Good news for all debit and credit card holders: RBI has directed all banks to maintain certain security norms which should help to avoid fraudulent use of cards at POS (Point of Sale) terminals (where cards are swiped). Further, if any fraudulent transaction takes place after 30.09.2013 at a POS where these security steps have not been taken by the bank, then the bank shall compensate the loss to the card holder. This decision has been taken on the basis of the report of the WORKING GROUP ON SECURING CARD PRESENT TRANSACTIONS dated 31.05.2013.
So in both cases card holders benefit:
- If the security steps have been taken by the bank: it reduces the chances of fraud.
- If the security steps have not been taken: the bank shall compensate the loss to the card holder.
Banks were asked to implement these norms from 01.10.2013 vide RBI direction RBI/2011-12/194 DPSS.PD.CO.No.513/02.14.003/2011-2012 dated 22.09.2013. Later, banks sought an extension of the date for implementation of these steps, but RBI denied the request (as quoted below), so these rules apply from 01.10.2013:
In the circumstances, it has been decided not to grant any further extension of time. Accordingly, banks not complying with the requirements shall compensate loss, if any, incurred by the card holder using card at POS (point of sale) terminals not adhering to the mandated standards.
Method of compensation of loss to customers and Penalty for delay in making compensation
5. In this context, since the card holder/s would be approaching his/her card issuing bank for any fraudulent POS transaction/s in India (which have occurred after September 30, 2013), the following course of action is mandated:
- The issuing bank would ascertain, within 3 working days from the date of the cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT (read meaning below) as mandated.
- In the event it is found that the POS terminals are non-compliant as mandated, the issuing bank shall pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs.100 per day will be payable to the customer from the 8th working day.
- The issuing bank shall claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question.
- The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which the Reserve Bank of India would be constrained to compensate the issuing bank by debiting the account of the acquiring bank maintained with the Bank.
What are these new measures?
Currently all transaction data travels from the POS terminal/ATM to the host system in clear text, except for the PIN data. The transaction data travels through various communication carriers like PSTN, IP WAN, GPRS and CDMA. Any data compromise due to wire-tapping at merchant establishments or during the communication carriage can lead to fraud losses and reputation risk for the issuing and acquiring banks. RBI has directed banks to implement either of the first two security features at POS; the third is mandatory for all.
1. Unique Key per Terminal (UKPT): UKPT is a key management scheme where each POS terminal/ATM has a unique key for encrypting data originating from that terminal/ATM. UKPT is the common method of encryption implemented worldwide on ATM/POS. Currently, acquirers in India use a single key to encrypt transaction data originating from all their POS terminals. There is a risk in having the same key across all POS terminals: in case of key compromise at a particular terminal, all the terminals of the acquirer are compromised.
2. Derived Unique Key per Transaction (DUKPT): DUKPT is one level higher than UKPT in POS transaction data encryption. DUKPT uses one-time keys that are generated for every transaction, after which the key is discarded. The advantage is that if one of these keys is compromised, only one transaction is compromised.
3. Terminal Line Encryption (TLE): It is critical to build adequate controls to safeguard customer and transaction information during the transaction life cycle. Currently the information flow between the acquiring host, issuer host and switch is encrypted; the residual risk is that the transaction data packets flow in clear between the terminal and the acquiring host. This exposes the payment infrastructure to possible data compromise through wire tapping.
In addition to wire tapping, TLE also protects against other threats like eavesdropping/card skimming, host spoofing and replay attacks.
TLE offers an encrypted terminal line from the POS terminal to the bank acquirer host when transferring transaction data packets during online transaction processing. It uses a "Line Encryption Server" which facilitates the encryption and decryption of the transaction data packets.
Many countries across the globe have implemented TLE to secure the payment infrastructure; examples are Malaysia, Thailand, Indonesia, Europe and the US.
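To make the difference between the three measures concrete, here is an added example (not from this post, the RBI circular, or the ANSI X9.24 standard real terminals follow). It models the pre-mandate single shared key, UKPT, and a simplified DUKPT, measures how many transactions one leaked key exposes under each, and then shows a TLE-style packet passing from a terminal to a line encryption server that rejects tampered and replayed packets. It goes slightly beyond the post by including the tamper and replay checks. The cipher is an HMAC-SHA256 keystream standing in for 3DES/AES; the class names (SharedKey, UKPT, DUKPT, LineEncryptionServer), the packet layout and SAMPLE_TRANSACTIONS are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import struct


def prf_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream (a PRF run in counter mode).
    Illustrative stand-in for the 3DES/AES a real terminal would use; the key
    management comparison below does not depend on the cipher choice."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SharedKey:
    """Pre-mandate practice the post describes: one key for every terminal."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def key_for(self, terminal_id, counter):
        return self.key


class UKPT:
    """Unique Key per Terminal: each terminal's key is derived from a master key."""
    def __init__(self):
        self.master = secrets.token_bytes(32)

    def key_for(self, terminal_id, counter):
        return hmac.new(self.master, terminal_id.encode(), hashlib.sha256).digest()


class DUKPT:
    """Derived Unique Key per Transaction, simplified: a fresh key per transaction
    counter. Real ANSI X9.24 DUKPT uses a non-reversible derivation tree, but the
    blast-radius property shown here is the same."""
    def __init__(self):
        self.bdk = secrets.token_bytes(32)  # base derivation key held by the acquirer

    def key_for(self, terminal_id, counter):
        initial_key = hmac.new(self.bdk, terminal_id.encode(), hashlib.sha256).digest()
        return hmac.new(initial_key, struct.pack(">I", counter), hashlib.sha256).digest()


def nonce_for(terminal_id, counter):
    return f"{terminal_id}:{counter}".encode()


def blast_radius(scheme, transactions, leaked):
    """Number of transactions an attacker can read after learning the one key that
    protected the transaction `leaked` = (terminal_id, counter)."""
    leaked_key = scheme.key_for(*leaked)
    readable = 0
    for tid, ctr, plaintext in transactions:
        nonce = nonce_for(tid, ctr)
        ciphertext = prf_stream(scheme.key_for(tid, ctr), nonce, plaintext)
        if prf_stream(leaked_key, nonce, ciphertext) == plaintext:
            readable += 1
    return readable


def terminal_send(scheme, terminal_id, counter, plaintext):
    """TLE-style packet from the terminal: header | ciphertext | HMAC tag."""
    key = scheme.key_for(terminal_id, counter)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tid = terminal_id.encode()
    header = struct.pack(">H", len(tid)) + tid + struct.pack(">I", counter)
    body = header + prf_stream(enc_key, nonce_for(terminal_id, counter), plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


class LineEncryptionServer:
    """Acquirer-side endpoint: drops tampered or forged packets and replays, then decrypts."""
    def __init__(self, scheme):
        self.scheme = scheme
        self.last_counter = {}  # terminal_id -> highest counter accepted so far

    def receive(self, packet):
        tlen = struct.unpack(">H", packet[:2])[0]
        terminal_id = packet[2:2 + tlen].decode()
        counter = struct.unpack(">I", packet[2 + tlen:6 + tlen])[0]
        body, tag = packet[:-32], packet[-32:]
        key = self.scheme.key_for(terminal_id, counter)
        mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
            return None  # altered on the wire, or not sent by a terminal holding this key
        if counter <= self.last_counter.get(terminal_id, 0):
            return None  # replay of a packet already processed
        self.last_counter[terminal_id] = counter
        enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        return prf_stream(enc_key, nonce_for(terminal_id, counter), body[6 + tlen:])


# Constructed sample traffic: three terminals, three transactions each (9 in total).
SAMPLE_TRANSACTIONS = [(f"POS-{t}", c, f"AMT={100 * c}".encode())
                       for t in (1, 2, 3) for c in (1, 2, 3)]


def compare_schemes(leaked=("POS-1", 2)):
    """Blast radius of one leaked key under each scheme, over the sample traffic."""
    return {s.__name__: blast_radius(s(), SAMPLE_TRANSACTIONS, leaked)
            for s in (SharedKey, UKPT, DUKPT)}
```

Calling compare_schemes() over the nine sample transactions, with the key of terminal POS-1's second transaction leaked, gives 9 readable transactions under the shared key, 3 under UKPT (that terminal only) and 1 under DUKPT, which is exactly the risk ordering the post describes. The LineEncryptionServer accepts a packet once and returns None for the same bytes sent again or for any byte changed in transit, which is the replay and wire-tapping protection TLE is meant to add.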