Kuala Lumpur, Wednesday, 19 October 2016 – The Association of Banks in Malaysia (ABM) wishes to provide clarification regarding a recent posting of a video on Facebook featuring “electronic pick-pocketing” of contactless payment cards which has caused come concerns over the security of such payment methods.
ABM would like to highlight that the video, which we are given to understand, is several years old, was thought to have been made in the United States of America (USA) where many contactless cards are/were still using magnetic stripes. While it is possible to build a scanner that can read certain information from payment cards using magnetic stripes, this technology will not work on cards which are using an Europay, MasterCard and Visa (EMV) chip. EMV is a global specification for bank chip cards which prevents the cloning of cards. An EMV chip helps to reduce fraud as it is very difficult and costly to counterfeit. When a transaction is performed by reading the EMV chip, a unique one-time cryptogram is produced which must then be validated for the transaction to be approved. The chip contains a secret unique cryptographic key, and unless that key can be extracted, it is not possible to copy or clone the chip. Importantly, it should also be noted that it is not possible to build a regular magnetic stripe card from this captured data due to a magnetic stripe protection mechanism.
Malaysia completed its migration to EMV chip cards by the end of 2004. Currently, all contactless payment cards issued in Malaysia have an EMV chip, therefore significantly reducing incidents of fraud. It is therefore not valid to cite a USA example as proof that Malaysian cards are at risk.
We would also note that Malaysia adopts a more secure payment verification method for internet transactions. To guarantee the security of each transaction, cardholders are required to enter a transaction authorization code (TAC) that is sent to their mobile phone or a card holder security device.
In the event the card details have been fraudulently used for a transaction on an overseas website which has not implemented a secure payment verification method, the Malaysian cardholder will be protected by liability shift rules. These rules are imposed by the international card schemes which require overseas retailers to bear the liability of such fraudulent transactions.
We would, however, like to remind all cardholders that they are responsible to safeguard both their payment cards and their PINs. It is thus the cardholder’s responsibility to notify their card issuer immediately in the event of loss/stolen or unauthorized use of their payment card or if they have reason to believe that their PIN has been compromised.
As Malaysians move towards becoming a cashless society, consumers should opt for innovative payment methods which are convenient, speedy and secured, especially for purchases costing RM250 and under.
Members of the public who may have enquiries on contactless payment cards are welcomed to contact us at our ABMConnect hotline by dialing 1-300-88-9980, or emailing us at eABMConnect by logging on to our website, www.abm.org.my