Banks get more time for extra security layer

RBI has given banks one more month to put in place an extra layer of security -- one-time user password -- for credit card transactions over phone.

The banks would now be required to comply with the new guidelines by February 1, after which the customers would need the additional password for telephonic credit card payments.

As per RBI guideline, banks were to decline any telephonic banking transactions, including the automated IVR (Interactive Voice Response) services, if customers do not have the One-Time Password (OTP) for such services with effect from January 1, 2011.

However, some banks expressed their inability to comply with this directive within the stipulated time and asked for more time to put in place the systems required for it, a senior official at a leading private sector bank said.

After consultations among its top officials, as also with the bank representatives, RBI has given banks time till February 1, 2011, for putting in place the security measure.

The proposed OTP will be valid for a single use and would remain in effect for a period of 2 hours. The customers would need to generate a separate OTP for each IVR transaction.

The new step has been taken as a safeguard against credit card frauds. There has been an uptick in credit card frauds, where lost or stolen cards can be used by anyone.

For transactions where cards are needed to be presented physically, the RBI has already made it mandatory for an identity verification and the signature also needs to be matched with that on the card. But phone and internet banking have been a matter of grey areas in terms of their misuse.

The added security layer for phone banking follows a similar step taken by the banks for internet banking transactions. Last year, RBI had made it mandatory for banks to put in place an additional security layer for all credit card transactions over the internet.

Banks are already communicating to their customers to get the OTP for their phone banking transactions.

"The date of implementation (of additional password) has been revised to February 1, 2011, as advised by RBI," private sector bank HDFC Bank said in a circular to its credit card customers.

Those customers who do not get an OTP before February 1, will be prompted to get one whenever they initiate a phone banking transaction.

The password will be sent only to the registered mobile number and email address of the customer.

After the new security layer, the customers would need at least five numbers to conduct a credit card transaction over phone, including the 16-digit card number, card expiry date, CVV (Card Verification Value, which is printed on the back of the card) number, mobile number, and the OTP.