Security and Risk Mitigation Measures for Card Present Transactions - RBI - Reserve Bank of India
RBI/2013-14/296

September 27, 2013

The Chairman and Managing Director / Chief Executive Officers

Madam / Dear Sir,

Security and Risk Mitigation Measures for Card Present Transactions

A reference is invited to our circular DPSS.PD.CO.No.513 / 02.14.003 /2011-2012 dated September 22, 2011 on security issues and risk mitigation measures related to Card Present (CP) transactions and circulars DPSS (CO) PD No.1462 / 2377/ 02.14.003/2012-13 dated February 28, 2013 and June 24, 2013 respectively on security and risk mitigation measures for electronic payment transactions, wherein various timelines were indicated for compliance.

2. Various banks have approached us, seeking further extension of the time line of September 30, 2013 for complying with the task of securing the technology infrastructure (Unique Key Per Terminal - UKPT or Derived Unique Key Per Transaction - DUKPT / Terminal Line Encryption - TLE) as stated under Para 4(a)(3) of our circular dated September 22, 2011.

3. As you are aware the timelines indicated in the aforesaid circulars were decided after a series of meetings/discussions with the stakeholders. It was also clearly emphasized in our circular dated June 24, 2013 that no further extensions would be granted. In addition, it was also indicated that in the event of a customer complaining of misuse of card after the date stipulated in this circular, the issuer or the acquirer who has not adhered to the timelines should bear the loss.

4. In the circumstances, it has been decided not to grant any further extension of time. Accordingly, banks not complying with the requirements shall compensate loss, if any, incurred by the card holder using card at POS terminals not adhering to the mandated standards.

5. In this context, since the card holder/s would be approaching his/her card issuing bank for any fraudulent POS transaction/s in India (which have occurred after September 30, 2013), the following course of action is mandated:

6. Acquiring banks are advised to send a status report of compliance with respect to TLE and UKPT/DUKPT as on 30 September 2013, duly signed/ approved by the CMD/CEO of the bank on or before October 07, 2013. The position in this regard may also be put up to the Board in its next meeting, and a duly approved copy of this may be sent to us.

7. RBI will also consider invoking the penal provisions under the Payment and Settlement Systems Act, 2007 for banks that have failed to adhere to the timeline of September 30, 2013.

8. These instructions are issued under Section 18 of Payment and Settlement Systems Act, 2007.

Please acknowledge receipt

Yours faithfully,

Nilima Ramteke