August 22, 2014
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks
Madam / Dear Sir,
Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions
Please refer to our circulars RBI/DPSS No. 1501 / 02.14.003 / 2008-2009 dated February 18, 2009, RBI/DPSS No.1503 / 02.14.003 /2010-2011 dated December 31, 2010 and RBI/DPSS No.223/02.14.003/2011-2012 dated August 04, 2011 wherein directives were issued making it mandatory for banks to put in place additional authentication / validation based on information not visible on the cards for all on-line card not present (CNP) transactions (e-commerce / IVR / MOTO / recurring based on standing instructions).
2. A reference is also invited to our circular RBI / DPSS No.914/02.14.003/2010-2011 dated October 25, 2010 on the subject, clarifying the applicability of the above directives on the nature of card not present transactions. It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.
3. It has come to our notice that despite the above clarifications there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and services offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.
4. In view of the above, it is advised that entities adopting such practices leading to willful non-adherence and violation of extant instructions should immediately put a stop to such arrangements.
5. It is further advised that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.
6. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).
7. This directive shall come into effect immediately from the date of this circular. However, existing arrangements, if any, will be accorded time up to October 31, 2014 to comply with our instructions, to avoid any business disruption, without prejudice to further action, if any, for violation of extant provisions under PSS Act/FEMA.