RBI relaxes mandate of Additional Factor of Authentication for small value card

Reserve Bank relaxes mandate of Additional Factor of Authentication (AFA) for small value card present transactions using contactless technology

The Reserve Bank has today released the final circular on the relaxation in requirement of additional factor of authentication (AFA) for small value card present transactions for values up to ₹ 2,000/- per transaction across all merchant categories. This is in line with the Reserve Bank’s approach to enhance customer convenience while ensuring security in card based transactions.

Banks have been advised to put in place suitable velocity checks (i.e., how many such small value transactions will be allowed in a day / week / month) as considered appropriate.

Banks have also been advised to create awareness among customers about the use of contactless cards, its acceptability, the risks and liability, if any devolving on the customers, at the time of issuance of such cards.

Customers may look for the “contactless” logo on the card as well as at the merchant location so that they can distinguish such cards from other cards available with them and also identify the locations where contactless payments are accepted.

As these cards will continue to be chip cards, customers may use them, irrespective of value, as a regular chip card and authenticate the transaction with a PIN as hitherto. If the customer, however, chooses to use the card for contactless payments, then PIN authentication may not be necessary for transactions up to ₹ 2,000/-.

To ensure inter-operability and facilitate acceptance of such cards across all existing card acceptance infrastructure that are already Europay, MasterCard and Visa (EMV) compliant based on the existing instructions, this relaxation has been made applicable to only card present transactions using contactless cards (NFC-based) adhering to EMV standards. This will also ensure the usability of such contactless cards as regular chip card with PIN authentication, if the customer so desires.

Bank will examine the possibility of other types of contactless payment solutions using other form factors like mobile and issue instructions, if required.

It may be recalled that the Bank had placed in its website the draft circular on “Relaxation in requirement of Additional Factor of Authentication for small value card present transactions” on March 13, 2015 for public comments till April 04, 2015. This relaxation was considered taking into account the requests received from various segments indicating the need to foster innovative payment products as also enhance the convenience factor in certain types of card uses.

Ajit Prasad
Assistant General Manager

Press Release : 2014-2015/2407

—————

RBI/2014-15/601
DPSS.CO.PD.No.2163/02.14.003/2014-2015

May 14, 2015

The Chairman and Managing Director / Chief Executive Officer
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks

Madam / Sir

Card Payments – Relaxation in requirement of Additional Factor of Authentication for small value card present transactions

Reserve Bank has issued various instructions on security of card transactions and risk mitigation measures, including directions on online alerts as well as on additional factor of authentication. These measures have significantly increased customer confidence in using cards.

2. In the recent past, Reserve Bank has received requests for waiver of requirement of the additional factor of authentication (AFA) so as to foster innovative payment products / processes as also enhance the convenience factor in certain types of card transactions. After examining the trade-off between security and convenience in card transactions, Reserve Bank had placed for public comments a draft circular outlining the relaxation in the need for AFA in case of small value card present transactions using Near Field Communication (NFC) contactless technology subject to adherence to EMV standards.

3. The comments received on the draft circular have been examined. Accordingly, it has been decided to relax the extant instructions relating to the need for AFA requirements for small value card present transactions only using contact-less cards. In this regard, it is advised that –

1. Relaxation for AFA requirement is permitted for transactions for a maximum value of Rs 2,000/- per transaction;
2. The limit of Rs.2000/- per transaction will be the limit set across all categories of merchants in the country where such contactless payments will be accepted;
3. Beyond this transaction limit, the card has to be processed as a contact payment and authentication with PIN (AFA) will be mandatory;
4. Even for transaction values below this limit, the customer may choose to make payment as a contact payment, which has to be facilitated by both issuing and acquiring banks. In other words, customers cannot be compelled to do a contactless payment;
5. Banks are free to facilitate their customers to set lower per-transaction limits. The responsibility for authorizing the contactless payment based on such card-based limits will lie with the card issuing banks;
6. Suitable velocity checks (i.e., how many such small value transactions will be allowed in a day / week / month) may be put in place by banks as considered appropriate; and
7. The contactless cards should necessarily be chip cards adhering to EMV payment standard, so as to be acceptable across the existing card acceptance infrastructure which are EMV compliant based on the earlier mandate in this regard.

5. Further, in the interest of customer awareness and protection the banks are also advised:

1. to clearly explain to customers about the technology, its use, and risks while issuing such contact less cards;
2. to create awareness among customers to look for / identify the “contactless” logo on the card (to distinguish them from other cards) as well as the merchant location / POS terminal (to identify that contactless payments are accepted at that location);
3. to clearly indicate to the customers that they can use the card in contactless mode (without PIN authentication) for transactions upto Rs.2000/- in locations where contactless payments are accepted and to make customers aware that they are free to use the same card as a regular chip card (with PIN authentication) at any location irrespective of transaction value;
4. to clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards along with the responsibility of the customer to report the loss of such cards to the bank; and
5. to put in place robust mechanism for seamless reporting of lost/stolen cards, which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).

6. It may, however, be noted that the above relaxations shall not apply to:

1. ATM transactions irrespective of transaction value; and
2. Card Not Present transactions (CNP).

7. This directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).

Yours faithfully

(Nanda S Dave)
Chief General Manager