State Bank of Pakistan (SBP) on Friday issued regulations for payment card security to curtail the risk of card-skimmig.
Referring to PSD Circular No. 05 of 2016, the SBP said that in light of the progress made by industry on implementation of central bank’s instructions issued vide the afore-mentioned circular, it has now been decided that:
- In order to curtail the risk of card-skimming, existing magnetic stripe cards and fallback to magnetic stripe on EMV cards shall be blocked by Card Service Providers (CSPs) at host end. For customers travelling abroad, CSPs shall have the functionality to turn on fallback upon specific customer request. Further, CSPs shall ensure that their cardholders activate their new EMV Chip and PIN cards well before the deadline of June 30, 2021 to avoid any inconvenience.
- CSPs after implementing EMVCo’s 3DSecure protocol may enable e-commerce transactions by default on their card portfolios for both local and cross-border e-commerce transactions. Accordingly, for all 3DSecure compliant CSPs, requirement of customer consent, as per clause 4.2.3. (b) of PSD Circular No. 5 of 2016 shall be considered as complied with. However, CSPs shall ensure that they fully inform their customers about the risks of using their cards for cross border e-commerce transactions.
- CSP’s shall provide their customers with the option to activate, enable and disable their cards using mobile banking applications and internet banking portals. Furthermore, options to enable cards for usage on various channels like ATMs, POS and e-commerce shall also be available through mobile and internet banking channels. However, the use of at least Two Factor Authentication (2FA) shall be mandatory.
- In order to enhance customer experience and reduce checkout time on payment counters/terminals, CSPs may relax the requirement of Multi Factor Authentication (MFA) as required vide Section 4.2. (b) of PSD Circular No. 05 of 2016 for card present transactions (including contactless payments either through a card or through mobile devices) up to Rs. 3,000 per transaction. However, CSPs shall ensure that they fully inform their customers and adequately protect them from undue liability arising out of any potential misuse of this facility.
- For refund payments pertaining to both card present and card not present transactions, CSPs shall immediately credit their respective customer account upon the receipt of funds.
- To facilitate their customers, CSPs shall provide them the facility of lodging their complaints and disputes using mobile apps and internet banking portals without the need for physically visiting their premises. For expedited investigation and resolution of complaints/disputes, CSPs shall arrange for obtaining necessary data/information from their customers digitally or through their call centers.
The card service providers shall bring the above measures and the changes being introduced to the knowledge of their customers by running awareness campaigns on print, digital and social media. They shall also ensure that customers are fully facilitated while using their payment cards.
CSPs are advised to meticulously comply with the instructions contained herein by June 30, 2021. Failure to do so shall attract penal action under relevant laws and regulations.