Payment Security Risk: What You Don’t Scope May Hurt You

Financial services executives were stunned last year when hackers compromised payments security systems at the Bank of Bangladesh and transferred over $81 million USD to overseas accounts. Since then, Citihub has seen numerous companies initiate projects to identify payment system risks and strengthen payments security. Projects vary by the size of the institution and where they begin, but they commonly include leadership input from the business units, IT, fraud operations, payments security, and legal and compliance.

To date, corporations have focused their payment security efforts on highly visible systems that have been publicly exploited, so much so that for many, payment security has become synonymous with SWIFT. The publicity generated by the hack of the Bank of Bangladesh has led to increased scrutiny of SWIFT-based payments systems and triggered the creation of a Customer Security Program by SWIFT (read our earlier blog). However, not all payments are made using SWIFT technology.

In serving clients, we’ve been asked to provide guidance on the security of payment systems and have found that most companies don’t take the time to define their payment systems, which is fundamental to understanding the full scope of risk.

How do you define a payments system?

Not asking this question prior to project execution can lead to project failure and unaddressed risks. The definition of a payment system must become the cornerstone of any assessment and remediation effort, and the answer is not as trivial as it may seem. Citihub defines a payment system as any internal or external system that is used to transfer cash or enable cash transference (or does so with minor modifications).

When a bank applies this definition to payments technology and business processes, it becomes clear that preventing the compromise of a payment system requires an understanding of end-to-end payment flow. Initiation, authorization, confirmation receipt and reconciliation, and related technology components must also be reviewed.

Banks must also dig deeper to understand the financial reporting systems that are sometimes overlooked as they can pose additional risk.  Many third-party reporting systems can have payment functionality enabled by the signatories on the account.  In some cases, this activation can even be done electronically or by an entitled business user.

Once the definition has been agreed to, banks must address the scope of their assessment and remediation project and the hidden risks associated with using a third-party payment system. In my next post, I’ll review some of the most common business process and technical risks that companies should be aware of.


The author

Khristian Gibson

Associate Partner, New York

With 20 years’ experience in Information Security, Governance and IT Support management in major banks and hedge funds in the US and the UK, Khristian has a proven track record of delivering and governing large projects and driving strategy/vision for technical and security streams.