The Reserve Bank of India has recently announced a new set of guidelines on the security and risk measures that banks need to take for electronic payment transactions. Some key changes:
- International use of debit and credit cards: A key change being made is the provision that credit and debit cards should be issued only for domestic use by default, and if a customer needs a credit/debit card for international use they will have to specifically apply for the card for international transactions. The deadline for this is June 30th 2013.
- Second Factor Authentication for International transactions: Banks should move towards a system that facilitates implementation of an additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad). No deadline has been set for this, probably because it is not clear how banks will force international payment gateways to implement a second factor of authentication. This is exactly the issue we had pointed out when asking for a level playing field for payments.
- NEFT, RTGS & IMPS Payments: RBI has also announced measures for funds transfers via NEFT, RTGS and IMPS to prevent online fraud. It has asked banks to:
a. Include customer-induced caps on usage, in terms of the value / mode of transactions / beneficiaries. If a user wants to add an additional beneficiary or transaction, they will have to go through an additional authorization.
b. Limit the number of beneficiaries that may be added in a day per account. An alert system is to be introduced for when a beneficiary is added.
c. Monitoring and alerts: A way to monitor the number of transactions effected per day per beneficiary is to be implemented. In case of any suspicious operations, the bank and the account holder are to be alerted.
d. Consider a dynamic factor of authentication for NEFT, RTGS & IMPS: Introduce an additional factor of dynamic authentication for these transactions. It appears that the RBI is recommending the dreaded OTP method of authentication for NEFT, RTGS and IMPS.
e. Banks should capture Internet Protocol (IP) address as an additional validation check.
f. Banks that have sub-members should ensure that the security measures put in place by the sub-members are on par with the standards followed by them, so as to ensure safety and mitigate the reputation risk.
g. It has suggested that banks could also implement technologies like adaptive authentication, etc. for fraud detection.
- International cards will have to be EMV Chip and PIN enabled. What this essentially means is that customers will have to enter a PIN for every card swipe or transaction. While this adds an extra layer of security to prevent fraud, it might also cause inconvenience to users. Still, this is a standard international card practice.
- Block card via SMS: The RBI has said that banks should allow customers to block their cards via easier methods like SMS, and to get a confirmation to that effect after blocking the card.
- Convert existing cards to EMV Chip: Issuing banks should convert all existing MagStripe cards to EMV Chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS), by June 30, 2013.
Read More at Medianama