Notable Provisions of The 2023 CBN Guidelines For Contactless Payments in Nigeria

The Central Bank of Nigeria (CBN), pursuant to its powers guaranteed by the Central Bank of Nigeria Act and in furtherance of its mandate to ensure the safety and stability of the Nigerian financial system as well as the promotion of a resilient and stable payments system, launched on the 27th of June, 2023, a new set of guidelines for contactless payments in Nigeria.

Contactless payment technology provides an efficient payment option and consists of using payment instruments without physical contact with devices, thereby constituting an efficient and convenient cashless payment method for users whether it is in the form of prepaid debit and credit cards, stickers, fobs, tokens or mobile electronic devices operating in interaction with contactless payment devices.

This article will thus be looking at the guidelines governing the operation of contactless payment services in Nigeria.

What is the scope of the contactless payment guidelines?

The guidelines specifically cover the operations of contactless payments in Nigeria.

What are the objectives of these guidelines?

The guidelines were introduced to provide minimum standards and requirements for the operations of contactless payments in Nigeria as well as to specify the roles and responsibilities of stakeholders involved in contactless payments in Nigeria.

Who are the relevant stakeholders/participants in the contactless payment service chain/framework as identified by the guidelines?

The contactless payment system consists of :-

– Acquirers

– Issuers

– Payment schemes

– Card schemes

– Switching companies

– Payment Terminal Service Providers (PTSPs)

– Payment Terminal Service Aggregators (PTSAs)

– Merchants

– Terminal owners

– Customers

– Any other stakeholder as designated by the CBN.

What are the minimum standards for contactless payments set by the CBN guidelines?

The following are the minimum standards for contactless payments set by the CBN Guidelines :-

  1. PA DSS – Payment Application Data Security Standards
  2. PCI PED – Payment Card Industry PIN Entry Device
  3. PCI DSS – Payment Card Data Security Standard
  4. Triple DES – Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party
  5. AES – Advanced Encryption Standards
  6. Minimum EMV requirements for contactless acceptance
  7. All required scheme certifications for contactless cards and terminals
  8. ISO 27001 – Information Security Management System
  9. ISO 1443 – Identification cards, contactless integrated circuit cards and proximity card specifications

– Regarding these minimum standards, all terminals, applications and processing systems shall comply with the standards specified by the various payment schemes.

– Also, each operator shall maintain valid certification compliance with these standards and shall regularly review the state of its systems, applications, networks and devices, to ensure they remain compliant at all times.

– Contactless devices shall be configured to work within a maximum of 2 cm from the terminal to manage the risk of data interception.

What are the prescribed roles and responsibilities of identified contactless payment stakeholders and participants under the CBN Guidelines?

Acquirers

– Only CBN Licensed institutions shall serve as acquirers for contactless payments in Nigeria.

– Acquirers who engage in contactless payments shall ensure their applications, tokens & devices meet current standards and specifications for contactless payments.

– Acquirers who engage in contactless payments shall be able to accept all cards or payment instruments used in Nigeria.

– Acquirers and processing entities shall switch all domestic contactless payments through a Nigerian switch for the purpose of seeking authorisation from the relevant issuer and shall not under any circumstance route transactions outside Nigeria.

– All acquirers’ contactless devices shall be connected to an account or wallet with a Bank Verification Number (BVN).

Issuers

– Only CBN Licensed institutions shall serve as issuers for contactless payments in Nigeria.

– Issuers shall ensure that activation of contactless payment is at the customer’s instance and with his full consent with evidence of this consent obtained before activation.

– Issuers shall provide opt-out options for customers who may no longer desire contactless payment products.

– Issuers shall ensure that all contactless payment instruments used in Nigeria shall be neutral and agnostic as to contactless payment devices to ensure interoperability.

Payment Schemes

– Payment schemes operating in Nigeria shall comply with these guidelines & other relevant CBN guidelines/circulars.

– Payment schemes shall ensure that all contactless transactions are processed online and/or submitted via current processing specifications.

– All payment schemes that engage in contactless payments shall ensure that the systems and schemes shall be interoperable.

– Payment schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.

Card Schemes

– Card schemes shall ensure that all contactless transactions are processed online and submitted via current processing specifications.

– Card schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.

Switching Companies

– Switching companies shall ensure that contactless transactions consummated by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers.

– Switching companies shall carry out periodic risk assessment of their processes and have necessary measures to mitigate ML/TF/PF (Money Laundering/Terrorism Financing/Proliferation Financing) risks associated with contactless payments.

– Switching companies shall ensure that where they process contactless payments, these are executed with stakeholders meeting minimum requirements set by the CBN.

PTSPs

– PTSPs shall establish appropriate mechanisms to remotely detect device failures which shall be rectified or replaced within 48 hours.

– PTSPs shall have adequate support infrastructure that ensures support coverage for merchants and users 24/7.

– PTSPs shall ensure that all deployed devices and terminals for contactless payment have support service contact information.

– PTSPs shall prevent instrument clashes even when multiple contactless payment devices are present.

PTSAs

– PTSAs shall annually or more frequently, as may be required, certify POS terminals for contactless payments to ensure that the POS terminals meet standards approved for the industry.

– PTSAs shall implement a documented risk management process to identify and treat risks associated with contactless payments.

Merchants

– Merchants who engage in contactless payments shall ensure that deployed devices and applications are available for contactless payments of goods and services.

– The contactless payment device used by a merchant shall request the customer’s authorisation such as a Personal Identification Number (PIN), tokens or biometrics where the transaction amount is greater than stipulated limits per transaction/day.

– Merchants shall be held liable for fraudulent contactless payments arising from their negligence/connivance.

– Contactless payment transaction value and associated charges shall be clearly communicated to the customer prior to consummation of the transaction.

Terminal Owners

– Issuers, acquirers, merchants and PTSPs can be terminal/device owners.

– Terminal & device owners shall implement a documented risk management process to identify and treat risks associated with contactless payments.

– Terminal owners shall ensure all terminals and devices procured by them are compliant with the appropriate minimum specifications for contactless payment terminals and devices.

Value Added Services

– Stakeholders shall obtain the bank’s approval for contactless payment products.

– Stakeholders shall obtain the CBN’s approval for innovative use cases and value added services to deepen financial inclusion and promote efficient payment systems.

Customers

– Customers shall have the option to opt-in to contactless payments by applying and consenting to terms and conditions of contactless payment products and services.

– Customers shall have the option to withdraw from contactless payment agreements.

– Customers shall authenticate contactless payment transactions as may be required.

What do the guidelines say on contactless payment services display?

The guidelines provide that contactless payment service images, symbols, graphics and/or the words “contactless payment” (in Braille) shall be displayed on contactless payment instruments, devices and locations where contactless payments are accepted.

What are the transaction limits for contactless payment services in Nigeria?

Consult your lawyer on this.

What are the acceptable dispute resolution mechanisms under the guidelines?

– Disputes shall be resolved utilizing the existing payments industry dispute resolution system.

– Stakeholders or parties involved in dispute resolution may escalate any complaint to the CBN if the dispute remains unresolved in line with extant CBN dispute resolution guidelines.

What are the provisions of the guidelines on reporting and sanctions?

Participants under the guidelines are required to render periodic returns on contactless payment transactions (including volume, value, fraud data, failed transactions, etc.) to the CBN in a format prescribed by it from time to time.

Participants are also required to immediately report incidents of fraud, breaches and other security events.

Non-adherence to the guidelines shall attract appropriate sanctions and penalties as may be prescribed by the bank.
