ST. PETERSBURG, Fla. — Credit union clients of FIS will be expected to take on a greater role in helping guard information security and prevent information security breaches, according to Greg Schaffer, the company's chief information security officer.

Schaffer's comments at the Card Services for Credit Unions annual meeting comes on the heels of the NCUA sharing a regulatory letter critical of the company's security practices and advising credit unions to evaluate their relationship with FIS.

Schaffer did not address that issue but explained that the information security world has changed from a model of setting up rigid perimeters around networks to keep data safe to one of preventing data theft when networks are breached – and carrying the expectation that they will be breached.

Schaffer said breaches are inevitable given the millions of lines of computer code that have been written to run the variety of different applications and programs that use the Internet and other online communication in some way. 

“How many people in the room have written dozens or even hundreds of documents that might have a comma out of place or be missing a period or have an extra period,” Schaffer said.

“Now imagine that across millions of lines of code, and every misplaced colon or other symbol might be just enough to open up a vulnerability that someone could exploit,” he said.

The focus instead must be on setting up the systems and other measures which will prevent someone who breaches the system from making off with any data, he said, and that means knowing much more about potential vulnerabilities across different parts of the entire payment system, including financial institutions such as credit unions.

Schaffer used the example of a sophisticated phishing attack which convinces a credit union member to click on a link which could open up a vulnerability which might compromise not only the credit union's online environment but also that of FIS or other information service providers.

To help prevent this, Schaffer said FIS would focus on helping client credit unions better train payment executives about information security risks, especially those executives who have the power to alter or change a credit union's information technology or payment systems. 

The processor will also help client credit unions improve their ability to monitor their systems for potential data breaches and to respond more effectively in cooperation with FIS when a breach occurs, Schaffer said.

He declined to add any details about the effort but promised the company would have more information forthcoming in the near future.

CSCU is the association of credit unions that process cards with FIS, which handles that work for about 5,400 credit unions.