Indian banks lax on credit card security, warns survey

The survey, State of Data Security and Privacy in the Indian Banking Industry, found that security of credit card transactions is “lagging” and that even “basic measures for ensuring card security have not been adopted by many banks” in India.

In addition, banks have been slow to adopt stronger transaction security measures, such as the use of dynamic tokens, identity grids, and risk-based authentication.

“Against the backdrop of well known global cases of card breaches, it is surprising to note that the basic measures for ensuring card security have not been adopted by many of the banks. The practices such as storing and printing authorization information like CVV [card verification code] and expiry date, merchants creating plain text card records, non-masking of card number (PAN) followed by banks are non-conformant to globally accepted practices for card security”, the report warned.

The survey of 20 Indian banks found that a lack of coordination and cooperation between the security and fraud management functions has resulted in a significant gap in the banks' ability to curb financial fraud.

Also, concerns about external threats and increasing use of online and mobile banking channels, along with regulatory requirements, are pushing Indian banks to invest in information security technology and processes.

Indian banks need to focus on proactive information security mechanisms, such as threat modeling and innovation, instead of relying on compliance with static international standards on formation security, the report recommended.

Indian banks have been dragging their feet on implementing customer privacy protections required by the IT (Amendment) Act 2008, although the law is driving investments by banks in information technology, the survey said.

“With increased digitization of customer information, increased levels of customer awareness on privacy and notification of IT (Amendment) Act 2008, privacy has emerged as an important focus area for banks in India. However, privacy is yet to be factored in the banking ecosystem. In response to these developments, banks in India need to undertake a comprehensive privacy program that ensures protection of their customers’ information throughout its lifecycle”, the report concluded.

What’s Hot on Infosecurity Magazine?