Shared responsibility key to safe digital transactions

Says Visa country manager in an interview with The Daily Star
Mahmudul Hasan
11 October 2025, 18:09 PM
UPDATED 12 October 2025, 01:56 AM
As digital payments continue to rise in Bangladesh, concerns about online fraud and transaction security have grown. Keeping the system secure depends on shared responsibility among banks, payment service providers and users, according to Sabbir Ahmed, country manager of Visa for Bangladesh, Nepal and Bhutan. 


In an interview with The Daily Star, Ahmed talked about how digital payments have changed, the measures needed to protect customers, and the increasing importance of public awareness.


"In Bangladesh, we are seeing that digital transactions are increasing, and digital awareness is growing. With the rise of digital transactions, digital security questions also arise. Some incidents of online fraud and transaction fraud occur."

"So, all the participants in the digital transaction ecosystem need to play their roles. Everyone is doing their part differently, and this requires sufficient focus and attention," said Ahmed. 

The Visa country manager compared the risks of digital fraud with those faced in traditional banking.

"Earlier, in conventional banking, we used to write a cheque. That cheque had a signature, and we would go to the bank counter to withdraw money. The bank would check whether the cheque was issued by the bank or if it was fake. The bank would match your signature with their records and authenticate the transaction accordingly," said Ahmed.

He said that even before digitalisation, forgery and fraud existed. "Sometimes one could get another person's cheque and attempt to withdraw money by forging the signature. Pay orders or cheques could even be created to mimic a bank's own format."

Ahmed said conventional banking relied on a two-factor process. The cheque itself was the first layer, while the signature was the second, verified by the bank before the payment was approved.

"Now, in digital transactions, there are still two factors," he said. "Suppose you are a debit or credit cardholder. You have a card. That card is factor one. It contains security instruments. For example, the 16-digit card number, the expiry date, and the three-digit CVV at the back."

"These details should only be known to you and no one else. That is factor one."

He said the second factor is the one-time password, or OTP. "An OTP is sent to a client's registered mobile number when the client wants to transact online or at a POS terminal. The client must enter this OTP or PIN. This is the second factor of authentication."

Ahmed said the logic behind both manual and digital transactions is the same, though the format has changed. "Now, in digital transactions, the two factors, card details and OTP or PIN, are targeted by threat actors who try to intervene."

He described common scams used to trick customers. "Nowadays, in our country, some customers receive calls from people posing as bank employees. They say your card will be blocked and ask for the OTP.

"Clients, due to a lack of awareness, sometimes share the OTP, just like signing a blank page. Sharing OTP is essentially the same risk."

He urged customers to be more cautious. "Clients should never hand over their card to anyone. If paying at a restaurant or shop, ask for the card machine and pay in front of you so your card details remain secure. This is one."

He added that banks must stay alert to phishing and malware threats. "Many fraudulent messages ask employees to click on links that give attackers access to the device.

"Today, an email statement on your phone can contain extensive financial information. Malware can capture everything, including internet banking credentials."

Ahmed said users should always check that a website is secure before making payments.

He compared this to old habits of cheque protection. "Everyone knows how to protect their cheque book or signature. The same attention should be given to protecting your card data and OTP."

He added that banks should invest in training and constant vigilance. "At the bank end, there should also be a focus on security and providing training on cyber risks. Recently, we conducted training for our bank partners, sharing global incidents and the latest fraud trends. Any new fraud incident reported comes immediately to our bank partners."

He outlined Visa's compliance framework. "Visa has requirements for all clients using their cards. If fraud occurs, banks must report it to Visa. These reports help us observe trends."

Ahmed said any entity storing card data must be certified under the Payment Card Industry Data Security Standard (PCI DSS), a set of global requirements from major credit card companies.

"Only certified merchants can store card information. This is mandatory. For instance, if a customer pays via bKash or Daraz, only PCI DSS-certified merchants can store card details. This ensures security and protects the customer."

He highlighted tokenisation as another safeguard. "Tokenisation is another step to enhance security. Earlier, merchants used to store full card details. Now, when a card is tokenised, its details are replaced with a unique token. When you make subsequent transactions, the token travels, not the actual card details. Even if someone tries to intervene, they cannot access your card information. This makes transactions much more secure."

He explained how it works in practice. "If you save your card in Google Wallet through a bank like City Bank, the card is tokenised. When paying at a merchant, the token is used. The transaction is approved within seconds. Card details are never exposed, making the system safer."