What To Do With PIN and OTP Requests When Paying Online Or Abroad
Soaking in the sublime experience of walking around Galleria Vittorio Emanuele II, Italy’s landmark shopping destination named after its first king, imagine you were ready to do some damage to your credit cards until you stumbled on a roadblock: PIN requests.
After all the horror stories of exorbitant roaming rates, you were using a local SIM during your stay so getting the SMS from your bank with a short-lived Personal Identification Number (PIN) would not be possible. Calling the bank was not an option either unless you switched SIMs to place an international call. In the end, you had to settle for gelatos you could afford to pay with Euros, in cash.
Then the same thing happened in Japan, and again in Malaysia. Trying to explain to the cashier while there is a queue forming behind you made it an even more awkward situation and the language barrier certainly did not help.
On your return to Manila, you called your credit card issuers to rant and came away with a few good explanations and also some not too satisfactory ones. What was clear was that the pain of PIN requests is here to stay and it’s for your own good.
Fraudsters are becoming more and more sophisticated and the last thing you would want to discover after a lovely vacation is that you also paid for someone else’s good time. So the next time you pack your bags, park in front of your computer, or sign on with your phone for retail therapy, consider these tips for pain-free PIN requests.
Forewarned is forearmed, so call it in.
BDO encourages cardholders to call its Customer Contact Center to provide a travel notice prior to departure. Be ready to share dates of travel and your destination or destinations, if making more than one stop. According to BDO: “this is recommended to lessen and mitigate the possibility of credit card purchases being declined due to suspicion of fraud, such as transactions made in unusually large amounts, or from a different location.”
BPI, however, takes a different view and said that “as long as the EMV technology is used to complete a credit card transaction, there is no need to notify the bank for any upcoming travel.” EMV stands for Europay, Mastercard, and Visa, which is a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions.
To PIN or not to PIN, that is the question.
According to Jesus Angelo Gomez, BPI Unsecured Lending and Cards Credit Cycle and Enabling Services group head, the bank employs a risk-based approach when it comes to requesting confirmations for every credit card swipe. “Depending on the level of risk involved, BPI may require a cardholder to authenticate his or her credit card transaction using a One-Time PIN (OTP).”
OTP is a unique six-character code sent to the cardholder's registered mobile number to complete a transaction. One is usually prompted when making an online purchase or when swiping their card overseas. OTPs actually serve as another layer of security and protection for the cardholders.
“However, there are also merchants who practice the same risk-based approach in authenticating a transaction, and in these cases, may no longer require OTP to complete a purchase,” Gomez adds.
BDO also makes use of OTPs to validate specific credit card transactions, and explained it depends on the store or restaurant where the transaction is being made.
Credit, not debit please.
When prompted for a PIN or OTP abroad, it turns out one word can make the pain go away: just say “credit.”
Merchants ask for PINs because they or the terminal they use assume the transaction is being made with a debit card. That one requires a PIN for the transaction to go through. But when you say “credit,” they can press a button to override the request and your transaction should go through painlessly.
Gomez explained that “depending on what payment protocol is being practiced or what card validation method is required in the country that a cardholder is currently in, some point-of-sale terminals may require a PIN over a signature.” To clarify matters, the cardholder simply needs to inform the cashier that he or she is using a credit card.
Stay in touch, even when roaming is off.
Gomez advised cardholders to make sure that “their contact details are always updated so that the bank can reach out for important updates and advisories about their account and to report a lost or stolen credit card immediately.”
But what if you turned off roaming on your phone (so you can save on data charges for more shopping money)?
If you’re a BPI cardholder, you can use the bank’s international toll-free number 1800.1.888.9100, or email at [email protected].
If you own a BDO credit card, you can email unauthorized transactions to [email protected]. While respecting others’ preference to save on international data charges, BDO suggested to still turn on roaming so you can receive notices. You can choose to turn off the data plan though. “There are no additional charges for incoming SMS, and this way cardholders will still be able to receive possible alerts free of charge.”
With Citibank, you can take advantage of its two-way communication service via SMS or email. This will allow you to confirm instantly whether certain transactions are yours or not. In case of a suspicious transaction, you will receive an SMS from (+63) 922.100.0581 or (+44) 786.006.5147. To confirm the transaction, simply reply with Y for a Yes, or N for a No.
If your roaming is off, you can use WiFi or local data to access emails. Citi will email you from [email protected] and you simply need to press the Yes or No button to accept a transaction.
Missed calls and SMS happen, so what then?
There are delays in receiving SMS and accessing emails, and sometimes this could mean that a credit card was blocked from further use. In some cases, there’s no choice but to call the bank and sort it out.
Now it’s good to know you can email credit card issuers to clarify, so long as you use your registered email address. Make sure yours is updated with your bank.
In the case of Citibank, if they don’t hear back from you via SMS or email, expect an automated voice call from (+632) 299.3753. You can follow the voice prompt instructions to confirm the transactions under question.
Are PINs and OTPs here to stay?
For now, both PINs and OTPs are working well to safeguard customers against unauthorized transactions, here and abroad.
BPI’s Gomez said they also leverage fraud scoring and behavioral model capabilities to curb fraud, depending on the type of risk involved. They have a 24/7 fraud detection unit that monitors credit card transactions real-time.
BDO confirmed too that “other than the OTP, we have more security mechanisms in place to detect a possible unauthorized transaction. For their safety and security, cardholders are reminded to never share their OTPs with anyone and to make purchases only from legitimate and trusted websites.”
If you are a heavy online shopper, consider getting a BDO Virtual Card, which is exclusively for online purchases. “It has a different card number from your regular BDO Credit Card to protect your regular card and credit line. You can likewise adjust and put a cap on your BDO Virtual Card's credit limit according to your online purchasing needs.”
In the meantime, biometric technology is taking off and several banks can now confirm identities using facial recognition and fingerprint scanning software. Maybe, just maybe, painful PINs and OTPs requests will soon be a thing of the past.