– International use of debit and credit cards: A key change being made is the provision that credit and debit cards should be issued only for domestic use by default, and if a customer needs a credit/debit card for international use they will have to specifically apply for the card for international transactions. The deadline for this is June 30th 2013.
Implications: one doesn’t know how banks will implement this, but ideally, card users should have to apply to enable international usage of their debit cards. There could be situations where a card is, by default, for domestic transactions only, but because app stores like Apple’s (iStore) or Google’s (Google Play) route payments through international payment gateways, such cards might not be accepted for those payments. A similar situation arises when buying advertising on Google or Facebook. This is not quite the solution we had in mind when we had asked for a level playing field for online transactions.
– Second Factor Authentication for International transactions: Banks should move towards a system that facilitates implementation of an additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad). No deadline has been set for this, probably because it is not clear how banks will force international payment gateways to implement a second factor of authentication. This is exactly the issue we had pointed out when asking for a level playing field for payments.
– NEFT, RTGS & IMPS Payments: RBI has also announced measures for funds transfers via NEFT, RTGS and IMPS to prevent online fraud. It has asked banks to:
a. Include customer-induced caps on usage, in terms of the value / mode of transactions / beneficiaries. If a user wants to add an additional beneficiary or transaction beyond those caps, they will have to go through an additional authorization.
b. Limit the number of beneficiaries that may be added in a day per account. A system of alerts is to be introduced for when a beneficiary is added.
c. Monitoring and alerts: A way to monitor the number of transactions effected per day per beneficiary is to be implemented. In case of any suspicious operations, both the bank and the account holder are to be alerted.
d. Consider a dynamic factor of authentication for NEFT, RTGS & IMPS: an additional factor of dynamic authentication is to be introduced for these transactions. It appears that the RBI is recommending the dreaded OTP method of authentication for NEFT, RTGS and IMPS.
e. Banks should capture the Internet Protocol (IP) address as an additional validation check.
f. Banks that have sub-members should ensure that the security measures put in place by the sub-members are on par with the standards followed by the banks themselves, so as to ensure safety and mitigate reputation risk.
g. It has suggested that banks could also implement technologies like adaptive authentication for fraud detection.
– International cards will have to be EMV Chip and PIN enabled. What this essentially means is that customers will have to enter a PIN for every card swipe or transaction. While this adds extra security to prevent fraud, it might also cause inconvenience to users. Still, this is standard international card practice.
– Block card via SMS: the RBI has said that banks should provide easier methods like SMS for customers to block their cards, and send a confirmation to that effect after the card is blocked.
– Convert existing cards to EMV Chip: Issuing banks should convert all existing MagStripe cards to EMV Chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS) (By June 30, 2013).
– Transaction Limit for Magstripe international cards: All the active Magstripe international cards issued by banks should have a threshold limit for international usage. The threshold should be determined by the banks based on the risk profile of the customer and accepted by the customer (By June 30, 2013). Until this process is completed, an omnibus threshold limit as determined by each bank may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.
– Compliance Norms for Internet Protocol based solutions: Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants (By June 30, 2013).
Banks should ensure that the terminals installed at merchants for capturing card payments (including the double-swipe terminals used) are certified for PCI-DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) (By June 30, 2013).
– Frame rules based on transaction patterns: Banks should frame rules based on the transaction patterns of card usage by their customers, in coordination with the authorized card payment networks, for arresting fraud. This would act as a fraud prevention measure (By June 30, 2013).
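The controls listed under the NEFT/RTGS/IMPS measures above (customer-induced value caps, a per-day cap on beneficiary additions with an alert on each addition, per-day per-beneficiary transaction monitoring, and IP-address capture as a validation check) and the rule-based fraud prevention item just described can be illustrated with a small rule engine. The following Python is an added example, not code from the article, the RBI circular or any bank’s system; the event format, the cap values, the rule names and all sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Bank-wide defaults. Assumed values for illustration; each bank would set its own.
MAX_BENEFICIARIES_PER_DAY = 2
MAX_TRANSFERS_PER_BENEFICIARY_PER_DAY = 3


@dataclass(frozen=True)
class Event:
    """One customer action on the funds-transfer channel (constructed schema)."""
    account: str
    date: str          # YYYY-MM-DD, used as the per-day bucket
    kind: str          # "add_beneficiary" or "transfer"
    beneficiary: str
    amount: int = 0    # transfer value; 0 for add_beneficiary
    ip: str = ""       # client IP captured at login/transaction time


@dataclass(frozen=True)
class Alert:
    account: str
    date: str
    rule: str
    detail: str


def evaluate(events, customer_caps, known_ips):
    """Run the rules over events in chronological order and return the alerts.

    customer_caps: account -> per-transaction value cap chosen by the customer.
    known_ips:     account -> set of IPs previously seen for that account.
    The function does not mutate known_ips; it works on a copy.
    """
    alerts = []
    adds_per_day = defaultdict(int)        # (account, date) -> beneficiaries added
    transfers_per_day = defaultdict(int)   # (account, date, beneficiary) -> transfers
    seen_ips = {acct: set(ips) for acct, ips in known_ips.items()}

    for ev in events:
        # IP capture as a validation check: flag an address not seen before.
        acct_ips = seen_ips.setdefault(ev.account, set())
        if ev.ip and ev.ip not in acct_ips:
            alerts.append(Alert(ev.account, ev.date, "new_ip", ev.ip))
            acct_ips.add(ev.ip)

        if ev.kind == "add_beneficiary":
            # Every addition is notified to the account holder.
            alerts.append(Alert(ev.account, ev.date, "beneficiary_added", ev.beneficiary))
            key = (ev.account, ev.date)
            adds_per_day[key] += 1
            if adds_per_day[key] > MAX_BENEFICIARIES_PER_DAY:
                alerts.append(Alert(ev.account, ev.date, "beneficiary_cap_exceeded", ev.beneficiary))

        elif ev.kind == "transfer":
            # Customer-induced value cap: anything above it needs extra authorization.
            cap = customer_caps.get(ev.account)
            if cap is not None and ev.amount > cap:
                alerts.append(Alert(ev.account, ev.date, "customer_cap_exceeded",
                                    f"{ev.beneficiary}:{ev.amount}"))
            # Per-day per-beneficiary velocity monitoring.
            key = (ev.account, ev.date, ev.beneficiary)
            transfers_per_day[key] += 1
            if transfers_per_day[key] > MAX_TRANSFERS_PER_BENEFICIARY_PER_DAY:
                alerts.append(Alert(ev.account, ev.date, "beneficiary_velocity", ev.beneficiary))

    return alerts


# Constructed sample day for two accounts; ACC001 shows every rule firing once.
SAMPLE_EVENTS = [
    Event("ACC001", "2013-03-01", "add_beneficiary", "BEN-A", ip="10.0.0.5"),
    Event("ACC001", "2013-03-01", "transfer", "BEN-A", 5000, "10.0.0.5"),
    Event("ACC001", "2013-03-01", "add_beneficiary", "BEN-B", ip="10.0.0.5"),
    Event("ACC001", "2013-03-01", "add_beneficiary", "BEN-C", ip="203.0.113.9"),  # 3rd add, new IP
    Event("ACC001", "2013-03-01", "transfer", "BEN-C", 40000, "203.0.113.9"),     # above customer cap
    Event("ACC001", "2013-03-01", "transfer", "BEN-C", 9000, "203.0.113.9"),
    Event("ACC001", "2013-03-01", "transfer", "BEN-C", 9000, "203.0.113.9"),
    Event("ACC001", "2013-03-01", "transfer", "BEN-C", 9000, "203.0.113.9"),      # 4th transfer to BEN-C
    Event("ACC002", "2013-03-01", "transfer", "BEN-Z", 1000, "10.0.0.7"),
]
CUSTOMER_CAPS = {"ACC001": 25000}                       # ACC002 has set no cap
KNOWN_IPS = {"ACC001": {"10.0.0.5"}, "ACC002": {"10.0.0.7"}}


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, CUSTOMER_CAPS, KNOWN_IPS):
        print(f"{a.account} {a.date} {a.rule:<25} {a.detail}")
```

The rules are deliberately stateless across days (the buckets are keyed on the date string), so a production version would persist the counters and the per-account IP history rather than recompute them from a full event list; the point here is that each of the circular’s items maps to a simple, auditable rule whose output goes to both the bank’s monitoring desk and the account holder.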
Other developments: Note that RBI reported 8,322 cases of cyber fraud in 2012, a decline from the 9,588 and 15,018 cases registered in 2011 and 2010 respectively.
RBI has increasingly been making online/mobile transactions a tad difficult for users with its limits and restrictions. In September 2012, RBI had reiterated that it won’t allow telecom operators offering mobile wallets to offer a cash-out facility, unless they sign up customers under a Banking Correspondent tie-up.