Mumbai: In the wake of the biggest-ever debit card data breach affecting Indian banking system, the RBI Monday said a forensic auditor is investigating the matter, even as it tried to allay fears saying the number of cards misused is "few".
The RBI held a meeting with senior officials from select banks, the National Payment Corporation of India (NPCI) and card network operators to review the steps taken by various agencies to contain the adverse fall-out of certain card details alleged to have been compromised.
The apex bank said it came to its notice on September 8 that details of certain cards issued by some banks had been possibly compromised at ATMs linked to the ATM Switch of one of the service providers.
"The issue is currently being investigated by an approved forensic auditor, under PCI-DSS framework (Payment Card Industry Data Security Standard)," the central bank said in a statement.
It further said the "number of cards misused, as per currently available information, is few".
As a matter of abundant precaution, card network operators concerned were earlier advised to share the details of cards used during the period of such exposure, it said.
Several public and private sector banks have recalled or blocked over 32 lakh debit cards to safeguard their customers from any financial fraud.
The Finance Ministry has asked various agencies, including the RBI to submit their report in 10 days.
The Reserve Bank further said banks have been taking "necessary remedial action to avoid any potential abuse" of such cards in future by unscrupulous elements and to protect the interest of their customers.
The RBI said that banks have taken measures including advising the customers to change PIN, blocking payments at international locations, reducing the withdrawal limits, monitoring unusual patterns, replacing the cards and re-crediting the accounts of cardholders for amounts wrongly debited.
The central bank also said it is a "good practice" to change the PIN and passwords periodically and advised customers not to share them with anyone for any reason.
Banks do not ask for card or account details from their customers, hence, customers should exercise caution and not reveal such information to any person on phone or email, it said.
The RBI further said it has already issued instructions to banks on cyber security framework.
It has emphasised on an early implementation of this framework so that possibility of such incidents happening in future is minimised and in the event of such incidents, containment measures are taken immediately.
As many as 32.14 lakh debit cards of various public and private sector banks are feared to have been 'compromised' by cyber malware attack in some ATM systems.
Several banks, including state-owned SBI, have recalled a number of cards while many others blocked the ones suspected to have been compromised and asked their customers to change PIN (personal identification number) before use.
Fraudulent withdrawals have been reported from 19 banks so far while complaints have been received from a few banks that their customers' cards were used fraudulently abroad, mainly in China and the US while the customers were in India.
According to the NPCI, as many as 641 customers across 19 banks have been duped of Rs 1.3 crore using stolen debit card data.