Naavi.org has been pointing out that RBI appears to have a dual character when it comes to policy implementation. There are one set of executives probably closer to retirement but occupying the top echelons of RBI who are still oriented towards “Safe Banking” and “Customer Interests”. But there is an emerging set of executives in the mid management cadre who are easily swayed by the powerful bank lobbies into recommending measures which are often anti consumer.
Another evidence of this is the issue of a new circualr dated February 28, 2013 by RBI addressing some Risk mitigation measures for Electronic payment systems, in the midst of the controversial “Discussion Paper” on “Disincentivisation of Cheques”.
Speaking of “Securing Card Payment Transactions”, the circular specifies that
1.new cards will be issued for use only within India. If international use is specifically requested by the customer, it may be allowed but only on a card with EMV chip and Pin enabled.This will be effective from June 30, 2013.
2.Existing cards which have been used internationally( E commerce and POS or ATM) at least once will have to be in the EMV/PIN format only and older magnetic strip cards will have to be replaced by June 30, 2013.
3.Until such time the EMV cards are issued, there would be an omnibus limit of USD 500/- on international payments of any magnetic strip card. Lower limits may be fixed by the Banks based on the customer profile.
In terms of security, it is advised that
1. all POS systems should be certified for PCI-DSS and PA-DSS compliance by June 30, 2013
2. Banks should frame rules based on transaction pattern of the card usage to prevent frauds.
3.All acquiring infrastructure based on IP based solutions should be mandatorily put through PCI-DSS and PA-DSS certification.
4.Real time fraud monitoring system should be introduced at the earliest.
5.Card blocking through SMS should be enabled.
6.Two factor authenticaiton should be applied even for international payment of cards.
7. Call referral system should be introduced. Under this system the issuer may respond to the merchat with a “Call issuer” decision. Merchant may then call the acquiring bank with details after which the acquirer calls the issuing bank and seeks authorization. Before authorization, the issuing bank will speak to the customer. After the authorization, merchant has to swipe the card again.
The above measures will go a long way in mitigating the card related frauds. Some of these suggestions are on the lines suggested by the Damodaran Committee.
It is time to congratulate RBI for this move.