When the Bangko Sentral ng Pilipinas (BSP) issued Circular 808 in August 2013 - a set of guidelines on information technology risk management (ITRM) that prepares financial institutions to avoid, handle and resolve instances of fraud - many financial institutions were thrown into flux. The intent of the circular was laudable. At the same time the project implied significant challenges involving much effort, cost and time for all financial institutions (FI) regardless of the size of their ATM network and cardholder base.
To address the growing incidence of counterfeit card fraud, a major requirement was to implement the EMV (EuroPay, MasterCard, and VISA) standard for Integrated Circuit Cards. Later-model ATMs and POS terminals would need an upgrade in both hardware and software. Equipment acquired earlier would need to be replaced. Much software would require modification and new ATM cards would have to be issued, replacing the 65 million already in the hands of bank customers.
Separately, the circular stipulated that starting January 2015, all ATMs must be on the 3DES (Triple DES) data encryption standard, one that was in place globally about 15 years before.
The situation was further complicated by the announcement by Microsoft that support for Windows XP, the operating system software for almost 96% of all ATMs worldwide, would cease in April 2013. Thus all ATM operators need to implement the newer Windows 7.
An illustration of the complex implications of the circular is a financial institution or an FI with a large ATM network and ATM cardholder base describing funding for the necessary upgrade as "costing more than buying another bank".
One other large financial institution or FI has ordered 1,600 ATMs to both upgrade and replace existing units.
On the other hand, some financial institutions or FIs state that the move to EMV is "simple" and can be performed with little fuss. The industry will know the truth in time, with winners and those playing catch-up.
For Electronic Network Cash Tellers, Inc. (ENCASH), the country's first independent ATM and RTM deployer, it could not take the risk of obsolescence for its more than 300 ATMs mainly because many Filipinos, as well as foreign visitors in the countryside depend on its services for financial inclusion. From the very start of its operations, the company ensured that its ATMs were all 3DES compliant. However, ENCASH still needs to ensure that the software and hardware of its ATMs would be EMV compliant and not vulnerable to fraudulent attacks.
Since the implementation of Circular 808, ENCASH embarked on a roadmap that would bring to fruition its target to be the first ATM network with full EMV compliance by the end of 2016. As part of its plan, ENCASH received board approval to upgrade its ATM switch and it sought the participation of its partners to raise the funds needed to upgrade its ATMs.
By the last quarter of 2014, the company will begin its ATM upgrades. The company also plans to begin its PCI-DSS, VISA and MasterCard certifications by 2015. ENCASH envisions that its ATM network will be EMV and PCI-DSS certified by end 2016, ahead of the 2017 target of the BSP.