Existing cards, both physical and virtual, that have never been used for online/ international/ contactless transactions will be “mandatorily” disabled, as per a notification by the Reserve Bank of India issued to banks and card issuers on January 15. The central bank also said that card issuers can take a decision, based on “risk perception” if they also wish to disable existing cards for card not present (domestic and international) transactions, card present (international) transactions and contactless transactions. These guidelines will come into effect from March 16, 2020. RBI claimed that it is taking these steps in order to “increase security” of card transactions.

By default, enable card transactions only at ATMs and POS: The notification also said that by default, all cards should be issued/reissued only for the purpose of use at ATMs and Point of Sales. Card issuers will have to provide the facility to enable card not present (domestic and international), card present (international) and contactless transactions. Additionally, it directed banks and card issuers to provide:

  • Facility to switch on/ off and set/ modify transaction limits (within the overall card limit, if any, set by the issuer) for all types of transactions – domestic and international, at PoS/ ATMs/ online transactions/ contactless transactions, etc.; this service should be made available 24×7 by means of — a mobile application, internet banking, ATMs and Interactive Voice Response (IVR). Additionally, this facility might be provided at a bank’s branch as well.
  • Notify a user via SMS or email whenever there is “any change in the status of the card”.

RBI clarified that these guidelines would not be mandatory for prepaid gift cards or cards used at mass transit systems.

Why this matters: 

  • In October 2019, the apex bank had directed banks to secure their customers’ card data, after millions of credit and debit card details of Indian banks were reportedly leaked and put up for sale. 1.3 million payment card details, 98%  of which were Indian, had been put up for sale on a website for stolen card details.
  • Another major breach had taken place in October 2016 when more than 3 million credit and debit card details of Indian banks were compromised.