BANKS must adopt multi-factor authentication (MFA) techniques for certain card transactions starting end-September this year as the central bank expects a surge in cyber attacks.
The mandate is under the recently approved Monetary Board (MB) amendments to existing regulations that cover BSP supervised financial institutions (BSFIs), the Bangko Sentral ng Pilipinas (BSP) said in a statement on Thursday.
“This is in response to the increasing propensity and sophistication of cyber attacks involving fund transfers, payments and other transactions via online channels,” it said.
The regulator expects cyber attackers to come up with new fraudulent schemes as the banking industry adopts the Europay Mastercard Visa (EMV) technology for automated teller machines (ATM) and credit cards over the vulnerable magnetic stripe technology.
EMV is the global standard for chip-based credit and debit transactions that makes it difficult for fraudsters to hack, compared with magnetic stripe cards. The embedded chip contains unique transaction details that are activated each time the card is used. It is also protected by additional layers of security.
“With the ongoing migration to EMV technology, cyber attackers face reduced fraud opportunities in traditional schemes which require customers to physically present their payment cards or the so-called ‘card present transactions’ in ATM and POS [point of sale] terminals,” the central bank said.
The BSP expects cyber attacks to zero-in on card-not-present (CNP) transactions in the Philippines, similar to the experience of other countries that have adopted EMV technology.
CNP transactions are done online, using internet or mobile applications, and include fund transfers and bills payments through internet banking. Attackers also target airline ticket purchases on an airline’s website, as well as online tour and hotel bookings. Online shopping and a host of other e-commerce activities using mobile internet are also popular targets.
“In this regard, the new policy mandates stronger authentication controls and measures to protect online customers as well as address the increasing cyber-threats,” the central bank said.
Plans of action with specific timelines, as well as the status of initiatives to achieve full compliance, should be readily available for BSP inspection starting next month.
The rule is consistent with initiatives to foster a secure digital financial services environment, the central bank said. Enhancing regulation aims to reinforce the BSFI’s security controls for certain types of transactions.
“In particular, MFA is mandatory for those transactions considered as sensitive communications and high-risk such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards in e-commerce websites, among others,” it said.
The policy supports a risk-based approach, which allows alternative and less stringent authentication procedures for low-risk transactions and gives BSFIs flexibility in how they adopt MFA.
The central bank noted that MFA uses a combination of two or more authentication factors: something the user knows, such as a password or PIN; something the user possesses, such as a payment card or a one-time password (OTP) generated by a security token or sent via SMS; and something inherent to the user, such as a fingerprint or retinal pattern.
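To make the two points above concrete (a risk-based tiering of transactions, and MFA meaning two or more *distinct* factor categories rather than two credentials of the same kind), here is a small policy check written as an added example. It is not code from the BSP, from any bank, or from the article; the transaction names, credential names and the rule that high-risk transactions need two factor categories while others need one are constructed assumptions that simplify the risk-based approach described in the text.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the BSP statement."""
    KNOWLEDGE = "knowledge"      # password, PIN
    POSSESSION = "possession"    # payment card, token OTP, SMS OTP
    INHERENCE = "inherence"      # fingerprint, retinal pattern


# Constructed mapping from credential type presented to its factor category.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card": Factor.POSSESSION,
    "token_otp": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina": Factor.INHERENCE,
}

# Constructed set of high-risk transaction types, following the categories the
# statement lists (enrollment, third-party transfers, remittance, account
# maintenance, card use in e-commerce).
HIGH_RISK = {
    "e_service_enrollment",
    "third_party_transfer",
    "online_remittance",
    "account_maintenance",
    "ecommerce_card_payment",
}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials.

    Two credentials of the same category (e.g. password + PIN) count once, which
    is exactly why such a pair is not multi-factor authentication.
    """
    categories = set()
    for cred in credentials:
        if cred not in CREDENTIAL_CATEGORY:
            raise ValueError(f"unknown credential type: {cred!r}")
        categories.add(CREDENTIAL_CATEGORY[cred])
    return categories


def required_factor_count(transaction_type):
    """Assumed risk-based tier: high-risk needs two categories, others one."""
    return 2 if transaction_type in HIGH_RISK else 1


def authorize(transaction_type, credentials):
    """Decide whether the presented credentials satisfy the policy tier."""
    return len(distinct_factors(credentials)) >= required_factor_count(transaction_type)


if __name__ == "__main__":
    # Password + PIN is two credentials but one factor category: rejected for
    # a high-risk transfer. Password + SMS OTP spans two categories: accepted.
    print(authorize("third_party_transfer", ["password", "pin"]))      # False
    print(authorize("third_party_transfer", ["password", "sms_otp"]))  # True
    print(authorize("balance_inquiry", ["password"]))                  # True
```

The check that matters for a reviewer is `distinct_factors`: an implementation that merely counts credentials would accept password plus PIN as "two factors", which defeats the purpose of the mandate. In a real deployment the tiering of transaction types and the accepted credential types would come from the institution's own risk assessment, not from the fixed sets shown here.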
“This provides for a more reliable authentication method and a stronger fraud deterrent mechanism that limits unauthorized access; and protects the integrity of customer data and transaction details,” it said.
The BSP said this contributes to increased customer confidence, leading to more prevalent use of digital financial services, in line with the National Retail Payment System’s objective of a cash-light economy by 2020.