The State Bank of Pakistan (SBP) Wednesday issued fresh guidelines on security of digital payments to safeguard banks and their customers from potential losses due to cyber crimes and online banking frauds.
Last month, hackers reportedly defrauded customers of a Pakistani bank of some Rs 2.1 million after attacking its database. The State Bank issued these directives to prevent cyber crimes and online banking frauds, especially those involving payment cards.
As per the directives, in case of a financial loss to customers due to cyber crime and online banking fraud, all banks and Microfinance Banks (MFBs) will compensate them within two business days.
All card-issuing banks and MFBs have also been directed to replace all existing payment cards (except social transfer cards) with EMV chip-and-PIN payment cards by June 30, 2019. In addition, banks and MFBs will upgrade their systems by March 31, 2019 so that customers can activate or block their cards for online/cross-border transactions whenever they require.
According to SBP, banks and MFBs will immediately carry out extensive vulnerability assessment and penetration testing to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems, including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking. The assessment reports, along with action plans and timelines to address the vulnerabilities, are to be submitted to SBP by March 31, 2019.
In addition to the internal assessments, banks and MFBs have been asked to arrange an independent third-party review/assessment of their ADCs and payment systems and submit the report by December 31, 2019.
With effect from January 1, 2019, all banks will send free of cost transaction alerts to their customers through both SMS and email for all international and domestic digital transactions including but not limited to ATM, POS and Internet banking transactions. Such transaction alerts will be generated and relayed to customers immediately after the execution of transaction.
All banks will activate/reactivate online banking services including internet/mobile banking for their customers after biometric verification at any branch of their bank. Banks/MFBs will be solely responsible for ensuring customer authentication for activation of any ADC and any loss of customer funds due to false activation of any ADCs will be compensated by the respective banks & MFBs.
All card-issuing/acquiring banks will make arrangements to monitor activity on a 24/7 basis and deploy real-time fraud monitoring tools and alert mechanisms, preferably those provided by their Payment Schemes, to detect potential fraudulent activity on their Card Systems by January 31, 2019.
All banks have also been directed to immediately review their existing agreements with Payment Schemes to identify clauses that may expose them to potential financial, legal and operational risks arising due to cyber-attacks/crimes and take appropriate risk mitigation measures with the approval of their Board/senior management.
All banks are advised to take full coverage of Payment Schemes' cyber security threat intelligence and advisories, including updates of indicators of compromise (IOCs), and to ensure immediate compliance with preventive actions advised by the Payment Schemes from time to time. A detailed log of such advisories and the actions taken will be maintained and properly audited.
Banks and MFBs, in consultation with Payment Schemes and third-party technology service providers, will make arrangements to ensure that the latest security patches are installed on their digital payments infrastructure, including customer touch points such as ATMs and POS machines.
To prevent fraud in online transactions, banks/MFBs will enable EMVCo's 3-D Secure protocol. A detailed plan for the implementation of EMVCo 3-D Secure for all applicable card payments will be submitted to SBP by January 31, 2019.
Banks/MFBs will start assessing the feasibility of implementing the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) for their digital payment systems, and of adoption of the same standards by their third-party technology service providers. Banks/MFBs will also submit their assessment reports in this regard to PSD by January 31, 2019.
Acquiring banks have been asked to educate their POS retailers as well as their own employees regarding the risks of theft of customers' card data at POS terminals, and about mechanisms to monitor such risks. Further, acquiring banks will discourage the practice of card swiping on merchants' non-POS terminals, especially where the merchant is not PCI DSS compliant.
If a bank or MFB learns that its customers' data has been compromised, it will immediately take steps to protect those customers from further losses and inform them within 48 hours about the steps being taken in this regard. In case of a financial loss to customers due to such incidents, the bank/MFB will compensate them within two (02) business days. Further, banks/MFBs will report such incidents to the SBP within 48 hours.
In addition to the above instructions, banks and MFBs will ensure meticulous compliance with SBP's instructions regarding the safety and security of digital transactions. Failure to comply with the above instructions will lead to penal action by SBP, including but not limited to the suspension of the non-compliant digital payment products and services of the banks/MFBs.