Security and Risk Mitigation Measures for Electronic Payment Transactions in the Indian ePayment ecosystem.

As Indian citizens rapidly move up the value chain of ePayments, the crooks have started to follow them. On average, the Indian media reports 2 to 5 news articles in which Indian bank customers have lost money due to breaches in electronic payment channels.

As the electronic payment channels have multiple entry points, securing all of them is an impossible task. These weaknesses are exploited by criminals and hackers to cause havoc with your money.

In India, the Reserve Bank of India continuously releases guidelines to enhance the safety of ePayments.

The best part of the guidelines is that all the players in the electronic payment ecosystem (all Scheduled Commercial Banks including RRBs / Urban Co-operative Banks / State Co-operative Banks / District Central Co-operative Banks / Authorised Card Payment Networks) are expected to adhere to the guidelines within a reasonable period of time.

To further safeguard ePayments in India, the Reserve Bank of India, vide its Notification No. RBI/2012-13/424 DPSS (CO) PD No.1462/02.14.003 / 2012-13 dated 28/02/2013, has announced the following security and risk control measures, as detailed hereunder:


A. Securing Card Payment Transactions

01) By default, all new debit and credit cards should be enabled only for domestic use. On specific customer request, cards can be enabled for international use too. Such cards enabled for international usage will essentially have to be EMV chip and PIN enabled. (By June 30, 2013)

02) Issuing banks should convert all existing magstripe cards to EMV chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS). (By June 30, 2013)

03) All the active magstripe international cards issued by banks should have a threshold limit for international usage. The threshold should be determined by the banks based on the risk profile of the customer and accepted by the customer (By June 30, 2013). Until this process is completed, an omnibus threshold limit (say, not exceeding USD 500) as determined by each bank may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.

04) Banks should ensure that the terminals installed at merchants for capturing card payments (including the double-swipe terminals used) are certified for PCI-DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard). (By June 30, 2013)

05) Banks should frame rules based on the transaction pattern of card usage by customers, in coordination with the authorised card payment networks, for arresting fraud. This would act as a fraud prevention measure. (By June 30, 2013)

06) Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants. (By June 30, 2013)

07) A real-time fraud monitoring system is to be implemented at the earliest.

08) Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.

09) Customers should have the option of an additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad).

10) Real-time call referral rules should be framed in coordination with the card payment networks.


B. Securing Electronic Payment Transactions

01) Customer-induced options may be provided for fixing a cap on the value / mode of transactions / beneficiaries. In the event of a customer wanting to exceed the cap, an additional authorisation may be insisted upon.

02) A limit on the number of beneficiaries that may be added in a day per account could be considered.

03) A system of alerts may be introduced when a beneficiary is added.

04) Banks may put in place a mechanism for velocity checks on the number of transactions effected per day / per beneficiary, and any suspicious operations should be subjected to an alert within the bank and to the customer.

05) Introduction of additional factor of authentication (preferably dynamic in nature) for such payment transactions should be considered.

06) Digital signature for large value payments for all customers, to start with for RTGS transactions, is another safety option.

07) Capturing of Internet Protocol (IP) address as an additional validation check should be considered.

08) Banks accepting sub-members should ensure that the security measures put in place by the sub-members are on par with the standards followed by the banks themselves, so as to ensure safety and mitigate reputation risk.

09) Banks may explore the feasibility of implementing new technologies like adaptive authentication, etc. for fraud detection.
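The controls in A.01, A.03 and B.01 to B.04 are all rules a bank's transaction-monitoring layer can evaluate before a payment is released: is the card enabled and chip-and-PIN for international use, is the cumulative international spend within the customer's threshold, is the transfer above the customer-set cap (step-up authorisation), how many beneficiaries were added today, and how many transfers went to one beneficiary today (velocity). The following is an added illustration of such a rule set, written for this page; it is not the RBI's, the author's or any bank's code. The USD 500 limit is the omnibus figure the notification suggests; every other limit, the account and card identifiers, and the event stream are constructed sample data.

```python
"""Constructed example of a transaction-monitoring rule set modelled on the
controls listed above (A.01, A.03, B.01-B.04). Limits and events are made up."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Card:
    card_id: str
    chip_and_pin: bool
    international_enabled: bool   # off by default, on only at customer request (A.01)
    intl_limit_usd: float         # customer-accepted threshold or omnibus limit (A.03)


@dataclass
class Account:
    account_id: str
    txn_cap: float                   # customer-set cap per transfer (B.01)
    max_benef_adds_per_day: int      # B.02
    max_txns_per_benef_per_day: int  # B.04
    beneficiaries: set = field(default_factory=set)


@dataclass
class Event:
    day: str
    account_id: str
    kind: str                     # "card", "transfer" or "add_beneficiary"
    amount: float = 0.0
    beneficiary: str = ""
    card_id: str = ""
    international: bool = False


class Monitor:
    """Evaluates one event at a time, keeping per-day counters for velocity checks."""

    def __init__(self, cards, accounts):
        self.cards = {c.card_id: c for c in cards}
        self.accounts = {a.account_id: a for a in accounts}
        self.intl_spend = defaultdict(float)  # card_id -> cumulative USD used abroad
        self.benef_adds = defaultdict(int)    # (account, day) -> beneficiaries added
        self.txn_counts = defaultdict(int)    # (account, day, beneficiary) -> transfers

    def evaluate(self, ev):
        """Return (decision, reasons); decision is ACCEPT, STEP_UP or DECLINE."""
        if ev.kind == "card":
            return self._card(ev)
        if ev.kind == "add_beneficiary":
            return self._add_beneficiary(ev)
        return self._transfer(ev)

    def _card(self, ev):
        card = self.cards[ev.card_id]
        if not ev.international:
            return "ACCEPT", []
        if not card.international_enabled:
            return "DECLINE", ["card not enabled for international use (A.01)"]
        if not card.chip_and_pin:
            return "DECLINE", ["international use requires EMV chip and PIN (A.01)"]
        if self.intl_spend[card.card_id] + ev.amount > card.intl_limit_usd:
            return "DECLINE", ["international usage threshold exceeded (A.03)"]
        self.intl_spend[card.card_id] += ev.amount
        return "ACCEPT", []

    def _add_beneficiary(self, ev):
        acct = self.accounts[ev.account_id]
        key = (ev.account_id, ev.day)
        if self.benef_adds[key] >= acct.max_benef_adds_per_day:
            return "DECLINE", ["daily beneficiary-add limit reached (B.02)"]
        self.benef_adds[key] += 1
        acct.beneficiaries.add(ev.beneficiary)
        return "ACCEPT", ["alert customer: beneficiary added (B.03)"]

    def _transfer(self, ev):
        acct = self.accounts[ev.account_id]
        if ev.beneficiary not in acct.beneficiaries:
            return "DECLINE", ["beneficiary not registered on this account"]
        key = (ev.account_id, ev.day, ev.beneficiary)
        self.txn_counts[key] += 1
        if self.txn_counts[key] > acct.max_txns_per_benef_per_day:
            # Suspicious velocity: hold for additional authentication and alert bank + customer.
            return "STEP_UP", ["per-beneficiary daily velocity exceeded; alert bank and customer (B.04)"]
        if ev.amount > acct.txn_cap:
            return "STEP_UP", ["amount above customer cap; additional authorisation required (B.01)"]
        return "ACCEPT", []


def run_sample():
    """Feed a constructed event stream through the monitor; returns decisions in order."""
    mon = Monitor(
        cards=[Card("card-dom", chip_and_pin=False, international_enabled=False, intl_limit_usd=0),
               Card("card-intl", chip_and_pin=True, international_enabled=True, intl_limit_usd=500)],
        accounts=[Account("acct-1", txn_cap=50000, max_benef_adds_per_day=2, max_txns_per_benef_per_day=3)],
    )
    d = "2013-07-01"
    events = [
        Event(d, "acct-1", "card", amount=40, card_id="card-dom", international=True),    # DECLINE
        Event(d, "acct-1", "card", amount=300, card_id="card-intl", international=True),  # ACCEPT
        Event(d, "acct-1", "card", amount=300, card_id="card-intl", international=True),  # DECLINE (600 > 500)
        Event(d, "acct-1", "add_beneficiary", beneficiary="B1"),                          # ACCEPT + alert
        Event(d, "acct-1", "add_beneficiary", beneficiary="B2"),                          # ACCEPT + alert
        Event(d, "acct-1", "add_beneficiary", beneficiary="B3"),                          # DECLINE (3rd add)
        Event(d, "acct-1", "transfer", amount=10000, beneficiary="B1"),                   # ACCEPT
        Event(d, "acct-1", "transfer", amount=75000, beneficiary="B1"),                   # STEP_UP (cap)
        Event(d, "acct-1", "transfer", amount=100, beneficiary="B1"),                     # ACCEPT
        Event(d, "acct-1", "transfer", amount=100, beneficiary="B1"),                     # STEP_UP (velocity)
        Event(d, "acct-1", "transfer", amount=100, beneficiary="B3"),                     # DECLINE (not added)
    ]
    return [mon.evaluate(e)[0] for e in events]


if __name__ == "__main__":
    print(run_sample())
```

The counters are keyed by calendar day so that the B.02 and B.04 limits reset naturally; in a production system they would live in a shared store rather than in-process memory, and the STEP_UP outcome would trigger the dynamic second factor described in B.05 rather than simply being reported.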


The deadline for banks to adopt the above is June 30, 2013. As the above measures were discussed with the stakeholders over the last few months, adoption should not be painful.

Yes, investment in technology and manpower will be required to quickly safeguard Indian bank customers from electronic payment risks. The safer ePayments are, the more people will shift their payment modes to ePayment channels.
