Card Fraud and Skimming Attacks ( BSP Memorandum Order No. M-2014-040 )
October 03, 2014
BSP MEMORANDUM NO. M-2014-040
TO: All BSP-Supervised Institutions
SUBJECT: Card Fraud and Skimming Attacks
Electronic payment cards (i.e., ATM debit, credit and prepaid cards) are still vulnerable to skimming attacks given the continued use of magnetic stripe technology. Pending migration of the entire payment card network to EMV[1] by 01 January 2017, electronic payment cards remain largely defenseless against modern fraud techniques unless multiple layers of protection are adopted by BSP-Supervised Institutions (BSIs).
To manage subject risk, BSIs are reminded to consider the specific controls to mitigate exposure from skimming attacks outlined under Annex "A" — Appendix 75f of Circular No. 808 dated 22 August 2013, namely:
• Installation or implementation of additional controls to ATM and POS machines, such as anti-skimming solution, tamper-resistant keypads or video surveillance;
• Establishment of detection process and alert mechanisms for timely and appropriate incident response and action; and
• Use of transaction alerts on withdrawals and other transactions exceeding certain defined thresholds.
The abovementioned controls highlight the BSI's need to (a) protect ATM and POS machines and (b) have proactive systems and processes in place to prevent, detect, manage or respond to card skimming incidents. BSIs also need to strengthen their customer awareness programs as a first line of defense against fraudsters, reiterating the precautionary measures under Annex "C" — Appendix 75f of Circular No. 808.
A. Security Controls for Automated Teller Machines (ATMs) and Point of Sale (POS) Devices
BSIs shall put in place adequate safeguards, as card skimming attacks may happen at various points in payment card processing, such as ATMs, payment kiosks and POS terminals. The following are the minimum security measures required for ATM facilities and POS devices pursuant to Annex "A" — Appendix 75f of Circular No. 808, together with the corresponding additional recommended controls made necessary by the evolving nature of skimming attacks:
1. Automated Teller Machines
| Pertinent Provisions | Recommended Control Measures |
|---|---|
| • Locate ATMs in highly visible areas; • Provide sufficient lighting at and around the ATMs; and • Where ATM crimes (e.g., robbery, vandalism, skimming) are high in a specific area or location, the BSI should install a surveillance camera or cameras which shall view and record all persons entering the facility. Such recordings shall be preserved by the BSI for at least thirty (30) days. | BSIs are expected to enhance their risk management processes to include the conduct of a thorough risk assessment, which considers the specific ATM model, ATM location, volume of transactions and such other factors necessary to identify those ATMs requiring additional controls. For those classified as high risk, installation of robust anti-skimming solutions and/or additional security devices and measures shall be necessary. The results of the risk assessment shall likewise be used to identify specific or vulnerable ATM models due for replacement. |
| • Implement ATM programming enhancements like masking/non-printing of card numbers. | Logical controls, such as transaction alert systems and/or notifications, shall also be considered by BSIs to ensure risks are appropriately mitigated or managed. |
| • Educate customers by advising them regularly of risks associated with using the ATM and how to avoid these risks; • Post a clearly visible sign near the ATM facility which, at a minimum, provides the telephone numbers of the BSI as well as other BSIs' hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases. | Consumer education remains one of the key defenses against fraud, identity theft and security breach. Concerned BSIs shall accordingly enhance their consumer awareness initiatives in response to the business environment. More than protection of the Personal Identification Number (PIN) and the measures outlined in Annex "C" — Appendix 75f of Circular 808, advisories on how to check for skimming devices shall also be released and posted in ATM premises. |
| • Conduct and document periodic security inspection at the ATM location. | Periodic security inspection is a necessary step to ensure that ATMs are not compromised. Other than security officers, BSIs shall consider requesting assistance of branch personnel in ensuring ATMs remain safe for the consumers. Inspection shall be documented and performed on a periodic basis, the frequency of which depends on the results of the risk assessment. To further promote confidence in the use of ATMs, BSIs shall post in their ATM premises information that ATM machines are regularly checked for the presence of skimming devices. |
| • Educate BSI personnel to be responsive and sensitive to customer concerns. | To manage reputational risk, adequate handling and containment of consumer concerns and complaints shall be undertaken by highly-trained BSI personnel. A well-defined customer complaint resolution process must be in place specifying prompt notifications as well as the conduct of investigations aimed at resolving issues and complaints within a reasonable timeframe. |
2. Point-of-Sale Devices
| Pertinent Provisions | Recommended Control Measures |
|---|---|
| • The party providing the POS terminal must always increase the physical security around the vicinity of such POS terminal and on the POS terminal itself, among others, by using a POS terminal that minimizes the possibility of interception on such terminal or in its communication network. | Similar to ATMs, physical security controls shall be in place for POS devices, with the added concern on connectivity to minimize risk of interception in the established communication link. Risk assessment of POS terminals considering the location, volume and amount of transactions and other risk factors should also be undertaken. |
| • A BSI deploying POS devices at merchant locations must familiarize the merchant with the safe operation of the device. The acquiring institution must ensure that the POS devices as well as other devices that capture information do not expose/store information such as the PIN number or other information classified as confidential. It must also ensure that a customer's PIN number cannot be printed at the point of sale for any reason whatsoever. | Likewise, POS devices shall be configured to assist in ensuring confidentiality of sensitive information so as to minimize opportunity for card skimming. In addition to physical and logical controls, BSIs should exercise proper oversight of their accredited merchants and enforce baseline controls in minimizing card skimming and fraud risks, such as hiring practices and background checks of employees handling payment card processing. |
B. Prevention, Detection, Management and Response Relative to Skimming Incidents
1. Prevention
Other than the minimum security requirements for ATMs and POS, Annex "A" — Appendix 75f of Circular No. 808 requires the study, analysis and assessment of ATM crimes to determine root cause and problem areas.
Lessons learned from a BSI's own experience or that of another BSI shall be used to promote changes, measures or process improvements to prevent the occurrence or recurrence of such incidents at BSIs.
2. Detection
In addition to consumer complaints handling, Annex "A" — Appendix 75f of Circular No. 808 requires the implementation of fraud detection systems with behavioral scoring and correlation capabilities to identify and curb fraudulent activities even prior to completion of the transaction or knowledge of the consumer. The system will enable BSIs to effectively monitor actions by cardholders that deviate from usual card usage patterns which may subsequently lead to investigation.
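The detection requirements in this item (behavioral scoring and correlation to spot deviations from a cardholder's usual usage pattern before the transaction completes) and the threshold-based transaction alerts listed among the Annex "A" controls earlier in the memorandum can be illustrated with a small scoring engine. The Python below is an added example for this page, not part of the memorandum and not code from the BSP or any BSI; the rule weights, the alert and referral thresholds, the cards, terminal IDs, cities and amounts are all constructed for illustration. It replays a constructed transaction history per card, scores each new transaction against a profile built only from that card's previously unflagged activity, correlates a card's own recent activity (two cities within an hour), and then correlates across cards to find a terminal that every later-compromised card used shortly before its first flagged transaction, which is the usual starting point for locating a skimmed ATM or POS device.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical tuning values; a BSI would derive its own from its risk assessment.
WITHDRAWAL_ALERT_THRESHOLD = 20000.0   # per-transaction alert threshold (PHP), illustrative
SCORE_THRESHOLD = 3                    # score at which a transaction is referred for investigation
MIN_BASELINE = 5                       # transactions needed before behavioural rules apply


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    amount: float
    terminal: str
    city: str


def profile(baseline):
    """Cardholder's usual behaviour, built only from transactions that were not flagged."""
    amounts = [t.amount for t in baseline]
    return {"mean": mean(amounts), "sd": pstdev(amounts),
            "hours": {t.ts.hour for t in baseline}, "cities": {t.city for t in baseline}}


def score_transaction(txn, baseline, recent, window=timedelta(minutes=60)):
    """Return (score, reasons) for one transaction, evaluated before it is completed."""
    score, reasons = 0, []
    # Rule 1: fixed threshold alert (alerts on withdrawals above a defined threshold)
    if txn.amount > WITHDRAWAL_ALERT_THRESHOLD:
        score, reasons = score + 2, reasons + ["over_threshold"]
    # Rules 2-4: behavioural scoring against the cardholder's own profile
    if len(baseline) >= MIN_BASELINE:
        p = profile(baseline)
        if (txn.amount - p["mean"]) / max(p["sd"], 1.0) > 3.0:   # more than 3 standard deviations
            score, reasons = score + 2, reasons + ["amount_deviation"]
        if txn.ts.hour not in p["hours"]:
            score, reasons = score + 1, reasons + ["unusual_hour"]
        if txn.city not in p["cities"]:
            score, reasons = score + 1, reasons + ["new_location"]
    # Rule 5: correlation within the card's own recent activity (two cities inside the window)
    if any(prev.city != txn.city and timedelta(0) <= txn.ts - prev.ts <= window for prev in recent):
        score, reasons = score + 3, reasons + ["rapid_location_change"]
    return score, reasons


def monitor(txns):
    """Replay transactions per card in time order; returns {card: [(txn, score, reasons), ...]}."""
    results, baseline, recent = defaultdict(list), defaultdict(list), defaultdict(list)
    for t in sorted(txns, key=lambda x: (x.card, x.ts)):
        score, reasons = score_transaction(t, baseline[t.card], recent[t.card])
        results[t.card].append((t, score, reasons))
        recent[t.card].append(t)
        if score < SCORE_THRESHOLD:          # flagged transactions must not pollute the profile
            baseline[t.card].append(t)
    return results


def flagged(results):
    """Transactions referred for investigation."""
    return [t for rows in results.values() for t, score, _ in rows if score >= SCORE_THRESHOLD]


def common_points_of_compromise(all_txns, flagged_txns, lookback=timedelta(days=14), min_cards=2):
    """Correlation across cards: terminals that several later-compromised cards all used
    shortly before their first flagged transaction (candidate skimmed ATM/POS devices)."""
    first_flag = {}
    for t in flagged_txns:
        if t.card not in first_flag or t.ts < first_flag[t.card]:
            first_flag[t.card] = t.ts
    terminal_cards = defaultdict(set)
    for t in all_txns:
        ff = first_flag.get(t.card)
        if ff is not None and ff - lookback <= t.ts < ff:
            terminal_cards[t.terminal].add(t.card)
    return {term: sorted(c) for term, c in terminal_cards.items() if len(c) >= min_cards}


def _t(card, day, hh, mm, amount, terminal, city):
    return Txn(card, datetime(2014, 9, day, hh, mm), amount, terminal, city)


# Constructed sample data: cards, terminals, cities and amounts are all illustrative.
SAMPLE_TXNS = [
    _t("C1", 1, 9, 0, 2000, "T-A", "Manila"), _t("C1", 2, 12, 0, 3000, "T-B", "Manila"),
    _t("C1", 3, 18, 0, 2500, "T-A", "Manila"), _t("C1", 4, 10, 0, 2000, "T-A", "Manila"),
    _t("C1", 5, 15, 0, 4000, "T-B", "Manila"), _t("C1", 6, 11, 0, 3000, "T-A", "Manila"),
    _t("C1", 7, 13, 0, 2500, "T-B", "Manila"), _t("C1", 8, 17, 0, 3500, "T-A", "Manila"),
    _t("C1", 9, 12, 0, 3000, "T-A", "Manila"),          # ordinary withdrawal
    _t("C1", 10, 2, 10, 25000, "T-Z", "Cebu"),          # cloned card: large amount, 02:10, new city
    _t("C1", 10, 2, 40, 15000, "T-Y", "Davao"),         # 30 minutes later in another city
    _t("C2", 2, 10, 0, 1500, "T-C", "Makati"), _t("C2", 3, 11, 0, 1500, "T-C", "Makati"),
    _t("C2", 5, 16, 0, 2000, "T-B", "Manila"),          # C2 also used terminal T-B
    _t("C2", 6, 9, 0, 1500, "T-C", "Makati"), _t("C2", 7, 14, 0, 2000, "T-C", "Makati"),
    _t("C2", 10, 3, 0, 30000, "T-Z", "Cebu"),           # cloned card
]

if __name__ == "__main__":
    res = monitor(SAMPLE_TXNS)
    for card, rows in res.items():
        for t, score, reasons in rows:
            if score >= SCORE_THRESHOLD:
                print(f"REFER {card} {t.ts:%Y-%m-%d %H:%M} {t.amount:>8.0f} {t.terminal} {reasons}")
    print("candidate compromised terminals:", common_points_of_compromise(SAMPLE_TXNS, flagged(res)))
```

Two design choices matter for the memorandum's "prior to completion" requirement: the profile is built only from transactions that were not flagged, so a cloned card's first large withdrawal does not raise the baseline and mask the next one, and the rapid-location rule looks at all recent activity including flagged transactions, so a second withdrawal in a different city thirty minutes later still scores. The common-point-of-compromise step is what turns individual card alerts into a lead on the skimmed terminal, which feeds the inspection and information-sharing measures elsewhere in the memorandum.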
3. Management and Response
BSIs should establish processes necessary for the timely investigation and resolution of card fraud and skimming related cases. Such processes shall include determining, within a reasonable timeframe, the party liable for the loss and equitable compensation for affected customers once fraud has been established. Pursuant to this objective and Annex "A" — Appendix 75f of Circular No. 808, the BSP enjoins BSIs to implement collaboration and information sharing practices. Practices shall include sharing of CCTV video images whenever available, without extra financial charges, subject to data confidentiality agreements and related industry-wide policies and procedures. BSIs' policies and procedures should be harmonized to conform to this information sharing mechanism. Participation in industry collaboration and information sharing efforts such as the Inter-network Anti-Fraud Committee (IAFC) and the Information Security Officers' Group (ISOG) is also highly encouraged. In some instances, BSIs may need to seek assistance and cooperate with law enforcement agencies for prompt resolution of cybercrime cases, especially if these involve public safety and security.
BSIs that fail to adopt the abovementioned controls/measures to mitigate card fraud and skimming attacks may be subject to monetary and non-monetary sanctions provided under Subsection X176.9 of Circular No. 808.
For information and guidance.
(SGD.) CHUCHI G. FONACIER
Sector-in-Charge
Footnotes
1. EMV (stands for Europay, MasterCard and Visa) is a global standard for credit, debit and prepaid payment cards based on chip card technology. Chip cards are a more secure alternative to traditional magnetic stripe payment cards.