Get App
Last Updated : Oct 21, 2016 08:25 AM IST | Source: CNBC-TV18

150 customer complaints received, 90 ATMs compromised: NPCI

Speaking to CNBC-TV8 AP Hota of National Payments Corporation of India said that in September a number of complaints came forth from banks indicating their customer cards were being used in China when they were in India.

Speaking to CNBC-TV8 AP Hota of National Payments Corporation of India said that in September a number of complaints came forth from banks indicating their customer cards were being used in China when they were in India.

This led to a probe and it found that none of cards that were reported belonged to RuPay, he said. All three service providers Visa, MasterCard and RuPay have worked together and thought it prudent to caution banks. The banks should either ask their customers to change the pin or they should do the recarding.

The number of customer complaints received is about 150, Hota said, adding that about 90 ATMs have been compromised. The ATMs of largely one particular bank and one particular switch have been compromised, he said.


He also said that these ATMs have been destabilised.

Below is the verbatim transcript of AP Hota’s interview to Latha Venkatesh, Prashant Nair & Ekta Batra on CNBC-TV18.

Ekta: First if you can just apprise us of all of the steps which have been taken in order to possibly curb the breach or the cyber security breach and is it possibly going to extend beyond just State Bank of India?

A: Let me not use the word cyber security breach and create a sensation. What has happened is in the month of September, we got a number of complaints from banks indicating that their customer’s cards are being used in China though they are in India. So, we checked the system and we found that none of these cards where RuPay Cards.

We thought that there could be something wrong. We examined the matter and we found out through our systems by a point of compromised solution that there could be something wrong in some ATMs of some banks. So Visa, MasterCard and RuPay all of us worked together and we thought that this is prudent to caution the bank that either they should ask the customers to change the pin or they themselves should do the re-carding so that credit cards cannot be used again.

Latha: Have you all drawn a fence around the problem? We are given to understand 3.2 million cards could have been -- how many have been compromised in this or is it the entire 3.2 million, will it go towards 3.22 to 3.23?

A: The number of complaints received is about 150, only 150 customers have complained. These all complaints pertain to these cards being used at some common points. That is where we find the common point of compromise.

Latha: You have located the ATM in question?

A: We are examining.

Latha: Which banks ATM was this?

A: At this stage, the study is still on. However, the apprehensions are of a one particular bank. The work is on and normally whenever such events happen, it is a localised 7-10 ATMs but in this case we found that there are as many as 90 ATMs spread throughout the country. So, it appears to be quite unusual.

Latha: Are these numbers right, 150 complaints have been received about 90 ATMs and largely one bank's ATMs?

A: Largely one bank's ATMs and normally whenever such compromise happens, it become localised with 5-10 ATMs but this time it is 90 ATM. So, the theory is that it may not be ATM; it might be the switch of one particular bank. That is how in the newspaper one name is coming but I don’t want to confirm or deny at this stage, some work is on.

Prashant: This is an important point that you are making so it is not as if that one bank's ATM when you go to that one banks ATM and you use the card you are at risk. You could use any bank's ATM and you in a way could be at risk, just clarify that point for us? It is not about which ATM facility you use, but it is about which bank's ATM card you use, is this what you are saying?

A: In this case the ATMs of one particular bank of one particular switch so it is not pointing to a particular ATM but it is pointing to a particular switch. Because the switch is normally Payment Card Industry (PCI) – Data Security Standard (DSS) compliant that is why the international body called PCI – DSS they have the international body they have commissioned the forensic audit. So, not National Payments Corporation of India (NPCI) or VISA or MasterCard, it is the council which has appointed the forensic audit and it is expected by end of this month.

Latha: You all have already de-stabilised or switched off those ATMs and that switch after you did that no more further complaints have come?

A: The banks have been advised by all the three units because the RuPay cards also involved about Rs 6 lakhs, Vias and MasterCard together Rs 26.5 lakh. So all of them have advised the banks that we are altering you -- it is better that their customers change the pin and if you are not in a position to change the pin, better you can do the re-carding. In any way the cards were to be re-carded this year in view of the migration to Europay, MasterCard and Visa (EMV), so the banks have taken the route of changing the card itself.

Ekta: Is it then fair to assume that all the necessary precautions have been taken to solve the problem or are there further precautions that you are taking?

A: Adequate precautions have been taken. The information security officers of all the banks and the information security officers of three networks they are in close touch with each other. They are interacting almost every alternate day. Things are absolutely under control. There is no reason for any panic.

Latha: If only 150 complaints have been received so far how much would it be even if it were Rs 1 lakh spent on each card? We are still looking at probably Rs 1.5 crore as the loss for this system not more than that?

A: I don’t have the figure right at the moment but it is 150 plus complaints of all the banks put together. They have launched complaints with the banks but necessary rules, regulations are there for the customers to be protected, so customers need not worry. This much I would like to advice.

Latha: At such a juncture where does the fault lie, the guy who made the machine? Who is the ultimate bearer of the responsibility?

A: Investigation is on, the forensic audit is on. PCI is a very respected body, they have commissioned the audit. Let us wait for the audit.

Get access to India's fastest growing financial subscriptions service Moneycontrol Pro for as little as Rs 599 for first year. Use the code "GETPRO". Moneycontrol Pro offers you all the information you need for wealth creation including actionable investment ideas, independent research and insights & analysis For more information, check out the Moneycontrol website or mobile app.
First Published on Oct 20, 2016 12:08 pm
Follow us on
Available On