RBI/2010-2011/243
RBI / DPSS No.914/02.14.003/2010-2011

October 25, 2010

The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /.
District Central Co-operative Banks
Authorised card payment networks

Madam / Dear Sir

Credit/Debit Card transactions- Security Issues and Risk mitigation measures for Card Not Present Transactions.

We had vide our circular RBI/2008-2009/ 387, DPSS No. 1501 / 02.14.003 / 2008-2009, dated February 18, 2009, mandated that with effect from August 01, 2009, banks shall provide an “additional authentication/validation based on information not visible on the cards for all on-line card not present transactions”. (This mandate has been extended to all IVR transactions with effect from January 01, 2011, vide our circular RBI/2009-2010/420, DPSS No. 2303 / 02.14.003 / 2009-2010 April 23, 2010)

2. We have been receiving references regarding the applicability of this mandate for online transactions effected using cards issued by banks outside India on Indian merchant sites, and the use of Indian cards for transactions on foreign websites.

3. In this regard, it is clarified that the mandate shall apply to all transactions using cards issued in India, for payments on merchant site where no outflow of foreign exchange is contemplated. The linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.

4. The mandate is not presently applicable for use of cards issued outside India, on Indian merchant sites.

Yours faithfully

G. Padmanabhan
Chief General Manager