Reserve Bank of India (RBI) has finally decided that enough is enough. According to Circular RBI/2013-14/296, DPSS (CO) PD No.719/02.14.011/2013-14, issued on September 27, 2013, RBI has brought into force the mandatory provisions of circular DPSS.PD.CO.No.513 / 02.14.003 /2011-2012 dated September 22, 2011 on security issues and risk mitigation measures related to Card Present (CP) transactions, and of circulars DPSS (CO) PD No.1462 / 2377/ 02.14.003/2012-13 dated February 28, 2013 and June 24, 2013 respectively on security and risk mitigation measures for electronic payment transactions, in which various timelines for compliance were indicated.
Banks in India have approached RBI from time to time to extend the September 30, 2013 deadline for the applicability of these circulars, i.e. for completing the task of securing the technology infrastructure (Unique Key Per Terminal (UKPT) or Derived Unique Key Per Transaction (DUKPT), together with Terminal Line Encryption (TLE)) as stated under Para 4(a)(3) of RBI's circular dated September 22, 2011.
RBI had decided these timelines after a series of meetings/discussions with the stakeholders. It was also clearly emphasised in RBI's circular dated June 24, 2013 that no further extensions would be granted. In addition, it was indicated that in the event of a customer complaining of misuse of a card after the date stipulated in that circular, the issuer or the acquirer who has not adhered to the timelines should bear the loss.
This means that banks in India would now be legally liable to make good the losses arising from their own negligence, lack of cyber due diligence and non-adherence to the directions issued by RBI from time to time. Presently the banks of India are passing off the burden and losses arising out of fraudulent monetary transactions to their consumers; that is going to change very soon.
RBI has further decided not to grant any extension of time. Accordingly, banks not complying with the requirements shall compensate any loss incurred by a card holder using a card at POS terminals that do not adhere to the mandated standards.
In this context, since a card holder would approach his/her card issuing bank about any fraudulent POS transaction/s in India occurring after September 30, 2013, the following course of action is mandated by RBI:
(1) The issuing bank would ascertain, within 3 working days from the date of cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT as mandated.
(2) In the event it is found that the POS terminals are non-compliant as mandated, the issuing bank shall pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs.100 per day will be payable to the customer from the 8th working day.
(3) The issuing bank shall claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question.
(4) The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which RBI would be constrained to compensate the issuing bank by debiting the account of the acquiring bank maintained with RBI.
RBI has also directed the acquiring banks to send a status report of compliance with respect to TLE and UKPT/DUKPT as on September 30, 2013, duly signed/approved by the CMD/CEO of the bank, on or before October 07, 2013. The position in this regard may also be put up to the Board in its next meeting, and a duly approved copy of this may be sent to RBI.
RBI will also consider invoking the penal provisions under the Payment and Settlement Systems Act, 2007 against banks that have failed to adhere to the timeline of September 30, 2013. These instructions have been issued under Section 18 of the Payment and Settlement Systems Act, 2007.