BSP says no extension for Sept. 30 deadline for banks’ multi-factor authentication shift
THE CENTRAL BANK will not extend the end- September deadline for banks and credit card issuers to adopt tighter standards for client verification, as the regulator looks to improve cybersecurity at a time of increasing use of digital payment platforms.
BSP Circular 958 issued in April requires banks and credit card issuers to put in place a multi-factor authentication (MFA) system for online transactions. The measure seeks to verify a client’s identity using at least two different methods before one can proceed with high-value fund transfers or payments.
The new requirement seeks to prevent cases of the so-called “cardnot- present” fraud, where hackers use more sophisticated attacks via the Internet or through app- based platforms to steal money.
“We have been receiving a lot of queries, [ but] we won’t extend the deadline so it’s still Sept. 30, 2017,” Melchor T. Plabasan, deputy director of the BSP’s Core Information Technology Specialist Group, said during the banking and finance session of the 2017 Cybersecurity Summit last week.
All BSP-supervised entities have been required to set up internal protocols for the MFA since May, while stricter verification standards are to be fully implemented by the fourth quarter.
Mr. Plabasan, however, said additional guidelines will be released ahead of next month’s deadline to allow some room for banks to continue offering digital services, but in a limited capacity.
“If you’re not yet ready for MFA… the one possibility would be disabling certain features or transactions which are considered high risk or sensitive as defined in Circular 958,” the BSP official told an audience of bank information technology specialists.
Among the most common ecommerce transactions are bills payment, online shopping, purchase