Ruston Miles, Founder and Chief Strategy & Development Officer, Bluefin.

Payments are no longer limited to traditional checkout experiences. They’re being built directly into the platforms and environments where transactions happen. This shift is accelerating, with S&S Insider estimating the embedded payments market to reach $192.9 billion by 2032.

Much of the conversation around this growth centers on how embedded payments deepen platform value. But as businesses expand how they monetize and engage customers, a structural gap is exposed: the infrastructure securing these transactions hasn’t kept pace with how widely and quickly they’re being deployed.

As payments move across a growing mix of systems, endpoints and intermediaries, sensitive data is traveling through fragmented environments without a consistent model to govern data protection, introducing risks many organizations aren’t yet fully equipped to manage.

To capture the benefits of embedded payments without introducing new vulnerabilities, infrastructure must evolve alongside them, beginning with a more deliberate approach to how security is designed into the payment flow.

The biggest risks are at the edges of the ecosystem.

Embedded payments are taking shape at the edges of the ecosystem: within SaaS platforms, marketplaces and applications that weren’t designed to manage distributed, multi-party payment flows. These environments prioritize speed and user experience, often treating security as a downstream responsibility. The result is foundational gaps in how payment data is protected from the outset.

These gaps widen as embedded payments extend beyond digital use cases into environments that span both online and in-person experiences.
The inclusion of physical devices, EMV (Europay, Mastercard and Visa) transactions and semi-integrated point-of-sale systems expands where sensitive data is captured, processed and transmitted, introducing additional points of exposure across the payment flow.

As payment data moves across front-end applications, middleware, third-party application programming interfaces (APIs) and physical endpoints, control becomes fragmented. No single layer consistently governs how that data is protected across its lifecycle, leading to inconsistent tokenization and unclear ownership of compliance and risk across platforms, processors and merchants.

These consequences are often invisible until something goes wrong. By the time an incident surfaces, payments are already embedded within the architecture, and retrofitting security, especially across devices and distributed systems, becomes operationally disruptive, expensive and difficult to scale.

Security can’t be deferred or confined to a single layer. It must be built into the entire payment environment—from hardware and encryption to key management and every system that touches payment data.

How To Secure Embedded Payments

From the moment data is captured through the full transaction lifecycle, organizations need embedded protections that can work with how and where payments occur. The following principles help practically guide this shift:

1. Protect data from the moment it’s captured.

Risk begins at the point of interaction, where payment data first enters the system. Point-to-point encryption (P2PE) secures this entry point by encrypting card data immediately, an essential safeguard in card-present environments where devices introduce additional exposure.

As embedded payments extend across both digital and physical channels, protection must also go beyond initial capture.
Device-level encryption, secure key injection and validated P2PE implementations help ensure sensitive data remains protected as it moves through the system.

Securing data at the source limits how far it can travel in usable form, reducing exposure as embedded payment environments continue to expand.

2. Eliminate raw payment data exposure across systems.

As payment data moves across embedded environments, reducing where it exists becomes critical. The more systems that handle raw data, the greater the risk of exposure across applications, APIs and logs. Strong architectures minimize or eliminate its presence altogether.

Format-preserving tokenization replaces primary account numbers with non-sensitive equivalents, ensuring most systems never handle usable payment data. Because applications interact with tokens rather than live card data, exposure is limited even when systems are compromised.

3. Centralize control, key management and visibility.

In embedded payment environments, security often breaks down because control is distributed across too many systems. Without a centralized approach, discrepancies emerge in how data is encrypted, tokenized and managed as it moves across the payment flow.

Establishing a unified control layer (independent of processors, gateways or endpoints) creates consistency in how sensitive data is protected across channels. This approach allows security policies to be applied once and enforced everywhere, rather than relying on each system to handle it correctly in isolation.

Equally important is visibility. Understanding how payment data moves across systems and maintaining a clear chain of custody reduces ambiguity around ownership, strengthens compliance and ensures accountability across platforms, partners and merchants.
With a centralized view, organizations can better track and manage payment data as it flows through increasingly complex ecosystems.

Security enables scale.

As embedded payments expand, the systems supporting them become more complex and exposed. When security is treated as an add-on, risk compounds quickly and architectural constraints take hold, making them difficult to unwind.

That’s why security must be built into the foundation of payment infrastructure from the start. Doing so creates flexibility across providers, strengthens control over data and relationships, and enables scale without constant rework.

Ultimately, security determines whether scale becomes a competitive advantage or a compounding liability.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Embedded Payments Are Scaling Faster Than Security Can Keep Up
To capture the benefits of embedded payments without introducing new vulnerabilities, infrastructure must have security deliberately designed into the payment flow.













