Card Fraud and Skimming Attacks ( BSP Memorandum Order No. M-2014-040 )

October 03, 2014

BSP MEMORANDUM NO. M-2014-040

TO : All BSP-Supervised Institutions

SUBJECT : Card Fraud and Skimming Attacks

Electronic payment cards (i.e., ATM debit, credit and prepaid cards) are still vulnerable to skimming attacks given the continued use of magnetic stripe technology. Pending migration of the entire payment card network to EMV[1] by 01 January 2017, electronic payment cards remain largely defenseless against modern fraud techniques unless multiple layers of protection are adopted by BSP-Supervised Institutions (BSIs).

To manage subject risk, BSIs are reminded to consider the specific controls to mitigate exposure from skimming attacks outlined under Annex "A" — Appendix 75f of Circular No. 808 dated 22 August 2013, namely:

- Installation or implementation of additional controls to ATM and POS machines, such as anti-skimming solutions, tamper-resistant keypads or video surveillance;

- Establishment of detection processes and alert mechanisms for timely and appropriate incident response and action; and

- Use of transaction alerts on withdrawals and other transactions exceeding certain defined thresholds.

The abovementioned controls highlight the BSI's need to (a) protect ATM and POS machines and (b) have proactive systems and processes in place to prevent, detect, manage or respond to card skimming incidents. BSIs also need to strengthen their customer awareness programs as a first line of defense against fraudsters, reiterating the precautionary measures under Annex "C" — Appendix 75f of Circular No. 808.

A. Security Controls for Automated Teller Machines (ATMs) and Point of Sale (POS) Devices

BSIs shall put in place adequate safeguards, as card skimming attacks may happen at various points in payment card processing, such as ATMs, payment kiosks and POS terminals. The following are the minimum security measures required for ATM facilities and POS devices pursuant to Annex "A" — Appendix 75f of Circular No. 808, with the corresponding additional recommended controls necessary given the evolving nature of skimming attacks:

1. Automated Teller Machines

Pertinent Provisions:

- Locate ATMs in highly visible areas;
- Provide sufficient lighting at and around the ATMs; and
- Where ATM crimes (e.g., robbery, vandalism, skimming) are high in a specific area or location, the BSI should install a surveillance camera or cameras which shall view and record all persons entering the facility. Such recordings shall be preserved by the BSI for at least thirty (30) days.

Recommended Control Measures:

BSIs are expected to enhance their risk management processes to include the conduct of a thorough risk assessment, which considers the specific ATM model, ATM location, volume of transactions and such other factors necessary to identify those ATMs requiring additional controls. For those classified as high risk, installation of robust anti-skimming solutions and/or additional security devices and measures shall be necessary. The results of the risk assessment shall likewise be used to identify specific or vulnerable ATM models due for replacement.

Pertinent Provision:

- Implement ATM programming enhancements like masking/non-printing of card numbers.

Recommended Control Measures:

Logical controls, such as transaction alert systems and/or notifications, shall also be considered by BSIs to ensure risks are appropriately mitigated or managed.

Pertinent Provisions:

- Educate customers by advising them regularly of risks associated with using the ATM and how to avoid these risks;
- Post a clearly visible sign near the ATM facility which, at a minimum, provides the telephone numbers of the BSI as well as other BSIs' hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases.

Recommended Control Measures:

Consumer education remains one of the key defenses against fraud, identity theft and security breaches. Concerned BSIs shall accordingly enhance their consumer awareness initiatives in response to the business environment. More than protection of the Personal Identification Number (PIN) and the measures outlined in Annex "C" — Appendix 75f of Circular 808, advisories on how to check for skimming devices shall also be released and posted in ATM premises.

Pertinent Provision:

- Conduct and document periodic security inspection at the ATM location.

Recommended Control Measures:

Periodic security inspection is a necessary step to ensure that ATMs are not compromised. Other than security officers, BSIs shall consider requesting the assistance of branch personnel in ensuring ATMs remain safe for consumers. Inspection shall be documented and performed on a periodic basis, the frequency of which depends on the results of the risk assessment. To further promote confidence in the use of ATMs, BSIs shall post in their ATM premises information that ATM machines are regularly checked for the presence of skimming devices.

Pertinent Provision:

- Educate BSI personnel to be responsive and sensitive to customer concerns.

Recommended Control Measures:

To manage reputational risk, adequate handling and containment of consumer concerns and complaints shall be undertaken by highly-trained BSI personnel. A well-defined customer complaint resolution process must be in place, specifying prompt notifications as well as the conduct of investigations aimed at resolving issues and complaints within a reasonable timeframe.

2. Point-of-Sale Devices

Pertinent Provision:

- The party providing the POS terminal must always increase the physical security around the vicinity of such POS terminal and on the POS terminal itself, among others, by using a POS terminal that minimizes the possibility of interception on such terminal or in its communication network.

Recommended Control Measures:

Similar to ATMs, physical security controls shall be in place for POS devices, with the added concern of connectivity to minimize the risk of interception in the established communication link. Risk assessment of POS terminals considering the location, volume and amount of transactions and other risk factors should also be undertaken.

Pertinent Provision:

- A BSI deploying POS devices at merchant locations must familiarize the merchant with the safe operation of the device. The acquiring institution must ensure that the POS devices, as well as other devices that capture information, do not expose/store information such as the PIN number or other information classified as confidential. It must also ensure that a customer's PIN number cannot be printed at the point of sale for any reason whatsoever.

Recommended Control Measures:

Likewise, POS devices shall be configured to assist in ensuring the confidentiality of sensitive information so as to minimize the opportunity for card skimming.

In addition to physical and logical controls, BSIs should exercise proper oversight of their accredited merchants and enforce baseline controls in minimizing card skimming and fraud risks, such as hiring practices and background checks of employees handling payment card processing.

B. Prevention, Detection, Management and Response Relative to Skimming Incidents

1. Prevention

Other than the minimum security requirements for ATMs and POS, Annex "A" — Appendix 75f of Circular No. 808 requires the study, analysis and assessment of ATM crimes to determine root cause and problem areas.

Lessons learned from a BSI's own experience or that of another BSI shall be used to promote changes, measures or process improvements to prevent the occurrence or recurrence of such incidents at BSIs.

2. Detection

In addition to consumer complaints handling, Annex "A" — Appendix 75f of Circular No. 808 requires the implementation of fraud detection systems with behavioral scoring and correlation capabilities to identify and curb fraudulent activities even prior to completion of the transaction or knowledge of the consumer. The system will enable BSIs to effectively monitor actions by cardholders that deviate from usual card usage patterns which may subsequently lead to investigation.
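An added illustration (not part of the memorandum) of the logical controls named above, the threshold-based transaction alerts listed among the Annex "A" controls and the behavioral scoring and correlation described in this detection paragraph: a fixed withdrawal threshold, a per-card baseline of usual amounts, and a simple correlation rule across consecutive transactions, applied to constructed sample data. The threshold, multiplier, time window and card identifiers are assumptions.

```python
# Added illustration of threshold alerts plus per-card behavioural scoring; not
# part of the BSP memorandum. Sample data, thresholds and weights are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_THRESHOLD = 15_000               # assumed per-withdrawal alert threshold (PHP)
BASELINE_MULTIPLIER = 3.0              # assumed: flag amounts above 3x the card's usual
TRAVEL_WINDOW = timedelta(minutes=30)  # assumed: two cities this close in time is implausible
REVIEW_SCORE = 2                       # assumed: send for review once two signals correlate

@dataclass
class Txn:
    card: str
    ts: datetime
    amount: int
    city: str
    terminal: str

def score_transactions(txns):
    """Return [(txn, score, reasons)] for transactions needing review. One point
    each for: amount over the fixed threshold; amount far above the card's own
    baseline (mean of its prior amounts); a different city than the card's previous
    transaction within TRAVEL_WINDOW. A lone signal never triggers review."""
    history = defaultdict(list)   # card -> prior transactions, in time order
    flagged = []
    for t in sorted(txns, key=lambda x: x.ts):
        prior, reasons = history[t.card], []
        if t.amount > ALERT_THRESHOLD:
            reasons.append("amount exceeds fixed threshold")
        if prior:
            baseline = sum(p.amount for p in prior) / len(prior)
            if t.amount > BASELINE_MULTIPLIER * baseline:
                reasons.append(f"amount exceeds {BASELINE_MULTIPLIER}x card baseline")
            last = prior[-1]
            if last.city != t.city and t.ts - last.ts <= TRAVEL_WINDOW:
                reasons.append(f"{last.city} then {t.city} within {TRAVEL_WINDOW}")
        prior.append(t)
        if len(reasons) >= REVIEW_SCORE:
            flagged.append((t, len(reasons), reasons))
    return flagged

T0 = datetime(2014, 10, 3, 8, 0)
SAMPLE = [  # constructed sample data; card ids and terminal ids are placeholders
    Txn("card-A", T0, 2_000, "Manila", "ATM-001"),
    Txn("card-A", T0 + timedelta(days=1), 3_000, "Manila", "ATM-001"),
    Txn("card-A", T0 + timedelta(days=3), 20_000, "Manila", "ATM-002"),
    Txn("card-A", T0 + timedelta(days=3, minutes=10), 20_000, "Cebu", "ATM-077"),
    Txn("card-B", T0, 20_000, "Manila", "ATM-001"),  # first use: one signal only
]
```

Running `score_transactions(SAMPLE)` flags only the two card-A withdrawals on day 3 (a large amount far above that card's baseline, then the same amount in another city ten minutes later), while card-B's single large first withdrawal stays below the review score.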

3. Management and Response

BSIs should establish processes necessary for the timely investigation and resolution of card fraud and skimming related cases. Such processes shall include determining, within a reasonable timeframe, the party liable for the loss and equitable compensation for affected customers once fraud has been established. Pursuant to this objective and Annex "A" — Appendix 75f of Circular No. 808, the BSP enjoins BSIs to implement collaboration and information sharing practices. Practices shall include sharing of CCTV video images whenever available, without extra financial charges, subject to data confidentiality agreements and related industry-wide policies and procedures. BSIs' policies and procedures should be harmonized to conform to this information sharing mechanism. Participation in industry collaboration and information sharing efforts such as the Inter-network Anti-Fraud Committee (IAFC) and the Information Security Officers' Group (ISOG) is also highly encouraged. In some instances, BSIs may need to seek assistance and cooperate with law enforcement agencies for prompt resolution of cybercrime cases, especially if these involve public safety and security.

BSIs that fail to adopt the abovementioned controls/measures to mitigate card fraud and skimming attacks may be subject to monetary and non-monetary sanctions provided under Subsection X176.9 of Circular No. 808.

For information and guidance.

(SGD.) CHUCHI G. FONACIER
Sector-in-Charge

Footnotes

1. EMV (stands for Europay, MasterCard and Visa) is a global standard for credit, debit and prepaid payment cards based on chip card technology. Chip cards are a more secure alternative to traditional magnetic stripe payment cards.