When thieves use PoS to do their business
Recently, there have been reported cases of robbers snatching people’s Automated Teller Machine (ATM) cards to withdraw money; using Point of Sale (PoS) device to accomplish their criminal acts.
The process is usually the same. The robbers break into the house at midnight or anytime of the day. And with guns held to their heads, victims are ordered to furnish their ATM cards, as well as disclose their pin numbers, which are then confirmed with a PoS device before the cards are taken away. The robbers then proceed to withdraw as much cash as possible before daybreak, when the incident is reported and cash withdrawal stopped.
All this may sound incredible, as it seems to defeat the purpose of Central Bank of Nigeria’s (CBN) cashless policy, aimed at reducing the volume of physical cash in the system and protect bank customers in their transactions.
The CBN in exercise of its powers in Section 47 (3) of the CBN Act 2007 (as amended) issued guidelines on the maintenance of adequate and reasonable financial services for the public, to ensure high standards of conduct and management throughout the banking system, as regards the Point of Sale device, popularly known as PoS.
At all times, the device will be compliant to global industry standards, which shall be subject to review- Payment Application Data Security Standard (PA DSS); Payment Card Industry Pin Entry Device (PCI PED); Payment Card Industry Data Security Standard PCI DSS; Data Encryption Standards (Triple DES), as minimum standard; and the deployed infrastructure must comply with the minimum EMV requirements.
All these are aimed at forestalling and tracing fraud, as well as enthroning a regime of efficient payment system.
Among the numerous PoS Card Acceptance Services’ stakeholders include the Merchant Acquirers- CBN licensed financial and non-financial institutions that have agreement with the relevant card scheme to contract with merchants to accept payment cards as means of payment for goods and services.
The next is the Merchant- the organisation or entity (company) that contracts with a Merchant Acquirer for accepting payment by means of payment card or any other electronic payment instrument.
The other is the Cardholder- any person to whom a payment card (debit or credit card) is issued and whose account will eventually be debited for settlement of transactions performed with the payment card. And in some cases, will be debited in the case of fraud and outright robbery.
In one of the guidelines, a merchant shall be held liable for fraud with the card (transactions) arising from its negligence, connivance, among others.
With this rigorous process, can PoS robbers actually get away?
A top source in one of the top three banks in the country explained that this is hardly possible, as obtaining a PoS from any bank goes with high level Know Your Customer (KYC) requirements, a recognition of the role and huge payments value the electronic channel would facilitate.
He said: “Each PoS is associated with a registered company. The real promoters of the company are made to undertake responsibilities, in case a fraud is committed with the device.
“Every card transaction with the PoS usually drops a “footage,” popularly called “Alert”, with the description of the merchant, which can be used to trace complaints.
“When people come for banking relationship, we will not know their motive, which is why there is a guideline to almost every policy direction. And when people fulfil those requirements, you have no reason to hold back the service, until they breach it.
“In the case of PoS, there is a face behind each device, despite the fact that it is registered with a company’s name and account. So, robbery with PoS is not a loss that cannot be resolved.”
The Director of Banking and Payments System, CBN, ‘Dipo Fatokun, also explained that the nature of PoS operations is such that you can only access the cash by going to the bank or using the ATM to make withdrawal. The next thing is to make a transfer to other accounts, but the money will keep revolving in the banking system.
He said: “The most foolish armed robber would know that using PoS to rob people is a direct way of surrendering himself to security agencies, as the transaction record will detail the profile of the merchant and/or the merchant acquirer.”
So, how can people protect themselves from the ugly experience?
He urged every bank customer to be abreast of his or her bank’s contact centre details, which works 24 hours, to lodge complaints early enough, once the hoodlums leave the scene.
Another source close to the regulator said what the robbers might likely do with the PoS is just use it to confirm ATM card password of their victims, before leaving the place.
“All the complaints so far recorded are more of withdrawal at the Automated Teller Machines with or without cards,” he said. “While non-card frauds are gradually fading, card frauds are mostly possible when details are compromised like the case of robbery.”
The sources noted that in such instances, neither the bank nor the regulator is to blame, as it is purely a case of security breach, but added that in case of further inquisition, banks may explain how effective their cameras around the ATM are.
Stating that some criminals’ job is to always find the weak point in any new IT device so as to exploit such to their advantage, a bank source said nothing is impossible, when a collaborator within is involved.
He said: “You know that most crimes are committed with an inside collaborator. So, there is no device or application that is totally safe and impenetrable in the real sense of it. The PoS is not an exception.”