MANILA, Philippines - A plan to replace all existing automated teller machine (ATM) cards is in the works with monetary authorities and the banking industry looking at tighter security features to “minimize” hacking incidents.
“In principle, new cards are needed and the ATM itself needs to be recalibrated for the new cards,” BSP managing director Johnny Noe Ravalo told The STAR in an e-mail last week.
“Because of the nature of the change, it will take some time to get this fully operational,” he added.
Lorenzo Tan, president of the Bankers Association of the Philippines (BAP), confirmed the plan, saying banks would be ordered to issue cards with the new security feature known as Europay MasterCard Visa (EMV) electronic chips.
“The BSP is looking at mandating EMV compliance for ATMs and cards. The latest ATMs can comply with this, but the older versions will entail upgrade costs,” Tan said in a text message.
According to data from the Philippine Deposit Insurance Corp., there were a total of 41.787 billion bank accounts last year, of which 40.115 billion are in pesos that usually entail the use of ATM cards.
There are no official data available on how many ATM cards have been issued, but industry players peg the number between 25 to 30 million. Central bank data, on the other hand, showed there were 12,285 ATM outlets nationwide as of end-2012.
BSP deputy governor Nestor Espenilla Jr. said the new order is still undergoing consultation with the rest of the banking industry. Afterwards, it would be finalized and forwarded to the policymaking Monetary Board for approval.
“The policy proposals, if adopted, will contain time lines (for adjustment to the new system), Espenilla said in a text message.
The plan is an offshoot of a spate of hacking incidents on ATM users. Such incidents are usually reported to the BSP.
Previously, Espenilla was quoted as saying that the central bank is “aware” of the scam and that it had already alerted the banks about it. Should it push through, the move to require lenders to use EMV cards marks a first for the BSP to tackle the fraud.
Initial moves to counter hacking have been made by the industry. First, they decided to install “shields” to cover the hands of depositors typing in their personal identification number (PIN) from small cameras that may have been installed by hackers.
A detecting device was also installed where ATM cards are inserted. Card readers are said to have been installed by scammers to detect card data, allowing them to inquire about balances and withdraw funds later on.
But EMV-enabled cards are expected to tackle the problem from head to toe. Visa country manager Iain Jamieson, who oversees six million Visa ATM cards in the country, said an ATM card with EMV is “much more secure” than what local banks are issuing now.
The main difference is the place where data is stored. In a regular ATM card, data is easily detected through a black “magnetic stripe” found on the back of the card. In an EMV card, a “chip” is used.
“The strength of a chip card is that the data is dynamic, meaning it changes every time the card is used making it impossible to copy,” Jamieson said in a text message.
Currently though, only credit cards use EMV chips and about 90 percent of point-of-sale (POS) machines in the country can read them.
Jamieson noted the Philippines is the only country in Southeast Asia which does not have EMV in ATM cards. In the same way, “very few” ATM outlets can read EMV-enabled cards, making it really necessary to reformat them.
“The ATM migration however needs to be carefully planned by the local banking industry as the expense of migrating...is considerably more expensive than migrating a POS device,” he explained.
The BSP policy is expected to detail how banks should deal with the costs of upgrade – on whether they will be allowed to pass them to depositors or not.
Big banks have started preparing for the adoption of EMV-compliant cards ahead of the BSP issuance.
“We expect to be EMV certified by the fourth quarter. Rollout on all ATMs will follow shortly after,” BDO Unibank Inc. president Nestor Tan said. BDO is the largest local bank in asset terms.
For its part, Metropolitan Bank & Trust Co. – the third largest – said in a statement the lender’s transition to EMV is “under development.” It declined to elaborate.
But while EMV may make ATM cards less prone to hacking, BAP admitted they are not exactly scam-free and said depositor vigilance remains key.
“EMV can minimize fraud unless there is a new scam that will be developed through time,” BAP’s Tan said.