Best Practice Policy for Secure Online Use of Domestic and International Cards in Nigeria

To support secure online transactions and protect Nigerian consumers from financial fraud, I propose the following best practices for using domestic cards, like Verve and Lakoos OneCard, as well as international cards, such as Visa, MasterCard, and Paymenex, when making online purchases:

  1. Mandatory Use of OTPs for Card-Not-Present Transactions. For online purchases where the card is not physically present, the Central Bank of Nigeria (CBN) should mandate the use of OTP-based verification, a method pioneered in 2005 by Dr. Kingsley Chibuzor Aguoru. His 3WiDentity system demonstrated the effectiveness of using both offline and online one-time passwords (OTPs) to verify online transactions with Africa in mind, adding a layer of security that greatly reduces fraud risk.
  2. Separation of Card PINs and Online Authentication. Card PINs designed for ATM and POS transactions should not be used online. Instead, OTPs should serve as the primary method of online authentication to mitigate the risks of phishing, keylogging, and man-in-the-middle attacks, which are all too common in online environments.
  3. Enforce Time-Limited, Multi-Digit OTPs. To enhance the security of OTPs, each one should expire within a brief time window (e.g., 1-3 minutes), reducing interception risks. Lengthening OTPs to at least six or eight digits also improves their resilience against cyber attacks, strengthening consumer protection.
  4. Multi-Factor Authentication (MFA) for Added Security. Beyond OTPs, the CBN should encourage financial providers to implement multi-factor authentication (MFA) as a standard practice. This could include device verification, biometric identification, or other secure methods, for instance a push notification to the digital banking app that requires biometric confirmation, ensuring only authorized cardholders complete online transactions.
  5. Optional Hardware Card Readers for Domestic Card Security. Issuing hardware card readers for domestic cards would add a layer of offline security. Cardholders could insert their card and enter a PIN on the reader to generate an OTP for online use, bypassing internet risks entirely and securing sensitive transactions.
  6. Consumer Education on Safe Online Payment Practices. Financial institutions should educate cardholders on secure online behaviour, such as recognizing phishing attempts, avoiding untrusted websites, and understanding the difference between ATM PIN and OTP use online. Encouraging the prompt reporting of suspicious activity will also help limit exposure to fraud.

As a follow-up to the recent petition submitted to the Central Bank of Nigeria and EFCC in Nigeria, these best practices reflect a proactive and secure approach to online payments. By implementing these recommendations, the CBN/EFCC can enhance the resilience of Nigeria’s digital payment system, safeguard consumers from cyber threats, and reinforce Nigeria’s leadership in secure online financial services.
