What changed
RBI made it mandatory for banks to deploy an extra layer of authentication for online card transactions that do not require the physical card, using information not printed on the card. Additionally, banks must now send online alerts to cardholders for all card-not-present transactions of ₹5,000 and above.
What it means for you
Banks and card issuers must upgrade their payment systems to support two-factor authentication for e-commerce and other card-not-present scenarios, excluding IVR. This increases operational costs and requires coordination with card networks and merchants. The alert system also demands real-time notification infrastructure, adding to compliance burden but reducing fraud risk.
What you must do
- Implement additional authentication (e.g., OTP, PIN) for all online card-not-present transactions by August 1, 2009, except IVR transactions.
- Set up a system to send real-time alerts to cardholders for every card-not-present transaction of ₹5,000 or more.
- Ensure compliance with the Payment and Settlement Systems Act, 2007, as non-adherence will attract penalties.
- Coordinate with card networks and merchants to integrate the new authentication and alert mechanisms.
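The two rules above (a second factor not printed on the card for non-IVR card-not-present transactions, and an alert at ₹5,000 and above) expressed as an added authorization check; this is example code, not part of the circular or this summary, and the channel names, factor labels and Transaction fields are assumptions:

```python
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed illustration of the circular's two rules; channel and factor
# names below are assumptions, not terms from the circular.
ALERT_THRESHOLD = 5000  # rupees, inclusive ("5,000 and above")

# Factors that count as "information not printed on the card". CVV and expiry
# are printed on the card and therefore do not qualify as the extra layer.
NON_PRINTED_FACTORS = frozenset({"otp", "internet_pin", "password"})

@dataclass
class Transaction:
    amount: int                      # rupees
    channel: str                     # "pos", "ecommerce", "mail_order", "ivr"
    verified_factors: FrozenSet[str] = field(default_factory=frozenset)

@dataclass
class Decision:
    approved: bool
    reason: str
    alert_cardholder: bool

def is_card_not_present(channel: str) -> bool:
    return channel != "pos"

def authorize(txn: Transaction) -> Decision:
    cnp = is_card_not_present(txn.channel)
    if not cnp:
        approved, reason = True, "card-present: mandate does not apply"
    elif txn.channel == "ivr":
        approved, reason = True, "ivr: excluded from additional authentication"
    else:
        extra = txn.verified_factors & NON_PRINTED_FACTORS
        if extra:
            approved, reason = True, "cnp: non-printed second factor verified"
        else:
            # CVV/expiry alone are printed on the card and do not count.
            approved, reason = False, "cnp: no non-printed second factor verified"
    # Alert rule: every approved CNP transaction of 5,000 or more, IVR included.
    alert = approved and cnp and txn.amount >= ALERT_THRESHOLD
    return Decision(approved, reason, alert)

if __name__ == "__main__":
    # Constructed sample: CVV alone is rejected, OTP at exactly 5,000 alerts.
    print(authorize(Transaction(6000, "ecommerce", frozenset({"cvv", "expiry"}))))
    print(authorize(Transaction(5000, "ecommerce", frozenset({"cvv", "otp"}))))
```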
Who it affects
- All scheduled commercial banks, including RRBs
- Urban co-operative banks
- State co-operative banks
- District central co-operative banks
- Card-issuing institutions
- Merchants accepting card-not-present transactions
What is the deadline for implementing these security measures?
The deadline is August 1, 2009, as per the circular dated February 18, 2009.
Are IVR transactions covered under the additional authentication requirement?
No, IVR transactions are excluded from the additional authentication mandate; separate instructions will be issued for them.
What happens if a bank fails to comply with these directives?
Non-compliance will attract penalties under the Payment and Settlement Systems Act, 2007 (Act 51 of 2007).