RBI/2011-12/145
DPSS.PD.CO. No.223/02.14.003/2011-2012
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks
Madam / Dear Sir
Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions.
Please refer to our circular RBI/DPSS No. 1501 / 02.14.003 / 2008-2009 dated February 18, 2009 wherein a directive was issued making it mandatory for banks to put in place additional authentication / validation based on information not visible on the cards for all on-line card not present(CNP) transactions except IVR transactions from August 01, 2009. This mandate was extended to cover all IVR transactions with effect from February 01, 2011 vide our circular RBI/DPSS No. 1503 / 02.14.003 /2010-2011 dated December 31, 2010.
2. Banks had been advised vide para 4 of the directions contained in RBI/DPSS No. 1503 / 02.14.003 /2010-2011 dated December 31, 2010 to revert on the introduction of additional factor of authentication for certain category of CNP transactions detailed therein. The matter was discussed in a meeting of banks with the Reserve Bank of India on June 22, 2011 wherein it was emphasizedby the Reserve Bank that while it was not advocating any specific solution in this regard, it is imperative that all CNP transactions are brought within the ambit of additional factor of authentication without further delay. To this end, banks were advised to evaluate possible alternatives at the earliest.Based on the feedback from the stakeholders and keeping in view the interest of card holders the following directions are issued:
- It is mandatory to put in place additional factor of authentication for all CNP transactions indicated in para 4 of our directions dated December 31, 2010 with effect from May 01, 2012.
- In case of customer complaint regarding issues, if any,arising out of transactions effected without the additional factor of authentication after the stipulated date, the issuer bank shall reimburse the loss to the customer further without demur.
3. The directive is issued under section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).
4. Please acknowledge receipt.
Yours faithfully,
Vijay Chugh
Chief General Manager.