RBI/2011-12/194
DPSS.PD.CO.No.513/02.14.003/2011-2012
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks
Madam / Dear Sir
Security Issues and Risk mitigation measures related to Card Present (CP) transactions.
As you are aware, in its endeavor to ensure that the payment systems operated in the country are safe, secure, sound and efficient, RBI has been taking proactive measures to contain the incidence of frauds in these systems. One such measure has been the move to secure Card Not Present (CNP) transactions, making it mandatory for banks to put in place additional authentication/validation for all on-line/IVR/MOTO/recurring transactions etc. based on information not available on the credit/debit/prepaid cards.
2. Card Present (CP) Transactions (transactions at ATM and POS delivery channels) constitute the major proportion of card based transactions in the country. Although a PIN validation is necessary for cash withdrawal at ATMs, the majority of the card transactions at POS are not enabled for any additional authentication (other than signature). A majority of the cards issued by banks in India are Magstripe cards and the data stored on such cards are vulnerable to skimming and cloning.
3. The increased usage of credit/debit cards at various delivery channels also witnessed the increase in the frauds taking place due to the cards being lost / stolen, data being compromised and cards skimmed/counterfeited. There is, therefore, an imperative need to secure such card based transactions (CP transactions) as well to protect the interests of the card holders. Towards this end, RBI constituted a Working Group in March, 2011, with representations from various stake holders to examine these aspects and recommend an action plan which would foolproof the ecosystem. The Group submitted its report in June, 2011 and its recommendations, inter alia, include use of Aadhaar (an initiative of the Unique Identification Authority of India) based biometric authentication for all CP transactions in lieu of PIN with Magstripe cards continuing to be the form factor. The need for a complete migration to EMV Chip and PIN based cards could be considered based on the progress of Aadhaar in about 18 months. The Group has also recommended measures to secure the technology infrastructure, improve fraud risk management practices and strengthen merchant sourcing process within a period of 12-24 months. The report was examined and the recommendations therein have broadly been accepted by RBI.
(The report is available at http://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/SCP020611FS.pdf)
4. Accordingly, banks and other stakeholders are directed to initiate immediate action for accomplishing the following tasks within the time indicated against each.
a. Strengthening the existing Payment Infrastructure & Future Proofing the system:
S.No. | Task | Completion by | Report Reference |
1. | Implementation of improved fraud risk management practices | September 30, 2012 | Page 16 |
2. | Strengthening Merchant Sourcing and Monitoring Process | September 30, 2012 | Page 17 & 18 |
3. | Securing the technology infrastructure (Unique Key per terminal - UKPT or Derived Unique Key per transaction - DUKPT / Terminal line encryption - TLE) | September 30, 2013 | Page 15 |
b. Infrastructure/ readiness for card acceptance:
S.No. | Task | Completion by | Report Reference |
1. | Commercial readiness of acquiring infrastructure to support PIN for POS transactions. POS infrastructure to be ready for accepting EMV Chip cards. | June 30, 2013 | Page 23 |
2. | Enablement of all POS terminals to accept debit card transactions with PIN | June 30, 2013 | Page 24 |
3. | Issuers to be ready from technical perspective to issue EMV Cards | June 30, 2013 | Page 23 |
c. Debit/Credit Cards used internationally:
S.No. | Task | Completion by | Report Reference |
1. | EMV Chip Card and PIN to be issued to customers who have evidenced at least one purchase using their debit/credit card in a foreign location. | June 30, 2013 | Page 24 |
5. The position of Aadhaar-based biometric authentication as a second factor of authentication for card present transactions would be reviewed towards the end of December, 2012, to assess the need for a complete switch over to EMV Chip and PIN Technology for card based transactions. It is, however, clarified that banks are free to migrate to EMV Chip and PIN based technology based on their commercial judgment and decisions taken by their Boards. It is further clarified that RBI is technology neutral with respect to type of PIN and its nature (static or dynamic).
6. Banks and other stake holders should monitor the progress of the action taken on a continuing basis and place detailed reports in this regard to their Boards on a quarterly basis.
7. The directive is issued under section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).
Please acknowledge receipt.
Yours faithfully,
Vijay Chugh
Chief General Manager.