Security Issues and Risk mitigation measures related to Card Not present transactions

Security Issues and Risk mitigation measures related to Card Not present transactions

RBI/2010-11/347
DPSS.CO.No.1503/02.14.003/2010-2011

December 31, 2010

To

The Chairman and Managing Director/ Chief Executive Officers
All scheduled Commercial Banks including RRBs/Urban Co-operative Banks/
State Co-operative Banks/District Central Co-operative
Authorised card payment networks

Security Issues and Risk mitigation measures related to Card Not present transactions

Please refer to our circular RBI/DPSS/No.1501/02.14.003/2008-2009 dated February 18, 2009, wherein a directive was issued making it mandatory for banks to put in place additional authentication/validation based on information not visible on the cards for all on-line card not present (CNP) transactions except IVR transactions. This mandate was further extended to all CNP transactions including IVR transactions with effect from January 01, 2011 vide our circular RBI/2009-2010/420, DPSS No. 2303 / 02.14.003/2009-2010 dated April 23, 2010.

2. The progress in implementing the directions has been under continuous monitoring since several stake holders are involved in implementing the service solutions. While considerable progress has been achieved in the matter, banks have been requesting to permit them to test the new system in a live scenario by providing a parallel run for a reasonable period, so as to ensure that customers are not put to inconvenience.

3. After further discussions with the stakeholders it has been decided to permit a parallel run of the new arrangement for a period of one month upto January 31, 2011. During this period IVR transactions will not be declined merely on account of non authentication of additional factor. However, all efforts will be taken by the banks to ensure that customers use the additional factor as well while transacting through the IVR mode. However, after January 31, 2011 no IVR transactions shall be permitted unless such transactions comply with the additional factor authentication requirement.

4. We have been receiving requests from the various stakeholders that the Mail order Telephone order (MOTO) transactions which are also a subset of the Card Not present transaction may be exempted from the purview of additional factor of authentication for the present.After extensive deliberations with the stakeholders, it has been decided that the banks and card companies shall revert to us by February 28, 2011 on the process to be followed in respect of:-:

a. Recurring transactions based on standing instructions given to the merchants by the cardholders indicating the category of utility services.

b. Travel and hotel industry bookings and other MOTO transactions

5. Please acknowledge receipt.