Payments effected through alternate payment products/channels are gaining traction among customers, with more and more banks providing such facilities to their customers. In this scenario, it is imperative to ensure the safety and security of transactions effected through these channels.
Of late, there have been reports of frauds committed through the electronic payment channels and of fraudulent usage of cards at both domestic and international locations. Even though the frauds reported are not alarming compared to the total transactions effected through these channels, RBI has proactively engaged with the stakeholders to ensure the security of such transactions. One such initiative taken earlier was the mandating of an additional factor of authentication for all card not present (CNP) transactions. Measures for the security of card present (CP) transactions have also been initiated by RBI through the implementation of the recommendations of the Working Group on Securing Card Present Transactions.
With cyber-attacks becoming more unpredictable, and fraudsters moving to new methods, banks are required to put in place certain minimum checks and balances to minimise the impact of such attacks and to arrest/mitigate the damage. In order to ensure that customers of banks are not vulnerable to such attacks, RBI has today issued new guidelines to the stakeholders to further strengthen the security and risk mitigation measures for cards and electronic banking transactions.
The related RBI notification is as follows:
DPSS (CO) PD No.1462/02.14.003 / 2012-13
February 28, 2013
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs / Urban Co-operative Banks /
State Co-operative Banks / District Central Co-operative Banks/
Authorised Card Payment Networks
Madam / Dear Sir,
Security and Risk Mitigation Measures for Electronic Payment Transactions
Payments effected through alternate payment products/channels are becoming popular among the customers with more and more banks providing such facilities to their customers. While this move of the banks indeed promotes and encourages the usage of electronic payments, it is imperative that the banks ensure that transactions effected through such channels are safe and secure and not easily amenable to fraudulent usage. One such initiative by RBI was mandating an additional factor of authentication for all card not present (CNP) transactions. Security of card present transactions has also been initiated by RBI through the implementation of the recommendations of the Working Group on Securing Card Present Transactions. Banks have also put in place mechanisms and validation checks for facilitating on-line funds transfer, such as: (i) enrolling customers for internet/mobile banking; (ii) addition of beneficiaries by the customer; (iii) velocity checks on transactions, etc.
2. With cyber-attacks becoming more unpredictable and electronic payment systems becoming vulnerable to new types of misuse, it is imperative that banks introduce certain minimum checks and balances to minimise the impact of such attacks and to arrest/minimise the damage. Accordingly, banks are required to put in place security and risk control measures as detailed hereunder:
A. Securing Card Payment Transactions
B. Securing Electronic Payment Transactions
The electronic modes of payment like RTGS, NEFT and IMPS have emerged as channel agnostic modes of funds transfer. These have picked up to a large extent through the internet banking channel and hence it is imperative that such delivery channels are also safe and secure. Some of the additional measures that need to be introduced by the banks could be as follows:
The above security measures under B (i) to (viii) are expected to be put in place by banks by June 30, 2013.
3. Banks are advised to quickly implement the above security/risk mitigation measures and keep us posted with the progress made in this regard.
4. The directive is issued under section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
5. Please acknowledge the receipt of this circular.
Chief General Manager
1 Call Referral implies:
- Card is swiped at the EDC at the merchant.
- Issuer responds with a "Call Issuer" decision.
- Merchant calls the acquiring bank with details of the card number and transaction data.
- Acquirer calls the issuing bank to seek authorization.
- Issuing bank approves/declines the transaction after speaking with the customer and validating the transaction.
- Merchant will need to swipe the card again to obtain approval.