Report Of The RBI Working Group On Securing Card Present Transaction

The Reserve Bank of India (RBI) is taking cyber security of banking industry very seriously. RBI has been stressing that banks in India are required to ensure cyber due diligence and cyber security due diligence. However, the banks in India have still not done the needful in this regard even though the first quarterly report in this regard is due on 30th June, 2011.

RBI has now taken another significant step in this regard. RBI today placed on its website the Report of the Working Group on Securing Card Present Transaction. Comments of the Report may be emailed or forwarded by June 30, 2011 to the Chief General Manager, Department of Payment and Settlement System, Reserve Bank of India, Central Office, Mumbai-400001.

Card Present Transactions (at PoS and ATMs) constitute major proportion of card based transactions in the country. Currently, transactions using cards at PoS do not require additional authentication in majority of cards. Further most of the cards used in India, presently used magnetic stripe technology. Taking into account vulnerabilities involved, and to increase customer confidence may countries led by European Union have moved to Chip and Pin technology.

The RBI constituted a Working Group consisting of banks and card companies in March 2011 to look into all the related issues implementing the security of card transactions in India and suggesting a road map for migration. The Working Group submitted its report on June 2, 2011.

The Working Group arrived at the final recommendations based on the following critical factors:

(1) Putting in place a series of measures to strengthen the Payments infrastructure and ecosystem in the country,

(2) The need for a hybrid approach – the evolving nature of UIDAI, varying international and domestic trends. (Ed-The use of UID has been not approved till the suitability of same is well established).

(3) The need for a PIN (to ensure Lost and Stolen fraud is minimized) over and above protecting for skimming (Counterfeit). The choice of PIN though would be at the discretion of the Issuer.

(4) Important to ensure that both offline and online PINs are accepted by the EDC machines so that interoperability is ensured.

(5) Open, reloadable prepaid cards to be treated as “debit” equivalent as far as group recommendations as concerned.

(6) Differentiated implementation timelines for debit and credit cards.

(7) EMV Cards for international travelers to be prioritized

(8) Minimize throw-away costs and technology efforts for all stakeholders.

(9) Evaluation of UIDAI’s Aadhaar rollout as a strong alternative for domestic transactions 18 months from now based on:

(a) Aadhaar enrollment statistics for the existing cardholder base

(b) Proof of Aadhaar working as a second factor through pilots and roll outs

(c) Readiness of UIDAI to work with ATM, POS and device manufacturers to ensure ubiquity of biometric authentication both for existing machines and new deployments

(d) End to end transaction time including biometric authentication to comply with global standards for authentication

(e) Legal framework to be in place for ensuring non-repudiation of biometric authenticated transactions.

(f) Procedural guidelines and engagement model for banks to work with UIDAI for authentication, validation process in case of dispute through logs etc. to be put in place.

(g) UIDAI’s readiness to work with banks, associations and technology partners to make the payments ecosystem ready for a well tested, industry grade solution 18 months from now

(h) Evaluate the risk of being a “single point of failure”.

Perry4Law and Perry4Law Techno Legal Base (PTLB) welcome this initiative of RBI and congratulate the working group for coming out with good guidelines.

Source: ICTPS Blog.