Security Issues and Risk mitigation measures related to Card Present (CP) transactions - RBI - Reserve Bank of India
RBI/2011-12/194
September 22, 2011

The Chairman and Managing Director / Chief Executive Officers

Madam / Dear Sir

Security Issues and Risk mitigation measures related to Card Present (CP) transactions.

As you are aware, in its endeavor to ensure that the payment systems operated in the country are safe, secure, sound and efficient, RBI has been taking proactive measures to contain the incidence of frauds in these systems. One such measure has been the move to secure Card Not Present (CNP) transactions, making it mandatory for banks to put in place additional authentication/validation for all on-line/IVR/MOTO/recurring transactions etc. based on information not available on the credit/debit/prepaid cards.

2. Card Present (CP) Transactions (transactions at ATM and POS delivery channels) constitute the major proportion of card based transactions in the country. Although a PIN validation is necessary for cash withdrawal at ATMs, majority of the card transactions at POS are not enabled for any additional authentication (other than signature). A majority of the cards issued by banks in India are Magstripe cards and the data stored on such cards are vulnerable to skimming and cloning.

3. The increased usage of credit/debit cards at various delivery channels also witnessed the increase in the frauds taking place due to the cards being lost / stolen, data being compromised and cards skimmed/counterfeited. There is, therefore, an imperative need to secure such card based transactions (CP transactions) as well to protect the interests of the card holders. Towards this end, RBI constituted a Working Group in March, 2011, with representations from various stake holders to examine these aspects and recommend an action plan which would foolproof the ecosystem. The Group submitted its report in June, 2011 and its recommendations, inter alia, include use of Aadhaar (an initiative of the Unique Identification Authority of India) based biometric authentication for all CP transactions in lieu of PIN with Magstripe cards continuing to be the form factor. The need for a complete migration to EMV Chip and PIN based cards could be considered based on the progress of Aadhaar in about 18 months. The Group has also recommended measures to secure the technology infrastructure, improve fraud risk management practices and strengthen merchant sourcing process within a period of 12-24 months. The report was examined and the recommendations therein have broadly been accepted by RBI.

4. Accordingly, banks and other stakeholders are directed to initiate immediate action for accomplishing the following tasks within the time indicated against each.

a. Strengthening the existing Payment Infrastructure & Future Proofing the system:
b. Infrastructure/ readiness for card acceptance:
c. Debit/Credit Cards used internationally:
5. The position of Aadhaar-based biometric authentication as a second factor of authentication for card present transactions would be reviewed towards the end of December, 2012, to assess the need for a complete switch over to EMV Chip and PIN Technology for card based transactions. It is, however, clarified that banks are free to migrate to EMV Chip and PIN based technology based on their commercial judgment and decisions taken by their Boards. It is further clarified that RBI is technology neutral with respect to type of PIN and its nature (static or dynamic).

6. Banks and other stake holders should monitor the progress of the action taken on a continuing basis and place detailed reports in this regard to their Boards on a quarterly basis.

7. The directive is issued under section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).

Please acknowledge receipt.

Yours faithfully,

Vijay Chugh