
RBI bars payment card firms from taking customer data outside premise

In a bid to curb credit and debit card frauds in the country, the Reserve Bank of India has issued new guidelines prohibiting banks and companies that issue debit cards, credit cards and pre-paid cards (virtual or physical) from taking scanned customer card data outside their premises, writes ETV Bharat's Deputy News Editor Krishnanand Tripathi.

Published : Feb 19, 2021, 3:56 AM IST

New Delhi: In order to curb the rising incidents of card payment fraud, the Reserve Bank of India on Thursday issued new guidelines applicable to all scheduled commercial banks, small finance banks, payment banks and credit card issuing non-banking finance companies, and prohibited these entities from taking scanned customer card data outside their premises.

The new guidelines, formally the master direction on digital payment security controls, will come into effect after six months, but for a certain category of regulated entities they have come into effect immediately.

Under the new guidelines, the Reserve Bank asked the banks and companies that issue debit cards, credit cards and pre-paid cards (virtual or physical) to follow the recommendations of the Payment Card Industry (PCI) as comprehensive payment card security guidelines.

Scanned card data to stay within premises

In order to prevent any misuse of unencrypted card data, the Reserve Bank of India barred the card companies from taking unencrypted (clear text) card data outside their premises or carrying out the scanning remotely.

“The scanning tool should be installed only in the regulated entity’s premises on their devices and Card data scanning should not be done remotely,” the RBI said in its master guidelines.

The RBI also cautioned the card providers to first test the scope and impact of any third-party tool they would use to scan for card data.

The Reserve Bank said any discovered data must preferably stay within the scanning tool, and any card data that is exported must be appropriately masked.

“No data, even the masked data, must be taken out of the regulated entity’s premises,” warned the RBI.

The RBI also directed that service providers of these card issuing entities must scan or analyse the data within the premises of the regulated entity and only on devices owned by that entity.

Credit-debit card frauds in the country

Debit card and credit card frauds are still common in the country despite the use of the latest technology and multiple authentication factors.

According to the latest data given by the government in the Lok Sabha in March last year, more than 52,300 cases of credit and debit card fraud, involving a sum of over Rs 149 crores, were reported in 2018-19.

In 2019-20, the number of fraud incidents involving credit and debit cards declined marginally to 52,000 cases, but the amount involved went up to Rs 228.44 crores.

Cloning of credit and debit cards, where a fraudster makes a copy of the card data, is commonly used by criminals to commit credit-debit card frauds.

RBI frames strict rules to prevent fraud

The RBI also issued fresh rules for the secure management, processing and transmission of the personal identification number (PIN) to prevent fraud.

The RBI said the regulated entities must use technologies that encrypt the customer's card data immediately after the card swipe and then securely transfer it directly to the payment processor.

The RBI also said the hardware security module used in the process must create a tamper-proof log of all events.

It also directed the companies to improve the security of ATMs by disabling USB ports and the auto-run facility, applying the latest operating system patches, and implementing anti-skimming and whitelisting solutions.

Real-time monitoring of overseas transactions

The Reserve Bank directed card companies to ensure robust surveillance of all card transactions, particularly overseas cash withdrawals.

“The regulated entities shall institute a mechanism to monitor breaches, if any, on a 24x7 basis, including weekends, long holidays and put in place a robust incident response mechanism to mitigate the fraud loss, on account of suspicious transactions,” said the Bank.

The Reserve Bank said card companies must ensure that card details of the customers are not stored in plain text at any location, system or application.

“They shall also ensure that the processing of card details in readable format is performed in a secure manner to strictly avoid data leakage of sensitive customer information,” said the RBI.
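The direction's two storage-related requirements, that clear-text card data found by a scanning tool is masked before anything leaves the premises and that card details are never kept in plain text in any log, file or application, come down to one defensive check: discover card numbers in stored data and replace them with a mask. The following is an added example, not code from the article or from the RBI's master direction. It assumes the common PCI DSS display mask (first six and last four digits kept, the rest replaced), uses a Luhn check to filter out transaction ids and timestamps, and runs over a constructed sample log that uses the standard industry test card numbers rather than real accounts.

```python
"""Added example (not from the article or the RBI direction): a minimal
clear-text card-data scanner and masker, run over a constructed sample log.

Assumptions: the card numbers below are the standard industry test PANs
(not real accounts), and the masking format (first six + last four digits
kept, the rest replaced by '*') is the commonly used PCI DSS display mask."""
import re
from typing import NamedTuple

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Finding(NamedTuple):
    line_no: int
    masked_pan: str           # the finding is reported masked, never in clear


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_clear_text_pans(text: str) -> list[Finding]:
    """Report every Luhn-valid PAN found in clear text, by line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _digits_only(m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def mask_clear_text_pans(text: str) -> str:
    """Return the text with every Luhn-valid PAN replaced by its mask."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def contains_clear_text_pan(text: str) -> bool:
    """Export gate: True if any clear-text PAN remains in the data."""
    return bool(find_clear_text_pans(text))


# Constructed sample log. Lines 1 and 2 leak a PAN; line 3 only has a
# 13-digit order id that fails the Luhn check and must be left alone.
SAMPLE_LOG = """\
2021-02-18 10:01:02 auth ok txn=20210218100102 pan=4111111111111111 amt=1250.00
2021-02-18 10:01:09 auth ok txn=20210218100109 pan=5555 5555 5555 4444 amt=80.00
2021-02-18 10:02:00 order_id=1234567890123 customer=anon
"""

if __name__ == "__main__":
    for f in find_clear_text_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: clear-text PAN found, masked form {f.masked_pan}")
    masked = mask_clear_text_pans(SAMPLE_LOG)
    print("safe to export:", not contains_clear_text_pan(masked))
```

The scanner reports findings already masked, so its own output never becomes a second copy of the clear-text data, and `contains_clear_text_pan` is the check to run on anything that is about to leave the scanning tool. The Luhn filter keeps transaction ids and order numbers of PAN-like length from being mangled, though a real deployment would also tune the candidate pattern to the card ranges the entity actually issues.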


Copyright © 2024 Ushodaya Enterprises Pvt. Ltd., All Rights Reserved.