Banks and MasterCard have urged the central bank to review its directive to route all card transactions from the new year through the National Payment Switch of Bangladesh in a bid to mitigate risks of cyber attacks.
Their concern stems from the NPSB’s lack of PCI-DSS certification, a global security standard for organisations that handle branded cards.
The standard was created by the five major payment brands (JCB, American Express, Discover, MasterCard and Visa) to increase controls around cardholder data and reduce fraud.
All major banks are in the process of getting PCI-DSS certification, while the largest issuers are already certified, according to the Association of Bankers Bangladesh, a platform for chief executives of scheduled banks.
“The certified banks are not comfortable in routing their card transactions through a non PCI-DSS compliant network of NPSB,” said Anis A Khan, chairman of ABB, in a letter to the Bangladesh Bank governor last month.
Furthermore, the NPSB, as of now, can handle transactions from magnetic stripe cards but not from the newer, more secure EMV chip cards, which the BB has asked to be introduced by June next year.
Accordingly, almost all card issuers in Bangladesh have started sending out EMV cards to their customers.
But transactions made with the EMV cards that have already been issued are also being routed through the NPSB in line with the central bank instruction, leaving them exposed to possible data breach risks, the ABB said.
Even a transaction from an EMV card that is routed to the NPSB but treated as a mag-stripe transaction increases compromise risk, said MasterCard Bangladesh in its letter to SM Moniruzzaman, deputy governor of the Bangladesh Bank.
“We have made significant investments to secure the cards, but if the switch itself is not secured our entire effort will go in vain,” Khan said.
Besides, the move to route all card transactions through the NPSB will create a single point of system failure for domestic transactions, the ABB said.
“A single node system is an easy target for hackers and fraudsters.”
Similar moves in other countries have exposed the market to repeated and targeted cyber-attacks and delayed the introduction of world-class safety and security features, according to the letter.
ABB has also cited neighbouring India as a reference point for the BB to emulate. The Reserve Bank of India has its own payment network, along with international payment brands, and cards are issued at the customer’s discretion.
The effectiveness of security attacks has a direct bearing on the general population’s confidence and adoption of various forms of non-cash payments, MasterCard said in its letter.
Subsequently, the two organisations will sit with Moniruzzaman today and tomorrow to address their dissatisfaction about the BB move.
Contacted, Subhankar Saha, BB executive director and spokesperson, declined to comment on the matter.
Source: The Daily Star.