Now, RBI takes complete charge of monitoring debit card data breach

The Reserve Bank of India has taken complete charge of monitoring and to prevent further damage to the banking system as the data of 3.2 million cards have been compromised.

In a meeting convened by the regulator and attended by senior officials of banks, National Payment Corporation of India (NPCI) and card network operators RBI has directed the lenders that from now the central bank will be taking stock of the situation. Lenders have been also asked to not issue any communication with regard to card misuse as all the information will now come from RBI.

"To review the steps taken by various agencies to contain the adverse fall out of certain card details alleged to have been compromised," the central bank said in a notification on its website.

This is the first time the central bank has commented on the data breach that happened in August-September. The issue came to RBI's notice on September 8, it said, adding the issue is currently being investigated by an approved forensic auditor, under PCI-DSS (Payment Card Industry Data Security Standard) framework.

The central bank once again advised banks to review their security arrangements under cyber security framework. Even in the last few months RBI has been asking banks to step up the security to ensure that chances of cyber fraud is minimised.

Banks have received complaints from only 641 customers about fraudulent activity. However, data of about 3.2 million cards have been compromised.

The central bank notification said banks have been taking necessary remedial action to avoid any potential abuse of such cards in future and that the amount fraudulently withdrawn has been re-credited.

"Banks have taken measures including advising the customers to change PIN, blocking payments at international locations, reducing the withdrawal limits, monitoring unusual patterns, replacing the cards and re-crediting the accounts of cardholders for amounts wrongly debited," RBI said.

It is a good practice to change the pins and passwords periodically, RBI said. Advising that the credentials of the cards should not be shared with anyone for any reason, RBI said "banks do not ask for card or account details from their customers."

According to reports, the systems of Hitachi Payment Services were infested with malware that helped miscreants steal personal information and do fraudulent transactions. Hitachi Payment Services denied the malware infection took root in its systems. A detailed forensic audit is being conducted by SISA, payments security specialist, and the results are expected by the first week of November.

The malware was reportedly found in the processors of Hitachi Payment Services' central switch, which operates most of YES Bank and some other ATMs owned by non-bank entities.

However, both YES Bank and Hitachi said there was no breach or compromise at their end.