RBI asks banks to make phone banking more secure

RBI asks banks to make phone banking more secure

New Delhi: Banks will have to soon put in place an additional authentication cover for their credit and debit card customers transacting over phone, or get penalized.

Taking forward its efforts to tackle identity frauds in non-branch banking transactions, the Reserve Bank of India (RBI) has asked all the banks operating in the country to put in place by next year a system where credit and debit card customers would need to provide an additional password for IVR (interactive voice response) transactions.

IVR transactions are done over phone, wherein customers dial bank’s customer care number and are prompted by a recorded voice to dial designated digits for different kinds of transactions such as balance enquiry, bill payment etc.

The customers would now need to key-in an additional password on their phone, besides the currently prevalent details like card number, date of birth, card issue or expiry date and in some cases a telephonic password.

As RBI has also noted, there has been a stupendous rise in recent past in the banking transactions through channels other than the traditional branch banking. Such non- traditional routes include Internet, mobile and phone banking.

However, these new-age banking transaction routes are considered to be relatively more prone to identity frauds and the credit or debit cards could be misused by those other than their bonafide owners.

To tackle this menace, RBI last year asked the banks to put in place April 2009 onwards “a system of providing for additional authentication/validation based on information not visible on the cards" for transactions where card was actually not presented.

While this directive covered online transactions, it did not apply to IVR transactions and RBI had said at that time that “separate instructions will follow" for the same.

In both online and IVR transactions, a card is not actually presented for conducting the transactions, unlike the transactions at ATMs or merchant establishment where a credit or debit card needs to be swapped for credit or debit to take place from the customer’s account.

However, RBI has now decided to “extend this requirement of additional authentication/validation to all CNP (card not present) transactions including IVR transactions."

This additional security codes would need to be different than those visible on the cards, such as the card number, CVV (card verification value, which is printed on the back of the card), date of birth and date of issue and expiry.

As these are visible on a card, a nonbonafide customer, having seen the card at places like merchant establishments, can use them to transact in the account over phone.