2022-10-26 | PSM/DIR/PUB/CIR/01/040
The Central Bank of Nigeria has released draft guidelines for contactless payments in the country, with the aim of standardizing operations, encouraging innovation, and maintaining financial stability. The guidelines outline the minimum standards and requirements for stakeholders, including acquirers, issuers, payment schemes, and customers. The bank will set transaction limits for contactless payments, and stakeholders are expected to comply with the guidelines and relevant regulations to avoid sanctions.
CENTRAL BANK OF NIGERIA Central Business District, Cadastral Zone AO P.M.B. 0187. Garki Abuja.
PAYMENTS SYSTEM MANAGEMENT DEPARTMENT Tel: 09 462 38300, 09 462 38346 e-mail: psmd@cbn.gov.ng website: www.cbn.gov.ng
October 17, 2022
Circular to Banks, Other Financial Institutions and Payments Service Providers
EXPOSURE DRAFT OF THE GUIDELINES FOR CONTACTLESS PAYMENTS IN NIGERIA
The Central Bank of Nigeria, in furtherance of its efforts to standardise operations in the payments system, while encouraging the deployment of innovative products and sustaining financial system stability, developed the draft Guidelines for Contactless Payments in Nigeria.
Contactless payments, which involve the consummation of financial transactions without physical contact between the payer and the acquiring devices, have been identified as an innovative payment option for the safe and efficient conduct of low-value, large-volume payments. The draft Guidelines was conceived to ensure that participants in contactless payments implement appropriate risk management processes and measures while keeping to best relevant standards.
The draft Guidelines is hereby exposed to all banks, other financial institutions, payments service providers and the general public for comments. The comments should reach the Director, Payments System Management Department, CBN not later than November 5, 2022.
Yours faithfully,
Musa I. Jimoh
Director, Payments System Management Department
GUIDELINES FOR CONTACTLESS PAYMENTS IN NIGERIA
| Contents | |
|---|---|
| 1.0 | Introduction |
| 2.0 | Scope |
| 3.0 | Objectives |
| 4.0 | Stakeholders |
| 5.0 | Minimum Standards |
| 6.0 | Roles and Responsibilities of Stakeholders |
| 6.1 | Acquirers |
| 6.2 | Issuers |
| 6.3 | Payment Schemes |
| 6.4 | Card Schemes |
| 6.5 | Switching Companies |
| 6.6 | Payment Terminal Services Providers (PTSPs) |
| 6.7 | Payments Terminal Service Aggregator (PTSA) |
| 6.8 | Merchants |
| 6.9 | Terminal Owners |
| 6.10 | Customers |
| 7.0 | Value-Added Services |
| 8.0 | Contactless Payments Display |
| 9.0 | Transaction Limit |
| 10.0 | Dispute Resolution Mechanism |
| 11.0 | Sanctions and Penalties |
| 12.0 | Reporting |
| | Glossary |
1.0 Introduction
In furtherance of its mandate to ensure the safety and stability of the Nigerian Financial System and promote a resilient and stable payments system, the CBN, pursuant to the provisions of Section 2(d) of the CBN Act 2007, and its power to make regulations for banks and other financial institutions entrenched in Section 56(2) of the Banks and Other Financial Institutions Act (BOFIA) 2020, hereby issues these Guidelines for Contactless Payments in Nigeria.
Contactless technology enables an alternative payments method whereby payment instruments are used without physical contact with devices. Contactless technology in payments provides easy, convenient, and efficient cashless options for users. Examples of contactless payment instruments include pre-paid, debit and credit cards, stickers, fobs, wearable devices, tokens and mobile electronic devices. Contactless-enabled payment terminals interact with contactless payment devices to facilitate payments.
2.0 Scope
The Guidelines cover the operations of contactless payments in Nigeria.
3.0 Objectives
These Guidelines provide minimum standards and requirements for the operations of contactless payments in Nigeria, as well as specify the roles and responsibilities of stakeholders involved in contactless payments in Nigeria.
4.0 Stakeholders
Stakeholders in contactless payments include:
i. Acquirers
ii. Issuers
iii. Payment Schemes
iv. Card Schemes
v. Switching Companies
vi. Payment Terminal Services Providers (PTSPs)
vii. Payments Terminal Service Aggregator (PTSA)
viii. Merchants
ix. Terminal Owners
x. Customers and
xi. Any other stakeholder/participant(s), as designated by the Central Bank of Nigeria (CBN).
5.0 Minimum Standards
5.1 All industry stakeholders who process and/or store customers' information shall ensure that their terminals, applications and processing systems comply with the following standards, at the minimum:
i. PA DSS - Payment Application Data Security Standard.
ii. PCI PED - Payment Card Industry Pin Entry Device.
iii. PCI DSS - Payment Card Industry Data Security Standard.
iv. Triple DES - Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The triple DES algorithm is the minimum standard.
v. AES - Advanced Encryption Standards.
vi. EMV - The deployed infrastructure must comply with the minimum EMV requirements for Contactless acceptance.
vii. ISO27001 - Information Security Management System.
viii. Other standards as may be specified by CBN from time to time.
5.2 All terminals, applications and processing systems, shall comply with the standards specified by the various payment schemes.
5.3 Each operator shall maintain valid certification to these standards, and shall regularly review status of its systems, applications, networks and devices, to ensure they remain compliant at all times.
5.4 There shall be a continuous review and re-certification on compliance with these and other global industry standards, from time to time.
6.0 Roles and Responsibilities of Stakeholders
Roles and responsibilities of key stakeholders include the following:
6.1 Acquirers
6.1.1 Only CBN licensed institutions shall serve as acquirers for contactless payments.
6.1.2 Acquirers who engage in contactless payments shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
6.1.3 Acquirers who engage in contactless payments shall ensure that all contactless enabled applications, instruments and devices deployed have been duly certified to process contactless payments transactions by CBN or any authorised body.
6.1.4 Acquirers shall execute contactless payments agreements/contracts with parties for utilising contactless platforms for payments. All agreements/contracts shall clearly spell out the terms and conditions, including roles, responsibilities, and rights of all parties.
6.1.5 Acquirers and processing entities shall switch all domestic contactless payments through a Nigerian switch for the purpose of seeking authorisation from the relevant issuer and shall not under any circumstance route transactions outside Nigeria.
6.1.6 To achieve interoperability, all transaction accepting devices deployed in Nigeria shall be issuer- and/or brand-agnostic. Devices enabled to accept contactless payments shall be neutral to the type of card or payments instrument used and shall have no reason to promote or favour any brand over another.
6.1.7 Acquirers who engage in contactless payments shall be able to accept all cards or payments instruments used in Nigeria.
6.1.8 Acquirers who engage in contactless payments shall be responsible for ensuring that merchants are trained and made to put in place reasonable processes and systems for confirming customer identity and detecting suspicious or unauthorised usage.
6.1.9 Acquirers who engage in contactless payments shall undertake measures to prevent the use of their networks for purposes associated with money laundering and other financial crimes, as contained in the extant CBN regulation on AML/CFT/CPF.
6.1.10 Acquirers who engage in contactless payments shall conduct proper KYC on all their merchants and outlets where contactless payments are carried out.
6.1.11 Acquirers who engage in contactless payments in Nigeria shall ensure that all their contactless devices are connected to an account or wallet that has a Bank Verification Number (BVN).
6.1.12 Acquirers shall ensure that the limits set for contactless transactions are strictly adhered to at all times.
6.1.13 Acquirers who engage in contactless payments shall be liable for fraudulent transactions on contactless payments arising from their negligence and/or connivance.
6.1.14 Acquirers who engage in contactless payments shall, in conjunction with banks, switching companies and other stakeholders, ensure resolution of disputed contactless transactions within the timeline specified by the extant CBN dispute resolution framework.
6.1.15 Acquirers who engage in contactless payments shall ensure that the service level agreements executed with stakeholders (merchants, PTSPs etc.) meet minimum requirements set by the Bank.
6.1.16 Acquirers shall not profile terminals used for agent banking to accept contactless transactions.
6.1.17 Acquirers shall carry out periodic risk assessment of their processes and have effective measures to mitigate ML/TF/PF risks associated with contactless payments.
6.2 Issuers
6.2.1 Only CBN licensed institutions shall serve as issuers for contactless payments.
6.2.2 Issuers shall ensure that activation of contactless payments is at customer's instance, and with customer's full consent. Evidence of application and consent shall be obtained/documented before activation.
6.2.3 Issuers whose payment instruments are used for contactless payments shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
6.2.4 Issuers whose payment instruments are used for contactless payments shall ensure that these contactless enabled applications, instruments and devices deployed have been duly certified to be used for contactless payments by the Bank or any authorised body.
6.2.5 Issuers shall execute contactless payments agreements/contracts with parties for utilising contactless platforms for payments. All agreements/contracts shall clearly spell out the terms and conditions, including roles, responsibilities, and rights of all parties.
6.2.6 Issuers shall activate only accounts and wallets with Bank Verification Number (BVN) for contactless payments in Nigeria.
6.2.7 To achieve interoperability, issuers shall ensure that all contactless payment instruments used in Nigeria shall be neutral and agnostic as to contactless payment devices.
6.2.8 Issuers who engage in contactless payments shall inform customers of their rights and responsibilities in the use of contactless payment instruments, while confirming customer identity and detecting suspicious or unauthorised usage.
6.2.9 Issuers who engage in contactless payments shall be required to undertake measures to prevent the use of their networks for purposes associated with money laundering and other financial crimes, as contained in the extant CBN regulation on AML/CFT/CPF.
6.2.10 Issuers who engage in contactless payments shall conduct proper KYC on all their customers who use contactless payments.
6.2.11 Issuers shall ensure that the limits set for contactless transactions are strictly adhered to at all times.
6.2.12 Issuers who engage in contactless payments shall be liable for fraudulent transactions on contactless payments arising from their negligence and/or connivance.
6.2.13 Issuers who engage in contactless payments shall, in conjunction with banks, switching companies and other stakeholders, ensure resolution of disputed contactless transactions within the timeline specified by the CBN.
6.2.14 Issuers who engage in contactless payments shall ensure that the service level agreements executed with stakeholders meet minimum requirements set by the Bank.
6.2.15 Issuers shall give reasonable notice, up to a minimum of seven working days, before changes are made to the terms and conditions of contactless payments contracts.
6.2.16 Issuers shall carry out periodic risk assessment of their processes and have effective measures to mitigate ML/TF/PF risks associated with contactless payments.
6.3 Payment Schemes
6.3.1 Payment schemes operating in Nigeria shall comply with these Guidelines and other relevant CBN Guidelines/Circulars.
6.3.2 Payment schemes shall ensure that all contactless transactions are processed online or/and submitted via current processing specifications.
6.3.3 All payment schemes that engage in contactless payments shall ensure that the systems and schemes shall be interoperable.
6.3.4 Payment schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.4 Card Schemes
6.4.1 Card schemes operating in Nigeria shall comply with these Guidelines and other relevant CBN Guidelines/Circulars.
6.4.2 Card schemes shall ensure that all contactless transactions are processed online or/and submitted via current processing specifications.
6.4.3 Card schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.5 Switching Companies
6.5.1 All local switching companies in Nigeria shall ensure that contactless transactions consummated by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers.
6.5.2 Switching Companies shall carry out periodic risk assessment of their processes and have necessary measures to mitigate ML/TF/PF risks associated with contactless payments.
6.6 Payment Terminal Services Providers (PTSPs)
6.6.1 PTSPs shall ensure all their terminals deployed to accept contactless payments are functional at all times. Each PTSP shall establish appropriate mechanisms to remotely detect device failures, which shall be rectified or replaced within 48 hours.
6.6.2 PTSPs shall have adequate support infrastructure that ensures support coverage for merchants and users, 24/7.
6.6.3 PTSPs shall ensure that all deployed devices and terminals for contactless payments have support service contact information.
6.6.4 PTSPs shall ensure that all deployed devices and terminals for contactless payments meet all required certifications and the minimum specifications for contactless payments, defined in these Guidelines.
6.6.5 PTSPs shall prevent instrument clashes even when multiple contactless payments devices are present.
6.6.6 PTSPs shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.7 Payments Terminal Service Aggregator (PTSA)
6.7.1 The PTSA shall, on an annual basis, or more frequently, as may be required, certify POS terminals for contactless payments to ensure that the POS terminals meet standards approved for the industry.
6.7.2 PTSA shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.8 Merchants
6.8.1 Merchants who engage in contactless payments shall ensure that deployed devices and applications are available for contactless payments of goods and services.
6.8.2 The contactless payment device shall request the customer's authorisation (such as Personal Identification Number [PIN], tokens, biometrics, etc.), where the transaction amount is greater than stipulated limits per transaction/day.
6.8.3 Merchants shall be held liable for fraudulent contactless payments arising from negligence/connivance.
6.8.4 Contactless payment transaction value and associated charges shall be clearly communicated to the customer prior to consummation of the transaction.
6.8.5 Merchants that accept contactless payments shall display the contactless symbol.
6.8.6 Merchants shall exercise due diligence in carrying out contactless payment transactions.
6.9 Terminal Owners
6.9.1 Issuers, acquirers, merchants and PTSPs can be terminal/device owners.
6.9.2 Terminal and device owners shall ensure all terminals and devices procured by them are compliant with the appropriate minimum specifications for contactless payments terminals and devices.
6.9.3 Terminal and device owners shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.10 Customers
6.10.1 Customers shall have the option to opt-in to contactless payments by applying and consenting to terms and conditions of contactless payments products and services.
6.10.2 Customers shall have the option to withdraw from contactless payments agreements without prior notice to the issuer.
6.10.3 Customers shall authenticate contactless payments transactions as may be required.
6.10.4 Customers shall exercise due diligence in carrying out contactless payment transactions and protect their payment instruments from unauthorised use.
7.0 Value-Added Services
7.1 Stakeholders shall obtain the Bank's approval for contactless payments products.
7.2 Stakeholders shall obtain the Bank's approval for innovative use cases and value-added services to deepen financial inclusion and promote an efficient payment system.
8.0 Contactless Payments Display
Contactless payments image, symbol, tactile graphics and/or the words "contactless payment" (in Braille) shall be displayed on contactless payment instruments, contactless payment devices and locations where contactless payments are accepted.
9.0 Transaction Limit
9.1 The Bank shall determine appropriate transaction and cumulative daily limits for contactless payments from time to time. Stakeholders shall be permitted to set limits in line with the Bank's limits.
9.2 Contactless payment transactions below stipulated limits per transaction/day, may not require customers' authorisation (such as Personal Identification Number [PIN], token, biometrics, etc.).
9.3 Higher-value contactless payments shall require customer verification such as PIN, mobile code, biometric identifier, etc.
9.4 Stakeholders shall implement a risk-based approach to setting volume and transaction limits. The risks attached to a customer will be based on KYC due diligence carried out during the customer onboarding process.
9.5 Stakeholders shall provide customers with a choice to specify limits for the volume and value of transactions that they would perform and such limits shall not be higher than the maximum limits specified from time to time.
10.0 Dispute Resolution Mechanism
10.1 Disputes shall be resolved utilising the existing payments industry dispute resolution system.
10.2 Stakeholders or parties involved in the dispute resolution may escalate any complaints to the CBN if the dispute remains unresolved, in line with extant CBN Dispute Resolution Guidelines.
10.3 Participants in contactless payments operations shall have clear processes for dispute resolutions.
11.0 Sanctions and Penalties
11.1 Stakeholders are required to comply with the provisions of the Guidelines and other relevant regulations of the Bank.
11.2 Non-adherence to these provisions shall attract appropriate sanctions and penalties, as may be determined by the Bank.
12.0 Reporting
Participants shall render monthly returns on contactless payments transactions (including volume, value, fraud data, failed transactions, etc.) to the CBN in a format that shall be prescribed by the CBN from time to time.
Glossary
| Term | Definition |
|---|---|
| AES | Advanced Encryption Standards |
| AML/CFT/CPF | Anti-Money Laundering/Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction |
| EMV | The deployed infrastructure must comply with the minimum EMV requirements for Contactless acceptance |
| ISO27001 | Information Security Management System |
| ML/TF/PF | Money Laundering/Terrorist Financing/Proliferation Financing |
| PA DSS | Payment Application Data Security Standard |
| PTSP | Payments Terminal Service Provider |
| PTSA | Payments Terminal Service Aggregator |
| PCI PED | Payment Card Industry Pin Entry Device |
| PCI DSS | Payment Card Industry Data Security Standard |
| Triple DES | Data Encryption Standards |
| Higher-value contactless payments | Higher-value contactless payments are transactions that exceed the limits and require verification/authentication. |
Payments System Management Department, Central Bank of Nigeria October 2022.
September 30, 2022
Ref:
CIRCULAR TO BANKS AND OTHER FINANCIAL INSTITUTIONS
Following the issuance of the Guidelines on Contactless Payments in Nigeria and in cognisance of the risks associated with contactless payments, the Bank hereby defines transaction limits above which verification and authorisation are required. Transaction limits for contactless payments through accounts/wallets in Nigeria shall be as follows:
| S/N | FREQUENCY | LIMIT WITHOUT VERIFICATION (N) |
|---|---|---|
| 1 | Transaction Limit | 5,000 |
| 2 | Daily Cumulative Limit | 30,000 |
Higher-value contactless payments are transactions that exceed the above stated limits and shall require appropriate verification and authorisation. For these transactions, existing KYC requirements and limits on the electronic payment channels shall apply.
Please be guided accordingly.
Musa I. Jimoh
Director, Payments System Management Department