Secure payments

Worldpay is a behemoth in the world's payment industry. Every day, the group processes more than 30 million online payment transactions via point-of-sale terminals, smartphones and computers. The Växjö-based subsidiary Worldpay Sweden primarily focuses on card payments for poker sites and online casinos.

Security is absolutely business-critical, and the transactions are monitored minute-by-minute, 365 days of the year. "When companies like ours handle money, they have to be prepared for all forms of cyber threats," says Tobias Axelsson, CSO of Worldpay Sweden. Yet he is not alone when it comes to assessing these threats. He and around 20 colleagues at the office in Växjö work on the development of payment systems in order to prevent potential security breaches.

COOPERATION WITH EUROPOL, MI5 & THE CIA

All security managers at Worldpay attend regular meetings to keep abreast of the security situation, share experiences and update each other on what is taking place in the area. And, if required, there are even more powerful resources at their disposal.

"The group cooperates closely with the British intelligence service MI5, Europol and America's CIA. Among other things, they assist in criminal profiling. This work is invaluable to us in extortion cases, where they assist us in determining the likelihood of a threat being carried out."

When Worldpay receives international threats, it is imperative to determine which of these should receive additional attention. In addition to criminal profiling, the organisation's security technicians have learnt to distinguish between empty threats and those that may pose greater risk.

"One of the things we try to figure out is whether the perpetrator has specifically researched us as an organisation. If so, it is fundamentally more serious, since they have dedicated more resources than those who send out a flood of emails. For extortion cases, we have also developed a method of appraising the demanded sum in relation to the threat. This provides insight into how professional and experienced the perpetrator may be."

Customer perspective

On the whole, Worldpay devotes a great deal of time to rooting out weaknesses in the software programs. Sometimes, a patch or rewrite to eliminate the weakness is not good enough, and the entire program must be replaced. This is not always simple or straightforward, since Worldpay, as a payment processor, is stringently governed by security standards and certifications. 

"Furthermore, we must see things from our customers' perspectives," emphasises Tobias. "We may not be able to replace a program if an end-customer, such as a poker player, uses an older, incompatible device. Our customers, quite simply, will not accept this, because they know that the poker player will switch to a different provider. No one in the industry wants to lose customers."

Nevertheless, security is one of Worldpay Sweden's strongest competitive advantages.

"We devote massive resources to security, certainly ten times more than the average company, and customers have faith in us owing to our exemplary track record. But this also means that we cannot become complacent. All it takes is a single intrusion to destroy customer faith in our company, and this may take years to repair."

In light of this, transactions need to be monitored day and night. Fraud or intrusion attempts must be detected early. And Worldpay Sweden has opted to outsource this to their Växjö neighbour: Combitech's Security Operations Centre (SOC).

TIME FOR THE MOST CRITICAL SECURITY ISSUES

An advantage of outsourcing round-the-clock monitoring is that it leaves time for the company to focus on organisational matters, which everyone, including Tobias, values greatly.

"It means that I can spend more time on the best parts of my job, like HR," says Tobias. "Many companies forget that this is one of the most important security issues.

"Stressed-out workers can make mistakes. This may involve neglecting procedures, disseminating information over the phone, inserting an unfamiliar USB drive or, in the worst case, consciously doing something that can damage the company."