2023-06-27 | PSM/DIR/PUB/CIR/001/039

The Central Bank of Nigeria has issued guidelines for contactless payments in the country to standardize operations, encourage innovation, and maintain financial stability. The guidelines outline the minimum standards and requirements for stakeholders, including acquirers, issuers, payment schemes, and customers. The bank will determine transaction limits for contactless payments, and stakeholders must implement risk management processes to identify and treat associated risks.
PAYMENTS SYSTEM MANAGEMENT DEPARTMENT
Tel: 09 462 38300, 09 462 38346
e-mail: psmd@cbn.gov.ng
website: www.cbn.gov.ng
CENTRAL BANK OF NIGERIA
Central Business District, Cadastral Zone AO, P.M.B. 0187, Garki, Abuja.
PSM/DIR/PUB/CIR/001/039
June 27, 2023

CIRCULAR TO BANKS, OTHER FINANCIAL INSTITUTIONS AND PAYMENTS SERVICE PROVIDERS

GUIDELINES FOR CONTACTLESS PAYMENTS IN NIGERIA

The Central Bank of Nigeria, in furtherance of its efforts to standardize operations in the payments system, while encouraging the deployment of innovative products and sustaining financial system stability, developed the Guidelines for Contactless Payments in Nigeria.
Contactless payment, which involves the consummation of financial transactions without physical contact between the payer and the acquiring device, has been identified as an innovative payment option for the safe and efficient conduct of low-value, large-volume payments. The Guidelines were conceived to ensure that participants in contactless payments implement appropriate risk management processes and measures while adhering to the relevant best-practice standards.
All banks, Other Financial Institutions and Payments Service Providers are required to ensure strict compliance with the Guidelines.
Yours faithfully,

Musa I. Jimoh
Director, Payments System Management Department
CENTRAL BANK OF NIGERIA

GUIDELINES FOR CONTACTLESS PAYMENTS IN NIGERIA
June 2023
| Contents | |
|---|---|
| 1.0 | Introduction |
| 2.0 | Scope |
| 3.0 | Objectives |
| 4.0 | Stakeholders |
| 5.0 | Minimum Standards |
| 6.0 | Roles and Responsibilities of Stakeholders |
| 6.1 | Acquirers |
| 6.2 | Issuers |
| 6.3 | Payment Schemes |
| 6.4 | Card Schemes |
| 6.5 | Switching Companies |
| 6.6 | Payments Terminal Service Providers (PTSPs) |
| 6.7 | Payments Terminal Service Aggregator (PTSA) |
| 6.8 | Merchants |
| 6.9 | Terminal Owners |
| 6.10 | Customers |
| 7.0 | Value-Added Services |
| 8.0 | Contactless Payments Display |
| 9.0 | Transaction Limit |
| 10.0 | Dispute Resolution Mechanism |
| 11.0 | Sanctions and Penalties |
| 12.0 | Reporting |
| | Glossary |
1.0 Introduction

In furtherance of its mandate to ensure the safety and stability of the Nigerian financial system and to promote a resilient and stable payments system, the CBN, pursuant to the provisions of Section 2(d) of the CBN Act 2007, and its power to make regulations for banks and other financial institutions entrenched in Section 56(2) of the Banks and Other Financial Institutions Act (BOFIA) 2020, hereby issues these Guidelines for Contactless Payments in Nigeria.
Contactless technology enables an alternative payments method whereby payment instruments are used without physical contact with devices. Contactless technology in payments provides easy, convenient, and efficient cashless options for users. Examples of contactless payment instruments include pre-paid, debit and credit cards, stickers, fobs, wearable devices, tokens and mobile electronic devices. Contactless-enabled payment terminals interact with contactless payment devices to facilitate payments.
2.0 Scope

The Guidelines cover the operations of contactless payments in Nigeria.
3.0 Objectives

These Guidelines provide minimum standards and requirements for the operations of contactless payments in Nigeria, as well as specify the roles and responsibilities of stakeholders involved in contactless payments in Nigeria.
4.0 Stakeholders

Stakeholders in contactless payments include:
i. Acquirers
ii. Issuers
iii. Payment Schemes
iv. Card Schemes
v. Switching Companies
vi. Payments Terminal Service Providers (PTSPs)
vii. Payments Terminal Service Aggregator (PTSA)
viii. Merchants
ix. Terminal Owners
x. Customers; and
xi. Any other stakeholder/participant(s), as designated by the Central Bank of Nigeria (CBN).
5.0 Minimum Standards

5.1 All industry stakeholders who process and/or store customers' information shall ensure that their terminals, applications and processing systems comply with the following standards, at the minimum:
i. PA DSS - Payment Application Data Security Standard.
ii. PCI PED - Payment Card Industry PIN Entry Device.
iii. PCI DSS - Payment Card Industry Data Security Standard.
iv. Triple DES - Data Encryption Standard shall be the benchmark for all data transmitted and authenticated between each party. The Triple DES algorithm is the minimum standard.
v. AES - Advanced Encryption Standard.
vi. EMV - The deployed infrastructure must comply with the minimum EMV requirements for contactless acceptance.
vii. ISO 27001 - Information Security Management System.
viii. ISO 14443 - Identification cards, contactless integrated circuit cards and proximity cards specifications.
ix. All required scheme certifications for contactless cards and terminals.
x. Other standards as may be specified by the CBN from time to time.
5.2 All terminals, applications and processing systems shall comply with the standards specified by the various payment schemes.
5.3 Each operator shall maintain valid certification to these standards, and shall regularly review the status of its systems, applications, networks and devices to ensure they remain compliant at all times.
5.4 There shall be continuous review and re-certification of compliance with these and other global industry standards, from time to time.
5.5 Contactless devices shall be configured to work within a maximum of 2 cm from the terminal, to manage the risk of data interception.
6.0 Roles and Responsibilities of Stakeholders

Roles and responsibilities of key stakeholders include the following:
6.1 Acquirers

6.1.1 Only CBN licensed institutions shall serve as acquirers for contactless payments.
6.1.2 Acquirers who engage in contactless payments shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
6.1.3 Acquirers who engage in contactless payments shall ensure that all contactless enabled applications, instruments and devices deployed have been duly certified to process contactless payments transactions by the CBN or any authorised body.
6.1.4 Acquirers shall execute contactless payments agreements/contracts with parties for utilising contactless platforms for payments. All agreements/contracts shall clearly spell out the terms and conditions, including roles, responsibilities, and rights of all parties.
6.1.5 Acquirers and processing entities shall switch all domestic contactless payments through a Nigerian switch for the purpose of seeking authorisation from the relevant issuer and shall not under any circumstance route transactions outside Nigeria.
6.1.6 To achieve interoperability, all transaction accepting devices deployed in Nigeria shall be issuer- and/or brand-agnostic. Devices enabled to accept contactless payments shall be neutral to the type of card or payments instrument used and shall have no reason to promote or favour any brand over another.
6.1.7 Acquirers who engage in contactless payments, shall be able to accept all cards or payments instruments used in Nigeria.
6.1.8 Acquirers who engage in contactless payments shall be responsible for ensuring that merchants are trained and made to put in place reasonable processes and systems for confirming customer identity and detecting suspicious or unauthorised usage.
6.1.9 Acquirers who engage in contactless payments shall undertake measures to prevent the use of their networks for purposes associated with money laundering and other financial crimes, as contained in the extant CBN regulation on AML/CFT/CPF.
6.1.10 Acquirers who engage in contactless payments shall conduct proper KYC on all their merchants and outlets where contactless payments are carried out.
6.1.11 Acquirers who engage in contactless payments in Nigeria shall ensure that all their contactless devices are connected to an account or wallet that has a Bank Verification Number (BVN).
6.1.12 Acquirers shall ensure that the limits set for contactless transactions are strictly adhered to at all times.
6.1.13 Acquirers who engage in contactless payments shall be liable for fraudulent transactions on contactless payments arising from their negligence and/or connivance.
6.1.14 Acquirers who engage in contactless payments shall, in conjunction with banks, switching companies and other stakeholders, ensure resolution of disputed contactless transactions within the timeline specified by the extant CBN dispute resolution framework.
6.1.15 Acquirers who engage in contactless payments shall ensure that the service level agreements executed with stakeholders (merchants, PTSPs etc.) meet minimum requirements set by the Bank.
6.1.16 Acquirers shall not profile terminals used for agent banking to accept contactless transactions.
6.1.17 Acquirers shall carry out periodic risk assessment of their processes and have effective measures to mitigate ML/TF/PF risks associated with contactless payments.
6.1.18 Acquirers shall route all POS contactless transactions through the PTSA.
6.2 Issuers

6.2.1 Only CBN licensed institutions shall serve as issuers for contactless payments.
6.2.2 Issuers shall ensure that activation of contactless payments is at the customer's instance, and with the customer's full consent. Evidence of application and consent shall be obtained/documented before activation.
6.2.2.1 Issuers shall provide an opt-out option for customers who no longer desire contactless payment products.
6.2.3 Issuers whose payment instruments are used for contactless payments shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
6.2.4 Issuers whose payment instruments are used for contactless payments shall ensure that these contactless enabled applications, instruments and devices deployed have been duly certified to be used for contactless payments by the Bank or any authorised body.
6.2.5 Issuers shall execute contactless payments agreements/contracts with parties for utilising contactless platforms for payments. All agreements/contracts shall clearly spell out the terms and conditions, including roles, responsibilities, and rights of all parties.
6.2.6 Issuers shall activate only accounts and wallets with Bank Verification Number (BVN) for contactless payments in Nigeria.
6.2.7 To achieve interoperability, issuers shall ensure that all contactless payment instruments used in Nigeria are neutral and agnostic as to contactless payment devices.
6.2.8 Issuers who engage in contactless payments shall inform customers of their rights and responsibilities in the use of contactless payment instruments, while confirming customer identity and detecting suspicious or unauthorised usage.
6.2.9 Issuers who engage in contactless payments shall be required to undertake measures to prevent the use of their networks for purposes associated with money laundering and other financial crimes, as contained in the extant CBN regulation on AML/CFT/CPF.
6.2.10 Issuers who engage in contactless payments shall conduct proper KYC on all their customers who use contactless payments.
6.2.11 Issuers shall ensure that the limits set for contactless transactions are strictly adhered to at all times.
6.2.12 Issuers who engage in contactless payments shall be liable for fraudulent transactions on contactless payments arising from their negligence and/or connivance.
6.2.13 Issuers who engage in contactless payments shall, in conjunction with banks, switching companies and other stakeholders, ensure resolution of disputed contactless transactions within the timeline specified by the CBN.
6.2.14 Issuers who engage in contactless payments shall ensure that the service level agreements executed with stakeholders meet minimum requirements set by the Bank.
6.2.15 Issuers shall give reasonable notice, up to a minimum of seven working days, before changes are made to the terms and conditions of contactless payments contracts.
6.2.16 Issuers shall carry out periodic risk assessment of their processes and have effective measures to mitigate ML/TF/PF risks associated with contactless payments.
6.3 Payment Schemes

6.3.1 Payment schemes operating in Nigeria shall comply with these Guidelines and other relevant CBN Guidelines/Circulars.
6.3.2 Payment schemes shall ensure that all contactless transactions are processed online and/or submitted via current processing specifications.
6.3.3 All payment schemes that engage in contactless payments shall ensure that their systems and schemes are interoperable.
6.3.4 Payment schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.4 Card Schemes

6.4.1 Card schemes operating in Nigeria shall comply with these Guidelines and other relevant CBN Guidelines/Circulars.
6.4.2 Card schemes shall ensure that all contactless transactions are processed online and/or submitted via current processing specifications.
6.4.3 Card schemes shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.5 Switching Companies

6.5.1 All local switching companies in Nigeria shall ensure that contactless transactions consummated by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers.
6.5.2 Switching Companies shall carry out periodic risk assessment of their processes and have necessary measures to mitigate ML/TF/PF risks associated with contactless payments.
6.5.3 Switching companies who process contactless payments shall ensure that service level agreements meeting the minimum requirements set by the Bank are executed with stakeholders.
6.6 Payments Terminal Service Providers (PTSPs)

6.6.1 PTSPs shall ensure all their terminals deployed to accept contactless payments are functional at all times. Each PTSP shall establish appropriate mechanisms to remotely detect device failures, which shall be rectified or replaced within 48 hours.
6.6.2 PTSPs shall have adequate support infrastructure that ensures 24/7 support coverage for merchants and users.
6.6.3 PTSPs shall ensure that all deployed devices and terminals for contactless payments carry support service contact information.
6.6.4 PTSPs shall ensure that all deployed devices and terminals for contactless payments meet all required certifications and the minimum specifications for contactless payments, defined in these Guidelines.
6.6.5 PTSPs shall prevent instrument clashes even when multiple contactless payments devices are present.
6.6.6 PTSPs shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.6.7 PTSPs shall upgrade/update POS software regularly and any terminal that has not been upgraded shall not be permitted to process transactions.
6.7 Payments Terminal Service Aggregator (PTSA)

6.7.1 The PTSA shall, on an annual basis, or more frequently as may be required, certify POS terminals for contactless payments to ensure that the POS terminals meet standards approved for the industry.
6.7.2 PTSA shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.8 Merchants

6.8.1 Merchants who engage in contactless payments shall ensure that deployed devices and applications are available for contactless payments for goods and services.
6.8.2 The contactless payment device shall request the customer's authorisation (such as Personal Identification Number [PIN], tokens, biometrics, etc.) where the transaction amount is greater than the stipulated limits per transaction/day.
6.8.3 Merchants shall be held liable for fraudulent contactless payments arising from their negligence/connivance.
6.8.4 Contactless payment transaction value and associated charges shall be clearly communicated to the customer prior to consummation of the transaction.
6.8.5 Merchants that accept contactless payments shall display the contactless symbol.
6.8.6 Merchants shall exercise due diligence in carrying out contactless payment transactions.
6.8.7 Merchants shall ensure safekeeping of all contactless payments records, data and documents over a minimum period in line with extant record retention regulations and laws.
6.9 Terminal Owners

6.9.1 Issuers, acquirers, merchants and PTSPs can be terminal/device owners.
6.9.2 Terminal and device owners shall ensure all terminals and devices procured by them are compliant with the appropriate minimum specifications for contactless payments terminals and devices.
6.9.3 Terminal and device owners shall implement a documented risk management process to identify and treat risks associated with contactless payments.
6.10 Customers

6.10.1 Customers shall have the option to opt in to contactless payments by applying and consenting to the terms and conditions of contactless payments products and services.
6.10.2 Customers shall have the option to withdraw from contactless payments agreements.
6.10.3 Customers shall authenticate contactless payments transactions as may be required.
6.10.4 Customers shall exercise due diligence in carrying out contactless payment transactions and protect their payment instruments from unauthorised use.
7.0 Value-Added Services

7.1 Stakeholders shall obtain the Bank's approval for contactless payments products.
7.2 Stakeholders shall obtain the Bank's approval for innovative use cases and value-added services to deepen financial inclusion and promote an efficient payments system.
8.0 Contactless Payments Display

Contactless payments image, symbol, tactile graphics and/or the words "contactless payment" (in Braille) shall be displayed on contactless payment instruments, contactless payment devices and locations where contactless payments are accepted.
9.0 Transaction Limit

9.1 The Bank shall determine appropriate transaction and daily cumulative limits for contactless payments from time to time. Stakeholders shall be permitted to set limits in line with the Bank's limits.
9.2 Contactless payment transactions below the stipulated limits per transaction/day may not require customers' authorisation (such as Personal Identification Number [PIN], token, biometrics, etc.).
9.3 Higher-value contactless payments shall require customer verification such as PIN, mobile code, biometric identifier, etc.
9.4 Stakeholders shall implement a risk-based approach to setting volume and transaction limits. The risks attached to a customer will be based on KYC due diligence carried out during the customer onboarding process.
9.5 Stakeholders shall provide customers with a choice to specify limits for the value of transactions that they would perform and such limits shall not be higher than the maximum limits specified from time to time. Customers who wish to perform transactions above the maximum limit should request in writing to the bank and provide indemnity that reflects the risks involved. The bank shall approve, subject to its internal risk management policies.
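Sections 9.1 to 9.5 describe a layered limit regime: a Bank-prescribed per-transaction ceiling and daily cumulative ceiling, a customer-chosen limit that may be lower but never higher than those ceilings, no cardholder verification below the limits, step-up verification for higher-value taps, and transactions above the maximum only where the bank has approved a written indemnity. The following is an added illustration of how an issuer's authorisation host might encode that decision; it is not code from the Guidelines or from any CBN system, and the limit amounts, the `CustomerProfile` and `SchemeLimits` types and the `indemnity_approved` flag are constructed placeholders.

```python
"""Illustrative contactless limit enforcement (added example, not CBN code).

Limit values are constructed placeholders; the Guidelines leave the actual
per-transaction and daily cumulative limits to the Bank.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Tuple


class Decision(Enum):
    APPROVE_NO_CVM = "within limits: no cardholder verification required"
    REQUIRE_CVM = "higher-value: PIN / mobile code / biometric required"
    DECLINE = "exceeds the Bank's maximum limit without approved indemnity"


@dataclass
class SchemeLimits:
    """Bank-prescribed ceilings (section 9.1). Placeholder amounts."""
    max_per_transaction: int = 15_000
    max_daily_cumulative: int = 50_000


@dataclass
class CustomerProfile:
    """Customer-chosen limits (section 9.5) plus the running daily counter."""
    per_transaction: int
    daily_cumulative: int
    indemnity_approved: bool = False     # written request approved by the bank
    spent_today: int = 0
    spend_date: date = field(default_factory=date.today)

    def effective_limits(self, scheme: SchemeLimits) -> Tuple[int, int]:
        # A customer may lower a limit but can never exceed the Bank's maximum.
        return (min(self.per_transaction, scheme.max_per_transaction),
                min(self.daily_cumulative, scheme.max_daily_cumulative))


def evaluate(amount: int, profile: CustomerProfile,
             scheme: SchemeLimits, today: date) -> Decision:
    """Classify a tap as no-CVM, step-up verification, or decline."""
    if amount <= 0:
        return Decision.DECLINE
    if profile.spend_date != today:            # roll the daily counter over
        profile.spend_date, profile.spent_today = today, 0
    projected = profile.spent_today + amount
    over_max = (amount > scheme.max_per_transaction
                or projected > scheme.max_daily_cumulative)
    # Section 9.5: above the Bank's maximum only with an approved indemnity.
    if over_max and not profile.indemnity_approved:
        return Decision.DECLINE
    per_txn, daily = profile.effective_limits(scheme)
    # Sections 9.2 / 9.3: below the limits no CVM; above them, verify.
    if amount > per_txn or projected > daily:
        return Decision.REQUIRE_CVM
    return Decision.APPROVE_NO_CVM


def record(amount: int, profile: CustomerProfile) -> int:
    """Add an authorised amount to the daily counter; returns the new total."""
    profile.spent_today += amount
    return profile.spent_today


if __name__ == "__main__":
    scheme = SchemeLimits()
    customer = CustomerProfile(per_transaction=5_000, daily_cumulative=20_000)
    day = date(2023, 6, 27)
    for amt in (4_000, 6_000, 20_000):
        print(amt, evaluate(amt, customer, scheme, day).value)
```

The daily counter is kept on the profile so that the cumulative check (9.1) and the per-transaction check (9.2) are evaluated together on every tap; a host that tracked only the per-transaction amount would let a series of small taps exceed the daily ceiling without ever prompting for verification.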
10.0 Dispute Resolution Mechanism

10.1 Disputes shall be resolved utilising the existing payments industry dispute resolution system.
10.2 Stakeholders or parties involved in the dispute resolution may escalate any complaints to the CBN if the dispute remains unresolved, in line with extant CBN Dispute Resolution Guidelines.
10.3 Participants in contactless payments operations shall have clear processes for dispute resolution.
11.0 Sanctions and Penalties

11.1 Stakeholders are required to comply with the provisions of the Guidelines and other relevant regulations of the Bank.
11.2 Non-adherence to these provisions shall attract appropriate sanctions and penalties, as may be determined by the Bank.
12.0 Reporting

12.1 Participants shall render periodic returns on contactless payments transactions (including volume, value, fraud data, failed transactions, etc.) to the CBN in a format that shall be prescribed by the CBN from time to time.
12.2 In addition, participants are required to immediately report incidents of fraud, breaches and other security events.
Glossary

| Term | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| AML/CFT/CPF | Anti-Money Laundering/Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction |
| Card Scheme | For the purpose of these Guidelines, a payment scheme is an approval that allows a payment service provider to execute transactions through cards (Debit or Credit). |
| EMV | The deployed infrastructure must comply with the minimum EMV requirements for contactless acceptance |
| ISO 27001 | Information Security Management System |
| ML/TF/PF | Money Laundering/Terrorist Financing/Proliferation Financing |
| PA DSS | Payment Application Data Security Standard |
| Payments Scheme | For the purpose of these Guidelines, a payment scheme is an approval that allows a payment service provider to execute transactions through a specific payment instrument/token, excluding cards. |
| PTSP | Payments Terminal Service Provider |
| PTSA | Payments Terminal Service Aggregator |
| PCI PED | Payment Card Industry PIN Entry Device |
| PCI DSS | Payment Card Industry Data Security Standard |
| Triple DES | Triple Data Encryption Standard |
| Higher-value contactless payments | Higher-value contactless payments are transactions that exceed the limits and require verification/authentication. |
Payments System Management Department, Central Bank of Nigeria June 2023.