The Reserve Bank of India recently issued a directive asking banks to scale up their online security measures issuing an additional password by 1st Aug 2009.

The directive notified the banks to issue passcode in addition to other online security information required which includes name, card number, expiry date and CVV (card verification value) number.

The circular stated that non-adherence would attract penalty under the Payment and Settlement Systems Act 2007.

The additional PIN code is called Verified by Visa or MasterCard Secure Code depending upon the issuer. Unlike CVV which is printed on the credit card, the PIN is a value determined and known only to the subscriber.

The password can be obtained by online registration with the card issuing bank.

As the date for implementation nears, banks have been loaded with applications requesting for the additional passwords.

Many private players already have the credit card PIN system in place. While other have been implementing it.

Prabhu Rangam, AGM (IT), State Bank of India, says, ‘‘SBI has already accommodated the required change. Our debit cards are PIN based, so they may not require another layer of security."

The bank however requires the customer request for issuing credit card PIN.

ICICI Bank has implemented an additional personal assurance message (PAM) besides 6-digit card access PIN. Both PIN and the PAM are known only to the customers.

Commenting on the matter, an ICICI Bank spokesperson, said "We have already started the process of making the consumer aware of the service using text message alerts, e-mails and advertisements. Having started the process much ahead, we are well equipped to implement the process fully."

It is expected that the move will inversely affect the online industry initially, though over a period of time it will scale up.

However the level of security provided by these is again questionable. It is argued that these passcodes are static passwords and hence, can be easily phished.