ATM cards

Emma Okonji

Banks, financial institutions and companies licensed to operate mobile money businesses may risk losing their customers if they fail to attain the Payment Card Industry Data Security Standard (PCI-DSS) certification by January 2013, as stipulated by the Central Bank of Nigeria (CBN).

THISDAY gathered that CBN expects all banks and financial institutions involved in mobile money transactions, to reach an advanced stage in the processes of attaining PCI-DSS certification by December this year, in preparation to meet up with the January 2013 deadline.

In technical parlance, PCI-DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit card information, maintain a secure environment.

A close source said CBN would advertise the names of mobile money operators  that comply  and do not comply with the Information Technology (IT) security certification standards after the January 2013 deadline.

The implication is that customers will tend to identify with banks that are IT security compliant, for fear of losing their hard earned monies.

Head, Shared Services Office at CBN, Mr. Chidi Umeano, who confirmed the January 2013 deadline, in a recent interview with THISDAY, said the compliance became necessary to enable mobile money operators have robust payment systems and channels that are not vulnerable to attacks, especially in the era of cashless Nigeria.

He however said that the compliance directive was in the best interest of banks, since no customer would want to do business with any operator that is not PCI-DSS compliant, for fear of losing money to hackers.

“CBN will sanction banks, should they fail to meet up with the compliance by 2013, and apart from imposing sanctions, I think it is in their interests to become compliant in order to protect customers’ money and to strengthen their confidence as banks. If customers know that some banks are not PCI-DSS complaint, they may decide to withdraw their loyalty to the bank and parley with the banks that are PCI-DSS certified, because no customer wants to lose his or her hard earned savings,” Umeano said.

Apart from switching companies like Interswitch and eTransact, as well as Phillips Consulting, only one bank out of the19 operational banks in Nigeria, is PCI-DSS compliant.

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 in America to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.

The PCI -DSS is an independent body that was created by the major payment card brands such as Visa, MasterCard, American Express, Discover and JCB, and it has grown to become a global IT security regulatory body that is setting the pace for security standards.

According to Umeano, CBN would continue to insist on security measures, especially now that it is concluding arrangements to begin a nationwide rollout of cashless Nigeria with the phase two rollout, commencing January 2013 in five states and the Federal Capital Territory (FCT), Abuja.

“Security measures are ongoing. Recently CBN ordered all banks to migrate from magnetic strip cards to PIN and Chip cards, which have more and better security features, and this has reduced fraud rate to about 90 per cent. CBN is particular about bank’s compliance with PCI-DSS, and I can assure you that banks are making preparations to attain compliance from the Payment Card Industry Security Standards Council (PCI SSC). We are security conscious and we are putting more measures in place to strengthen the payment networks and protect them against hacking,” Umeano said.