CBS-9 Credit Card Issuing and Acquiring Services
![[OR] [MBT] [E3] [CBS] [9] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/01715f59-24f7-415e-9b5a-991b9213f22e.png)
Scenario testing is an essential part of Metrobank’s operational resilience framework, ensuring that the Credit Card Issuing and Acquiring Services (CBS-9) can withstand and recover from severe but plausible disruptions.
By simulating real-world stress events — such as system outages, cyberattacks, fraud surges, and third-party failures — the bank can validate its ability to maintain continuity of critical operations, protect customer trust, and comply with regulatory requirements.
The approach integrates cyber and ICT risks into scenario design to reflect evolving digital and security challenges within credit card operations.
![Banner [Table] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/a45e9708-7139-4f4e-8e0e-41179f5cacc3.png)
Table P6: Perform Scenario Testing for CBS-9
|
Sub-CBS Code |
Sub-CBS |
Recommended Scenario Test Themes |
Impact / Effect |
Evidence of Proactive Risk Management Action |
|
9.1 |
Credit Card Application and Onboarding |
System outage or data corruption in the digital application platform; a cyber phishing attack targeting applicants’ personal data |
Disruption to new card issuance; customer dissatisfaction; potential data breach |
Periodic penetration testing and data integrity audits; onboarding process redundancy through alternate digital channels |
|
9.2 |
Card Issuance and Fulfillment |
Vendor printing plant outage or logistics failure; compromised card data during fulfillment |
Delay in card delivery; breach of customer confidence |
Dual sourcing strategy for card production vendors; encrypted data transfer for card personalization; backup logistics provider |
|
9.3 |
Transaction Authorization and Processing |
Core payment switch failure; DDoS attack on the authorisation server |
Inability to process transactions; service downtime; revenue loss |
Cyber incident simulation with red team exercises; deployment of backup transaction routes and real-time failover systems |
|
9.4 |
Merchant Acquiring and Onboarding |
System integration error with new merchant platforms; KYC data compromise |
Delay in merchant activation; potential compliance breach |
Regular onboarding simulation with mock merchants; third-party integration testing and data encryption verification |
|
9.5 |
Merchant Transaction and Settlement Services |
Payment gateway failure; delayed settlement from third-party processor; ransomware attack on settlement database |
Financial reconciliation delays, merchant cash flow issues, and reputational impact |
Cyber resilience tabletop tests with acquiring partners; periodic settlement failover tests; secure offsite data replication |
|
9.6 |
Cardholder Servicing and Collections |
Contact centre outage; compromise of customer records; surge in delinquency during system unavailability |
Disruption to customer assistance; potential regulatory non-compliance |
Crisis communication and call rerouting simulation; BCP for collections system; enhanced endpoint security protocols |
|
9.7 |
Fraud Detection and Security Monitoring |
Compromise of the fraud monitoring system; AI-based fraud engine failure; insider data manipulation |
Increased fraudulent transactions, customer loss and reputational risk |
Continuous cyber risk drills; simulated data exfiltration response; review of real-time anomaly detection backups |
|
9.8 |
Compliance and Regulatory Management |
Regulatory reporting tool failure; inaccurate or delayed submission due to data loss |
Regulatory penalty; breach of compliance obligations |
Compliance reporting scenario walk-throughs; backup regulatory reporting platform; encryption and secure audit trail validation |
Integration of Cyber and ICT Risks
Each scenario incorporates cyber and ICT risk dimensions, acknowledging that digital infrastructures underpin every sub-component of Metrobank’s credit card business. This ensures that tests not only validate business continuity but also assess resilience against technology-driven threats, aligning with Metrobank’s enterprise risk management and operational resilience framework.
![Banner [Summing] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/11895c06-91e9-4cec-acb6-4356741952e4.png)
Through structured scenario testing, Metrobank validates its ability to sustain the Credit Card Issuing and Acquiring Services under stress, ensuring that disruptions — whether operational, cyber, or third-party in nature — do not breach customer trust or regulatory expectations.
The results from these scenario tests provide actionable insights, drive continuous improvement, and reinforce a proactive culture of risk management.
Integrating cyber and ICT risk scenarios ensures resilience not only at the business process level but across the entire digital ecosystem supporting credit card operations.
![[OR] [MBT] [E3] [CBS] [9] [DP] Credit Card Issuing and Acquiring Services](https://no-cache.hubspot.com/cta/default/3893111/7b2ea4c9-1299-4e60-a149-6c31912dd8f1.png)
![[OR] [MBT] [E3] [CBS] [9] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/40bb72bb-5111-440d-8adb-eb87f4ec1d5f.png)
![[OR] [MBT] [E3] [CBS] [9] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/2ec68e79-e822-44b3-bc6e-d8842015c697.png)
![[OR] [MBT] [E3] [CBS] [9] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/a25c5343-8362-4595-904c-3634b82c3cd9.png)
![[OR] [MBT] [E3] [CBS] [9] [SuPS] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/85351d9a-b59d-4b31-ac51-4affa7fd70e1.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
