Appendix 112

GUIDELINES ON EUROPAY, MASTERCARD AND VISA (EMV) IMPLEMENTATION
(Appendix to Sec. 148 on IT Risk Management Systems)

A. Background. In response to the increasing sophistication of frauds perpetrated through magnetic stripe (magstripe), international payment networks have orchestrated the shift towards EMV chip-enabled cards. The EMV is an interoperability standard for chip-bearing smart card technology defined by EMVCo in 1994, adoption of which has resulted in a significant reduction in card frauds due to skimming¹ and counterfeiting.

To outpace and manage fraudsters’ shift towards jurisdictions that are still using magstripe, Bangko Sentral supervised financial institutions (BSFIs) via Sec. 148 (IT Risk Management Systems) were required to migrate their entire payment network to the more secure EMV chip-enabled cards.

B. Statement of Policy. It is the policy of the Bangko Sentral to foster the development of safe, secure, efficient, and reliable retail payment systems, protect the integrity and confidentiality of customer accounts and information and uphold consumer protection.

C. Scope. These guidelines shall govern the migration to and implementation of EMV of all BSFIs with debit card issuing and acquiring functions. For credit cards, only cash advance transactions at Automated Teller Machines (ATMs) shall be covered since other credit card transactions are governed by the rules of the international payment networks.

It is incumbent upon all affected BSFIs to ensure that other key players in the domestic payment network comply with these guidelines.

For purposes of the subject guidelines, payment transactions covered are limited to card present and contact transactions in ATMs, POS terminals and other similar devices. Guidelines governing card-not-present as well as contactless transactions shall be issued separately.

D. Definition of terms.

1. EMV, which stands for Europay, MasterCard and Visa, is a global standard for credit, debit and prepaid payment cards based on chip card technology. EMV chip-based payment cards, also known as smart cards, contain an embedded microprocessor, a type of small computer. The microprocessor chip contains the information needed to use the card for payment, and is protected by various security features. Chip cards are a more secure alternative to traditional magstripe payment cards.

Implementing EMV shall address the deficiencies inherent in magstripe by reducing fraud arising from counterfeit, lost and stolen card information through the following features:

a. Authentication of the chip card to ensure that the card is genuine so as to protect against counterfeit fraud for online-authorized transactions;

b. Digitally signing payment data for transaction integrity; and

c. More robust cardholder verification to protect against lost and stolen card fraud for EMV transactions in all acceptance environments.

2. Acquiring institution (acquirer) is a bank or financial institution that processes credit or debit card transactions via ATM or POS terminals.

3. Bangko Sentral Supervised Financial Institutions (BSFIs) include banks, NBQB, non-bank electronic money issuers and other non-bank institutions which under existing Bangko Sentral rules and regulations and special laws are subject to Bangko Sentral supervision and/or regulation.

4. Co-branded cards are Philippine-issued cards affiliated with international payment networks.

5. Debit cards are payment cards linked to bank deposit or prepaid/electronic money (e-money) accounts.

6. Domestic payment network includes BSFIs as well as other key players such as merchants, providers of ATMs, point-of-sale (POS) terminals and similar devices, card vendors, card personalization bureaus and domestic switches responsible for processing and handling domestic transactions.

7. Domestic switches refer to Bancnet and Megalink.

8. EMV chip liability shift means that the liability and responsibility for counterfeit or fraudulent transactions shall shift to the BSFI which is not EMV-compliant.

9. EMVCo is the governing body that manages the EMV specification.

10. Hybrid cards are payment cards that have both EMV chip and magstripe.

11. International payment networks refer to the payment networks that have global establishment. For purposes of subject guidelines, recognized international networks shall refer to Visa, Mastercard, UnionPay, Diners/Discover, American Express, Japan Credit Bureau (JCB).

12. Interoperability refers to the ability of Philippine cardholders to transact at Philippine ATM and POS terminals, regardless of network affiliation or branding of the card.

13. Issuing institution (issuer) is a bank or non-bank financial institution that issues payment cards, whether proprietary or co-branded, to consumers.

14. Payment cards are cards that can be used by cardholders and accepted by terminals to withdraw cash and/or make payment for purchase of goods or services, fund transfer and other financial transactions. Typically, payment cards are electronically linked to deposit, prepaid or loan/credit accounts.

15. Philippine domestic EMV specification refers to the specification or standards based on EMV that shall be adopted in the Philippine financial market for the proprietary or non-co-branded cards.

16. Proprietary cards are Philippine-issued cards without international payment network affiliation.

17. Technical fallback is a state in which a chip cannot be used and another type of entry, such as magstripe, is used to complete a transaction.

E. General rules.

In line with the declaration of policy, BSFIs, in migrating to EMV, shall consider the following:

1. BSFIs shall maintain interoperability of the domestic payment network;

2. The Philippine EMV Implementation shall use established EMV specification as follows:

a. Issuers of proprietary cards shall use the Philippine domestic EMV specification; and

b. Issuers of co-branded cards shall use the EMV specification of their affiliated international payment network.

3. At a minimum, all debit accepting devices shall acquire/accept Philippine issued proprietary cards using the Philippine domestic EMV specification of members/participants of the domestic switches;

4. The domestic payment network shall ensure continued interoperability and acceptance of Philippine EMV issued cards using the Philippine domestic EMV specification on Philippine EMV deployed acceptance devices²; and

5. BSFIs shall strengthen consumer protection by adequately handling and containing consumer concerns and complaints arising from fraudulent schemes done electronically.

F. The Philippine Domestic EMV Specification.

With the main objectives of maintaining interoperability and reducing card fraud, BSFIs shall adopt a Philippine domestic EMV specification for proprietary cards. The domestic EMV specification should:

a. Adopt the EMV specification according to EMVCo;

b. Apply to ATM and domestic debit POS transactions;

c. Support contact transactions;

d. Support online card authentication to ensure that transactions are made using a valid card;

e. Support online authorization to enable issuer to manage fraud and credit risk at the transaction level;

f. Support online PIN cardholder verification method; and

g. Support technical fallback to magstripe in the interim, without prejudice to the issuer’s decision to process/approve fallback transactions.

G. Minimum operational requirements.

1. Issuing institutions shall:

a. Ensure that they have the technical systems and network necessary to process and handle EMV transactions;

b. Support EMV data elements in authorization messages;

c. Define chip card features, functionality and interface capability;

d. Enhance risk management systems to leverage chip;

e. Determine the card migration strategy;

f. Update customer support and operational systems to support chip cards;

g. Be certified for network interfaces and card personalization by a certification body organized by BSFIs pursuant to these Guidelines;

h. Replace card base; and

i. Educate the consumers.

2. Acquiring institutions shall:

a. Ensure that card-accepting devices are EMV-certified to support the acquiring and routing of Philippine-issued debit cards using the Philippine domestic EMV specification;

b. Ensure that PIN-entry devices are Payment Card Industry PIN Transaction Security (PCI-PTS³) compliant; and

c. Enable a debit POS environment that supports online PIN for Philippine-issued debit cards.

3. Domestic switches shall:

a. Establish infrastructure and systems that are EMV-compliant and able to support switched EMV transactions from domestic interconnected networks;

b. Ensure continued support to existing transaction sets and functions provided to consumers;

c. Enhance efforts to educate their members on EMV collaboration and seek effective alignment of strategy and design principles; and

d. Ensure continued ability to support, in the interim, transactions in magstripe format subject to liability shift policies acceptable to Bangko Sentral, the standards of which shall be covered in subsequent guidelines.

H. Detailed guidelines, policies and processes.

BSFIs shall agree on and implement detailed technical and operational requirements, policies and procedures that are acceptable to the Bangko Sentral, the standards of which shall be covered in subsequent guidelines, and aligned with subject EMV Implementation Guidelines, covering but not limited to the following:

1. Philippine Application Identifier (AID);

2. Single Common AID, Single Common Card Personalization Profile and Single Common Technical Configuration for domestic transactions;

3. Transaction routing;

4. Testing and certification;

5. Dispute and fraud risk management; and

6. Other processes affected by the EMV migration.

I. Updated EMV migration plan

Any changes arising from the aforementioned guidelines shall be incorporated in the EMV Migration Plan and all affected BSFIs shall resubmit their updated plan to Bangko Sentral’s Core Information Technology Specialist Group (CITSG) within sixty (60) days from 24 November 2014.

All BSFIs shall support migration to EMV standards. Consequently, all cards issued and card-accepting devices should be EMV-compliant.⁴

(Circular No. 961 dated 02 June 2017, 936 dated 28 December 2016, 890 dated 02 November 2015, and 859 dated 24 November 2014)

Footnotes

  1. Skimming is the illegal copying of information from the magnetic stripe of a payment card to gain access to accounts.
  2. Include EMV-compliant ATMs, POS terminals and other similar devices.
  3. A security requirement of the Payment Card Industry (PCI) regarding testing of PIN-entry devices using pre-defined standards to get certification.
  4. This paragraph shall take effect on 01 January 2017.