Card Security Concerns Do Not Dampen CSCU Meeting
ST. PETERSBURG, Fla. — An undercurrent of concern about how card processor FIS was handling some of its ongoing information security problems was not enough to dissuade 321 payment executives from 131 credit unions that use the processor from meeting April 25-29 to celebrate card success and strategy.
The card processor for the majority of credit union debit and credit card programs received a supervisory letter from federal banking regulators that the NCUA then shared with credit unions that process their transactions with the company.
That letter, what it might mean and what FIS was doing about the problems it identified, were the topics of widespread speculation at the meeting but relatively little public comment from the company.
On background, executives with CSCU said the company had been warned by federal regulators that it could only speak directly about the letter with executives from processing credit unions and with no one else. FIS has not yet released a statement about why it was declining to answer questions publicly.
CSCU had made room on its meeting schedule to allow security officials from FIS to address the topic, but the first meeting had to be stopped when it became clear that most of the questions from credit union executives concerned topics that FIS could not address publicly. FIS executives later took questions from CU executives in a meeting that was closed to the press.
But while he avoided the topic of the letter, Greg Schaffer, FIS’ new chief information security officer, fielded some questions about what the company was doing to address information security.
In particular, he addressed how FIS’ credit union clients will be expected to take on a greater role in helping guard information security and prevent information security breaches.
Schaffer explained to assembled executives that the information security world has changed from a model of setting up rigid perimeters around networks to keep data safe to one of preventing data theft when networks are breached–and carrying the expectation that they will be breached.
Schaffer said breaches are inevitable given the millions of lines of computer code that have been written to run the variety of different applications and programs that use the Internet and online communication in some way.
“How many people in the room have written dozens or even hundreds of documents that might have a comma out of place or be missing a period or have an extra period,” Schaffer said. “Now imagine that across millions of lines of code, and every misplaced colon or other symbol might be just enough to open up a vulnerability that someone could exploit,” he said.
The focus instead must be on setting up the systems and other measures that will prevent someone who breaches the system from making off with any data, he said. And that means knowing much more about potential vulnerabilities across different parts of the entire payment system, including financial institutions such as credit unions.
Schaffer used the example of a sophisticated phishing attack that convinces a credit union member to click on a link which could open up a vulnerability that might compromise not only the CU’s online environment but also that of FIS or other information service providers.
To help prevent this, Schaffer said FIS would focus on helping client credit unions better train payment executives about information security risks, especially those executives who have the power to altar or change a credit union’s information technology or payment systems. The processor will also help client credit unions improve their ability to monitor their systems for potential data breaches and to respond more effectively in cooperation with FIS when a breach occurs. Schaffer declined to add any details about the effort but promised the company would have more information forthcoming in the near future.
But as important as the security questions were, they could not dampen the conference’s overall attitude of optimism about prospects for greater credit union growth in payments.
Wayne Best, Visa’s chief economist, told the executives that while the United States economy is not out of the woods yet, it is much improved from where it was and will likely keep improving, albeit sluggishly, as long as no crisis from overseas arises.
Best put his comments in the context of the improving economic situation still be vulnerable to possible shocks from outside the country and moving sluggishly overall. This environment means that card issuing credit unions will have to segment their card offerings and promotions much more tightly than they have in the past in order identify and take advantage of payment opportunities, he explained.
The group also heard from Kristin Christian, the woman considered most responsible for Bank Transfer Day. She told the group that she has become a unofficial lobbyist for raising the legislative cap on member business lending.
Christian told the payments executives that she had been lobbying her fellow social media activists to support the effort to repeal the MBL cap and she put the effort in the context of what she called an effort between credit unions and the millennial generation to renew the economy through expanded small business opportunities.