Photographs: Reuters.
With cyber-attacks becoming more unpredictable and electronic payment systems becoming vulnerable to new types of misuse, it is imperative that banks introduce certain minimum checks and balances to minimise the impact of such attacks, says the Reserve Bank of India.
RBI has asked banks to implement a set of security and risk control measures from 30 June 2013.
Money transfer, card usage: New norms to prevent misuse
Securing card payment transactions
All new debit and credit cards are to be issued only for domestic usage unless international use is specifically sought by the customer. Cards enabled for international usage will have to be EMV chip (EMV, named for Europay, MasterCard and Visa, is a global security standard for chip card technology) and PIN enabled.
Issuing banks should convert all existing magstripe (magnetic stripe) cards to EMV chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS).
All active magstripe international cards issued by banks should have a threshold limit for international usage. The threshold should be determined by the bank based on the risk profile of the customer and accepted by the customer (by June 30, 2013).
Until this process is completed, an omnibus threshold limit (say, not exceeding $500), as determined by each bank, may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.
Banks should ensure that the terminals installed at merchants for capturing card payments (including the double-swipe terminals in use) are certified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard).
Banks should frame rules based on customers' card usage transaction patterns, in coordination with the authorised card payment networks, for arresting fraud. This would act as a fraud prevention measure.
Banks should ensure that all acquiring infrastructure currently operating on IP (Internet Protocol) based solutions mandatorily goes through PCI DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants.
Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.
Banks should move towards a system that facilitates implementation of additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad).
Banks should build in a system of call referral, in coordination with the card payment networks, based on these rules.
Securing electronic payment transactions
The electronic modes of payment like RTGS, NEFT and IMPS have emerged as channel-agnostic modes of funds transfer. Some of the additional measures that need to be introduced by the banks could be as follows:
Customer-induced options may be provided for fixing a cap on the value/mode of transactions/beneficiaries. If the customer wants to exceed the cap, an additional authorisation may be insisted upon.
Limit on the number of beneficiaries that may be added in a day per account could be considered.
A system of alert may be introduced when a beneficiary is added.
Banks may put in place a mechanism for velocity checks on the number of transactions effected per day/per beneficiary, and any suspicious operations should trigger an alert within the bank and to the customer.
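The three funds-transfer controls above (a daily cap on beneficiaries added, an alert on every beneficiary addition, and velocity checks per day and per beneficiary) as a small monitor over constructed sample transfers. This is an added illustration, not RBI's text or any bank's code; the numeric limits, account and payee identifiers are assumed values, since the circular leaves the figures to each bank.

```python
from collections import defaultdict
from dataclasses import dataclass

# Bank-chosen limits: assumed values for illustration only.
MAX_BENEFICIARIES_ADDED_PER_DAY = 3
MAX_TXNS_PER_DAY = 10
MAX_TXNS_PER_BENEFICIARY_PER_DAY = 4


@dataclass(frozen=True)
class Transfer:
    account: str      # customer's account (constructed sample values)
    day: str          # calendar day, YYYY-MM-DD
    beneficiary: str


class TransferMonitor:
    """Velocity checks on outbound transfers plus alerts on beneficiary additions."""

    def __init__(self):
        self.added = defaultdict(set)      # (account, day) -> beneficiaries added that day
        self.per_day = defaultdict(int)    # (account, day) -> transfers that day
        self.per_benef = defaultdict(int)  # (account, day, beneficiary) -> transfers to that payee

    def add_beneficiary(self, account, day, beneficiary):
        """Every addition alerts the customer; exceeding the daily cap also alerts the bank."""
        self.added[(account, day)].add(beneficiary)
        alerts = [f"customer: beneficiary {beneficiary} added to {account}"]
        if len(self.added[(account, day)]) > MAX_BENEFICIARIES_ADDED_PER_DAY:
            alerts.append(f"bank: {account} exceeded daily beneficiary-add limit on {day}")
        return alerts

    def record_transfer(self, t):
        """Count the transfer and return an alert for each velocity limit it pushes over."""
        self.per_day[(t.account, t.day)] += 1
        self.per_benef[(t.account, t.day, t.beneficiary)] += 1
        alerts = []
        if self.per_day[(t.account, t.day)] > MAX_TXNS_PER_DAY:
            alerts.append(f"bank+customer: {t.account} exceeded {MAX_TXNS_PER_DAY} transfers on {t.day}")
        if self.per_benef[(t.account, t.day, t.beneficiary)] > MAX_TXNS_PER_BENEFICIARY_PER_DAY:
            alerts.append(f"bank+customer: {t.account} sent {self.per_benef[(t.account, t.day, t.beneficiary)]} "
                          f"transfers to {t.beneficiary} on {t.day}")
        return alerts


def run_sample():
    """Constructed sample: five same-day transfers to a payee added that morning."""
    m = TransferMonitor()
    alerts = m.add_beneficiary("ACC-001", "2013-07-01", "PAYEE-9")
    for _ in range(5):
        alerts += m.record_transfer(Transfer("ACC-001", "2013-07-01", "PAYEE-9"))
    return alerts
```

The sample produces two alerts: the customer notice for the new payee, and the per-beneficiary velocity alert on the fifth transfer.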
Introduction of additional factor of authentication (preferably dynamic in nature) for such payment transactions should be considered.
The banks may consider implementation of digital signature for large value payments for all customers, to start with for RTGS transactions.
Capturing of Internet Protocol (IP) address as an additional validation check should be considered.
Sub-membership of banks in the centralised payment systems has made it possible for the customers of such sub-members to reap the benefits of those systems.
Banks accepting sub-members should ensure that the security measures put in place by the sub-members are on par with the standards followed by the banks themselves, so as to ensure safety and mitigate reputational risk.
Banks may explore the feasibility of implementing new technologies like adaptive authentication for fraud detection.