In order to safeguard banks and their customers from potential losses due to cyber-crimes and online banking frauds, the central bank directed that all banks shall deploy real-time fraud monitoring tools and alert mechanisms, preferably provided by their payment operators, to detect potentially-fraudulent activities on their card systems latest by January 31, 2019.
These banks shall develop Standard Operating Procedures (SOPs) for threat reporting and escalation as well as actions to be taken in case suspicious activity is reported or identified.
Recently, BankIslami’s data was accessed illegally and the money of many customers have been siphon off from their account. Subsequently, a majority of the banks suspended the service of the international transaction through their debit and credit cards.
Banks in consultation with Payment Schemes ( Visa Inc., MasterCard, UnionPay, and etc) and third-party technology service providers shall make arrangements to ensure that latest security patches are installed on their digital payments infrastructure including customer touchpoints like ATMs and POS machines etc. as soon as they are released.
Banks shall make arrangements to monitor on 24/7 basis usage/activity regarding payments made through their cards or through online transactions on their internet banking platforms. Banks/MFBs shall have arrangements in place to immediately contact (through multiple communication channels) and coordinate with designated people of Payment Schemes for taking appropriate action in case any abnormality in transaction patterns is observed.
Banks shall immediately review their existing agreements with Payment Schemes to identify clauses that may expose them to potential financial, legal and operational risks arising due to cyber-attacks/crimes and take appropriate risk mitigation measures with the approval of their Board/senior management
The central bank has come up with a security plan for banks to secure the electronic payment services for their customers.
Assessment of Electronic Payment System
SBP instructed banks to immediately carry out extensive vulnerability assessment and penetration testing to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking etc.
The assessment reports along with action plans and timelines to address the vulnerabilities shall be submitted to the Payment Systems Department (PSD) latest by March 31, 2019.
In addition to the internal assessments, banks/MFBs shall arrange independent 3rd party review/assessment of their Alternate Delivery Channels (ADCs) and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking etc. These assessment reports shall be submitted to PSD latest by December 31, 2019.
Deployment of 3D Security Protocol
To prevent frauds in online transactions, banks/MFBs shall enable EMVCo’s 3D Secure Security Protocol. A detailed plan for the implementation of EMVCo 3-D Secure for all applicable card payments shall be submitted to PSD latest by January 31, 2019.
3D Security Protocol (Three Domain Secure) is a messaging protocol that involves three domains, such as the bank, technology that processes the transaction and the issuing bank. This is why the new 3D Secure specification includes EMV as the answer to mitigate fraud during online transactions.
Banks/MFBs shall start assessing the feasibility of implementing Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standard (PA DSS) for their digital payment systems and adoption of the same standards by their third-party technology service providers. Banks/MFBs shall submit their assessment reports in this regard to PSD latest by January 31, 2019.
In case, if it comes to the knowledge of any bank/MFB that their customers’ data has been compromised, they shall immediately take steps to protect their customers from further losses and inform them within 48 hours about the steps being taken by the bank/MFB in this regard.
All card-issuing banks shall acquire/upgrade the capability to enable their customers to activate or block their cards for online/cross-border transactions as and when required by them, latest by March 31, 2019.
All card-issuing banks shall replace all existing payment cards (except social transfer cards) with EMV chip-and-PIN payment cards latest by June 30, 2019.