(September 29, 2009) A payments-industry security group formed earlier this year is going through the rather dry procedures of establishing a charter and electing leaders. But one of its first projects could get pulses beating a little faster: a simulated mass attack on databases containing payment card and demand-deposit account information.

The exercise is planned for three days next February and will be open to banks, payment processors, retailers, and other businesses, according to William B. Nelson, president and chief executive of the Financial Services Information Sharing and Analysis Center, or FS-ISAC. The Dulles, Va.-based non-profit body, which formed a decade ago to promote better sharing of security information among financial institutions and law-enforcement officials, formed a payments subgroup last spring called the Payments Processor Information Sharing Council. The PPISC first convened in early May and is now establishing a governing committee and planning activities, including the simulated database attack.

The event actually will involve a series of simulated attacks against databases of card processors, banks, retailers, and other businesses. Unlike certain tests commissioned by individual firms, however, the simulation will not attempt to break into anyone’s database, Nelson tells Digital Transactions News. “It will all be pretend,” he says. Instead, participants will be given scenarios and provide information to the test directors by e-mail.

The purpose of the exercise is to let participants know how attacks happen and learn how the damage might be reduced if victims share information about hackings at their companies, according to Nelson. “My goal is to make organizations aware, going forward, of the need to really share threat vulnerability and incident information,” says Nelson. “The key is if something bad happens to your competitor, it affects you. You’re going to be next.” Robert O. Carr, chief executive of merchant acquirer Heartland Payment Systems Inc. and a PPISC backer, decried the lack of information sharing in the payments industry after his company sustained a huge hack (Digital Transactions News, April 30).

PPISC will be contacting processors, retailers, and banking trade groups asking for participants in the test. “The exciting thing about it, we could literally have thousands of institutions participate,” says Nelson.

The group also is planning a separate, smaller exercise, what Nelson calls a “deep dive.” Participants will scan their computer systems for executable programs and other electronic signatures that hackers leave.

PPISC member companies now include 12 of the top 15 merchant acquirers representing more than 75% of the nation’s electronic payment transaction volumes, the organization says. The group is considering a draft charter and taking nominations for elections in October of a steering committee that will consist of a chairman, vice chairman, and three at large-members.

PPISC members met earlier this month near Washington, D.C. with representatives of the U.S. Secret Service, the departments of Homeland Security and Justice, and the U.S. Postal Inspection Service.