The CISO who codes security into the product before the first line ships

In most organizations, the CTO and CISO sit on opposite sides of a familiar argument: one wants to move fast, the other wants to move carefully. Vineet Daniel has resolved that tension by becoming both. As CTO and CISO at PayMe, a fintech lending platform navigating the convergence of open APIs, embedded finance, and AI-driven credit underwriting, he has built a security philosophy that treats compliance not as a brake but as a foundation. In this conversation with CISO Forum, Daniel speaks candidly about structuring DPDP consent frameworks without sacrificing product velocity, the three Zero Trust gaps Indian fintechs rarely admit publicly, and why the pace of AI evolution, not any single attack vector, is what keeps him up at night.

Vineet Daniel
CTO & CISO
PayMe

CISO Forum: Running both CTO and CISO roles simultaneously — where does the tension between shipping fast and securing deep show up most acutely in a fintech like PayMe?

Vineet Daniel: Being a CTO and a CISO means having two different hats at the same time. One responsibility is to deliver on time using innovative methods and technologies; the other is to ensure everything is compliant and secure. But at the same time, being a CISO doesn’t mean the CTO’s role has to stop innovating or shipping fast. Both work in conjunction and, in fact, have helped me build security from day one. So whatever we are doing, security is baked in, compliance is baked in, and we always make sure the team is trained and aware of the compliance requirements and regulations set by the RBI. Being both CTO and CISO has, in fact, helped both our team and our mission by enabling us to ship fast, innovate, and deliver secure solutions.

CISO Forum: AI-powered credit underwriting relies heavily on alternative data. What are the biggest cybersecurity and data integrity risks that CISOs in lending platforms often underestimate?

Vineet Daniel: I wouldn’t say that CISOs often underestimate anything; that would be an understatement. As a CISO, we have to make sure that, especially now that DPDP has come into force and PII has come into the picture, the personal data of the user, the ultimate consumer of the platform, remains secure and doesn’t get hacked, breached, or used by malicious actors. So, in that sense, whatever we are building, as I said earlier, whether it is in the database, on the platform, or in transit, we make sure that it is secure. Even in our models, we have tested guardrails in place. Whenever PII is detected, and someone has inadvertently supplied personal information, a notification is sent. We make sure that everything, especially PII, doesn’t enter the public domain, LLMs, or unsecured or unsafe zones.

CISO Forum: With enforcement of the DPDP Act tightening in India, how are you structuring your DPIA and consent management frameworks without slowing product velocity?

Vineet Daniel: With the DPDP Act now in force, privacy has actually moved from being a good practice to a statutory obligation for vendors. We have built upon the concept of purpose limitation, for example. And it’s not just us; all the vendors who are supplying or helping us with data are equally aware. We also met with them while the DPDP framework was being finalized and before it came into force to discuss how we would manage user data. Because in certain places we rely on third-party APIs to obtain data, we have ensured, in collaboration with the vendors, that proper user consent is in place and is timestamped and recorded with audit trails and logs. The purpose is clearly mentioned, visible to the user, and visible to us. By that, we mean that the use of that data is solely for the stated purpose. For example, if we are pulling a bureau report for a particular loan, we use it only for decision-making and then discard it. Whenever that user applies for a new loan, we fetch fresh records.

CISO Forum: What does PayMe’s AI-powered fraud detection architecture look like, and how do you balance anomaly detection sensitivity against false positives that could hurt genuine borrowers?

Vineet Daniel: When it comes to technology, it’s not perfect. There are certain flaws and false positives. It depends on the ratio at which they occur, but thankfully, you can keep tweaking the percentage or threshold of what should be considered the correct parameter. For example, if a user uploads a live selfie, there is another check we have in place that brings AI into the picture. We verify that it is a live selfie, not a recorded one or a reused image. There are certain checks that we put in place.

Now, there can be false positives, but we also have to consider the impact of real fraud being ignored just because we don’t want users to be flagged by the AI system. So there is a small percentage we consider acceptable, and in those cases, we direct them for manual review rather than discard them.

We send them for manual review, and the feedback is fed back into the system. If the system’s flag was correct or incorrect, learning happens through reinforcement learning, and we continuously improve those systems. So yes, there could be false positives, but it is always a learning system. While we try to reduce false positives, people with malicious intent keep devising innovative ways to bypass controls. So it’s always an ongoing learning process.

CISO Forum: As embedded finance expands through open APIs, the attack surface grows dramatically. What’s your security philosophy for third-party API integrations with institutional partners?

Vineet Daniel: Embedded finance is real, and it went through a high-growth phase in which unit economics held up.

What I have learned is that embedded lending succeeds on two things: integration quality and absolute clarity of where the credit risk sits. As I mentioned earlier, we had many meetings with vendors, especially in embedded finance, where account aggregators play a key role. They have their own consent management systems and their own security practices in place. The DPDP Act does not apply just to us; it is equally applicable to our vendors. They are equally responsible and aware that they must maintain compliance.

So it’s not just us who need to be compliant; they do, too. When we onboard any vendor, we review each other’s compliance posture. We have a checklist that is followed with every vendor onboarding. We also have ISO and PCI DSS automation, which strengthens our security posture and gives our customers and vendors confidence that we are not creating security risks.

CISO Forum: CISOs across BFSI are nervous about GenAI. At PayMe, are you deploying it more aggressively as a capability, or are you still focused on managing it as a risk?

Vineet Daniel: I am enthusiastic about Generative AI and deliberately conservative about where it goes. Where it has delivered real value for us is in engineering productivity, internal knowledge management, operations, and, increasingly, customer support. We have deployed a customer support bot that has offloaded 60–70% of our customer queries from the support team to the bot.

The other area where we focus is governance. We authorize AI access through a controlled environment and use hyperscalers to do so. We don’t allow unmanaged personal AI tools on corporate devices or within office premises. Everything is done through enterprise accounts. We have measures in place to handle sensitive data.

I wouldn’t call it anti-AI. In fact, it’s the opposite. It’s about treating GenAI as something that must operate with clear access controls, audit trails, and accountability. That’s what lets you adopt it confidently rather than nervously.

So I wouldn’t say that, as a CISO, we need to be nervous or overly conservative about its adoption. This is a change that we cannot resist; we have to adapt to it sooner or later. At PayMe, we have already started adopting it, and the biggest change we have seen is in engineering and other departments, where it has increased efficiency multifold. It is another very efficient tool in our toolkit.

CISO Forum: SaaS-based lending platforms mean deep dependency on third-party vendors. How do you approach vendor risk management and security due diligence at scale?

Vineet Daniel: We have our own checklist that we have created over time. It has gone through many changes and iterations during this period.

For example, with DPDP coming into the picture, we made some changes again and added many clauses to it. We ensure that most of the vendors we onboard have VAPTs, relevant certifications, and proper governance practices within their organizations. We assess how seriously they take DPDP compliance and review the frameworks they use. We also conduct a small POC before onboarding and evaluate all the good practices they follow.

We ensure that the checklist is at least 90–95 percent green. At times, certain items may still be in progress. For example, one of our vendors was in the process of obtaining PCI DSS certification for their operations, so we gave them an exception with a time-bound limitation. We agreed that by a specific date, they would have to share the certification with us. So, this is how we go about it.

There is no casualness in due diligence. We ensure that everything, especially PII and customer data, is secured and transferred securely. There are measures and validations at each and every point where the data is transferred or changes hands.

CISO Forum: Has PayMe moved to Zero Trust architecture? What are the practical implementation gaps that Indian fintech CISOs rarely discuss publicly?

Vineet Daniel: There are certain things that Indian fintech CISOs do not want to discuss publicly, and of course, for obvious reasons. But yes, we’ve had close discussions among ourselves and with peers from different fintechs about how they are handling security, and ZTNA is one of the very good tools that helps us achieve that. This is also one of the questions I have been asked frequently in the past.

The first thing nobody likes to admit is that Zero Trust is actually easy to declare for new systems and very hard to retrofit onto what we already have, especially legacy systems. Most Indian fintechs, including ours, have legacy services and integrations built before Zero Trust was implemented. We are actively working on it and building new architectures in which Zero Trust principles are implemented from the start. We are also in talks with several vendors at the moment, and by next month, we will fully implement Zero Trust in our architecture.

The second gap is identity. Zero Trust actually lives or dies on strong identity management for every user, service, laptop, desktop, or any other machine connected to the network. Human users may have MFA, but service accounts and emergency access mechanisms can sometimes accumulate privileges over time because tightening them may risk breaking something in production.

So, we have to be careful about that as well. The new changes we are bringing in cannot apply only to newer systems, while legacy systems remain unchanged. That gap needs to be plugged before production deployment, which increases implementation time.

The third gap that I can think of at the moment is third parties, especially in a regulated lending ecosystem. We operate in an ecosystem of partner integrations and embedded finance, which we discussed earlier. A Zero Trust architecture or posture effectively stops at your own boundary.

The moment data crosses over to a partner, the situation changes. Data may be fully secured while it is with us, with all the required controls and safeguards in place. But once it passes on to a partner, we have to trust their network and trust their security maturity. We can define requirements contractually and include them in legal agreements, but it is difficult to verify and validate them regularly.

These are the three gaps that I can think of right now, and the third one is probably the most important.

CISO Forum: Cybersecurity talent in India is scarce, especially at the intersection of fintech and AI security. How are you building and retaining that capability internally at PayMe?

Vineet Daniel: As a CISO at an NBFC like PayMe, the threat model extends beyond financial inclusion. Modern identity abuse is also part of it. KYC fraud, account takeover, and API abuse are all concerns. For example, we have had instances where a person used his father’s phone and applied for a loan without the father even being aware of it.

So, I’ll give you a very honest answer. AI lowers the cost of attacks—deepfakes, KYC fraud, phishing at scale, and automated browsing attacks—but it is also a practical way to defend at that volume. No human team can review fraud signals quickly enough.

We need AI systems that work at scale and can operate in real time. At the same time, the importance of human cybersecurity personnel does not decrease; it actually increases. AI, if we think of it as an enabler, is also a threat because malicious actors may use it for purposes other than its intended use.

That is where cybersecurity personnel come into the picture. They continuously track these changes, test AI models, and identify weaknesses and risks within them.

Coming back to your question about the shortage of cybersecurity personnel, the shortage is not as severe if you can find a trusted partner to whom you can outsource parts of your cybersecurity workload. For example, you can have a cybersecurity professional within the company who oversees cybersecurity partners and vendors, and that can help resolve many of the challenges.

CISO Forum: Looking ahead 18 months, what keeps you up at night? What’s the one threat vector you believe Indian fintech CISOs are dangerously underprepared for?

Vineet Daniel: The one thing we are underprepared for—or you can say not fully prepared for—is the evolution of AI systems and the pace at which they are evolving.

The latest example is Claude Mythos, which was reportedly able to identify vulnerabilities in systems and operating systems that were being regularly patched and scanned by some of the best cybersecurity teams in the world.

I’ll repeat that—some of the best teams in the world. Yet vulnerabilities were still identified in those environments. That is what creates sleepless nights.

AI is a powerful tool. You can use it to increase efficiency, build better UI and UX for customers and consumers, and improve productivity. At the same time, it can be used to bypass security controls, carry out impersonation attacks, and create convincing deepfake voices that mimic a person’s identity.

So, those are the things that create sleepless nights—the pace of evolution of AI systems, the skills required to keep up, and the resources needed to defend against increasingly sophisticated threats.
