Circular RBI/2012-13/424

RBI Mandates Tougher Security for Card & E-Payments

Live · in force. No withdrawal recorded as of 20 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
Issued by RBI: 28 Feb 2013  ·  Decoded by BankPulse: 19 Jun 2026, 21:56 IST
Quick answer: RBI has mandated new security measures for electronic payments, including domestic-only card issuance by default, EMV chip migration for international cards, PCI-DSS certification for IP-based acquiring infrastructure, and real-time fraud monitoring. Banks must comply by various deadlines, with most by June 30, 2013, but real-time monitoring 'at the earliest'.

What changed

RBI now requires all new debit and credit cards to be issued for domestic use only unless the customer explicitly opts for international usage. Existing magstripe cards used internationally must be converted to EMV chip cards, and a threshold limit for international transactions must be set. All IP-based acquiring infrastructure (including acquirers, processors/aggregators, and large merchants) must be PCI-DSS and PA-DSS certified.

What it means for you

Banks must overhaul card issuance and merchant terminal processes to meet these deadlines, increasing operational costs but reducing fraud risk. The move shifts liability for international fraud more onto banks and requires tighter coordination with card networks for real-time monitoring. Non-compliance could invite regulatory action.

What you must do

Who it affects

All scheduled commercial banks including RRBs, Urban Co-operative Banks, State Co-operative Banks, District Central Co-operative Banks, Authorised Card Payment Networks

What is the deadline for converting existing magstripe cards to EMV chip?

June 30, 2013, but only for customers who have used their cards internationally at least once.

What is the omnibus threshold for international usage on cards never used abroad?

Banks may set a limit not exceeding USD 500 until individual thresholds are established.

Do all merchant terminals need PCI-DSS certification?

Yes, all IP-based acquiring infrastructure, including acquirers, processors, aggregators, and large merchants, must be PCI-DSS and PA-DSS certified by June 30, 2013.

AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · decoded & published by BankPulse · 19 Jun 2026, 21:56 IST
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=7874&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.