Security and Risk Mitigation Measures for Card Present Transactions

RBI/2013-14/296
DPSS (CO) PD No.719/02.14.011/2013-14

September 27, 2013

The Chairman and Managing Director / Chief Executive Officers 
All Scheduled Commercial Banks including RRBs / Urban Co-operative Banks / 
State Co-operative Banks / District Central Co-operative Banks/ 
Authorised Card Payment Networks

Madam / Dear Sir,

Security and Risk Mitigation Measures for Card Present Transactions

A reference is invited to our circular DPSS.PD.CO.No.513 / 02.14.003 /2011-2012 dated September 22, 2011 on security issues and risk mitigation measures related to Card Present (CP) transactions and circulars DPSS (CO) PD No.1462 / 2377/ 02.14.003/2012-13 dated February 28, 2013 and June 24, 2013 respectively on security and risk mitigation measures for electronic payment transactions, wherein various timelines were indicated for compliance.

2. Various banks have approached us, seeking further extension of the time line of September 30, 2013 for complying with the task of securing the technology infrastructure (Unique Key Per Terminal- UKPT or Derived Unique Key Per Transaction- DUKPT/ Terminal Line Encryption- TLE) as stated under Para 4(a)(3) of our circular dated September 22, 2011.

3. As you are aware the timelines indicated in the aforesaid circulars were decided after a series of meetings/discussions with the stakeholders. It was also clearly emphasized in our circular dated June 24, 2013 that no further extensions would be granted. In addition, it was also indicated that in the event of a customer complaining of misuse of card after the date stipulated in this circular, the issuer or the acquirer who has not adhered to the timelines should bear the loss.

4. In the circumstances, it has been decided not to grant any further extension of time. Accordingly, banks not complying with the requirements shall compensate loss, if any, incurred by the card holder using card at POS terminals not adhering to the mandated standards.

5. In this context, since the card holder/s would be approaching his/her card issuing bank for any fraudulent POS transaction/s in India (which have occurred after September 30, 2013), the following course of action is mandated:

a.       The issuing bank would ascertain, within 3 working days from the date of cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT as mandated.

b.      In the event it is found that the POS terminals are non-compliant as mandated, the issuing bank shall pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs.100 per day will be payable to the customer from the 8th working day.

c.       The issuing bank shall claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question.

d.      The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which the Reserve Bank of India would be constrained to compensate the issuing bank by debiting the account of the acquiring bank maintained with the Bank.

6. Acquiring banks are advised to send a status report of compliance with respect to TLE and UKPT/DUKPT as on 30 September 2013, duly signed/ approved by the CMD/CEO of the bank on or before October 07, 2013. The position in this regard may also be put up to the Board in its next meeting, and a duly approved copy of this may be sent to us.

7. RBI will also consider invoking the penal provisions under the Payment and Settlement Systems Act, 2007 for banks that have failed to adhere to the timeline of September 30, 2013.

8. These instructions are issued under Section 18 of Payment and Settlement Systems Act, 2007.

Please acknowledge receipt

Yours faithfully,

Nilima Ramteke
General Manager (Officer-in-Charge)