RBI Sets Deadline for Migrating to EMV Cards
Security Experts Discuss the Challenges Involved in Making the Transition
The Reserve Bank of India has set a Dec. 31, 2018, deadline for banks to complete their migration to EMV chip-and-PIN payment cards, rejecting calls for additional deadline extensions for issuing the cards.
RBI says banks should initiate the steps necessary to progressively migrate to EMV by the deadline. All magnetic stripe cards must be replaced by the deadline, irrespective of the card's validity period, RBI notes.
Banks in India, as well as white label ATM operators, must ensure that all ATMs are enabled for processing EMV cards by Sept. 30, 2017. In addition, all new ATMs must be enabled to handle EMV cards.
The RBI also is asking banks to upgrade all ATMs by September with additional safety measures to prevent skimming and cloning.
While the POS terminal infrastructure has been enabled to accept and process EMV cards since May of last year, the ATM infrastructure continues to process card transactions based on data from the magnetic stripe, the RBI explains. To ensure uniformity in the card payment ecosystem, banks should also implement the new requirements at their micro-ATMs that handle card-based payments, India's central bank notes.
"The most important initiative is to make ATMs EMV compliant - a challenge, as this would be a costly proposition," says Sivakumar Krishnan, head of IT at M Power Micro Finance Pvt. Ltd., a non-banking finance company. "Hence, we see little traction on this front."
Are Banks EMV Ready?
In a move to enhance security, RBI had originally advised banks that as of Sept. 1, 2015, all new debit and credit cards, both domestic and international, should be EMV chip-and-PIN based.
RBI then extended the deadline after many banks requested the delay. But now, RBI has decided not to grant a further extension beyond December 2018.
Clearly, most banks still have a lot of work left to do.
"I believe less than 50 percent of banks have informed their customers regarding issuing of EMV chip-and-PIN cards," says M. Parthasarathy, managing director of Sinhasi Consultants Pvt. Ltd. "Even large banks ... have not informed account holders and are still distributing magnetic stripe cards."
While a majority of banks have their EMV certification and have started issuing EMV cards to customers, more than 30 percent of banks have yet to get EMV certified because a few ATM switch service providers are not complying with EMV specifications recommended by National Payment Corp. of India, says Hyderabad-based Milind Rajhans, assistant general manager for IT and CISO at AP Urban Co-operative Bank Ltd.
VISA and Mastercard have been providing five to 10 basis point discounts to banks on interchange fees for chip-based transactions as a catalyst for making the transition, Krishnan says.
Once banks migrate to EMV chip-and-PIN cards by the deadline, if a merchant lacks a POS terminal that can process EMV transactions and fraud results from processing the transaction using a magnetic stripe on the card instead, the cost of the fraud will be charged back to the merchant.
Security practitioners say there are more than 2.2 lakh ATMs across India. So it will take a while for engineers to physically visit all those ATMs for recalibration. Recalibration involves multiple agencies - including banks, ATM manufacturers, NPCI and switch operators - and multiple activities, making it a complex operation requiring immense coordination.
To provide direction and guidance, RBI has established a task force chaired by S. S. Mundra, RBI's deputy governor, which is expected to help expedite making ATMs EMV compliant.
A source at VISA, requesting anonymity, says ATM switches come with forensic capabilities to prevent transactional fraud.
The challenges in making the move to EMV, CISOs say, include establishing a new security architecture to meet the needs of new transactional systems and gaining the necessary funding.
Understanding the methodologies of migration, whether full EMV or Quick chip for EMV, is another challenge, Rajhans says. "If the Quick chip EMV solution is provided by the vendor, the whole mechanism is exposed to compromise," he says. "So CISOs must ensure the third-party vendor is EMV certified by NPCI."
Relevance of Security Standards
Currently, most card-based transactions are based on the PCI DSS and ISO standards. Some security practitioners, however, argue that PCI DSS requirements must be strengthened for transactions on POS.
As banks install new ATMs with EMV capabilities - a big investment - these practitioners expect that PCI authentication standards will have to be made tougher for the point-of-sale part of the transaction, as a majority of the cards follow PCI compliance standards.
To further enhance security, India is considering a move to contactless card transactions using the near field communication standard.
Some pilot projects are testing mobile-enabled ATM transactions using NFC, Krishnan says.