Card Fraud and Skimming Attacks ( BSP Memorandum Order No. M-2014-040 )

October 03, 2014

October 3, 2014


TO : All BSP-Supervised Institutions
SUBJECT : Card Fraud and Skimming Attacks 


Electronic payment cards (i.e., ATM debit, credit and prepaid cards) are still vulnerable to skimming attacks given the continued use of magnetic stripe technology. Pending migration of the entire payment card network to EMV 1 by 01 January 2017, electronic payment cards remain largely defenseless against modern fraud techniques unless multiple layers of protection are adopted by BSP-Supervised Institutions (BSIs).

To manage subject risk, BSIs are reminded to consider the specific controls to mitigate exposure from skimming attacks outlined under Annex "A" — Appendix 75f of Circular No. 808 dated 22 August 2013, namely:

 Installation or implementation of additional controls to ATM and POS machines, such as anti-skimming solution, tamper-resistant keypads or video surveillance;

 Establishment of detection process and alert mechanisms for timely and appropriate incident response and action; and

 Use of transaction alerts on withdrawals and other transactions exceeding certain defined thresholds.

Abovementioned controls highlight the BSI's need to (a) protect ATM and POS machines and (b) have proactive systems and processes in place to prevent, detect, manage or respond to card skimming incidents. Also, BSIs need to strengthen their customer awareness programs as a first line of defense against fraudsters reiterating the precautionary measures under Annex "C" — Appendix 75f of Circular No. 808.

A. Security Controls for Automated Teller Machines (ATMs) and Point of Sale (POS) Devices

BSIs shall put in place adequate safeguards as card skimming attacks may happen at various points in payment card processing, such as ATMs, payment kiosks and POS terminals. Following are the minimum security measures required for ATM facilities and POS devices pursuant to Annex "A" — Appendix 75f of Circular No. 808 with the corresponding additional recommended controls necessary given the evolving nature of the skimming attacks:

1. Automated Teller Machines

Pertinent Provisions
Recommended Control Measures
Locate ATM's in highly visible BSIs are expected to enhance their risk
  areas; management processes to include the
Provide sufficient lighting at and conduct of a thorough risk assessment, which
  around the ATMs; and considers, specific ATM model, ATM location,
Where ATM crimes (e.g., robbery, volume of transactions and such other factors
  vandalism, skimming) are high in a necessary to identify those ATMs requiring
  specific area or location, the BSI additional controls. For those classified as
  should install surveillance camera high risk, installation of robust anti-skimming
  or cameras which shall view and solutions and/or additional security devices
  record all persons entering the and measures shall be necessary. The results
  facility. Such recordings shall be of the risk assessment shall likewise be used
  preserved by the BSI for at least to identify specific or vulnerable ATM models
  thirty (30) days. due for replacement.
Implement ATM programming Logical controls, such as transaction alert
  enhancements like masking/non- systems and/or notifications, shall also be
  printing of card numbers. considered by BSIs to ensure risks are
    appropriately mitigated or managed.
Educate customers by advising Consumer education remains one of the key
  them regularly of risks associated defenses against fraud, identity theft and
  with using the ATM and how to security breach. Concerned BSIs shall
  avoid these risks; accordingly enhance their consumer
Post a clearly visible sign near the awareness initiatives in response to the
  ATM facility which, at a minimum, business environment. More than protection
  provides the telephone numbers of  of the Personal Identification Number (PIN)
  the BSI as well as other BSIs' and the measures outlined in Annex "C" —
  hotline numbers for other Appendix 75f of Circular 808, advisories on
  cardholders who are allowed to how to check for skimming devices shall also
  transact business in the ATM, and be released and posted in ATM premises.
  police hotlines for emergency cases.  
Conduct and document periodic Periodic security inspection is a necessary step
  security inspection at the ATM to ensure that ATMs are not compromised.
  location. Other than security officers, BSIs shall
    consider requesting assistance of branch
    personnel in ensuring ATMs remain safe for
    the consumers. Inspection shall be
    documented and performed on a periodic
    basis, the frequency of which depends on the
    results of the risk assessment.
    To further promote confidence in the use of 
    ATMs, BSIs shall post in their ATM premises
    information that ATM machines are regularly
    checked for the presence of skimming devices.
Educate BSI personnel to be To manage reputational risk, adequate
  responsive and sensitive to handling and containment of consumer
  customer concerns. concerns and complaints shall be undertaken
    by highly-trained BSI personnel. A well-
    defined customer complaint resolution
    process must be in place specifying prompt
    notifications as well as the conduct of 
    investigations aimed at resolving issues and
    complaints within a reasonable timeframe.

2. Point-of-Sale Devices

Pertinent Provisions
Recommended Control Measures
The party providing POS terminal Similar to ATMs, physical security controls
  must always increase the physical shall be in place for POS devices with the
  security around the vicinity of such added concern on connectivity to minimize
  POS terminal and on the POS risk of interception in the established
  terminal itself, among others, by communication link. Risk assessment of POS
  using POS terminal that minimizes terminals considering the location, volume
  the possibility of interception on and amount of transactions and other risk
  such terminal or in its factors should also be undertaken.
  communication network.  
    Likewise, POS devices shall be configured to
BSI deploying POS devices at assist in ensuring confidentiality of sensitive
  merchant locations must information so as to minimize opportunity for
  familiarize the merchant with the card skimming.
  safe operation of the device. The  
  acquiring institution must ensure In addition to physical and logical controls,
  that the POS devices as well as BSIs should exercise proper oversight of their
  other devices that capture accredited merchants and enforce baseline
  information do not expose/store controls in minimizing card skimming and
  information such as the PIN fraud risks such as hiring practices and
  number or other information background checks of employees handling
  classified as confidential. It must payment card processing.
  also ensure that a customer's PIN  
  number cannot be printed at the  
  point of sale for any reason  

B. Prevention, Detection, Management and Response Relative to Skimming Incidents

1. Prevention

Other than the minimum security requirements for ATMs and POS, Annex "A" — Appendix 75f of Circular No. 808 requires the study, analysis and assessment of ATM crimes to determine root cause and problem areas.

Lessons learned from BSI's or another BSI's experience shall be used to promote changes, measures or process improvements to prevent recurrence or occurrence of incidents to the BSIs.

2. Detection

In addition to consumer complaints handling, Annex "A" — Appendix 75f of Circular No. 808 requires the implementation of fraud detection systems with behavioral scoring and correlation capabilities to identify and curb fraudulent activities even prior to completion of the transaction or knowledge of the consumer. The system will enable BSIs to effectively monitor actions by cardholders that deviate from usual card usage patterns which may subsequently lead to investigation.

3. Management and Response

BSIs should establish processes necessary for the timely investigation and resolution of card fraud and skimming related cases. Such processes shall include determining, within a reasonable timeframe, the party liable for the loss and equitable compensation for affected customers once fraud has been established. Pursuant to this objective and Annex "A" — Appendix 75f of Circular No. 808, the BSP enjoins BSIs to implement collaboration and information sharing practices. Practices shall include sharing of CCTV video images whenever available, without extra financial charges, subject to data confidentiality agreements and related industry-wide policies and procedures. BSIs' policies and procedures should be harmonized to conform to this information sharing mechanism. Participation in industry collaboration and information sharing efforts such as the Inter-network Anti-Fraud Committee (IAFC) and the Information Security Officers' Group (ISOG) is also highly encouraged. In some instances, BSIs may need to seek assistance and cooperate with law enforcement agencies for prompt resolution of cybercrime cases, especially if these involve public safety and security.

BSIs that fail to adopt the abovementioned controls/measures to mitigate card fraud and skimming attacks may be subject to monetary and non-monetary sanctions provided under Subsection X176.9 of Circular No. 808.

For information and guidance. EHCcIT

(SGD.) CHUCHI G. FONACIERSector-in-Charge


1. EMV (stands for Europay, MasterCard and Visa) is a global standard for credit, debit and prepaid payment cards based on chip card technology. Chip cards are a more secure alternative to traditional magnetic stripe payment cards.