How feasible are the new payment security rules

06 Dec, 2018

The State Bank of Pakistan’s (SBP) specific guidelines on digital payment security, issued last week, merit a closer look (see the table for a snapshot of those rules). This piece addresses the practicality of some of the measures from the banking perspective. A subsequent piece will look at the opportunities for the local IT industry to get involved in beefing up digital payment security in Pakistan.

The buck stops at a bank’s board of directors (BOD), which must approve the measures taken to boost its digital payment security. Normally, this would involve identifying risks and incurring costs commensurate with those risks. But now that the SBP has spelled out specific measures, along with clear deadlines for action, the banks had better get cracking. Let’s look at some of those measures through the dual lens of cost and effectiveness.

Banks are required to “immediately carry out extensive vulnerability assessment & penetration testing to identify weaknesses in their Alternate Delivery Channels (ADCs) & payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking & agent-based/Branchless Banking” – along with an “independent 3rd party review/assessment” of the same.

Banking veteran and digital payments expert S.M. Arif told BR Research that such exercises won’t carry high reliability, as most institutions aren’t professionally competent to make an independent assessment. “It’s not a single entity’s job and most entities don’t have end-to-end assessment skills, including the Big-5 consulting representatives in Pakistan. This could only be done in partnership with professional companies,” he said. He doubts that most of the institutions will revisit their current security architecture at this level – unless there is a security-centric approach to conducting this exercise, rather than a profit-centric approach. Even if they do go to this level after putting in place cross-sectional teams, a fairly extensive “Assessment Only Exercise” will take between 3-5 months – without fixing any gaps.

As per Qasif Shahid, CEO and founder of Finja, a fintech startup, it won’t cost banks much to take measures like deploying real-time fraud monitoring tools and alert mechanisms and monitoring card-related/online account usage on a 24/7 basis.

“Depending on the solution a bank plans to acquire, a Transaction Monitoring System to cover all payment verticals, having real-time fraud monitoring capabilities & direct integration, can cost between $0.7-1 million. The 24/7 usage monitoring is referred to as Online Authorization (OLA) or a Fraud Detection Unit (FDU). That exists in most banks – and if not, a structure of 5-8 staff with one manager can be put in place,” he told BR Research.
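To make the “real-time fraud monitoring” measure discussed above concrete, here is an added illustration of the kind of rule that a transaction monitoring system evaluates on every authorization. It is example code written for this piece, not part of the article, the SBP guidelines or any vendor’s product; the three rules (high amount, velocity, country change within a short window), the thresholds, and the sample transactions are all constructed assumptions chosen to show each rule firing once.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions for this example, not SBP figures).
HIGH_AMOUNT_PKR = 100_000               # single transaction at or above this
VELOCITY_LIMIT = 3                      # more than this many txns per window
VELOCITY_WINDOW = timedelta(minutes=5)
TRAVEL_WINDOW = timedelta(hours=2)      # country change faster than this


class TransactionMonitor:
    """Stateful per-card monitor. Feed transactions in timestamp order,
    as an online-authorization hook would see them."""

    def __init__(self):
        self.recent = defaultdict(deque)   # card -> timestamps in window
        self.last_seen = {}                # card -> (timestamp, country)

    def evaluate(self, txn):
        """Return a list of (rule, card, txn_id) alerts for one transaction."""
        ts = datetime.fromisoformat(txn["ts"])
        card = txn["card"]
        alerts = []

        # Rule 1: unusually large single transaction.
        if txn["amount"] >= HIGH_AMOUNT_PKR:
            alerts.append(("HIGH_AMOUNT", card, txn["id"]))

        # Rule 2: velocity - too many transactions inside a sliding window.
        window = self.recent[card]
        window.append(ts)
        while window and ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > VELOCITY_LIMIT:
            alerts.append(("VELOCITY", card, txn["id"]))

        # Rule 3: card used in a different country sooner than plausible travel.
        prev = self.last_seen.get(card)
        if prev and prev[1] != txn["country"] and ts - prev[0] < TRAVEL_WINDOW:
            alerts.append(("IMPOSSIBLE_TRAVEL", card, txn["id"]))
        self.last_seen[card] = (ts, txn["country"])
        return alerts


# Constructed sample stream (hypothetical cards, amounts in PKR).
SAMPLE_TRANSACTIONS = [
    {"id": 1, "ts": "2018-12-01T09:00:00", "card": "A", "amount": 2_000, "country": "PK"},
    {"id": 2, "ts": "2018-12-01T09:01:00", "card": "A", "amount": 2_000, "country": "PK"},
    {"id": 3, "ts": "2018-12-01T09:02:00", "card": "A", "amount": 2_000, "country": "PK"},
    {"id": 4, "ts": "2018-12-01T09:03:00", "card": "A", "amount": 2_000, "country": "PK"},
    {"id": 5, "ts": "2018-12-01T10:00:00", "card": "B", "amount": 150_000, "country": "PK"},
    {"id": 6, "ts": "2018-12-01T10:45:00", "card": "B", "amount": 3_000, "country": "AE"},
    {"id": 7, "ts": "2018-12-01T11:00:00", "card": "C", "amount": 500, "country": "PK"},
]


def run_sample(transactions=SAMPLE_TRANSACTIONS):
    """Run the monitor over a stream and collect every alert raised."""
    monitor = TransactionMonitor()
    alerts = []
    for txn in transactions:
        alerts.extend(monitor.evaluate(txn))
    return alerts


if __name__ == "__main__":
    for rule, card, txn_id in run_sample():
        print(f"ALERT {rule}: card {card}, transaction {txn_id}")
```

On the sample stream the fourth card-A transaction trips the velocity rule, transaction 5 trips the amount rule, and transaction 6 trips the travel rule; card C raises nothing. A production system would feed these alerts to the 24/7 unit Qasif describes rather than decline automatically, and would tune thresholds per customer segment instead of using one global figure.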

The SBP has also required banks to start sending free-of-cost transaction alerts to customers over both SMS and email from January 1, 2019. This measure will raise a bank’s costs – one transaction alert SMS costs around 22 paisas; previously some, though not all, banking customers paid a monthly fee of between Rs50-100 for such alerts. And it may not solve the problem.

“Alerts are only good if they are delivered to the recipient in time. Most institutions have not covered their SLAs on priority index. Nor has the SBP laid down a 90 percent delivery/time-limit threshold criterion for assured delivery,” Arif noted. He suggests that a more cost-effective model could be one where customers activate/lock their own accounts through a trigger of their own choice (USSD, SMS, email or mobile app), followed by two-factor authentication.

Another contentious SBP guideline requires banks, with immediate effect, to activate or re-activate online banking services (including internet/mobile banking) only after biometric verification of the customer at a branch. This is a bolt from the blue for the over-worked branch staff.

Shehryar Hydri, Secretary General, Pakistan Software Houses Association (P@SHA), has a different view. “Biometric records for existing customers may sound tedious but it will help their trust levels in the long run, as any fraud on their accounts will be paid for by the bank. It’s good that this biometric requirement does not include Branchless Banking (BB) as the slow-moving conventional banking is slowly pushing the new generation of consumers towards BB,” he told BR Research.

Qasif of Finja said that “At present, biometric verification is being used for branch customers and chances are that most ADC customers have already gone through biometric verification, but still it needs to be checked on a case-by-case basis. However, in the case of a biometric requirement before the activation of online banking, it may be a duplication of a single check.”

Arif suggested that biometric verification would be impractical for active commercial clients, as people have to visit a branch and many have more than one account. “This will only make sense if one universal application is deployed across the industry at all banks and branches so one can activate at any branch. After that, two-factor authentication must be applied; otherwise this will cause even bigger exposure.”

By June 30, 2019, all card-issuing banks are required by the SBP to have replaced all their existing payment cards with EMV chip-and-PIN cards. As per Arif, it would be sensible to use this expensive feature only for cards with an average balance above Rs50,000, for several reasons.

“The EMV-chip card and its logical authentication features will pose an upfront cost of about $60 million ($1.5-2.6 per card for 23 million card accounts). In the current environment, EMV-chip debit cards will be like Nadra chip cards, where the cost has been incurred upfront but the feature is not used. Besides, they will not solve the Internet CNP (card-not-present) problem, or ATM card-skimming fraud, as currently not all ATMs are EMV-chip enabled,” he cautioned.

In the case of financial loss to a customer on account of fraud or hacking, banks are now required to compensate the customer within two business days. As per Qasif, a two-day turnaround may not be sufficient anywhere, locally or abroad, as a complete investigation or review of such incidents is a time-consuming exercise.

“In the case of an off-us transaction, whereby another bank’s terminal is compromised, the issuer will be completely dependent on the acquiring bank to come up with authentic information that their platform was compromised and to what extent customer data has been compromised or stolen,” he explained.

To reduce the banks’ exposure to cyber risks, the SBP has directed all banks to “review existing agreements with Payment Schemes to identify clauses that may expose them to potential financial, legal & operational risks due to cyber-attacks/crimes.” Here, Arif feels that individual banks don’t have the necessary “leverage” to review such agreements on their own and urges the SBP or another national body to step in and help review them.

While there is noticeable dismay in the banking sector over the new rules, the bitter pill will need to be swallowed now for the financial system to remain secure in the long run. The P@SHA secretary general, who is critical of the banks’ past compliance with IT security requirements, hoped that measures like free SMS and email alerts, awareness campaigns, new chip cards, card-blocking options, and being informed and compensated within 48 hours will give more confidence to digital and online customers as well as help transfer best practices at the merchant level.

Copyright Business Recorder, 2018