By Ashraf Abbas

 

1. Introduction:

The introduction of contactless payment systems in Nigeria represents a leap forward in the nation’s financial landscape, promising swift, convenient, and secure transactions. However, this transformative shift towards contactless payments is not without its challenges, and one of the paramount concerns is the cybersecurity landscape surrounding these innovative payment methods. This article explores contactless payment adoption, the guidelines issued by the Central Bank of Nigeria to set minimum standards and requirements for the operation of contactless payments, and cybersecurity concerns in the Nigerian context.

 

2. The Contactless Payment Revolution:

Contactless technology enables an alternative payment method whereby payment instruments are used without physical contact with devices. Nigeria has been at the forefront of the digital transformation sweeping across the continent. With a burgeoning population and increasing smartphone penetration, the demand for innovative and efficient financial solutions has never been greater. The introduction of contactless payments aligns seamlessly with this digital revolution, promising a frictionless experience for users and businesses engaging in financial transactions.

Nigeria, with its dynamic economy and tech-savvy population, has eagerly embraced the convenience of contactless payments. Enabled by technologies like Near Field Communication (NFC), these systems allow users to make transactions with a simple tap or wave, eliminating the need for physical contact with cards or devices.

 

3. CBN’s Guidelines for Contactless Payments in Nigeria:

Following the 17th October, 2022 exposure draft of the Guidelines on Contactless Payment in Nigeria, issued for stakeholder consideration, the CBN has now published the final version of the Draft Guidelines and a Circular on Transaction Limits for Contactless Payments 2023.

The Final Guidelines retain the provisions set out in the Draft Guidelines; however, the CBN has introduced new provisions in the Final Guidelines, which include:

Minimum Security Standards: stakeholders shall ensure that their terminals, applications, and processing systems comply with:

  a) ISO 14443, an international standard for identification cards, contactless integrated circuit cards and proximity cards specifications; and
  b) all required Payment Scheme and Card Scheme certifications for contactless cards and terminals.

Compulsory Routing of Transactions: All acquirers are required to route all POS contactless payment transactions through the Payment Terminal Service Aggregator, that is, the Nigeria Inter-Bank Settlement System Plc (NIBSS), and to ensure that NIBSS monitors and maintains oversight over contactless payment transactions.

Opt-out by Customers: Issuers shall provide an opt-out option for customers who no longer desire contactless payment products.

Documentation Requirements: Switching companies that process contactless payments shall enter service level agreements with relevant stakeholders in accordance with the minimum requirements stipulated by the CBN. Such service level agreements must specify in clear terms the responsibilities of each party, operational rules and procedures, and liabilities of parties in the event of loss of funds arising from negligence of any of the parties.

Upgrades to POS Software: Payment Terminal Service Providers (PTSPs) are required to upgrade or update the software of PoS terminals used for contactless payments regularly, otherwise such PoS terminals shall not be permitted to process contactless transactions.

Security Breach Reporting: All stakeholders are to report incidents of fraud, breaches, and other security events immediately. These reports must be made to the CBN within 24 (twenty-four) hours after the occurrence of such an incident.

 

 

4. Cybersecurity Concerns:

While contactless payment offers users increased convenience and speed, one major concern is the risk of fraud, card skimming and similar attacks, as hackers can intercept the payment data to carry out fraudulent transactions.

a. Data Interception and Skimming:

The wireless nature of contactless transactions opens the door to potential data interception and skimming. Cybercriminals may attempt to intercept transaction data during communication between the payment device and the point-of-sale (POS) terminal.

b. Card Cloning and Fraud:

The risk of unauthorized access and card cloning is heightened in contactless transactions. Malicious actors may attempt to clone contactless cards, leading to fraudulent transactions and financial losses for both users and financial institutions.

c. Lack of Two-Factor Authentication:

Many contactless transactions rely on single-factor authentication, such as tapping a card or device. The absence of robust two-factor authentication may leave users vulnerable to unauthorized access and fraudulent activities.

 

5. Regulatory Frameworks:

a. Central Bank of Nigeria (CBN) Guidelines:

The regulatory landscape, particularly guidelines from the Central Bank of Nigeria, plays a crucial role in shaping the security standards of contactless payment systems. Adherence to these guidelines is essential for the secure deployment and operation of such systems.

b. Compliance Challenges:

Ensuring compliance with evolving regulatory standards presents a challenge, as the cybersecurity landscape is dynamic. Fintech companies and traditional financial institutions must continually adapt to meet the regulatory requirements set forth by the CBN.

 

6. Infrastructure Vulnerabilities:

a. Network Security:

The reliance on networks for transaction processing introduces vulnerabilities. Securing the communication channels between payment devices and backend systems is critical to preventing unauthorized access and data breaches.

b. Point-of-Sale (POS) Terminal Security:

The security of POS terminals is paramount. Vulnerabilities in these terminals could be exploited by attackers to compromise the integrity of transactions or gain unauthorized access to sensitive information.

 

7. Consumer Awareness and Education:

a. Phishing and Social Engineering:

Cybersecurity threats often exploit human vulnerabilities. Lack of awareness among consumers may make them susceptible to phishing attacks and social engineering tactics, leading to unauthorized access or disclosure of sensitive information.

b. Secure Device Usage:

Educating consumers on the secure use of contactless payment-enabled devices, including smartphones and wearables, is crucial. This involves promoting practices such as regular software updates and the use of secure PINs or biometric authentication.

 

8. Collaboration and Innovation:

a. Fintech Collaboration:

Collaboration between fintech innovators, traditional banks, and regulatory bodies is essential for developing and implementing robust cybersecurity measures. Fintech companies can bring innovation, while traditional banks provide stability and experience.

b. Innovation in Security Technologies:

Ongoing innovation in security technologies, such as advanced encryption methods and biometric authentication, is crucial to staying ahead of emerging cybersecurity threats in the contactless payment ecosystem.

 

9. Conclusion:

As Nigeria strides boldly into the era of contactless payments, the cybersecurity concerns that accompany this transformation cannot be overlooked. Balancing the benefits of speed and convenience with robust security measures requires a concerted effort from all stakeholders. By fostering collaboration, staying vigilant against evolving threats, and prioritizing user education, Nigeria can navigate the contactless frontier with confidence, ensuring that the promise of innovation is accompanied by a resilient and secure financial ecosystem.

 

 

Ashraf Abbas is a highly skilled and accomplished professional with extensive experience in the technology sector. He is a seasoned tech writer and recognized as a mentor and coach, guiding aspiring individuals in the tech industry to reach their full potential.

With a passion for research, Ashraf continuously delves into emerging trends and developments in the ever-evolving tech landscape. His expertise in cybersecurity encompasses a broad spectrum of domains, including threat analysis, cloud computing, and incident response. With a commitment to excellence and a dedication to staying at the forefront of technological advancements, Ashraf is poised to make significant contributions to the advancement of cybersecurity practices in Africa and beyond.