Data shows there’s reason to be concerned about payment processors’ technology and security

There has been growing concern about mounting systemic risk from the increasing number of payment processing companies.

A recent FT article expressed concern that a cyber event affecting a high-volume payments company could disable large parts of the economy without notice. And Christine Lagarde, head of the International Monetary Fund, said last week that whilst big tech innovation may help modernise financial markets, it could also make financial systems vulnerable by putting payment and settlement systems under the control of a handful of technology giants.

To make matters worse, there has been significant consolidation within the sector, which in turn creates the kind of IT complexity that makes it more difficult to protect against a cyber event. Furthermore, the regulation of payments processing isn’t as robust as the regulatory system that governs other elements of the global financial system, like banks, so monitoring and enforcement of the cyber defences and technology used by payment processors is challenging.

What does the data show? To establish a data-driven understanding, we analysed over 2,000 payment processors in our database, which contains the security and technology posture of millions of interconnected companies worldwide.

About 5% of roughly 2,000 payment processors have a greater than 90% probability of experiencing a cyber event over the next 12 months, according to Corax data and predictive calculations. That proportion is 1% and 2% more than across the Financial and Technology sectors generally. What seems to be driving that is that payment processors have more technology connected to the internet, meaning much more risk inherited from the greater number of companies and technology providers they’re connected with.

Across the payment processor sector, the data shows there are certainly potential ‘points of failure’ based on shared reliance on technology types and technology vendors. And although the technology pinch points are perhaps reassuringly consistent with our analysis of the Financial and Technology sectors more broadly, what is definitely concerning is that there is an average of six security vulnerabilities designated “critical” per company and, worse still, that 2% of the technology assets of the 2,000 payment processors have the same 10 security vulnerabilities in common. That’s good news for nefarious types and bad news for everyone else, but with some coordinated effort across the sector that systemic risk could be hugely reduced.

Contact us here for the full data and analysis.