RBI/2014–15/601 DPSS.CO.PD.No.2163/02.14.003/2014–2015
May 14, 2015
Card Payments – Relaxation in requirement of Additional Factor of Authentication for small value card present transactions
Reserve Bank has issued various instructions on security of card transactions and risk mitigation measures, including directions on online alerts as well as on additional factor of authentication. These measures have significantly increased customer confidence in using cards.
2. In the recent past, Reserve Bank has received requests for waiver of requirement of the additional factor of authentication (AFA) so as to foster innovative payment products / processes as also enhance the convenience factor in certain types of card transactions. After examining the trade-off between security and convenience in card transactions, Reserve Bank had placed for public comments a draft circular outlining the relaxation in the need for AFA in case of small value card present transactions using Near Field Communication (NFC) contactless technology subject to adherence to EMV standards.
3. The comments received on the draft circular have been examined. Accordingly, it has been decided to relax the extant instructions relating to the need for AFA requirements for small value card present transactions only using contact-less cards. In this regard, it is advised that -
- Relaxation for AFA requirement is permitted for transactions for a maximum value of Rs 2,000/- per transaction;
- The limit of Rs.2000/- per transaction will be the limit set across all categories of merchants in the country where such contactless payments will be accepted;
- Beyond this transaction limit, the card has to be processed as a contact payment and authentication with PIN (AFA) will be mandatory;
- Even for transaction values below this limit, the customer may choose to make payment as a contact payment, which has to be facilitated by both issuing and acquiring banks. In other words, customers cannot be compelled to do a contactless payment;
- Banks are free to facilitate their customers to set lower per-transaction limits. The responsibility for authorizing the contactless payment based on such card-based limits will lie with the card issuing banks;
- Suitable velocity checks (i.e., how many such small value transactions will be allowed in a day / week / month) may be put in place by banks as considered appropriate; and
- The contactless cards should necessarily be chip cards adhering to EMV payment standard, so as to be acceptable across the existing card acceptance infrastructure which are EMV compliant based on the earlier mandate in this regard.
5. Further, in the interest of customer awareness and protection the banks are also advised:
- to clearly explain to customers about the technology, its use, and risks while issuing such contact less cards;
- to create awareness among customers to look for / identify the “contactless” logo on the card (to distinguish them from other cards) as well as the merchant location / POS terminal (to identify that contactless payments are accepted at that location);
- to clearly indicate to the customers that they can use the card in contactless mode (without PIN authentication) for transactions upto Rs.2000/- in locations where contactless payments are accepted and to make customers aware that they are free to use the same card as a regular chip card (with PIN authentication) at any location irrespective of transaction value;
- to clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards along with the responsibility of the customer to report the loss of such cards to the bank; and
- to put in place robust mechanism for seamless reporting of lost/stolen cards, which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).
6. It may, however, be noted that the above relaxations shall not apply to:
- ATM transactions irrespective of transaction value; and
- Card Not Present transactions (CNP).
7. This directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).