Banks face long road to 100% EMV migration
By Madhusha Thavapalakumar
Even though the recent skimming attacks on cards have accelerated efforts by banks to increase the number of EMV cards, the industry is still a long way from 100% EMV (Europay, Mastercard, and Visa) migration.
Speaking to The Sunday Morning Business, a spokesperson from the Payment Card Industry Association of Sri Lanka (PCIASL) said that “even if all issuers and acquirers show a keen interest, it would still take another six to nine months”.
Several skimming attacks at ATMs were reported to the Finance Sector Computer Security Incident Response Team (FINCSIRT) from Colombo and its suburbs over the long weekend. However, users of EMV cards were unaffected by these attacks.
A majority of local banks already commenced the process of migration to EMV Chip technology when the skimming attacks took place, but adoption is expected to accelerate following this incident and the consumer uproar.
Skimming is a type of Automated Teller Machine (ATM) card theft where a small device is used to steal credit card information in an otherwise legitimate credit or debit card transaction. An EMV card is a card with an embedded microchip and associated technology designed to enable secure payment at compatible point of sale (POS) terminals, which can prevent skimming.
However, the PCIASL Spokesperson noted that EMV adoption is an expensive investment and the exact cost would vary based on the technology adopted and the vendors selected.
However, PCIASL said that migrating to the backend systems to adopt EMV technology would not be viable unless banks convert all their magnetic strip cards to EMV Chip cards and upgrade devices such as ATMs and Point of Sales (POS) for EMV capability.
According to the PCIASL, even 100% EMV adoption by banks would not prevent fraudulent transactions which happen during online purchases, and the complete elimination of fraudulent and risky transactions would only be possible if transactions outside EMV technology were banned, although it would be an impractical measure.
However, he added: “Such actions could result in certain transactions not going through due to a failure or a malfunction of the chip in the card or the transaction processing device. This will have a negative impact on customer sentiments as a certain percentage of transactions are bound to fail. At this point of time, we have no information about other markets which have blocked fallback transactions fully.”
Meanwhile, LankaClear Chief Executive Officer/General Manager Channa de Silva stated that the migration of card payment industry into EMV from its old magnetic strip system would largely prevent skimming, although the magnetic strip would still be considered a fallback option to perform transactions in situations where the EMV gets scratched or fails to be read.
He told The Sunday Morning Business that, as a further measure towards reducing skimming activities, the Central Bank of Sri Lanka (CBSL) planned to obligate customers to register for SMS alerts for card transactions with their respective banks, so that customers would instantly be notified following every transaction.
“If skimming happens, the customers get notified so that they can contact the bank and cancel their cards. What happens right now is most of the customers are not registered for SMS alerts.”
CBSL also advised ATM operators to have CCTV fixed to monitor suspicious activities.
De Silva also noted that as a secondary option against ATM skimming, Sri Lanka planned to install anti-skimming devices in ATMs to minimise tampering and risks of fraudulent transactions.
According to him, a small number of new ATMs already had this device fixed.
“There is a new technology called anti-skimming. There is a small device that can be connected to the ATM which will prevent people from skimming,” he said.
An anti-skimming device is a semi-transparent plastic exterior that protrudes from the card acceptance slot to prevent perpetrators from easily attaching skimmers.
De Silva also noted that ATM skimming is a criminal activity which happens even in developed countries and cannot be eliminated entirely.
“If you look at skimming, it cannot be stopped 100%. Skimming is a common thing that happens in the US and Europe. What we can do is we can reduce or minimise it while keeping the general public vigilant,” he added.
Meanwhile, following complaints of fraudulent transactions, the PCIASL and Sri Lanka Banks’ Association, in a brief joint statement issued on Tuesday (05), stated: “This was a result of some card data that has been compromised through ATM skimming activities, where cloned cards had been created to make these fraudulent withdrawals.”
In addition, they informed the public that the ATM networks and cards were safe for transacting but advised the public to subscribe for the SMS transaction alert facility through their respective banks.