Title
BSP Fraud Controls on ATMs and POS Devices
Law
BSP Memorandum No. M-2014-040
Decision Date
Oct 3, 2014
The Philippine law, BSP Memorandum Order No. M-2014-040, requires banks to implement multiple security measures, including the migration to EMV technology, to protect electronic payment cards from skimming attacks until January 1, 2017, or face potential sanctions.

Mandatory Controls for BSIs to Mitigate Skimming Risks

BSIs are required to apply specific security controls as per Annex "A" - Appendix 75f of Circular No. 808. These include:

  • Installing anti-skimming solutions and tamper-resistant keypads on ATMs and POS machines.
  • Deploying video surveillance where appropriate.
  • Establishing detection and alert mechanisms for timely incident response.
  • Using transaction alerts for withdrawals and other high-value transactions.
  • Strengthening consumer awareness programs on fraud precautionary measures.

Security Controls for ATMs

BSIs must implement minimum security measures along with recommended controls addressing evolving skimming techniques:

  • Locate ATMs in visible, well-lit areas.
  • Install surveillance cameras in high-risk locations with recordings preserved for at least 30 days.
  • Conduct thorough risk assessments to identify ATMs requiring enhanced controls or replacement.
  • Introduce ATM programming enhancements such as masking card numbers and transaction alert notifications.
  • Educate customers on ATM risks, safe usage, and how to identify skimming devices.
  • Post visible signage with important phone numbers including emergency and BSI hotlines.
  • Perform and document periodic security inspections involving security officers and branch personnel.
  • Train BSI personnel for sensitive and prompt handling of customer complaints and fraud cases.

Security Controls for POS Devices

BSIs must ensure physical and logical security of POS terminals as follows:

  • Increase physical security around POS devices, including secure communication channels to prevent interception.
  • Conduct risk assessments for POS devices based on location, transaction volume, and other risk factors.
  • Acquaint merchants with safe operation of POS devices.
  • Configure POS devices to prevent storage or exposure of confidential customer information like PIN.
  • Prohibit printing of PINs at the point of sale.
  • Implement merchant oversight including employee background checks to minimize fraud risks.

Prevention of Skimming Incidents

BSIs must study and analyze ATM crime incidents to determine root causes and problematic areas, using lessons learned to improve processes and prevent recurrence.

Detection of Fraudulent Activities

BSIs are required to implement fraud detection systems with behavioral scoring and correlation capabilities to identify and halt fraudulent transactions, even before the consumer becomes aware of them or the transaction is completed.

Management and Response to Skimming Incidents

BSIs should establish robust procedures for timely investigation, determination of liability, and equitable compensation related to card fraud:

  • Facilitate collaboration and information sharing among BSIs, including sharing CCTV footage without extra charge subject to confidentiality agreements.
  • Harmonize internal policies to support industry-wide anti-fraud information sharing.
  • Participate actively in industry groups like the Inter-network Anti-Fraud Committee (IAFC) and Information Security Officers Group (ISOG).
  • Cooperate with law enforcement agencies when necessary, particularly in cybercrime cases affecting public security.

Sanctions for Non-Compliance

BSIs failing to implement the prescribed controls and measures may face monetary and non-monetary sanctions as provided under Subsection X176.9 of Circular No. 808.
