Businessman Nishant Agrawal (name changed on request) was asleep at his home in Delhi when he got an SMS at 1.30 in the night informing him that his credit card had been swiped in London and Rs 60,000 spent. Right after the first transaction, however, he got a call from his bank’s risk-monitoring department in Chennai enquiring if he had carried out the transaction. Agrawal replied he had not and asked for the card to be blocked. “The miscreant tried several more times and I kept getting messages of failed transactions. Thankfully those transactions did not go through as the card had been blocked,” says Agrawal. After some enquiry and asking him to fill up a form, his bank reimbursed the money in the very next billing cycle.
While Agrawal did not lose any money, others are not so lucky. “With the penetration of cards growing, incidents of card frauds have assumed mammoth proportion. It is the second-biggest form of cybercrime after online and social media abuse,” says Prashant Mali, president and founder, Cyber Law Consulting. To curb misuse of the type described above, the Reserve Bank of India (RBI) issued a circular on January 15, 2020.
Customers to enjoy greater control: In future, whenever a person is issued a new card, or loses his old card and is issued another, it will be usable only at an ATM or a point-of-sale (PoS) terminal within the country. It will not work online or on a machine outside the country. It also won't work in a contactless manner (where you just tap the card, and neither swipe it nor insert it in a slot). These features will work only when the user enables them.
For existing cards, banks have been allowed to decide, based on their assessment of the client’s risk profile, whether to disable these features. If you have never used your card abroad, your bank may decide to disable international transactions. Furthermore, online usage will be compulsorily disabled for existing cards that have never been used online. The user will have to enable this feature.
RBI has also mandated that customers be given the option to switch on or off international, online, PoS and contactless usage via a variety of channels—net banking, mobile app, interactive voice response (IVR), etc. They should also be allowed to set daily limits on spending via these means.
International misuse likely to be curbed: Databases containing card details of thousands of customers are stolen and sold in bulk on the darknet. International scamsters buy and use the data to misuse Indian customers’ cards.
In India the RBI has made two-factor authentication compulsory. You need to use a PIN or a one-time password (OTP) received via SMS to complete transactions. That is not the norm internationally. “If a criminal just has a photograph of both sides of your card, he can use the data printed there to carry out international transactions. Once these norms come into force, and customers keep international usage switched off, such crimes will reduce,” says Udbhav Tiwari, public policy advisor, Mozilla.
Customers will be able to exercise more control. “They can switch on or off any domestic or international usage, depending on their need, say, when they are going abroad or need to shop at a foreign web site, and switch it off the rest of the time,” says Bharat Panchal, chief risk officer-India, Middle-East & Africa, FIS, a global provider of financial technology software, services, and solutions.
The requirement that a new card should first be used at an ATM or PoS machine is meant to tackle frauds arising from the theft of new cards in transit. “The user will have to use his PIN to use the card for the first time. That will ensure the card has reached the right person,” adds Panchal.
Some initial inconvenience: Banks have been given the leeway to determine the risk profile of existing users and switch off certain usages. Different banks will determine the risk profile of customers differently. So, a customer may suddenly find he is unable to use his card internationally. Someone trying to buy a burger at a fast-food restaurant may not be able to pay for it because contactless usage has been switched off. “Customers may face a little convenience initially in lieu of enhanced security. It’s a reasonable trade-off. They need to become aware they have the power to enable and disable these features at will,” says Tiwari.
Beware, frauds can still happen: Suppose that a card owner keeps his credit card switched on for international usage because he subscribes to the New York Times. If the card details of such a person get stolen and used internationally, he could still lose money. The answer lies in keeping a separate card for international usage, which is always switched on, and setting a daily limit just above the subscription amount to curb your losses. Keep a close eye on SMS and email messages from your bank regarding card transactions, and also on your credit card statement. Get your card blocked the moment you see a transaction you do not recognise.
Phishing-type frauds can still happen. If you receive a message—SMS, email or over WhatsApp—from a stranger with a link, do not click on it. The moment you do so, the hacker will get access to your device and could steal data from it. Similarly, beware of vishing (voice-enabled phishing). Do not reveal any card-related information over the phone to any person claiming to be bank staff. Also, do not store a picture of both sides of your card on your mobile, or the PIN or password in your phone’s contact list. If your card is RFID-enabled (such cards carry a symbol resembling Wi-Fi signal bars), switch off or set a limit on contactless usage. If, despite these precautions, a theft does occur, inform the bank and the police station within 48 hours of the incident.