PROTECTING CUSTOMERS' INFORMATION: WILL OPERATORS EMBRACE GLOBAL STANDARDS?
By Babajide Komolafe
There are people who have vowed never to have anything to do with electronic payment again, no matter the preaching about the benefits. They are bank customers who have fallen victim to electronic payment fraud or e-fraud, and lost huge sums of money in the process.
Their bitterness is aggravated by the callous manner in which some banks usually respond to their plight. 'Oh, you must have compromised your PIN (personal identification number) by giving it to somebody or by allowing somebody to access it', these banks tell such people.
It is not peculiar to Nigeria; e-fraud, popularly known as ATM fraud, is a global phenomenon. The amount lost to this fraud by customers and electronic payment services runs into billions of dollars.
The first step to successful perpetration of this kind of fraud is to gain access to the customer's information, including the PIN, account number and so on. The information is then used to produce a duplicate of the customer's ATM card, which is then used to access and steal his or her money.
The information can also be used to access the money to make purchases or transfers via the internet and Point of Sale (PoS) terminals. That is why e-fraud thrives during a transition to a cashless, electronic payment dominated economy, such as the one Nigeria is undergoing.
For most of the transition, most people are not yet familiar with the operations of electronic payment channels, nor with their vulnerability to fraudsters vis-a-vis the handling of their cards and PINs. Also, because it is a new system, there are loopholes vis-a-vis regulation and infrastructure that can be easily exploited by fraudsters.
Globally, so much effort has been devoted to checkmating these fraudsters, and much of the effort is channelled towards preventing them from accessing customer information. This is done by ensuring that electronic payment systems and operations have the necessary security measures for protection of customers' information.
The aim is to ensure that no one can illegally access these systems and channels to steal the information of customers transacting business over them. This effort has over time culminated in what is called the Payment Card Industry Data Security Standard (PCIDSS).
PCIDSS is the global minimum standard for protecting customers or users of electronic payment services from e-fraud. Any electronic payment system or channel that does not conform to this standard is highly vulnerable to fraud. Unfortunately, only one per cent of electronic service providers in Nigeria have systems that conform to this standard.
Consequently, 60 per cent of the electronic payment system infrastructure in Nigeria is vulnerable to fraud. Very disturbing! This is despite the directive by the CBN that all operators comply with this standard by December 31, 2012.
This embarrassing vulnerability of e-payment to fraud in Nigeria and the need to conform to PCIDSS were the focus of two major industry gatherings last week. The first was a workshop on PCIDSS and Cashless Nigeria organised by Phillips Consulting International and the Central Bank of Nigeria (CBN). The second was the meeting of the Nigeria E-Fraud Forum (NEFF).
In her remarks at the NEFF meeting, the Managing Director of Standard Chartered Bank, Mrs. Bola Adesola, said that every new system has its vulnerability and this should be addressed. 'There is a lot of collaboration internationally to fight against fraud and Nigeria cannot afford to be left out,' she said.
At the workshop on PCIDSS, Mr Musa Itopia, Head of the Payments System Oversight Office of the CBN, said that there are three major reasons why electronic payment operators in Nigeria have not conformed to PCIDSS, and hence the high level of vulnerability to fraud.
The first is lack of management buy-in, the second is budgetary constraint and the third is a dearth of Qualified Security Assessors (QSAs) to help them upgrade their systems to conform to the standard. The way forward, according to Emmanuel Obaigbon, Chairman of NEFF, is collaboration and sensitisation.
He said: 'The new standard, PCIDSS, will aid the security of electronic payment in the country, as it is associated with the management of privileged identities and controlling insiders and administrators from accessing sensitive data. The move is a proactive process towards enlightening Nigerians, especially those in the financial sector, on measures to mitigate fraud associated with electronic payments.'
According to Mr. Emeka Emuwa, Chairman, Enterprise Bank, the industry needs to be ahead of fraudsters. 'We must also be sure that fraudsters will follow the new form of payment both physically and logically. As the fraudsters are planning, we need to develop our skills and plan.'
Encouraging operators to embrace the standard, Mr Adewale Obadare, Managing Director of Digital Encode Limited, a security solution company, said: 'Compliance with PCIDSS helps to mitigate risks associated with the prevalent use of banks' cards and payment channels. There is a growing cloud community of fraudsters hoping to hack new electronic payment platforms. With this trend, PCIDSS has been mandated for all merchants or banks that store, process and/or transmit cardholder data.
'Managing and monitoring access to the electronic payment environment while locking down administrative privileges is crucial to protecting sensitive data within this expanded threat environment. Many organisations are still trying to catch up on PCI 2.0 requirements, and those exploring virtualisation will now need to fully understand new hurdles to meeting audit requirements and protecting sensitive customer data and financial information.'