Entering ATM PIN is now compulsory when you use Debit Cards
RBI has made it mandatory to punch in your PIN when you use your debit card at shopping outlets (Big Bazaar, petrol pumps, shops) from Dec 1 2013. I realised just a few days back that this has already started. I was shopping for household things at a mall nearby and was asked to punch in my debit card PIN after it was swiped. It was the first time I had to do that in the last so many years of using my debit card for shopping. I covered the machine with my hands and entered my PIN and the transaction went through.
There are close to 350 million debit cards in India right now, and you can imagine the quantum of fraud which is possible with so many debit cards in India. Before this rule came into effect, if your debit card was lost, someone could just take it, go shopping, swipe it and never get caught, because the shopkeepers never checked signatures, the identity of the person etc.
But now with this new rule in place, an additional check of entering the PIN is required and the chances of fraud are lowered to some level.
But – there are some Problems due to this
Now from one angle, surely frauds will come down, but at the same time this new rule exposes you to some new risks and potential frauds. For example, if you punch in your PIN without much thought while others around you are looking at the machine, they can see the 4-digit PIN you punched and memorize it.
Forget strangers; imagine you are with some friend/relative and you punch in your PIN. He/she looks at it, memorizes it and can now use it later for some online transaction (he/she still has to find out your card number and expiry date, which are clearly mentioned on your card).
Also, at some outlets dishonest shopkeepers have skimmer machines which record your data when you swipe the card; they can then duplicate your card and use it later to withdraw cash from an ATM or do transactions with the duplicate card.
An article from Firstpost also mentions that there is a possibility of the PIN being stored on the machine after you have punched it.
The next question to ask is can the PIN be stored (knowingly/ unknowingly) on the card reader machine by the retailer? According to this report in the USA, instances have been known where many merchants have incorrectly stored PIN information they should be destroying after customers enter the secret code. While we agree this is a western world report, Indian fraudsters have always been inspired to copy those tricks in the domestic markets. What would stop our fraudsters? And even if your merchant would have stored the PIN inadvertently on his card machine, a hacker can easily access the retailer’s machine to get data about several card holders along with their PINs.
Implementation from Dec 1
The above rule was to be followed by all the terminals from Dec 1, 2013. Anyone not complying is just not following RBI guidelines and breaking the law.
While all the places I have seen have started implementing it, at some places it's still not being followed. Here is one instance from the comments section of the same Firstpost article, where someone shares his experience.
Yesterday, on 4 Dec, I went to another restaurant and wanted to pay via debit card. While the merchant was punching into the machine, I was waiting for him to hand over the machine. But this is not what happened; I was not asked for the PIN at this restaurant even after the new RBI rule is in effect.
This clearly shows that the new RBI rule is not yet completely applied by all merchants/banks.
What do you think about this new change? Are you happy with it, or do you have some reasons against this change?
Good and neat article. However, I wish to draw your attention to the following point. The article assumes that POS pin and online transactions pin are same. As far as I know, they are different.
Transactions could be made more secure if the user, instead of entering the same pin for every transaction, could enter the one time pin the credit/debit card companies are mandated to send through SMS to the registered mobile for each transaction.
Can you give more clarity on that?
Good move by RBI to avoid frauds, I must say!
I have been staying in the UK for quite some time and entering the PIN for every single transaction you make on any shopping is something I really felt should be implemented in India as well. But now, introducing PIN on all transactions would avoid a majority of fraudulent acts which happen every day…
Avoiding your friends/family members from memorising the PIN has a simple fix – just cover the panel with your hand while entering the PIN – I have to do it here in the UK as well, there is no harm in it and your friend/family members would understand as well, we have to just start doing it 🙂
Correct 🙂. I am with you on this!
In my opinion, RBI should have introduced the concept of entering OTP instead of ATM PIN. As soon as the merchant swipes your card, you should receive an OTP on your mobile which you can tell the merchant to complete the transaction. This would have been easy & safe. No Risk at all.
This is a good alternative!
I think there should be a feature of OPT-IN for this PIN kind of security. I hand over my add-on card to my driver to fill petrol on 6-7 of my cars, and pay for the grocery list that I provide him to purchase.
I can trust him with the card, but he is not much educated, and hence if I provide him the PIN, he can mistakenly shout out the PIN at the petrol pump and grocery store for others to know, while currently he just does it silently.
I know you guys will say that if I trust him with the card, I can trust him with the PIN too, but I guess for now I can only trust him with the card, and with the PIN comes more caution that I need to take care of since others can use it if he makes any mistake. This will defeat my whole purpose of the ease of making my driver do all the shopping for me as I'm too busy.
I know you guys will also debate regarding that, only the card holder should do the purchase and the one who has the signature on the back of the card has to do the purchase, but I guess I'm okay with that since I want more convenience and I can trust the driver with him guarding the card at all cost. But the PIN method might just add one more layer of theft if someone else other than my driver knows the PIN, and if anything goes wrong, the blame will be put on the driver.
The point of this message is convenience, so I guess you guys should not concentrate on the ethical ways for allowing my driver doing my shopping, but in fact debate on providing a feature like OPT-IN for such kind of security. If one wants lesser security he can at his will.
What say you guys? Why force everyone…
I can understand your situation, but is it something which the majority does? I mean you have a one-off case. The rules which are framed are made keeping in mind most of the population; for sure some cases like yours will have to readjust their strategy. I hope you will agree with me?
Manish
Even if someone gets to know the PIN they CANT withdraw the money without having the access to the card. So I don’t see any additional RISK involving in sharing the PIN with your driver unless you don’t trust him which is not the case with you. Also I have not seen any bank allowing to access any services with just the ATM pin (even the password reset asks additional questions like DOB etc).
*they CANT withdraw the money
I completely agree. I feel this is one of the stupid ways of securing, especially in India. The merchants are not well equipped with advanced machines (e.g. wireless, Display number punching etc.). They keep the machine near to the power socket and then they ask for the PIN; as you cannot go inside that area it becomes unsecured. I have seen these issues many times recently. Also I have seen that many merchants ask for the PIN and customers happily provide them as there is no awareness. The merchants keep staring at their machines.
Chintan
Thanks for sharing that. I also saw a lady screaming the PIN in a mall; they do not understand the problem it can bring in!
RBI's new guideline will be helpful in preventing fraud and enhancing security of transactions, whether it's a small or big amount.
Thanks for your views Prakash!
It's a good sign that RBI has taken the decision to make it mandatory to enter PIN for all debit cards.
I hope that is applicable for credit cards as well.
My opinion is this should have been done very long back; all the transactions on debit/credit cards must have a PIN which should be mandatory to make transactions. If you misplace a credit card you not only end up losing the credit amount, you also need to pay interest for that amount, however debit is only your savings account. I don't understand why merchandise always encourage to shop from credit card rather than debit card. I would say merchandize should give discounts & points more for debit card users compared to credit card as he is paying cash directly, and also EMIs should also need to be provided with debit cards, not just with credit cards.
Thanks,
Shravan
Thanks for sharing your views on the topic.
I feel it is a good move from the security perspective. Again the problem with this move does not involve entering the PIN but the people, we, who are responsible. From Dec 1, I've seen so many people sharing the PIN with the guy who is going to swipe it rather than taking the effort to go to the machine and swipe it. Far worse, I've seen a couple of people literally shouting out their PIN in public. 😀
Fools walk the surface of the earth and the worse part is they breed and reproduce 🙂
Thanks for sharing that.
Hi,
can you tell me more about BITCOIN and what exactly it is and how it works….
Hi Rakesh
It's all on Wikipedia – en.wikipedia.org/wiki/Bitcoin
YES, I personally feel that it won't solve the problem completely. There need to be introduced higher levels of security by Govt.
Keep it simple especially for your sake:
Always use CREDIT CARD when you want to swipe your plastic card. WHY? If any fraud happens then you don’t have to pay right away and you can always dispute it.
BUT if any fraud happens on your DEBIT CARD then the money goes right from your account and bank will NOT take any responsibility what-so-ever.
Unfortunately, Indian financial system has a long way to go before instituting robust fraud laws, so for now watch your back and stay safe….
Thanks for sharing your views on that.
This is the usual way to pay in the UK. It was introduced a few years ago (may be around 2009/2010). I feel secure that even if my card is lost, no one can use it at most of the places which have chip and pin machines. The risk of fraud is always present, and for someone trying harder, it is not difficult to commit fraud anywhere. With newer technology changes, we simply make it a bit more difficult so that usual fraudsters cannot exploit the previous loopholes.
Thanks for sharing your views on this Nehal!
Hi,
I have a query, is it also mandatory to enter ATM pin when you swipe using a credit card transaction at merchant joints?
I am sure many would be benefited if someone knows the answer.
Regards,
Ashish
Yes, it's mandatory!
I think it's a good measure, increases the security overall. I faced an incident where the petrol bunk person asked me for my PIN as his machine was located remotely. I went there & punched it in myself. I think this will become a tendency where customers will be asked to tell their PINs & the shopkeeper keys them in on behalf of them. So be cautious & enter the PIN yourself.
One should never share their PIN with anyone. Because one can note down your CARD number, Expiry and PIN and then use it for online transactions!
The biggest issue with the new Chip and Pin cards for me is not what is mentioned, but how they broke my internet buying.
I recently got my Axis MC DC replaced with an MC Chip & Pin based card. Activated the card, changed the PIN, did a transaction at the ATM — things seemed fine. Just today tried buying some items on Flipkart and Zoomin and the transaction was declined by the bank. Re-changed my MCSecureCode, re-tried to no avail. Again changed my SecureCode and tried on another Indian e-portal only to see my payment getting declined again by the bank.
Oddly enough, the card works fine on Amazon and Steam! Go figure.
On contacting the Axis Bank CSAs, as usual, they had no clue and told me to wait for 48 hours as the problem automagically fixes itself.
Pathetic! Absolutely pathetic.
Thanks for sharing your experience with all of us. I think you should claim some compensation on the loss made by you with Axis Bank. Complain to Axis Grievance cell and also to banking ombudsman.
Manish
My guess as to why it works is this:
When you buy on-line outside the country, even the VbV (Verified by Visa) password is not asked, sometime ago. That means international transactions (like Amazon and Steam!) that you refer to don’t need any second verification!!
In other cases (Indian) it may be that there is some problem with the second verification Software of the bank!!
@Chander: That would be my guess as well. The problem is how to get it fixed. The local branch was useless, the CSA was useless. The only option I’ve is to write to the Ombudsman. :/
1) Even Credit Cards also need to have their PINS entered; especially if they have been used for making International Payments online, or used abroad.
2) Outlets like Big Bazar swipe the card at the edge of their computer, in addition to swiping on the POS Terminal!!
We are thriving on diversity and lack of any “system approach” — even with the Aadhar Card (steered by an Infosys co-founder) which has contributed to gross confusion elsewhere. Hats off to the LPG Cos in Kerala. Subsidies are being credited into Bank A/c.
Thanks for sharing your views on this topic Chander!
Cards were a good option as they reduce the risk of stealing cash since they can be blocked via call. Now, again going back to “Payment via Cash” might prove this card technology useless. I think entering the PIN is much safer than not entering at all.
By making PIN mandatory I think there would be an increase in the number of consumers who will “start changing their PIN at frequent intervals” which is a good thing to do.
Regarding machines which store PIN number and fraud merchants, there should be some regulatory authority which makes sure that merchant-machines are not proving any loss for the consumer, failing to which even once will make them lose their license.
Yea. Even I think it's going to do more “good” than “bad”.