Stricter authentication for online transactions to start Sept. 30

MANILA, Philippines — Banks are set to adopt stricter authentication measures for online transactions starting Sept. 30 to foster a secure digital financial services environment and protect consumers against cyber attacks, the Bangko Sentral ng Pilipinas (BSP) said.

BSP Deputy Governor Chuchi Fonacier said the adoption of multi-factor authentication techniques for certain transactions, as contained in Circular No. 958 issued last April, would push through as scheduled.

 “Looks like the adoption of multi-factor authentication will push through,” she said.

The circular was issued due to the increasing propensity and sophistication of cyber-attacks involving fund transfers, payments, and other transactions via online channels.

With the ongoing migration to EMV (Europay, MasterCard, and Visa) technology, the BSP said cyber-attackers face reduced fraud opportunities in traditional schemes which require customers to physically present their payment cards or the so-called “card present transactions” in ATM and/or POS terminals. 

Similar to the experience of other countries that have adopted EMV technology, the BSP is expecting an upsurge of cyber-attacks targeting card-not-present (CNP) transactions in the Philippines that intends to fully shift to the National Retail Payment System (NRPS) by 2020. 

CNP transactions are normally done via online through internet or mobile applications such as fund transfers and payment of utility bills; buying airline tickets; online booking of hotels, tours and tickets; online shopping for products and services; and a host of other activities in e-commerce websites and other online or mobile platforms. 

The stronger authentication controls and measures are aimed at protecting online customers as well as addressing the increasing cyber-threats.

The enhancement to the regulation aims to reinforce the adoption of more stringent security controls for certain types of transactions by BSP supervised financial institutions. 

In particular, multi-factor authentication is mandatory for those transactions considered as sensitive communications and/or high-risk such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards in e-commerce websites, among others. 

The process makes use of a combination of two or more authentication factors such as knowledge or something the user knows such as password, PIN; possession or something the user has in his/her possession such as payment card, one-time password generated through a security token or sent via SMS; and inherence or something that is inherent to the user such as fingerprint and retinal pattern.