Field note

Payment modernization stalls at security review, not architecture

Payment modernization projects do not stall at the architecture layer. They stall at the security review layer - threat models built for monoliths, questionnaires written for general software, cycles tuned for annual releases. The teams that ship on time put security in the room before design, not after.

Apr 13, 2026 · Navin Agrawal · Payments · 2 min read

Payment modernization stalls at security review, not architecture

Visual brief

Visual brief

Payment modernization stalls at security review, not architecture

As of April 2026

Payment modernization projects do not stall at the architecture layer. They stall at the security review layer. Across multiple major platform transformations, every one lost months to reviews that were not designed for API-first payment infrastructure.

The security teams were not wrong. They were doing exactly what they should. The problem was the process: threat models built for on-prem monoliths, questionnaires written for general-purpose enterprise software, and review cycles calibrated for annual releases.

Where it stalls

Security review

modernization rarely stalls at architecture - it stalls at a review layer built for other software.

Payment-specific risk

Off-template

token-lifetime drift across rails, idempotency replay, and OAuth scope sprawl across four rails.

The fix

Risk register

a joint threat model before design produces one artifact security helped define.

Why the template misses

Payment APIs are not general-purpose enterprise software. They carry threat surfaces a standard questionnaire does not cover: token lifetime drifting across rail boundaries, idempotency replay risk, and OAuth scope sprawl when you integrate four payment rails at once. None of those map cleanly to a generic, NIST-aligned review template, so the review spends its time discovering the shape of the system instead of judging it.

What the fast teams do

They run a joint threat model with security before design starts, not at the end of it. That session produces one artifact: a risk register mapping payment-specific attack vectors to agreed controls, written before a line of code exists. The register then replaces the discovery phase of the formal review, because security already knows what acceptable looks like for a payment API surface - they helped define it.

Payment modernization stalls at security review, not architecture (as of April 2026): modernization rarely stalls at the architecture layer and instead stalls at a security review layer built for other kinds of software; payment APIs carry off-template risks like token-lifetime drift across rails, idempotency replay, and OAuth scope sprawl across four rails; and the fix is a joint threat model run before design that produces one risk register security helped define, replacing the discovery phase of the formal review.
Put security in the room before design, and the review judges the system instead of discovering it.
Payment architects who ship modernization on schedule have one thing in common: a security team that was in the room before the design started.

Was this useful?

Choose once.

Related Posts

View All Posts »
Banks are starting to twin the org, not just the branch

Banks are starting to twin the org, not just the branch

Digital twins began as 3D models of physical space. The next step is simulating how a bank actually runs - so you can test a payment-rail change or a regulatory shift against every system before it touches production. Most banks still only document what exists.

Under a second is the right answer to the wrong question

Under a second is the right answer to the wrong question

At an AWS Bedrock AgentCore Payments session the question was what happens at a thousand transactions a second, and the answer was settlement in under a second. Both are true and they answer different questions. The right frame for one payment crossing a trust boundary is the wrong frame for a million events a day inside one agent fleet, where the chain fee stacks up before anything else does.

Stablecoin custody and issuance converge on one charter

Stablecoin custody and issuance converge on one charter

Two US regulatory threads just lined up. The GENIUS Act created a federal pathway to issue payment stablecoins, and the OCC's new rule lets national trust banks hold digital assets in non-fiduciary custody - then conditionally chartered Coinbase as one. Issuance and custody can now sit inside the same federally regulated counterparty.

A chartered bank just put a stablecoin on card settlement

A chartered bank just put a stablecoin on card settlement

SoFi Bank put SoFiUSD on Mastercard's settlement layer. Authorization still rides the card rails and the merchant sees nothing change, but the interbank fund movement happens on-chain, around the clock, with no batch window and no correspondent float. For the first time, issuers and acquirers get to choose their settlement medium.