Debit card scare: A lesson for banks and their customers

October 24, 2016

Debit card data pilferage – security breach or just plain human error?


One of the biggest cases of suspected debit card data compromise highlights the importance of a key issue in the financial sector: customer education. Customer education is becoming increasingly indispensable in a financial environment characterised by cutting-edge technologies and by product and process innovation. While occasional reports of fraud at automated teller machines (ATMs) make it to the brief columns in newspapers, the recent case made headlines because the magnitude of the scare was significantly larger.

Data of around 32.5 million debit cards, which were used for transactions in 90-odd ATMs of a particular bank located across the country, is suspected to be compromised. According to the National Payments Corporation of India (NPCI), the home-grown payments gateway, the problem came to light after complaints were received from a few banks that their customers’ cards were being used fraudulently, mainly in China and the USA, while the customers themselves were in India. Apprehending that this could be a case of card data compromise, all the ATMs/PoS terminals in India and three card networks (RuPay, Visa and MasterCard) worked in a collaborative manner in September 2016.

It was found that the complaints of fraudulent withdrawal were limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore, as reported by the various affected banks to the NPCI. The number of complaints was limited mainly because about 50 per cent of the banks’ customers do not have their account numbers linked to their mobile phone numbers. As a result, they did not receive any alerts when a transaction was made. Furthermore, when banks did start alerting customers to change their PIN, this communication did not reach them either. Consequently, some banks, such as State Bank of India, decided to block the cards and issue new ones, which is of course an added cost to them.

This is despite the Reserve Bank of India (RBI) issuing a circular about two years back asking banks and customers to get mobile numbers registered and asking banks to alert their customers for every transaction. Moreover, even if the customer’s mobile number is registered with the bank, the bank sometimes sends alerts only if the value of the transaction is more than a particular threshold, say Rs 1,000 or Rs 10,000. This varies from bank to bank, and it is against the spirit of the RBI guidelines. RBI norms clearly say that a bank can, if it wishes, charge customers for the SMS alert service. However, some banks are not charging but, at the same time, are not sending SMS alerts for each and every transaction.

