Page 32 - GS250501
Insights and Expertise
The UK's push for resilience – If your payment provider fails, so do you

By Ryta Zasiekina
Concryt

If your payment provider went down tomorrow, would your business be able to keep running smoothly? Would customers still be able to check out, or would you be scrambling to explain why transactions aren't going through?

These are the kinds of questions UK merchants, acquirers and payment providers should already have answers to, because on March 31, 2025, PS21/3, the Financial Conduct Authority's (FCA) operational resilience regulation, is in effect.

This isn't just another regulatory hoop to jump through. It's about ensuring that payments keep flowing even when things go wrong. Whether you're a payment provider responsible for securing transactions or a merchant relying on those services, failing to meet resilience standards could mean lost sales, frustrated customers and long-term reputational damage.

What PS21/3 means for merchants

For banks, payment processors and fintech firms, PS21/3 requires them to prove that they can keep essential services running even during severe disruptions. That means having contingency plans in place, identifying single points of failure and testing their ability to recover from cyberattacks, system failures or supplier outages.

But merchants must take note too. If a payment provider experiences an outage, the business accepting payments suffers just as much. Customers won't distinguish between a provider's system failure and a merchant's inability to process transactions - they'll just take their business elsewhere.

Now is the time for merchants to ask the right questions:

• Does my payment provider have failover mechanisms? Can they switch between multiple acquiring banks if their primary system goes down?
• Do they comply with PS21/3 regulations? A provider's failure to meet resilience standards could mean disruptions that directly impact revenue.
• What's their track record in handling disruptions? Have they implemented scenario testing and risk management strategies?

Choosing a resilient payment provider means greater stability, fewer failed transactions and a smoother experience for customers—a key differentiator in today's competitive marketplace.

Operational resilience: UK versus U.S. approaches

In the United States, there's no direct equivalent to the UK's PS21/3 regulation, which is a formal legal mandate requiring financial services firms to maintain essential services through major disruptions.

By comparison:

• PCI DSS is an industry standard, not a law. It's enforced contractually by card networks and acquirers, with penalties for noncompliance.
• FFIEC guidance and OCC regulations require banks and some financial institutions to maintain business continuity plans, but these are largely guidelines, not sweeping legal requirements.
• State-level laws (like New York's DFS Part 500) cover cybersecurity and incident response but don't fully replicate PS21/3's operational resilience framework.

U.S. merchants can still apply lessons from PS21/3 to strengthen their own resilience strategies and provider evaluations.