by Jack Robertson
UK payments infrastructure faces an escalating range of cyber threats. Worryingly, 43% of UK businesses suffered a cyber breach in the past year. With payments systems now classified as critical national infrastructure (CNI), their defences are being tested like never before. As geopolitical tensions rise and attackers move from espionage to active disruption, the question is no longer whether UK payments will face attack, but whether current defences can withstand it. Payment systems process over £350 billion daily through networks like Faster Payments and CHAPS, making them attractive targets for nationstates seeking economic disruption and criminals pursuing financial gain. Ransomware attacks have doubled, affecting fewer than 0.5% of businesses in 2024 to 1% in 2025, with an estimated 19,000 organisations affected. Meanwhile, 67% of fraud reported in the UK is now cyber-enabled, highlighting the digital transformation of financial crime.
The threat landscape has further shifted from opportunistic attacks to sophisticated, persistent campaigns. Nation-state actors now view payment infrastructure as a strategic target for economic warfare. In early 2023, pro-Russian hacktivist groups launched coordinated denial of service (DDoS) attacks against financial institutes across Europe.
These actors are no longer content with data theft. “The rapid acceleration of artificial intelligence (AI) and quantum technologies is greatly expanding the risks facing UK payment systems,” says Justin Barrow, senior associate at Burges Salmon. “Frameworks like Cyber Security Information Sharing Partnership (CiSP) and the Financial Sector Cyber Collaboration Centre (FSCCC) are strong. The challenge is ensuring they adapt effectively to emerging technology threats.”
National Cyber Security Centre (NCSC) data shows 430 incidents requiring assistance in 2024, up from 371 the previous year, demonstrating the escalating threat landscape. The financial sector was hit hardest, with phishing remaining the dominant attack method, affecting 93% of businesses and 95% of charities that suffered breaches.
Attackers increasingly pre-position within infrastructure, establishing persistent access before activating disruptive capabilities during periods of heightened tension. Real-time payment systems are especially vulnerable because of their always-on, interconnected design. This makes it difficult for security teams to strengthen protection without disrupting service delivery.
UK financial services have embraced sophisticated threat simulation through programmes like CBEST, which has evolved far beyond traditional penetration testing. 2024 marked CBEST’s 10th anniversary, with the Bank of England’s (BoE) latest findings showing that threat intelligence-led assessments are now the regulatory standard.
Max Savoie, payments regulation lawyer at Ashurst, says the Financial Conduct Authority (FCA) treats CBEST reports as best practice and “expects firms to take them into account in the continual review and development of the firm’s cyber-resilience controls.”
The rapid acceleration of artificial intelligence (AI) and quantum technologies is greatly expanding the risks facing UK payment systems.
John Macpherson, global head of cyber risk at Ashurst, says regulators are becoming far more advanced in their understanding of technical controls: “We see regulators across many jurisdictions becoming a lot more advanced in their understanding of technical and operational controls and the role that control effectiveness plays in measuring residual risk.”
But he warns of a critical gap: “Many organisations fall into the trap of not being strategic and programmatic about their testing program. Nine times out of ten, the control failures that contribute to large cyber attacks are already known to an organisation through internal or external assessments—they just haven’t been remediated fast or completely enough.”
The STAR-FS framework expands testing beyond CBEST, building on the success of the BoE-established framework by widening the scope to incorporate banks, building societies, insurers, and other FCA-regulated organisations. This recognises the UK financial system’s interconnected nature and makes advanced resilience testing more accessible to a wider range of institutions.
Threat intelligence sharing has evolved from informal cooperation to structured collaborative defence, with financial institutions now operating sophisticated real-time intelligence networks. David Capezza, interim chief risk officer for Visa Europe, says its 24/7 cybersecurity fusion centres act as global hubs for threat monitoring and intelligence sharing, with Europe’s based in London.
Visa monitors billions of transactions daily and says its AI tools prevented nearly £23 billion in fraud last year. Yet challenges remain. Barrow notes: “The sector requires clearer visibility of coordination mechanisms to build confidence in collective threat response capabilities.” This transparency gap highlights the ongoing tension between security through obscurity and the need for industry-wide coordination.
John Macpherson, global head of cyber risk at Ashurst, emphasises the importance of bidirectional sharing: “Actioning threat intelligence is an everyday event and sharing relevant data with security agencies should be encouraged with the confidence that security agencies should be prohibited from providing that information to regulators for regulatory enforcement action.”
Global networks like the Financial Services Information Sharing and Analysis Centre (FS-ISAC) complement UK-specific initiatives, creating cross-border threat data flows that enable coordinated responses to international campaigns. Such frameworks are increasingly vital as criminals use AIgenerated deepfakes and advanced social engineering, which demand industry-wide intelligence sharing to counter.
The classification of payments infrastructure as CNI has introduced new regulatory powers with significant compliance implications. In September 2024, the UK government designated data centres as ‘Critical National Infrastructure’, recognising their central role in financial services and payments.
Rhiannon Webster, data protection and cybersecurity laws specialist at Ashurst, notes the government plans to give the secretary of state new regulatory powers: “The government has set out its scope and ambition, which includes consideration for equipping the secretary of state with a new power to issue a direction to a regulator on national security grounds.” This represents a fundamental shift in regulatory approach. Webster anticipates increased prescription: “It is likely that over the coming years the government will request the FCA and Payment Systems Regulator (PSR) to require more stringent and prescriptive security measures on payment firms.”
“The designation of data centres as CNI has significant implications for the payments industry, recognising their essential role in supporting finance and banking whilst acknowledging vulnerability to cyberattacks,” notes Barrow. “However, the underlying data centre infrastructure represents just one component of the broader technology stack.”
The forthcoming Cybersecurity and Resilience Bill, due in 2025, will extend regulation to managed service providers and supply chains that affect payment systems.
Barrow adds, “The sector would benefit from sharper risk assessment by technology type to better manage increasing complexity—distinguishing between risks from proprietary banking systems versus distributed ledger technology, for example. Firms might consider regularly reassessing their operating models and counterparty risks as these evolve.”
dapibus leo.
Looking ahead, quantum computing represents both threat and opportunity. Quantum algorithms could break today’s encryption, but work on accelerating. Payment systems must begin implementing post-quantum cryptography to maintain security as quantum computing matures.
AI-powered defence systems show promise for real-time threat detection and response. Visa’s Capezza says behavioural analytics can spot threats such as account takeovers or bot attacks, and notes work to expand tokenisation with biometric verification.
Resilience also means ensuring continuity. Capezza says Visa can reroute transactions during outages and use AI-powered stand-in processing to keep payments flowing even if bank systems fail. The upcoming Cyber Security and Resilience Bill will also mandate stronger supplier risk management, embedding supply chain security into law for critical infrastructure and digital providers.
The government has set out its scope and ambition, which includes consideration for equipping the secretary of state with a new power to issue a direction to a regulator on national security grounds.
UK payments systems face unprecedented cyber threats but are developing sophisticated defence mechanisms. Enhanced red-teaming, more advanced intelligence sharing, and tougher regulation are already strengthening resilience. However, continuous adaptation remains essential as threat actors and attack methods evolve.
The sector must balance security imperatives with innovation requirements. “The government has recognised through both the Garner review and subsequent national payments vision work that regulatory complexity creates disproportionate burdens, particularly for smaller payment service providers,” observes Barrow. Success depends on maintaining proportionate, risk-based approaches that protect critical infrastructure without stifling the innovation that drives UK payments leadership.
With over £1 billion stolen through unauthorised and authorised fraud in 2024 and ransomware attacks continuing to escalate, the urgency for comprehensive cyber resilience has never been greater. Regulation, industry collaboration, and new technology offer hope—but securing payments will demand constant vigilance and sustained investment.
The time for incremental change has passed. Payment professionals must act now: strengthening risk assessments, intelligence capabilities, and readiness for tougher regulation. In this arms race between attackers and defenders, standing still means falling behind.
