Merchant and Financial Services Cybersecurity Partnership


The Partnership has succeeded in its goal to work collaboratively across the payments system to enhance security in order to protect customers and their data from cyber threats. The Partnership has resulted in a strong and productive relationship across the merchant and financial industries. Both industries are stronger together than we are divided, and to keep the trust of our customers, we must work collaboratively to improve overall security. The following are the planned deliverables as the Partnership wraps up its work.

Since February 2014, the Partnership, comprising more than 250 senior executives from financial services and merchant companies and staff from associations, has met nearly 50 times by conference call or in person in various groups, heard from over 45 experts (e.g., Office of the Comptroller of the Currency, EMVCo, Federal Bureau of Investigation, Lockheed Martin, PCI Data Security Council, Ponemon Institute, Verizon 2014 Data Breach Report), participated in numerous outreach events, including the 2014 Merchant-Financial Services Cybersecurity Summit on Sept 10, and sought consensus on difficult policy issues.

Working Groups Planned Deliverables:

1. Threat Information Sharing
• Secure an agreement between the FS-ISAC and the R-CISC to have a formal administrative link and establish protocols for sharing information between the financial services sector and the merchant sector.
• Convene periodic threat information sharing forums.

2. Cyber Risk Mitigation
• Host a joint “table top” cyber exercise with financial and merchant institutions to simulate a significant attack against a processor or multiple processors simultaneously that degrades the ability to conduct commerce.
• Leverage NIST’s ongoing workshops to implement and refine the voluntary NIST Cybersecurity Framework and drive its usage along with existing work with the FSSCC, FS-ISAC and other relevant bodies. Also, develop a compendium listing of leading practices.
• Develop a paper on breach notification response programs.

3. Advanced Card Present and Card Not Present Security Technology
• Outline recommendations for merchants, issuers, acquirers, and processors to collaborate more in the development of technology standards to ensure the safety and security of the payment system.
• Outline principles for protecting the payments system, focusing on technologies that minimize the value of payments information if it is stolen, lost or breached and on customer authentication.

4. Cyber Security and Breach Notification
• Present to congressional leaders joint principles supporting cyber threat information sharing legislation.

