AP Hota, managing director and chief executive officer of National Payments Corporation of India – the domestic payment gateway speaks to The Hindu on the recent suspected debit card data compromise issue and discusses the lesson we learn from the episode.
What are lessons that we learn from this episode?
One of the lessons that have come out very clearly is that we were thinking that 100 per cent of the customers have linked their mobile number to the bank account, But it is no so. As far the information we have got, it is only 50 per cent of the customers whose mobile numbers are registered with the bank.
NPCI gave a statement yesterday saying there is no need for customers to panic. Why do you say so?
If at all there was any card compromise, if at all, the fraudulent transactions should have happened by now and the customer would have complained. A total 641 complaints have come in the first week of September and not now. And the card compromise, if at all that has happened, it happened in June and July. The fraudsters would have taken sometime to make the cards, and fraudulent transactions would have happened in August and September. By this time, the customers and banks have changed the pin also. If the pin is has not been changed, the card if blocked.
But is there a failure on the part of the bank to educate their customers?
Customer education is a continuous process. We cannot say it is a part of the failure of the banks, but they could have done more.
It has been noticed by several customers that there are some small value transaction for which banks don’t sent alerts…
As per RBI circular, irrespective of the amount the bank should send alerts. RBI has also allowed that if the banks so like they can charge the customers for the mobile alerts service. But some banks have decided not to charge but fixed a transaction limit beyond which they will send the alert. Banks should follow what RBI said and not make their own rules.
Who will compensate the customers for any loss?
RBI has clear guidelines on the issue. As far as the customer is concerned, once it is proven that the transaction is fraudulent, banks will reimburse. And the bank later on would get reimbursed from the bank which is responsible for the fraud.
For example, in the 641 complaints, the largest number if from Axis Bank. Axis Bank will refund the customers and they in turn will get compensated once it is proven that switch of other banks is at fault. There are well laid out ruled for that.
There was not a single complain on RuPay cards, mainly because our RuPay international cards are less. All the complaints were from Visa and Mastercard.
What are the steps that banks should take to avoid such incidents?
All the banks have should have the fraud risk management tool. They can subscribe to NPCI services and most of the banks have subscribed. Banks also must conduct the PCI-DSS audit (Payment Card Industry-Data Security Standard), once in an year to ensure how the data security should be maintained.
Do you think the incident will affect RBI’s vision of a cashless economy?
No don’t think this incident will not effect the RBI’s vision of a cashless economy. I think our payments system is robust.
