EMV (stands for Europay, MasterCard and Visa) is the global standard for credit, debit, and prepaid card payments using the chip card technology. EMV chip-based payment card is a more secure alternative to traditional magnetic stripe payment cards.
The magnetic stripe on traditional credit, debit and prepaid cards contains unchanging (static) data which can be easily copied by fraudsters via a simple and inexpensive skimming device. Unlike a magnetic stripe card, every time an EMV card is used for payment, the chip on the card generates a unique transaction code that cannot be used again. This feature, known as dynamic authentication, makes it difficult, if not virtually impossible, and costly for fraudsters to counterfeit EMV cards.
In terms of customer experience, EMV chip-compliant cards are read in what is called “card dipping” mechanism instead of the usual swiping of magnetic stripe cards. Because of the additional validation and data flows for the EMV chip-compliant card, the process may not be as quick as the swiping process. Hence, the customer must be patient and understand the trade-off between security and performance. The infographic below shows the EMV chip card acceptance/validation process:
The EMV chip technology has been proven effective in significantly reducing counterfeit fraud, skimming and other related attacks perpetrated in magnetic stripe payment cards. Consequently, fraudsters have shifted their efforts to countries which are still highly reliant on the magnetic stripe technology, such as the Philippines. Thus, it is imperative for the Philippines to adopt EMV technology to address the increasing rate of counterfeit fraud, safeguard the interests of the public and promote interoperability with international payment networks. Towards this end, the BSP has put in place the necessary regulatory and supervisory framework to enable the migration of the entire payment network to EMV technology. This is fundamental to BSP’s mandate to foster the development of safe, secure, efficient and reliable retail payment systems and uphold consumer protection.
Requires BSP-Supervised Financial Institutions (BSFIs) to shift from magnetic stripe technology to EMV chip-compliant cards, point-of-sale (POS) terminals and automated teller machines (ATMs).
Provides the EMV implementation guidelines which set forth BSP’s supervisory expectations with respect to the management of risks while migrating the payment network to the EMV platform.
Provides guidance on the adoption of chip and Personal Identification Number (PIN) as the primary cardholder verification method for EMV compliant Philippine-issued debit cards.
Requires BSFIs to submit quarterly reports indicating the status of their EMV migration activities and compliance to the BSP.
Establishes the EMV Card Fraud Liability Shift Framework (ECFLSF) which sets forth the general principles in the allocation of liability and resolution of disputes on fraudulent transactions arising from counterfeit cards.
All BSFIs with card issuing and acquiring functions are primarily responsible for migrating their payment card products and card-accepting devices/terminals to EMV technology in compliance with pertinent BSP regulations. Activities to migrate to EMV include the replacement of terminals (e.g. ATMs), replacement of the software that drives these terminals (i.e. hosts), as well as the replacement of the payment cards (e.g. ATM/debit card and prepaid card) previously issued.
Key players in the domestic payment network should also prepare their respective systems, terminals, and network to support EMV technology. These include merchants, providers of ATMs, POS terminals and similar devices, card vendors, card personalization bureaus and domestic switch (BancNet) responsible for processing and handling domestic transactions. Since most of these players normally partner/coordinate with issuing/acquiring BSFIs, it is incumbent upon all affected BSFIs to ensure that these key players comply with BSP guidelines on EMV technology.
To protect their accounts from fraudulent transactions arising from counterfeit and skimming attacks, debit, credit and prepaid cardholders should cooperate with their issuing banks in the replacement of their magnetic stripe cards with EMV chip-compliant cards. Consumers are advised to update their contact details with their banks to ensure they receive timely notifications and other advisories (e.g. when they will be issued a replacement chip-based card).
01 January 2017 – the deadline for all BSFIs to migrate to EMV technology all Philippine-issued debit, prepaid and credit cards, ATMs, POS terminals, and other similar devices and underlying payment platforms and applications.
While the EMV infrastructure and environment are still in the process of achieving full stability, customers may still use their magnetic stripe cards after 1 January 2017. However, non- or partially- compliant BSFIs shall be subject to ECFLSF. This means that the BSFIs which have not yet or have only partially adopted the EMV technology shall be held responsible for losses associated with the use of a counterfeit card in a card-present environment. The BSP may impose additional enforcement actions pursuant to BSP Circular No. 875 dated 15 April 2015 on BSFIs that fail to demonstrate conscientious effort towards full EMV compliance.
A BSFI that has enabled secure EMV technology shall be protected from financial liability arising from losses on counterfeit card fraud. The liability for this type of fraud shall shift to the BSFI which is not or is only partially compliant with the EMV requirement.
The allocation of liability for counterfeit fraud is summarized as follows:
While EMV technology has been effective in minimizing counterfeit fraud and skimming, it is not a silver bullet or a one-time solution. However, it is far more secure than magnetic stripe technology which is virtually defenseless against card skimming. Given the rapidly evolving cyber-threats and the increasing ability of fraudsters to circumvent existing controls, BSFIs should continuously monitor developments and assess risks pertinent to their payment networks and systems. Likewise, BSFIs should ensure that an interplay of technology, people and processes on top of adequate governance and risk management mechanisms are in place to effectively address emerging payment systems risks and threats.
For customer-related complaints, the Financial Consumer Protection Department (FCPD) is the primary contact person in BSP. FCPD may be reached via the following channels: