Mastercard, WorldPay and AmEx were among the payment processors who took part in a ‘cyber war game’, in a bid to test their systems amid rising IT security threats. The payment companies held their first joint cybersecurity war games to test their systems’ readiness for simultaneous attacks, uncovering differences in their defences including even how to define a crisis.
JPMorgan Chase, Mastercard, American Express, WorldPay and Fidelity National Information Services were among the 18 payment processors from the US and the UK that took part in the cyber war game exercises, which were held at IBM’s test centre in the US.
Financial firms have led spending on cybersecurity as high-profile attacks exposing customer data and theft of funds raised pressure on the industry. Executives and regulators are concerned that a systemic attack on the plumbing of the financial system could disrupt the global economy, and cooperation between the industry and government agencies is increasing.
“We put competitors in the same room together, which initially they were hesitant to do,” said Rob Johnston, chief information security officer for FIS and one of the organisers. “But they realised pretty fast how valuable such a gathering is. When there are multiple breaches in an organised attack, it’s better to coordinate the response.”
The participants discovered that they had varying definitions of a crisis related to breaches as well as differing approaches in how they reach out to law enforcement. Agreeing on a common definition and streamlining cooperation with government agencies will be goals for the payments industry, Johnston said. The sector will also seek a more formal way of sharing information on threats, he said.
Some of the payments firms are members of the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, a forum for banks, broker-dealers and insurance companies to share data on threats. Banks and brokerage firms have been holding cyber war games regularly since 2011, testing the U.S. capital markets’ readiness for attacks.
“It’s interesting to see that payment processors are actively testing their systems to see how prepared they are for a cyber-attack,” says David Emm, Prinicpal Security Reeacher at Kasperky Lab.
“In today’s digital age, online fraud is a very real threat. With almost every area of our daily lives now online, fraudsters are using a host of sophisticated and varied cyber-threats to target victims, and make them drop their guard. There are a variety of different types of credit card fraud; from combining cold-calling with phishing emails to targeted attacks that are being initiated through payment system endpoints and through the exploitation of customers’ credentials and confidential data.”