Nigeria's Central Bank proposes ATM security guidelines
June 29, 2003
NIGERIA -- The Central Bank of Nigeria (CBN), in its Draft Guidelines on Electronic Banking, has warned all Nigerian banks offering ATMs that they will be held responsible for cases of fraud resulting from card skimming and counterfeiting.
According to a report in ThisDay News, the Central Bank recently sent the proposed guidelines to about 40 banks across the country.
The CBN is encouraging banks to move toward smart cards, according to ThisDay News.
"In view of the demonstrated weaknesses in the magnetic stripe technology, banks should adopt the chip (smart card) technology as the standard within five years. For banks that have not deployed ATMs, the expectation is that chip-based ATMs would be deployed," according to the proposed guidelines.
The guidelines specify that banks may deploy hybrid (both chip and magnetic stripe) card readers to enable the international cards that are still primarily magnetic stripe to be used in Nigerian ATMs.
The guidelines also require all ATMs not located on bank premises must be placed in a manner to assure the safety of the customer using the ATM. "Appropriate lighting must be available at all times and a mirror must be placed around the ATM to enable the individual using the ATM to determine the locations of persons in their immediate vicinity," the guidelines said.
Other points in the guidelines include:
ATMs must be situated in such a manner that passers-by cannot see individuals at ATMs entering their PINs.ATMs must be bolted to the floor and surrounded by structures to prevent removal.Precautions must be taken to ensure that any network connectivity from the ATM to the bank or switch is protected to prevent the connection of other devices to the network.Non-bank institutions may own ATMs. Such institutions must enter into an agreement with a bank for the processing of all ATM transactions. If an ATM is owned by a non-bank institution, processing banks must ensure that the card readers, and other devices that capture/store information on the ATM, do not expose data such as the PIN. The funding (cash in the ATM) and operation of the ATM should be the bank's sole responsibility.ATMs at bank branches should be situated to permit access at reasonable times. Banks must ensure that when the ATM is accessed after banking hours, access is granted to the ATM by the use of a card, thereby limiting access to non-ATM customers. Banks should provide adequate security to ensure the safety of those using the ATM after banking hours.Cameras used to record the activity of a customer at the ATM must not be able to record keystrokes of such a customer.A telephone should be available to the customer to report incidents at the ATM, including inability to withdraw cash or other failures. The telephone lines must be manned at all times when the ATM is operational.
