Card Payments - Removal of requirement of Additional Factor of Authentication for small value card present transactions

DPSS.CO.PD.No. /02.14.003/2014-2015

March 13, 2015

The Chairman and Managing Director / Chief Executive Officer
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks

(Draft Circular for comments)

Madam / Dear Sir

Card Payments - Removal of requirement of Additional Factor of Authentication for small value card present transactions

Reserve Bank of India has issued various instructions on security of card transactions and risk mitigation measures, including directions on online alerts as well as on additional factor of authentication. This has resulted in strengthening both card present (CP) and card not present (CNP) transactions. The measures have significantly reduced the misuse of cards.

2. Of late, the Reserve Bank has been receiving requests from customers and entities in certain niche segments indicating the need to foster innovative payment products / processes and for enhancing the convenience factor in certain use cases / type of transactions without the need for having the mandatory additional factor of authentication (AFA).

3. The requests have been examined from the perspective of the trade-off between security and convenience in card transactions and the need for relaxation in extant instructions with suitable safeguards to protect customer interest in light of the availability of new technologies. One such technology is Near Field Communication (NFC), which is used in contactless cards. Contactless cards are chip cards which provide security as well as convenience.

4. Accordingly, it has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC. In this regard, it is advised that -

  1. Relaxation for AFA requirement is permitted for transactions for a maximum value of Rs 2,000/- per transaction; banks are free to set lower per transaction limits.

  2. the contactless cards should necessarily adhere to EMV standards.

  3. Suitable velocity checks (daily, monthly, etc) shall be put in place by banks as agreed upon by the customer.

  4. for transaction value above the threshold limit of Rs 2000/-, PIN (AFA) will be mandatory.

5. Further, in the interest of customer protection the banks are also advised:

  1. to clearly explain to customers about the technology, its use, risks and liability while issuing contactless / NFC cards.

  2. to clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards, along with the responsibility of the customer to report the loss of such cards to the bank immediately through multiple channels made available by the bank.

  3. to put in place robust mechanisms for seamless reporting of lost/stolen cards which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).

6. However, it may be noted that the above relaxations shall not apply to:

  1. ATM transactions irrespective of transaction value.

  2. Card not Present (CNP) transactions.

7. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).

Yours faithfully

(Nanda S Dave)
Chief General Manager