Viewpoint: Why Better Payments Security Requires More Sharing
Payments people start biting their nails when they hear “share more with more.” They’ve been conditioned to keep payments information from ever being shared. But that’s in the context of protecting legitimate payments system users from losing money while a fraudulent party benefits. At 7,000 members, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is currently the largest financial services trade association in the world. I attended its fall summit last October, a month fittingly designated National Cybersecurity Awareness Month, and heard plenty about sharing. The mission of FS-ISAC is “always strength in sharing.” This year’s summit focused on “expanding the trust.”
Payments people are used to looking for fraud by way of chargebacks and returns, one payment-channel silo at a time. Shhh. Don’t let ACH people share information with wire people, and vice versa—the risk department will let us know if there is an issue. Of course, payments fraud is a constantly changing battle, and we must remain vigilant. However, who is prepared to recognize payment events that from a bird’s-eye view may look legitimate but, when analyzed, point to a threat of mass destruction?
Recent distributed denial-of-service (DDoS) attacks highlight the scale of network bandwidth that can be unleashed on connected systems. Payments are just that, a network of systems that connect every aspect of our economy. There are countless examples of services or goods not being rendered when payments aren’t received. Liquidity failures do tend to cause a state of panic. Even attacking one specific sector such as payroll processing on the first of the month could lead to disaster. As my colleague pointed out in a July 2016 blog, cash is alive and well, but payments systems today rely totally on telecommunications, which rely on our power grid.
Admiral James Stavridis, the keynote speaker at the FS-ISAC Summit, echoed the importance of expanding trust, along with the need to increase the resiliency of the nation in the event of a cyber-incident. Stavridis provided many encouraging solutions, one being that it’s time for a cyber-force branch of the military. The United States Air Force was formed as a separate branch of the military in September 1947 under the National Security Act of 1947 as aerial warfare advanced. Stavridis proposed that now is the time for us to consider that cyber-incidents could be used as weapons of mass destruction. He applauded the current combat against cybercrime, yet encouraged new thought on what could be in store and how quickly it could arrive.
How do payments people continue down the path of protecting individual players while simultaneously protecting the nation from a crippling cyber-incident? It could be just a matter of whom you invite to the table. As I saw with attendance at the FS-ISAC Summit, the cybersecurity conversation needs to include diverse skill sets. There has been a trend in moving information security departments away from their information technology partners and under the risk and compliance umbrella so they can remain unbiased when scrutinizing payment transaction red flags and other systems. Additionally, legal barriers are being reevaluated to ensure that law enforcement can access information, most notably by FinCEN expanding suspicious activity report requirements to include cyber-events.
There is a growing sense that payment security equates to cybersecurity and national security. With Stavridis and others promoting the movement for “expanding the trust,” new ideas continue to emerge. Hopefully, the technologies and strategies that are made to wow us (for example, the Internet of Things, machine learning and the distributed ledger) also can serve to unite and protect us.
Jessica Washington is a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.
In Viewpoints, payments professionals share their perspectives on the industry. Paybefore presents many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.