Bankers said the recalled cards include those that have been replaced as a 'pre-emptive measure', while in many cases the customers have been asked to mandatorily change the PIN and other security numbers to resume using the blocked cards.
While there were some reports about certain cards, affected by security breach, having been used fraudulently abroad including in China, bankers appeared putting the blame on a payment services provider that manages ATM network of a private sector bank.
Among the private sector players, ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PINs. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.
The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves ATM network of Yes Bank.
Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.
"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," Yes Bank chief Rana Kapoor told reporters.
Hitachi Payment Services, however, maintained its system was not compromised, citing interim report by an external audit agency appointed by it.
According to bankers, the breach took place in such a way that anyone using the said bank's ATMs in the region might stand to get affected.
Seeking to calm worried card users, the Finance Ministry
also said that debit cards are completely safe and there should be no room for panic.
Central Bank's Executive Director R C Lodha said, "A few customers came to us about unauthorised transactions from their cards in China. These customers do not even have passports. We have replaced such cards."
The debit cards which were affected included of Visa, Mastercard and RuPay.
In a statement issued today, Visa said, "It has been informed that some payment cards in India may have been compromised due to suspected breach of payment systems at a service provider. We also note reports that some of these affected accounts have been fraudulently used for overseas transactions."
Mastercard said its systems have not been breached.
"At Mastercard, safety and security of payments is a top priority for us and we are working on the investigations with the regulators, issuers, acquires, global and local law enforcement agencies and third party payment networks to assess the current situation," it said in a statement today.
Hitachi Payment Services' Managing Director Loney Antony said some of the banks to whom the company provides payment services, had reported such unauthorised transaction towards end of July. It had then conducted an internal enquiry which did not find any security breach.
"We had appointed an external audit agency in the first week of September to check the security of our systems for any breach or compromise based on a few suspected transactions that were highlighted by banks for whom we manage their ATM networks. The interim report published by the audit agency in September does not suggest any breach or compromise in our systems," Antony said.
He said the final report is expected by mid-November.
Post this incident, while some of the banks like SBI have re-called around six lakh cards, others like Bank of Baroda, IDBI Bank, Central Bank of India and Andhra Bank have already replaced their debit cards as a pre-emptive measure.
HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.