Payments & Prepping: The invisible thread holding society together

Most of us only notice payments when they go wrong. It’s the same story with other parts of the infrastructure we rely on. We take it for granted until the lights flicker, the water pressure drops, the broadband cuts out, or the card machine freezes at the checkout. But those moments of disruption reveal just how much we depend on the hidden systems that keep daily life running.

Payments, in particular, run through nearly every part of how we live and connect. From topping up a travel card, to sending a birthday gift through a mobile app, to paying for groceries, we rarely stop to consider just how often we interact with these systems, or what would happen if they suddenly stopped working.

Yet, it’s not a hypothetical scenario. According to figures from the Treasury Select Committee, the UK’s nine largest banks have collectively experienced more than 800 hours of unexpected outages across two years. When payments stop, life pauses with them. People can’t buy food, transfer wages or pay bills. Charities miss out on donations. Businesses can’t pay suppliers. 

And it’s not just banks. The 2024 CrowdStrike update failure, which triggered global disruption and more than $1 billion in costs, showed how a single upstream provider can impact services at scale. Payments weren’t the only casualty, but they were among the most visible. The fragility of the wider infrastructure is hard to ignore.

The outlook from business leaders reflects this. In a recent global survey of senior IT and business executives, 88% said they expect another major incident on the scale of the July 2024 outage within the next 12 months. A majority admitted they’ve focused too much on security and not enough on service disruption. The shift in mindset is clear, organisations are realising that preparation and continuity planning can’t be an afterthought.

The case for preparing ahead of time

During the pandemic, so-called ‘preppers’ were one step ahead. They had supplies set aside, fallback plans mapped out and a clear idea of how to respond, well before supermarket shelves were stripped bare. It’s a mindset the payments industry could learn from. Planning ahead shouldn’t be unusual. It should be the norm.

There’s a parallel in other industries too. Take airlines, which have long operated under the assumption that failures will happen – and their systems, training, and culture reflect that. It’s the essence of ‘black box thinking’: building resilience through routine testing, incident analysis, and continuous improvement. They don’t wait for catastrophe to act; they prepare for it in advance. Payments may not be life or death, but the principle is the same – resilience is built before it’s needed.

Banks, fintechs and processors now operate within fragile, interconnected supply chains. From cloud providers to infrastructure vendors and card schemes, the biggest risks aren’t always in your own systems, but in the services that you depend on. As reliance on third parties grows, so does the need to design resilience into every layer of the stack.

Legacy infrastructure makes that harder. When one part fails, it often brings the rest with it. That’s why modular design matters. It allows issues to be isolated, traffic to be rerouted, and faults to be fixed without pulling everything down at once. It also lets businesses scale at their own pace and upgrade without introducing new points of failure.

But resilience depends on operations as much as architecture. The ability to respond quickly, whether to an outage or a surge in demand, often comes down to how teams plan, test and communicate. Modular systems can support agility, but it’s clear ownership and forward thinking that turn plans into action.

Trust is hard-won and easily lost

The CrowdStrike incident wasn’t payments-specific, but the impact on payments was immediate and obvious. People noticed when they couldn’t transact. When systems go down at critical times – like payday – it’s not just a tech failure, it was a trust failure. Keeping payments flowing is essential to maintaining confidence in the system.

Security and accountability must be built into every part of the ecosystem. That means not just processors and banks, but also the wide range of vendors that keep services running behind the scenes. Everyone has a stake and a role to play.

Some firms argue that overhauling infrastructure is too expensive. But staying still comes with a cost too, and that cost is rising. System failures are more common, fraud is more advanced, and customers have little tolerance for downtime. Regulators have taken notice.

The EU’s Digital Operational Resilience Act (DORA), which came into effect on 17 January 2025, sets a new bar. It requires financial firms to prioritise risk management, stress testing and third-party oversight. DORA builds on existing frameworks like PSD2 (the Second Payment Services Directive, which focuses on secure electronic payments) and GDPR (the General Data Protection Regulation that governs data privacy). But it demands more. The message is clear: resilience is a must-have.

Delaying improvements only makes them harder later. Downtime now erodes trust. Inaction now risks long-term consequences.

Meeting compliance doesn’t mean you're ready. Real preparedness means understanding your architecture, rehearsing what happens when things fail, and making sure everyone – not just IT – knows how to respond.

For the largest firms, fines often fail to make an impact. Treating resilience as a competitive advantage, something that earns trust and wins business, may prove far more effective.

Resilience means more than tech fixes

Beyond technology and regulation, the economy itself is an increasing source of risk. Take President Trump’s renewed tariff regime, with up to 145% on Chinese goods and 10% on many others triggering fresh uncertainty across global markets. Volatility in currency rates, supply chain disruption and shifting rules can all hit payments infrastructure hard. Firms need systems that can adapt to this new reality.

Another factor that’s easy to overlook is the human one. Technology is only part of resilience. The rest comes from how people plan, coordinate and communicate when things go wrong. Cross-functional collaboration, regular testing and well-documented processes all play a part.

Regulators are taking this into account. It’s no longer just about systems passing audits; it’s about how entire organisations respond in the moment.

When payments work, nobody notices. That’s how it should be. But the challenge of making that happen is getting harder. As external threats grow and expectations rise, businesses can’t afford to treat resilience as an afterthought.

Preppers don’t wait for trouble before preparing. Neither should we. Resilience doesn’t just depend on the plans you make; it starts with the tech stacks you build.