Transactions on Card upto Rs. 2000/- can be done without Using PINRBI

RBI/2014–15/601 DPSS.CO.PD.No.2163/02.14.003/2014–2015

May 14, 2015

Card Pay­ments – Relax­ation in require­ment of Addi­tion­al Fac­tor of Authen­ti­ca­tion for small val­ue card present transactions

Reserve Bank has issued var­i­ous instruc­tions on secu­ri­ty of card trans­ac­tions and risk mit­i­ga­tion mea­sures, includ­ing direc­tions on online alerts as well as on addi­tion­al fac­tor of authen­ti­ca­tion. These mea­sures have sig­nif­i­cant­ly increased cus­tomer con­fi­dence in using cards.

2. In the recent past, Reserve Bank has received requests for waiv­er of require­ment of the addi­tion­al fac­tor of authen­ti­ca­tion (AFA) so as to fos­ter inno­v­a­tive pay­ment prod­ucts / process­es as also enhance the con­ve­nience fac­tor in cer­tain types of card trans­ac­tions. After exam­in­ing the trade-off between secu­ri­ty and con­ve­nience in card trans­ac­tions, Reserve Bank had placed for pub­lic com­ments a draft cir­cu­lar out­lin­ing the relax­ation in the need for AFA in case of small val­ue card present trans­ac­tions using Near Field Com­mu­ni­ca­tion (NFC) con­tact­less tech­nol­o­gy sub­ject to adher­ence to EMV standards.

3. The com­ments received on the draft cir­cu­lar have been exam­ined. Accord­ing­ly, it has been decid­ed to relax the extant instruc­tions relat­ing to the need for AFA require­ments for small val­ue card present trans­ac­tions only using con­tact-less cards. In this regard, it is advised that -

  1. Relax­ation for AFA require­ment is per­mit­ted for trans­ac­tions for a max­i­mum val­ue of Rs 2,000/- per transaction;
  2. The lim­it of Rs.2000/- per trans­ac­tion will be the lim­it set across all cat­e­gories of mer­chants in the coun­try where such con­tact­less pay­ments will be accepted;
  3. Beyond this trans­ac­tion lim­it, the card has to be processed as a con­tact pay­ment and authen­ti­ca­tion with PIN (AFA) will be mandatory;
  4. Even for trans­ac­tion val­ues below this lim­it, the cus­tomer may choose to make pay­ment as a con­tact pay­ment, which has to be facil­i­tat­ed by both issu­ing and acquir­ing banks. In oth­er words, cus­tomers can­not be com­pelled to do a con­tact­less payment;
  5. Banks are free to facil­i­tate their cus­tomers to set low­er per-trans­ac­tion lim­its. The respon­si­bil­i­ty for autho­riz­ing the con­tact­less pay­ment based on such card-based lim­its will lie with the card issu­ing banks;
  6. Suit­able veloc­i­ty checks (i.e., how many such small val­ue trans­ac­tions will be allowed in a day / week / month) may be put in place by banks as con­sid­ered appro­pri­ate; and
  7. The con­tact­less cards should nec­es­sar­i­ly be chip cards adher­ing to EMV pay­ment stan­dard, so as to be accept­able across the exist­ing card accep­tance infra­struc­ture which are EMV com­pli­ant based on the ear­li­er man­date in this regard.

5. Fur­ther, in the inter­est of cus­tomer aware­ness and pro­tec­tion the banks are also advised:

  1. to clear­ly explain to cus­tomers about the tech­nol­o­gy, its use, and risks while issu­ing such con­tact less cards;
  2. to cre­ate aware­ness among cus­tomers to look for / iden­ti­fy the “con­tact­less” logo on the card (to dis­tin­guish them from oth­er cards) as well as the mer­chant loca­tion / POS ter­mi­nal (to iden­ti­fy that con­tact­less pay­ments are accept­ed at that location);
  3. to clear­ly indi­cate to the cus­tomers that they can use the card in con­tact­less mode (with­out PIN authen­ti­ca­tion) for trans­ac­tions upto Rs.2000/- in loca­tions where con­tact­less pay­ments are accept­ed and to make cus­tomers aware that they are free to use the same card as a reg­u­lar chip card (with PIN authen­ti­ca­tion) at any loca­tion irre­spec­tive of trans­ac­tion value;
  4. to clear­ly indi­cate the max­i­mum lia­bil­i­ty devolv­ing on the cus­tomer, if any, at the time of issuance of such cards along with the respon­si­bil­i­ty of the cus­tomer to report the loss of such cards to the bank; and
  5. to put in place robust mech­a­nism for seam­less report­ing of lost/stolen cards, which can be accessed through mul­ti­ple chan­nels (web­site, phone bank­ing, SMS, IVR etc.).

6. It may, how­ev­er, be not­ed that the above relax­ations shall not apply to:

  1. ATM trans­ac­tions irre­spec­tive of trans­ac­tion val­ue; and
  2. Card Not Present trans­ac­tions (CNP).

7. This direc­tive is issued under Sec­tion 10(2) read with Sec­tion 18 of Pay­ment and Set­tle­ment Sys­tems Act 2007 (Act 51 of 2007).

Leave a Reply

Your email address will not be published. Required fields are marked *