CBS-9 Credit Card Issuing and Acquiring Services
![[OR] [MBT] [E3] [CBS] [9] [SuPS] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/85351d9a-b59d-4b31-ac51-4affa7fd70e1.png)
As part of Metrobank’s Operational Resilience framework, identifying severe but plausible scenarios is a critical step in stress testing the resilience of its Credit Card Issuing and Acquiring Services (CBS-9).
Severe but plausible scenarios are realistic yet extreme situations that could disrupt operations beyond normal contingencies, assessing the organisation’s ability to continue delivering critical services within impact tolerances.
These scenarios consider cyber, ICT, operational, and third-party risks and are used to validate Metrobank’s response capabilities and recovery measures.
By anticipating these events, Metrobank ensures proactive management of vulnerabilities across its credit card lifecycle, from application and issuance to merchant settlement and fraud monitoring.
![Banner [Table] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/f4f3c007-e864-48cd-8bc1-0242c8b7fd86.png)
Table P5: Identify Severe but Plausible Scenarios for CBS-9
|
Sub-CBS Code |
Sub-CBS |
Severe but Plausible Scenario |
Impact / Effect |
Proactive Risk Management Action |
Link to Integration of Cyber and ICT Risks |
|
9.1 |
Credit Card Application and Onboarding |
Prolonged outage in the customer onboarding platform due to database corruption or malware attack |
Inability to process new credit card applications; customer dissatisfaction; reputational damage |
Implement secure data backup and recovery processes; conduct regular vulnerability scanning; enable redundancy in onboarding platforms |
Aligns with ICT risk management for data integrity and availability; integrates cyber risk through endpoint protection and secure coding standards |
|
9.2 |
Card Issuance and Fulfilment |
Third-party card production vendor suffers a ransomware attack, halting fulfilment |
Delay in issuing cards to customers; breach of SLA; reputational impact |
Maintain alternate vendors and business continuity agreements; validate incident response readiness of third parties |
Integrated through third-party cyber due diligence and ICT continuity monitoring |
|
9.3 |
Transaction Authorisation and Processing |
Network or payment switch failure caused by a DDoS cyberattack or a hardware malfunction |
Authorisation failures leading to transaction decline across ATMs and POS; financial and reputational loss |
Implement DDoS mitigation, transaction rerouting, and high-availability infrastructure |
Direct integration with cyber resilience and ICT network redundancy strategies |
|
9.4 |
Merchant Acquiring and Onboarding |
Major API or portal outage due to a software patch error during system upgrade |
Merchant onboarding delays; inability to process new merchant accounts |
Deploy patch management testing in staging environments; enforce change control procedures |
Integrated with ICT change management and cyber security validation processes |
|
9.5 |
Merchant Transaction and Settlement Services |
Payment gateway compromise leading to unauthorised access or data tampering |
Delayed or incorrect settlements; potential data breach liabilities |
Implement encryption of payment data; enhance transaction reconciliation controls |
Integration with cyber and ICT incident response and data loss prevention systems |
|
9.6 |
Cardholder Servicing and Collections |
CRM and collections system downtime due to internal system failure or cyber intrusion |
Disrupted customer service and payment collections; potential rise in delinquencies |
Maintain mirrored CRM systems; automate alerts for system degradation; provide alternate service channels |
Integrated through ICT business continuity plans and cyber intrusion detection |
|
9.7 |
Fraud Detection and Security Monitoring |
Failure of the fraud detection system caused by AI model corruption or malware infiltration |
Increased undetected fraudulent transactions; financial and regulatory exposure |
Establish failover for fraud analytics engines; perform continuous model validation |
Integrated with cyber risk governance for fraud detection and ICT resilience testing |
|
9.8 |
Compliance and Regulatory Management |
Data breach exposing regulatory reporting or KYC data due to an insider threat or an API vulnerability |
Regulatory penalties; compliance breaches; reputational impact |
Conduct periodic security awareness and access control audits; enhance data encryption for KYC and regulatory reports |
Integrated with cyber compliance monitoring and ICT security audit frameworks |
![Banner [Summing] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/446ccb83-e056-40d0-aae5-834d73c13f43.png)
The identification of severe but plausible scenarios for Metrobank’s Credit Card Issuing and Acquiring Services reinforces its ability to anticipate and mitigate operational disruptions. Each scenario represents a realistic threat that tests Metrobank’s resilience across technology, people, process, and third-party dependencies.
Integrating cyber and ICT risk management within these scenarios ensures that digital and system vulnerabilities are not viewed in isolation but as integral components of the bank’s operational resilience strategy.
By proactively managing these risks and embedding them into scenario testing exercises, Metrobank strengthens its capability to maintain critical financial services continuity and uphold customer trust under the most challenging circumstances.
![[OR] [MBT] [E3] [CBS] [9] [DP] Credit Card Issuing and Acquiring Services](https://no-cache.hubspot.com/cta/default/3893111/7b2ea4c9-1299-4e60-a149-6c31912dd8f1.png)
![[OR] [MBT] [E3] [CBS] [9] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/40bb72bb-5111-440d-8adb-eb87f4ec1d5f.png)
![[OR] [MBT] [E3] [CBS] [9] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/2ec68e79-e822-44b3-bc6e-d8842015c697.png)
![[OR] [MBT] [E3] [CBS] [9] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/a25c5343-8362-4595-904c-3634b82c3cd9.png)
![[OR] [MBT] [E3] [CBS] [9] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/01715f59-24f7-415e-9b5a-991b9213f22e.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
