2023-04-25
Added · Updated
The Hong Kong Monetary Authority mandates that authorized institutions strengthen security controls for binding payment cards to contactless mobile payment services following a rise in fraud cases. Institutions are required to implement additional authentication measures, such as two-way SMS confirmation or in-app verification, to ensure cardholders explicitly authorize the binding process. These enhanced security protocols must be implemented as soon as practicable, with a mandatory deadline of 31 May 2023.
Our Ref.: B1/15C B9/29C 25 April 2023 The Chief Executive All Authorized Institutions issuing payment cards Dear Sir/Madam, Binding payment cards for contactless mobile payments We are writing to require authorized institutions (AIs) to strengthen security controls over the binding of payment cards to contactless mobile payment services (e.g. Apple Pay, Google Pay and Samsung Pay). The Hong Kong Monetary Authority (HKMA) has observed an increase in the number of fraud cases involving the binding of payment cards to new mobile payment services. In the first quarter of 2023, the HKMA received over 60 complaints from cardholders about unauthorized transactions being conducted over their cards after they were bound to new payment services. While the tactics used by the fraudsters varied from case to case, the typical modus operandi of such frauds involved sending phishing emails or SMS to lure the cardholders to divulge their payment card information and, most importantly, the one-time passwords issued by the card-issuing banks for binding the payment cards to the new mobile payment services. Even though the card-issuing banks issued alerts to the cardholders to notify them of the binding of their payment cards with new payment services, these alerts were sometimes overlooked or not responded to immediately. As a result, the fraudsters were able to carry out unauthorized transactions over the accounts of the cardholders. In the light of the latest developments and having discussed with the industry, the HKMA considers that there is a need for card-issuing AIs to strengthen security controls over the binding of payment cards to new mobile payment services. Specifically, card-issuing AIs are required to conduct additional authentication (on top of the input of correct card data and the one-time password) to confirm that the cardholders have indeed given the instructions to bind their cards with new payment services. Examples of such authentication measures include: (a) Obtaining additional confirmation from cardholders before the binding takes effect through 2-way SMS, in-App confirmation, call back or other effective