Q&A (BSP MEMORANDUM NO. M-2014-040)
The memorandum addresses the vulnerability of electronic payment cards, such as ATM debit, credit, and prepaid cards, to skimming attacks due to the continued use of magnetic stripe technology.
EMV stands for Europay, MasterCard, and Visa, a global standard for credit, debit, and prepaid payment cards based on chip card technology. EMV chip cards are more secure alternatives to traditional magnetic stripe cards and are significant for reducing card fraud including skimming attacks.
The deadline for the migration of the entire payment card network to EMV technology was set for January 1, 2017.
Minimum security measures for ATMs include locating ATMs in highly visible areas, providing sufficient lighting, installing surveillance cameras in high-crime areas, implementing robust anti-skimming solutions for high-risk ATMs, programming enhancements like masking card numbers, customer education, posting telephone hotlines, periodic security inspections, and training BSI personnel for customer concern management.
Controls for POS devices include increasing physical security around the terminal, using POS terminals that minimize interception possibilities, familiarizing merchants with safe device operation, ensuring devices do not store or expose confidential information such as PINs, and enforcing baseline controls such as merchant employee background checks.
BSIs must conduct studies, analysis, and assessment of ATM crimes to determine root causes, use lessons learned from incidents to promote changes and process improvements to prevent recurrence, and implement additional ATM and POS controls as necessary based on risk assessments.
BSIs are required to implement fraud detection systems with behavioral scoring and correlation capabilities to identify and curb fraudulent activities prior to transaction completion or consumer knowledge.
BSIs must establish timely investigation and resolution processes, determine party liability within a reasonable timeframe, provide equitable compensation to affected customers, and participate in collaboration and information sharing initiatives.
Customer education is a key defense against fraud, requiring BSIs to regularly advise customers about risks, how to detect skimming devices, and preventive measures to protect their card and PIN security.
BSIs that do not adopt the prescribed controls may be subject to monetary and non-monetary sanctions as provided under Subsection X176.9 of Circular No. 808.
BSIs are encouraged to share CCTV video images, participate in industry-wide collaboration efforts such as the Inter-network Anti-Fraud Committee (IAFC) and Information Security Officers Group (ISOG), and cooperate with law enforcement agencies especially in cases involving public safety and security.