While the Reserve bank of India (RBI) is keeping mum over the issue of a massive security breach of banks’ teller machines (ATMs), National Payment Corporation of India (NPCI), the umbrella organisation of retail payments, is closely working with all the 19 affected banks and Visa and MasterCard, to conduct a forensic investigation to find the root cause of the problem.

Banks believe that 3.2 million cards have been impacted but the number could go up as the consolidated data is still to be collated, say bankers.

According to NPCI, the genesis of the problem was when banks received complaints in September of cards being used in China and the US while the customers were in India. Sources say that the data breach is believed to have taken place from the processor of one of the private banks.

Of the total cards affected, 26 lakh are Visa and MasterCard put together, while the remaining 6 lakh cards are RuPay.

Senior bankers say they are still to hear from the RBI on the issue, even after they apprised the central bank of the problems. But the RBI has yet to get back with any response. A questionnaire sent to RBI by DNA Money to know its measures to plug the holes has not elicited any response.

YES Bank said it has proactively undertaken a comprehensive review of its ATMs, adding that there is no evidence of any breach or compromise on YES Bank ATMs.

NPCI said all three card networks -- RuPay, Visa and MasterCard have been working in a collaborative manner since September to plug the holes.

A P Hota, managing director and CEO of NPCI, which operates RuPay cards, said in a release, “The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI. Cards of all these complainants are related to other card schemes. There is no RuPay cardholder who had lodged any complaint for such fraudulent usage. All affected banks have been alerted by all card networks that a total card base of about 3.2 million could have been possibly compromised. Out of this 0.6 million are RuPay cards.”

Meanwhile, according to a senior official, State Bank of India (SBI) will issue an advisory to its customers not to use other banks’ ATMs until the security breach issue is completely sorted out. It is the only bank to say that about 6 lakh of its debit cards are impacted, which is 20% of the 3.2 million cards that are affected of all the banks. However, all other affected banks refused to give number as to how many of their cards may have been compromised, barring Axis Bank which said it has about 1.6 crore debit cards and they have intimated a few lakh customers about the need to change their personal identity number (PIN).

A senior private bank official said, “We have intimated the RBI about the extent of the problem in our bank.”

ICICI Bank said, “We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank. As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed. This has been done in order to protect our customers from any potential fraudulent transaction.” They have asked the customers to change their PIN periodically to prevent any misuse.

HDFC Bank said in a statement that their systems detected a potential compromise of debit cards arising from usage at a non-HDFC Bank ATM network a few weeks ago. “We immediately notified customers who we knew had used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN. We also advised them to use only HDFC Bank ATMs,” it said, adding that frequently changing ATM PINs will help prevent the misuse.