Indian Debit Cards Compromised


While we at Compliance3 continue to work with companies in the UK and Europe to ‘take risk off the table’ by taking card data out of their data environments, criminals continue to probe other markets to find potential chinks in the armour of payment card security.

The latest data breach to come to our attention – it may not have registered on your radar – is on the Indian sub-continent.

The BBC ran a story last week reporting “fears that the security of more than 3.2 million debit cards has been compromised”.

The compromise appears to have emanated from an ATM network infected with malware.

Okay, so 3.2 million cards represent only half of one per cent of all cards issued in India (there are some 700 million debit cards issued in India), and to date fraudulent transactions have only totalled around $195,000 (13 million rupees) – mainly in China and the US – but that’s still a lot of cards at risk, and potential damage to India’s newly emerging card-based economy.

Indian banks are struggling to get cashless transactions accepted, with only 10 digital transactions per head per annum compared to around 260 per head per annum in the UK, and data compromises like this will not help foster trust.

Shaktikanta Das, the Department of Economic Affairs Secretary of the Indian Government, said: “There is no cause for alarm. The integrity of IT system of banks is robust and whatever action is required, the government will take promptly.”

Mohit Bahl, Head of Forensic Services at KPMG India, suggested that while “Indian Banks have cyber security protocols comparable to their international peers…they are not as robust in constantly monitoring and updating their security measures”.

Shaktikanta Das of the Indian Government added: “whatever action is required, necessary action will be taken by the government.”

The country’s biggest lender, State Bank of India, has announced that it is reissuing 625,000 payment cards, and has pledged to compensate customers for any losses incurred as a result of the data breach.