16% implementing it and 26% planning adoption.
• 51% of global eCommerce merchants expect fraud-management staffing costs to remain flat or decline, even as 63% plan to increase investment in fraud technology.

Those figures reveal a broader structural change. Fraud management is moving from labor-intensive review processes toward automated, real-time systems that can evaluate identity, device data, transaction history and behavioral signals in milliseconds.

The report goes further than defining orchestration. It frames it as a response to a deeper tension in payments. Merchants operate in a world where authorization rates, checkout speed and conversion metrics matter as much as loss prevention. Nearly half of merchants estimate that up to 5% of legitimate orders are incorrectly declined as fraudulent, representing an estimated $50 billion in lost revenue industrywide. Fraud systems that are too blunt create their own financial risk.

Orchestration aims to resolve that tension by sequencing tools intelligently. Instead of running every transaction through every check, platforms determine when heightened scrutiny is warranted and when it is not. Trusted customers move through streamlined flows. Suspicious patterns trigger layered defenses such as behavioral biometrics, device fingerprinting or additional authentication.

Another significant insight is the connection between fraud strategy and payment routing. The report stresses that fraud controls and payment optimization are intertwined. Gaps in fraud systems can increase false declines. Poor routing decisions can increase exposure. By integrating fraud orchestration into open payments platforms, merchants can coordinate risk checks and authorization strategies in tandem.

The document also emphasizes operational efficiency. Many merchants manage five or more payment integrations, along with multiple fraud vendors. Fragmentation creates blind spots and raises costs. Central orchestration reduces the burden of managing disparate systems, allows A/B testing of fraud tools and enables faster iteration as fraud patterns shift.

Importantly, fraud orchestration does not end at the authorization moment. The report outlines a life-cycle approach that spans onboarding, account changes, transaction monitoring and post-purchase disputes. Fraudsters exploit gaps between channels and stages. A unified system provides cross-channel visibility and centralized case management.

The underlying message is that fraud has become too dynamic for siloed defenses. As instant payments, embedded commerce and digital wallets compress decision windows, organizations need adaptive systems that can learn and adjust in real time. Fraud orchestration is positioned not as a new tool, but as an architectural layer that brings coherence to an increasingly complex ecosystem.

For payments leaders, the implication is clear. Trust is no longer maintained through isolated controls. It is sustained through coordinated intelligence that protects revenue while preserving the customer experience.

At PYMNTS Intelligence, we work with businesses to uncover insights that fuel intelligent, data-driven discussions on changing customer expectations, a more connected economy and the strategic shifts necessary to achieve outcomes. With rigorous research methodologies and unwavering commitment to objective quality, we offer trusted data to grow your business. As our partner, you’ll have access to our diverse team of PhDs, researchers, data analysts, number crunchers, subject matter veterans and editorial experts.

The momentum is real. So is the attention. But much of that attention has centered on the technology itself, the interfaces consumers may use and the possibility of a faster path from intent to purchase. What has received less attention is the merchant.

The merchant is still the one that owns the checkout flow, manages the payment relationships, absorbs much of the fraud and chargeback risk, and tries to turn a transaction into a lasting customer relationship. That is the part of the agentic commerce story that Spreedly is trying to bring back into focus.

The payments orchestrator said in a Thursday (March 5) press release that agentic commerce is now live as a channel on its open payments platform. Merchants can process agent-initiated transactions over their existing payment infrastructure, keep their current payment service provider relationships in place and remain the merchant of record.

Enterprise merchants are already testing agent-driven transaction flows, and support for emerging protocols, including Universal Commerce Protocol (UCP) and Agentic Commerce Protocol (ACP), is in development, with an initial release targeted for later this quarter, the release said.

That message is different from some of the broader conversations around agentic AI.

Spreedly is not pitching agentic commerce as a reason for merchants to hand over control. It is pitching it as a new channel that still must work within the economic and operational realities merchants already deal with. Many of the early standards writers seem to understand that point, Spreedly CEO Justin Benson told PYMNTS.

“I think it was pretty telling that many of the specs that are being written, but the position taken early on was you are going to be the merchant of record,” Benson said. “That was really helpful” because it showed awareness that “the merchant didn’t want to be disintermediated.”

That does not mean the hard parts are solved. When asked how merchants are thinking about owning the customer relationship in agentic commerce, Benson said the industry is still in discovery mode.

“Anyone who says they’ve got all the answers is not being very transparent,” he said. “We’re all learning this together.”

Spreedly is working through these questions with leading-edge merchants, and “every answer brings up a new question for them,” he said.

That uncertainty is one reason the merchant-of-record issue matters so much.

Not an Event

Checkout is not just a payment event; it is a business engine, Benson said. Merchants use it to shape economics, present payment choices, offer loyalty options and surface cross-sell opportunities. If the agent layer sits between the shopper and the merchant in a way that strips out those options, the merchant may lose more than a few clicks in the checkout process.

“I think that is one thing that’s missed,” Benson said. “In the checkout, there’s a lot happening.”

Merchants are thinking about the economics behind that, along with cross-sell and upsell opportunities, loyalty offers, and whether they want to present their own credit card or buy now, pay later options. For some merchants, a model where “the agent will just do it” could become “a significant threat to their business model,” he said.

There is also the less glamorous issue of responsibility. Merchants should not assume that agentic commerce changes the basic liability structure attached to a transaction, Benson said. They still must think about fraud, liability shifts and chargebacks in much the same way they do now.

In the early phase, merchants will likely view an agent-based transaction with “the same type of liability, same type of responsibility” as a human-initiated one, he said.

That’s where vaulting becomes more important. Spreedly’s announcement described the company’s smart vaulting as a way for consumers to transact without reentering card details while merchants keep control over spend limits, token enforcement, expiration rules and controlled transaction environments. In simple terms, agentic commerce will only work at scale if the stored credentials behind it are handled securely and under merchant-defined rules.

“Vaulting is having a moment again,” Benson said.

“Nobody wants to be involved in handling secure data” because of the cost and risk attached to it, he added. The original promise of vaulting and tokenization was to move sensitive card data “out of scope for a merchant,” which reduced risk and complexity. Now, as agentic commerce develops, that need is returning to center stage.

“It’s almost a back to the future there,” he said.

The Credentials Gap

That leads to the issue of the gap between today’s credential systems and the ones agentic commerce may require, Benson said. A relatively simple one-to-one relationship between a merchant and a payment provider may be manageable. But the model gets more complicated once merchants start dealing with multiple agentic commerce sources, digital wallets and new layers of permissions and issuer requirements.

The opportunity is not only to manage the flow itself, but also to manage “the unique characteristics around that tokenization around that token,” he said.

That framing suggests the real work in agentic commerce may happen below the surface.

The consumer may see a clean prompt and a simple purchase. Behind that, merchants and payments providers may be dealing with a much denser set of credential, token and routing questions than current checkout systems typically expose.

Benson made a similar point when discussing customer experience. One example he raised was travel, where a transaction often does not end when the first authorization is made. Hotel bookings can produce later charges. Merchants may also make real-time decisions about which payment service provider or merchant identity should handle a transaction, and those decisions affect reconciliation on the back end.

Spreedly is also trying to position itself on the open side of the market. The company is not tied to any single AI platform and wants merchants to use one integration to enable payments across emerging AI environments, Benson said, suggesting a practical rather than ideological view of open systems.

Although open standards help the industry move, they can become too generic over time and may give way to more specialized approaches, he said.

“Open standards tend to be very strong in the first one to two to three years,” Benson said. But because they “have to support everybody,” they can become too broad to support deeper niche use cases. That’s why companies like Spreedly expect to support open standards while also preparing for more customized flows later.

For all PYMNTS AI coverage, subscribe to the daily AI Newsletter.

The concept of postmortem is borrowed from engineering teams, who’ve been using postmortems for years to prevent catastrophic bugs. They’re one of the most underutilized tools in product development. When adapted thoughtfully for UX and product work, they create a systematic way to learn from both our successes and our failures, but most teams either skip them entirely or do them so poorly that they might as well not bother.

Let’s fix that.

What Postmortems Are (And Aren’t)

A postmortem is a structured analysis of a completed project that examines what happened, why it happened, and what systemic changes are needed as a result.

The goal is straightforward: to understand the project thoroughly enough to replicate successes and prevent failures.

Notice I wrote, “completed project,” not “failed project.” This is the first misconception teams need to overcome. Yes, you should absolutely do a postmortem when your new onboarding flow tanks conversion rates, but you should also do one when your redesigned checkout process increases purchases by 40% instead of the 15% you predicted.

Success often teaches us more than failure, but only if we learn from it.

How Postmortems Differ from Sprint Retrospectives

If you’re doing some form of Agile, you’re probably already conducting retrospectives. These happen every sprint and focus on your team’s process: What should we keep doing? What should we stop? What should we try next? They’re forward-looking and process-oriented.

If you’re interested in doing effective UX retrospectives (and you should be!), here are some tips for how to do them. Regular retros can improve your team’s process significantly, but they don’t get rid of the need for project postmortems.

Postmortems have some similarities with retrospectives, and a lot of the advice about running them can be used for both events, but they’re different in key ways. Postmortems are backward-looking and outcome-oriented. They examine a specific project after it’s complete (or after you have enough data to evaluate it) and ask whether that project succeeded, why or why not, and what we can learn from that outcome.

A sprint retrospective might surface that your team needs better stakeholder communication. A postmortem might reveal that your last product launch failed because you never validated the problem you were solving, and it will result in a new requirement that all future projects include problem validation before entering design.

Both are valuable. Neither replaces the other.

When to Hold Postmortems

Timing matters more than most teams realize. Hold a postmortem too soon, and you’re making decisions without data. Wait too long, and people forget crucial details or move to other teams.

For projects with measurable outcomes like experiments, launches, or feature releases, wait until you have enough data to evaluate success. If you’re measuring retention over 30 days, don’t hold your postmortem on day 2, but don’t wait six months either. By then, the team has moved on and the details have faded.

For projects without clean metrics (like exploratory research, design-systems work, or process improvements) hold the postmortem within two weeks of completion, while everything is still fresh.

As a general rule: if people are saying “I don’t really remember why we decided that,” you’ve waited too long. But if people are saying “We don’t know whether this worked or not,” you’re too early.

What Belongs in a Postmortem

Let’s consider two scenarios, one “failure” and one “success,” to understand what a good postmortem looks like.

Scenario 1: The Failed Metrics Experiment

Your team hypothesized that adding social proof to your product signup page would increase conversion by 30%. You designed variations, ran the experiment properly, and conversion increased by 1%. Essentially, no change.

A postmortem here needs to examine two things: why the experiment failed and why you believed it would succeed.

The first question might reveal that your users are enterprise buyers who don’t care about consumer social proof, or that the design implementation was too subtle, or that social proof matters, but 30% was wildly optimistic.

The second question — why you believed it would succeed — is often more illuminating. Did you skip user research because you were “pretty sure” about the solution? Did you base the estimate on a competitor’s case study without considering how different its users are? Did stakeholder enthusiasm override data? Did a product manager oversell their pet project in order to get their idea shipped?

Understanding your reasoning process helps you fix it. Maybe the deliverable is a new requirement that all experiment hypotheses must be backed by user research. Maybe it’s a calibration session for the team on realistic effect sizes. Maybe it’s a decision to stop using competitor case studies as primary evidence.

Scenario 2: The Super Successful Feature

Your team shipped a new dashboard feature that you hoped would improve user engagement. You estimated a 10% increase in daily active users. Instead, you saw 45%, the feature came in two weeks early, and users are requesting similar updates to other areas of the product.

Why did this go so well?

A good postmortem might uncover that the designer had worked in this domain before and deeply understood user workflows, or that you involved users unusually early and ran some initial experiments to validate the direction before shipping the final feature. It might show that you had a stable team with no turnover during the project or that the engineering lead pushed for a technical approach that made iteration faster.

Whatever the reasons, you want to identify them and systematically increase the chances of replicating them. Maybe you create a new practice of bringing in domain experts for complex features. Maybe you insist on validation experiments for strategic projects. Maybe you fight for team stability during important initiatives.

Success isn’t magic. It has causes, and you can identify them.

The Anatomy of a Good Postmortem

Here’s what you need to make postmortems useful.

1. The Right People in the Room

At a minimum, include:

• Core team members who worked on the project
• The product manager or project owner
• Key stakeholders who were involved in decisions
• Someone from a related team who can offer outside perspective (optional)

Don’t invite 30 people. You want enough perspectives to see the full picture but few enough that everyone can contribute meaningfully. Six to ten people is usually right.

2. Clear Success Criteria (Ideally Defined Beforehand)

If you didn’t define what success looked like at the project’s start, the postmortem becomes much harder. You end up arguing about whether a 5% increase was good or whether shipping two weeks late was acceptable.

Define success metrics upfront for future projects. For the current postmortem, spend time at the beginning aligning on what you were trying to achieve and how you’re measuring it now.

3. Psychological Safety

This is critical, especially for projects that didn’t go well. If people are afraid they’ll be blamed, they won’t share honestly, and you won’t learn what actually happened.

Make it explicit: “We’re here to understand what happened and improve our system, not to blame individuals.” Consider having a facilitator who wasn’t involved in the project run the session.

When mistakes come up, the question is always “what about our process allowed this mistake to happen?”, not “why did this person mess up?” People make mistakes; systems should catch them.

4. Root-Cause Analysis

This is where you dig deep to understand why something happened. One useful technique, borrowed from my engineering days, is the five whys.

Here’s how it works with a design example.

Problem: Users abandoned the new checkout flow at a high rate.

• Why? They got confused at the payment-information step.
• Why? The form wasn’t clear about which fields were required.
• Why? Required field indicators weren’t visible enough in the design.
• Why? The designer used the component library’s default styling without customizing it.
• Why? The component-library documentation doesn’t explain when to customize components for accessibility.

Now you have a real root cause: inadequate component-library documentation. The solution isn’t “the designer needs to be more careful.” It’s “update component-library docs with accessibility guidelines and customization recommendations.”

Or, it might be to update the components’ implementation  so that it’s impossible to ship something that isn’t accessible. Sometimes the solution depends on what’s possible for your team to accomplish or to convince another team to improve.

You don’t always need exactly five whys. Sometimes it’s three, sometimes it’s seven. Keep asking until you hit something systemic that you can change.

Other useful techniques include:

• Timeline reconstruction: mapping key decisions and their consequences
• Resource-allocation analysis: did we have the right people, time, and budget  
• External-factor consideration: market changes, competitor moves, or organizational shifts that affected the outcome

5. Actionable Postmortem Deliverables

This is nonnegotiable. Every postmortem must produce concrete changes to your system.

Bad postmortem deliverables:

• “Communicate better with stakeholders.”
• “Be more careful with research recruitment.”
• “Don’t let this happen again.”
• “Be smarter.”

These are vague, unactionable, and unfollowable. They also rely on humans always doing the right thing in every circumstance, which, in my experience, is not going to happen.

Good postmortem deliverables:

• “Add a required stakeholder-review gate at the end of the research phase for all strategic projects.”
• “Update the research-recruitment checklist to include a step for verifying participant qualifications before scheduling them”
• “Create a prelaunch checklist that includes reviewing analytics implementation with engineering.”

Notice that good deliverables change the system. They create new processes, update documentation, modify checklists, or establish new requirements. They don’t rely on people promising to “do better.”

Focus on two types of changes:

• Process changes, like instituting checklists, adding new review steps, or fixing broken systems, can prevent bad things from happening
• Culture changes, like changing the team’s mindset or making certain behaviors feel more normal, shift how the team operates

Maybe you discover that your best work happens when designers pair with researchers early, so you make early pairing the default. Maybe you learn that having a dedicated project manager improves communication and adherence to timelines, so you fight for project-management support on future strategic work.

6. Someone Owns Each Postmortem Deliverable

Actionable deliverables are worthless if nobody implements them. Before the postmortem ends, assign an owner and a deadline to every action item.

Then follow up. This is the part most teams skip, which is unfortunate, because without it, your postmortem won’t change anything. Establish a recurring monthly reminder to check on action items and update your team on progress. If something isn’t getting done, figure out why, and either reprioritize it or remove it.

7. Documentation and Archiving

Write down what you learned and store it somewhere the whole team can access — a shared drive, a wiki, a Confluence page, or whatever works for your organization.

Make it easy to find. Future team members should always see the postmortem from the checkout redesign when they’re about to start a new checkout project.

Include:

• Project overview and goals
• Success metrics and actual outcomes
• Key findings from the root-cause analysis
• Deliverables and their owners
• Timeline (if relevant)

Don’t write a novel. Two to three pages is usually enough.

UX-Specific Considerations

While postmortems originated in engineering, UX and product work has its own challenges that deserve attention.

Research Quality vs. Research Impact

Sometimes great research gets ignored, or mediocre research drives major decisions. Your postmortem should examine both the quality of the research and whether it actually influenced the outcome. It should also acknowledge when research wasn’t done at all, and look at what the outcomes of the project were.

If you did rigorous generative research that no one acted on, that’s worth analyzing. Why didn’t it land? Was it a communication problem? A timing problem? Did stakeholders not understand the implications? Did you fail to connect research insights to business metrics? Regular postmortems can uncover patterns of project failures after neglecting research results.

Stakeholder-Engagement Patterns

When and how you involve stakeholders dramatically affects project outcomes. Postmortems should examine this explicitly.

Did you involve leadership too late, after decisions were already made? Did you overinvolve them, turning every minor decision into a committee discussion? Did you bring them in at the wrong moments, asking for detailed feedback on execution when you needed strategic direction?

Identify the engagement pattern that worked (or didn’t) and codify it for future projects.

Design-Iteration Cycles

UX work requires iteration, but how much is right? Postmortems can help you calibrate.

Maybe you learn that you tested too early with throwaway sketches that confused users and wasted time. Maybe you tested too late and had to throw away high-fidelity work. Maybe you tested with the wrong users — early adopters when you needed mainstream users, or consumers when you were building for enterprise.

These insights help you optimize future iteration cycles.

Distinguishing Correlation from Causation

Be careful about assuming that because X happened before Y, X caused Y. This is especially important in UX work, where many factors may influence outcomes simultaneously.

Your new design launched and retention improved. Great! But did the design cause the improvement, or did it launch at the same time as a marketing campaign, a competitor’s price increase, and a seasonal upswing in your category?

Good postmortems separate signal from noise by looking for evidence beyond timing. If you ran an A/B test, then you have a head start because you already know whether the design change was effective and can focus on investigating why your hypothesis succeeded or failed, so you can improve future decision making. If you didn’t have an experiment, triangulate using existing qualitative data to rule out alternative explanations and to understand what likely drove the outcome. 

Making Postmortems Part of Your Culture

The first few postmortems will feel awkward. People won’t know what to expect. They’ll worry about blame. They’ll wonder if this is a waste of time.

Push through it.

After you’ve done three or four, and people see action items getting implemented, and they watch the team genuinely improve, postmortems will start to feel valuable instead of painful.

Here’s how to build the habit:

• Start with successes. Your first postmortem should examine a project that went well. This sets a positive tone and teaches people the format without the emotional weight of analyzing a failure.
• Keep them blameless. Every single time, reinforce that you’re examining systems, not judging people. When someone blames themselves or others, redirect to process.
• Follow through ruthlessly. If you don’t implement the deliverables, people will stop taking postmortems seriously. Implementation is where the value lives.
• Share learnings broadly. When a postmortem produces a valuable insight, share it with other teams. This multiplies the value and encourages participation.
• Make them regular but not burdensome. You don’t need a postmortem for every tiny project. Focus on strategic projects, major launches, significant experiments, and anything that produces surprising results (good or bad).

The Goal: Systematic Improvement

Here’s what I learned doing postmortems as an engineer: when something bad happened, like a P0 bug taking down production, a security vulnerability, or a data-loss incident, we couldn’t just fix the immediate problem. We had to understand the root cause well enough to prevent that category of problems from ever happening again.

The same principle applies to product development. When a project fails or succeeds beyond expectations, you have a rare opportunity to understand why and systematically improve how your team works.

Most teams don’t take advantage of this opportunity. They ship, they move on, they repeat the same mistakes and fail to replicate their successes. They get better slowly, through gradual accumulation of experience, if they get better at all.

Postmortems let you get better quickly and deliberately. They transform random experience into systematic learning.

But only if you actually do them. And only if you follow through on what you learn.

So pick a recent project and try a postmortem. Get the team together, dig into what happened and why, and commit to changing something based on what you learn.

Then do it again next month.

You’ll be surprised how much faster you improve when you’re learning intentionally instead of accidentally.

A reused password harvested in an unrelated breach enables a criminal to access a stored wallet and drain loyalty points.

Call them the twin engines of commerce’s breaking point: Authentication failure and credential-based fraud.

Conversion Pressure Meets Fraud Fatigue

PYMNTS reporting has noted that credential stuffing and phishing continue to exploit password reuse, creating operational and reputational damage for merchants and financial institutions.

High-income shoppers, who often maintain multiple digital accounts across retail, travel and financial services platforms, are especially sensitive to login friction. They are also attractive fraud targets because of higher balances and transaction values. The combination of elevated cart values and persistent credential-based attacks sharpens the business case for stronger, lower-friction authentication.

This is the context in which attention around passkeys is accelerating.

Signals From Platforms

Passkeys are passwordless login credentials based on public-key cryptography that are stored on a user’s device and unlocked locally with biometrics or a PIN, eliminating shared passwords and reducing exposure to phishing and credential theft.

PayPal and Stripe grabbed their fair share of attention this week amid rumored dealmaking, but no matter what the outcome of any corporate action, their own efforts in moving beyond the password has been notable. PayPal has expanded support for passkey-based login for consumer accounts in the United States and additional markets, positioning the feature as a way to reduce phishing risk while simplifying sign-in.

Stripe has published developer guidance encouraging merchants to implement passkeys through WebAuthn standards to improve login resilience and speed. Both companies sit at critical junctions of online checkout and wallet activity. When large platforms integrate a security model into widely used login flows, adoption may follow.

PYMNTS coverage of wallet competition has emphasized that conversion rates and security posture increasingly are valued by consumers, as evidenced by our continuing “How the World Does Digital” series.

If passkeys demonstrably reduce login friction and phishing exposure within major wallet ecosystems, merchants may view implementation as part of their near-term roadmaps.

Where Adoption Stands

Passkeys are built on standards developed by FIDO Alliance, which has promoted phishing-resistant authentication based on public-key cryptography. Major operating systems and browsers now support passkeys, enabling credentials to be stored on a device and unlocked locally through biometrics or a device PIN.

Financial institutions are testing passwordless authentication in limited deployments, often layering it alongside existing multifactor controls rather than replacing them outright.

Adoption remains uneven. Some merchants have integrated passkeys into account login flows. Others continue to rely on passwords and SMS one-time passcodes, citing integration costs, customer education hurdles and account recovery complexity.

From a regulatory standpoint, passkeys present both opportunity and scrutiny. Because biometric data typically remains on the user’s device rather than being stored centrally, the model may reduce exposure under state biometric privacy laws. However, institutions must still satisfy supervisory expectations around strong authentication and fraud mitigation.

Pain Points Addressed, Challenges Ahead

The commercial appeal is concrete. Passkeys eliminate password reuse, diminish phishing effectiveness and remove reliance on SMS codes that are vulnerable to SIM-swap fraud. They can shorten login time and reduce password reset support costs.

Enrollment requires consumer awareness and trust. Cross-device synchronization is improving but depends on platform ecosystems. Account recovery processes must be designed carefully to prevent lockouts without reintroducing weak fallback mechanisms.

In the meantime, merchants face measurable abandonment tied to authentication. Financial institutions face ongoing credential-based fraud. The trajectory of adoption will hinge on evidence as passkeys produce lower account takeover rates and improved conversion metrics within major wallet and checkout environments.

The payments industry is locked into a race toward speed. Faster rails, real-time settlement, one-click checkout, invisible authentication and more innovations are all pointed toward one assumption: that friction is the enemy, and technology’s job is to eliminate it.

But as the payments ecosystem matures, the next frontier is one of understanding where speed alone is no longer a differentiator.

“If you think about the payments industry and what we’ve been building for the last decade, it’s faster rails, smarter algorithms. But we hit a wall when those algorithms do not have the full picture,” Entersekt Chief Strategy Officer and Co-Founder Dewald Nolte told PYMNTS  during a conversation for the “What’s Next in Payments” series February edition, “Word of the Year.”

That wall is becoming more visible to banks, merchants and FinTech platforms grappling with a paradox: They have more data than ever, yet are often less certain about what it means. Fraudsters exploit that ambiguity, while legitimate customers are caught in the crossfire of overly cautious risk models.

“We are drowning in data, but we’re starving for wisdom,” Nolte said, noting that for 2026, his word of the year is “context.”

When Fraud Prevention Becomes a Customer Experience Problem

Historically, fraud prevention has been measured by how much bad activity gets blocked. But that metric obscures an uncomfortable truth that the same systems designed to stop criminals can frequently alienate loyal users.

“It’s almost an insult,” Nolte said of repeat customers forced through unnecessary verification. “It’s like, you should know me.”

Consider a high-value transaction flagged by traditional controls. A $5,000 payment to an online casino, for example, may automatically trigger alarms. Yet without historical insight into the user’s behavior, the system cannot distinguish between fraud and a known, affluent customer acting exactly as they always have.

“If you have the full context of this user, such as the fact that there’s been 10 transactions over the last six months with no issues, suddenly that changes from fraud to, ‘This is a VIP customer, and how can we enable that?’” Nolte said.

This is where context transforms from an analytical enhancement into a competitive necessity. Payments leaders are realizing that false declines, the legitimate transactions rejected by risk engines, can carry hidden costs around lost revenue, damaged trust and diminished brand loyalty.

One of the most visible outcomes of context-driven payments, Nolte predicted, may be the decline of blanket authentication challenges such as one-time passwords and step-up verification prompts applied indiscriminately.

“It’s going to be the death of the automatic step-up,” he explained.

Instead of treating every transaction as suspicious until proven otherwise, contextual systems can continuously interpret behavioral signals, device intelligence and historical patterns to determine when security should be visible, and when it should disappear entirely.

The Real Barrier Isn’t Technology. It’s Fragmentation.

Despite advances in machine learning, cloud infrastructure and real-time processing, the payments industry’s biggest constraint is not computational power. It’s fragmentation.

Data remains trapped inside institutional silos: Issuing banks guard transaction histories, merchants hold behavioral insights and identity signals are scattered across third-party providers. Each participant sees only a slice of the customer journey.

“If you’re only looking at your little silo, that’s not good enough anymore,” Nolte said, describing the emerging baseline capability as “orchestrated ingestion,” or the ability to gather signals from multiple sources in real time and synthesize them into a unified risk decision.

“Sometimes the biggest challenge is that we want to build our little kingdom,” he added. “But there’s someone out there who has a perspective that you don’t have, and you need it.”

The urgency for collaboration is amplified by the evolving sophistication of financial crime. Fraud networks already operate as highly coordinated information-sharing ecosystems, trading techniques and data in real time.

“The criminals do better than us in one area,” Nolte said. “They actually share data.”

To counter that threat, institutions should consider adopting what Nolte called “collective defense” by pooling intelligence across organizational boundaries.

“There is a regulatory recognition around making sure that the guardrails and mechanisms for sharing data in a responsible way are being addressed,” he said.

Evolving Trust From Transactions to Relationships

If the payments industry’s first digital era was defined by velocity, its next phase may be defined by interpretation. Context turns isolated transactions into continuous relationships, allowing systems to recognize intent rather than merely process inputs.

“You want to move from just the fraud rate of how much fraud did I block to the trust rate,” Nolte said.

The shift reframes security as a customer experience discipline as much as a risk function and means quantifying how effectively an institution approves legitimate activity while still maintaining high protection levels.

Nolte suggested the real benchmark is the reduction of false declines without sacrificing fraud prevention.

“If I can maintain 99.9% fraud prevention by slashing my false declines by 50%, that’s the measure,” he said. “How much can I reduce these false declines where I make my most loyal customers feel like strangers?”

At the end of the day, in 2026, the winners in payments may not be those who move money the fastest, but those who understand the moment best.