GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

You can protect your residuals


Industry Update

Top trends affecting payments in 2010

Best Buy boycott

Simulated onslaught to bolster security

Trade Association News


Preventing the inside job

Industry Leader

Biff Matthews –
The shoulders others stand on

Selling Prepaid

Prepaid in brief

Mercator benchmarks health of the industry

Incentivizing the seller

Game cards find heaven in 7-Eleven


Prepaid opportunity: Huge and growing

Patti Murphy
The Takoma Group

A new decade begins

Brandes Elitch
CrossCheck Inc.


Street SmartsSM:
Don't break the bank

Jon Perry and Vanessa Lang

Marketing in the next decade

Nancy Drexler
SignaPay Ltd.

One company per ISO deal

Adam Atlas
Attorney at Law

Net results

Dale S. Laszig
DSL Direct LLC

Company Profile

Payment Alliance International

New Products

Mobile trends applied to brick-and-mortar

Digital receipts with the L4150 terminal
Hypercom Corp., TransactionTree Inc.

Flexibility with a mobile terminal

Swipe It and QuickSwipe
Simply Swipe It LLC


Bounce the January blahs



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

January 25, 2010  •  Issue 10:01:02

previous next

Simulated onslaught to bolster security

On Feb. 9 to 11, 2010, payments industry organizations will take part in a cyber attack simulation exercise designed to test the security of payment networks, educate organizations on system vulnerabilities and recommend improvements to better secure those networks.

The exercise, dubbed the Cyber Attack against Payment Processes (CAPP), is being organized by the Financial Services Information Sharing and Analysis Center. Many associations throughout the financial services sector are supporting, promoting and participating in the event's planning, including the payments industry's own Payments Processor Information Sharing Council.

Princeton, N.J.-based processor Heartland Payment Systems Inc. is co-chairing the planning process. Robert O. Carr, chairman and Chief Executive Officer at HPS, and founder of the PPISC, said the exercise is "very important" to the ultimate goal of protecting data networks from security breaches.

"We've invited payments processors; we've invited retail merchants; we've invited a lot of merchant organizations, financial institutions," Carr said. "If they have a lot of electronic payments being processed through their organizations, they're encouraged to participate."

Nuts and bolts

According to John South, Chief Security Officer at HPS, the three-day exercise involves a set of "events" (cyber attack scenarios) that participants will be confronted with, followed by an evaluation of how participants' security safeguards would respond to the attacks. Anonymous surveys are included in the scenarios to give FS-ISAC and the participating associations a snapshot on the state of cyber security in financial services.

At the conclusion of the exercise, FS-ISAC will tabulate the results of the surveys to provide feedback to participating organizations on where vulnerabilities lie in payment networks.

The purpose of the exercise is therefore to allow companies to look "introspectively" - evaluate their own strengths and weaknesses from a data security standpoint, and thus take action to shore up weak points in their networks, South said.

Specifically for payments, CAPP will help show the industry "where do we really need to put, as an industry, the most effort, and whether it be in policies and practices or infrastructural development, or if it's just understanding the issues," South added.

Tim Cranny, CEO of payment security consulting firm Panoptic Security Inc., believes an exercise that confronts organizations with sophisticated attack scenarios could be "extremely valuable" to individual businesses and the industry overall.

Large processors and other high-profile targets attract the attention of "very focused individuals who, if you block the first 100 things, will try the 101st, the 102nd thing," Cranny said.

It is those types of evolving threats the exercise is designed to highlight, according to South.

"So each day there's a set of events and a set of questions to give the corporation or the entity that's participating a chance to look at their current systems," South said. "The next day - the second day - they receive a new set of events that say, 'OK, here's what evolved over the evening.'"

The same scenario occurs over day three, at the end of which FS-ISAC will tabulate the results for dissemination to CAPP participants.

The bigger picture

Carr and Cranny agree that this exercise is the first in which the payments industry is participating. Cranny believes this is a good sign.

"One thing that has held security back for a long time is that it has been a secretive, almost furtive type of process," he said. "People haven't admitted when they've had problems, haven't even admitted when they've had successes.

"There wasn't a lot of sharing information and war stories and learning from other peoples mistakes because no mistakes were ever admitted. But the bad guys are sharing very rapidly and learning from each other, so if you're going to deal with that escalating threat profile, it's a very good idea to share information and to do things like this. ... I think it is a step upward in maturity and sophistication for the industry. And it's a good thing."

Carr and Cranny also agree that payment business participants may learn some hard lessons about the state of their cyber security programs.

"I'm fairly certain that many participating companies are going to realize that they're not as prepared as they think they are," Carr said.

All types of businesses in the payments industry are invited to participate. The exercise is free of charge, and participants will receive an "after-action report" that includes best practices and threat mitigation techniques. Visit to register; the deadline is Jan. 29.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Impact Paysystems | Board Studios