Remove vulnerabilities to cybersecurity, SBP directs banks

KARACHI: The State Bank of Pakistan (SBP) has directed all the banks to immediately conduct self and a third-party audit of their cybersecurity and remove vulnerabilities.

“Failure to comply with the…instructions will lead to penal action by SBP including but not limited to the suspension of non-compliant digital payment products and services of the banks/MFBs (Microfinance Banks),” the central bank said in a notification on Wednesday.

Banks would remain liable to compensate their customers in case they lose money due to the cyber security breach in future, it said.
“In case of a financial loss to customers due to such incidents, the bank/MFB shall compensate them within two business days,” it added.

The central bank issued the much-needed instructions to the banks following a cyberattack on the country’s banking system late last month in which a bank reported a loss of Rs2.6 million. Reacting to the development, majority of the banks in the country switched off international payment schemes on their debit and credit cards temporarily or for an indefinite period.

“Banks/MFBs (Microfinance Banks) shall immediately carry out extensive vulnerability assessment and penetration testing to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems including but not limited to card systems, RTGS (Real-time gross settlement systems), SWIFT (international wire transfers code), internet and mobile banking and agent-based and branchless banking etc,” the SBP said.

It further stated that the assessment reports along with action plans and timelines to address the vulnerabilities should be submitted to Payment Systems Department (PSD) latest by March 31, 2019. The banks shall arrange independent third party review/assessment of all the payment mechanism and submit such assessment reports to PSD latest by December 31, 2019.

Chip-based PIN code cards

“All card-issuing banks/MFBs shall replace all existing payment cards (except social transfer cards) with EMV (Europay, MasterCard, Visa) chip-and-PIN payment cards latest by June 30, 2019,” it emphasised.

Earlier, it was learnt that Pakistanis are still relying on decade-old magnetic stripe payment card/swiping technology and financial transactions are processed without entering PIN code on such payment cards that remains a huge source for the potential cyber security breach in future.

To prevent frauds in online transactions, the central bank demanded the commercial banks/MFBs to enable EMVCo’s (Europay, MasterCard, Visa) 3D Secure Security Protocol. “A detailed plan for the implementation of EMVCo 3-D Secure for all applicable card payments shall be submitted to PSD latest by January 31, 2019.”

With effect from January 1, 2019, banks/MFBs area have been asked to send free of cost transaction alerts to their customers through both SMS and email (where email IDs are available) for all international and domestic digital transactions including but not limited to ATM, POS (Point of Sales) and internet banking transactions.

Source: The Express Tribune