Credit Card Fraud Protection in India — RBI Rules + Recovery Playbook (2026)
Last updated: May 2026. India recorded 1.2 lakh credit card fraud cases worth ₹400+ crores in FY 2025-26. RBI’s “limited liability” framework protects most users — IF you act fast. Beyond 7 days, the protection drops sharply. Here’s the exact playbook for prevention, detection, and recovery.
The 30-second answer
| Time after fraud | Your liability |
|---|---|
| Reported within 3 working days | ₹0 (zero) — bank covers full amount |
| Reported between 4-7 working days | Capped at ₹10K-25K depending on card type |
| Reported after 7 working days | Full liability typically falls on you |
| Loss due to your negligence (shared OTP, PIN, CVV) | Full liability regardless of timing |
| Loss due to bank’s deficiency (system breach) | ₹0 regardless of timing |
The 5 most common credit card frauds in India (2026)
1. SIM swap + OTP intercept
A fraudster obtains a duplicate SIM by bypassing your mobile operator's KYC checks, intercepts OTPs, and authorises transactions. Average loss per case: ₹1.5-3 L.
Defence: Lock your SIM with the operator (set a port-out code). Enable transaction alerts on email + SMS + bank app, so that email and app alerts still reach you even if the SIM is compromised.
2. Phishing via fake bank URLs / SMS
“Your card is blocked, click here to reactivate.” The link goes to a clone site that captures your card number, CVV, expiry, and OTP.
Defence: Banks NEVER ask for full card details, CVV, OTP, or PIN over SMS/call/email. If you must verify, call the customer care number printed on the card itself, not a number given in the SMS.
3. Compromised merchant / database breach
Your card number is harvested from a poorly-secured e-commerce site you used 6 months ago. Card-not-present fraud follows.
Defence: Use virtual / tokenised cards for one-off purchases (HDFC Tokenization, ICICI Pockets, Axis QR-Pay). RBI’s tokenisation mandate (effective 2022) replaces real card numbers with merchant-specific tokens.
4. International e-commerce fraud (forex transactions)
Card details bought on the dark web are tested via small ($1) transactions on international sites. If successful, larger fraudulent purchases follow.
Defence: Disable international transactions by default in your bank app. Enable temporarily only when you actually need them. Set forex transaction alerts.
5. Skimming / cloning at POS terminals
A POS terminal at a fuel station or restaurant has a hidden skimmer that copies your card's magnetic stripe and records your PIN. The cloned card is then used internationally.
Defence: Use chip + PIN (EMV) instead of swipe. Cover the keypad with your free hand when entering PIN. Never let the card leave your sight.
RBI’s limited liability framework (the law that protects you)
RBI Notification DBR.LEG.BC.78/09.07.005/2017-18 (effective 6 July 2017, strengthened 2023) defines three liability scenarios:
A. Bank’s contributory fraud / negligence (e.g., system breach)
Customer liability: ₹0 regardless of when reported.
B. Third-party breach (neither bank’s nor customer’s fault)
Customer liability:
- Reported within 3 working days: ₹0
- Reported within 4-7 working days: ₹10,000-25,000 (depending on card credit limit)
- Reported after 7 working days: as per bank’s policy (typically full liability)
C. Customer negligence (shared credentials, lost card not reported)
Customer liability: full amount until card is blocked + reported.
The specific liability caps (B scenario)
| Card credit limit | Maximum liability if reported within 4-7 days |
|---|---|
| Up to ₹5 L | ₹10,000 |
| ₹5 L to ₹25 L | ₹25,000 |
| Above ₹25 L | ₹25,000 (some banks ₹50K) |
Translation: even with maximum delay, your loss on a high-limit premium card is capped at ₹25K-50K under the framework — not the full fraud amount.
The exact 5-step recovery playbook
- Within 30 minutes of detection: Block the card via your bank app (Manage → Block). Most banks confirm block via SMS within 60 seconds. This stops further fraud immediately.
- Within 3 hours: Call PhoneBanking to file a verbal fraud complaint. Get a complaint reference number (FCR / DRN).
- Within 24 hours: Submit the formal dispute via the bank’s “Dispute / Chargeback” form (in-app or branch). Include: complaint reference, transaction details, proof of fraud (screenshot of unrecognised transaction).
- Within 72 hours: File a cybercrime FIR at cybercrime.gov.in (online) or your local cybercrime cell. The FIR number is required for the bank to process the chargeback.
- Within 90 days: Receive resolution. RBI mandates banks to credit the disputed amount within 90 days while investigating. If your case is clean (timely report + FIR + no negligence), you should see the disputed amount credited back on your statement.
Reading your statement defensively
Set aside 5 minutes when you receive your statement to scan for:
- Unrecognised merchant names — Google any unfamiliar one before assuming it’s fraud
- Duplicate transactions on the same date
- International transactions when you weren’t shopping internationally
- Forex markup (1.99-3.5%) on transactions you thought were INR
- Annual fee charged earlier than expected
- Service charges / late fees you didn’t expect
RBI mandates a customer dispute window of 60-90 days from the statement date. Beyond this, even genuine errors become harder to reverse.
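The first three checks in the list above, together with the small-test-charge pattern described under international e-commerce fraud, as an added Python example (not code from this page or from any bank). The CSV layout, the known-merchant list and the 2.00 foreign-currency threshold for a "small" charge are assumptions, and the statement rows are constructed sample data.

```python
import csv
import io
from decimal import Decimal

# Constructed sample statement for illustration only (not real data).
SAMPLE_STATEMENT = """\
date,merchant,amount,currency
2026-04-02,BigBasket,1840.00,INR
2026-04-05,Indian Oil Pune,2500.00,INR
2026-04-05,Indian Oil Pune,2500.00,INR
2026-04-09,WEBSVC*TESTSHOP,1.00,USD
2026-04-10,WEBSVC*TESTSHOP,480.00,USD
2026-04-12,Airtel Postpaid,799.00,INR
"""

# Assumptions: merchants the cardholder recognises, and what counts as a "small" test charge.
KNOWN_MERCHANTS = {"bigbasket", "indian oil pune", "airtel postpaid"}
TEST_CHARGE_MAX = Decimal("2.00")


def scan_statement(csv_text, known=KNOWN_MERCHANTS, abroad_expected=False):
    """Return (row_number, merchant, reason) for every entry worth a second look."""
    flags = []
    seen = set()    # (date, merchant, amount, currency) tuples already encountered
    tested = set()  # merchants where a tiny foreign-currency charge has appeared
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        merchant = row["merchant"].strip()
        amount = Decimal(row["amount"])
        currency = row["currency"].strip().upper()
        key = (row["date"], merchant.lower(), amount, currency)
        if merchant.lower() not in known:
            flags.append((n, merchant, "unrecognised merchant"))
        if key in seen:
            flags.append((n, merchant, "duplicate on same date"))
        seen.add(key)
        if currency != "INR" and not abroad_expected:
            flags.append((n, merchant, "unexpected international transaction"))
        if currency != "INR" and merchant.lower() in tested:
            flags.append((n, merchant, "follows a small test charge"))
        if currency != "INR" and amount <= TEST_CHARGE_MAX:
            flags.append((n, merchant, "possible card-testing charge"))
            tested.add(merchant.lower())
    return flags


if __name__ == "__main__":
    for flag in scan_statement(SAMPLE_STATEMENT):
        print(flag)
```

A flag is a prompt to look the entry up, not proof of fraud; pass `abroad_expected=True` for a month in which you did shop internationally.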
Prevention checklist (30 seconds in the bank app, monthly)
- SMS + email + push alert all enabled for every transaction
- International transactions: disabled by default, enable only when needed
- Online transactions: enabled (most users need this)
- Tap-to-pay (contactless): enabled with limit set to ₹5,000 per transaction (regulator-mandated cap)
- ATM cash advance: disabled (you rarely need this; in an emergency, withdraw with your debit card)
- Magnetic stripe (swipe): disabled if your card has chip — most banks let you turn this off
- EMI conversion: enabled (so you can self-convert if needed)
- Statement password: set if you receive PDF statements via email
If your card is lost / stolen (vs fraud-on-card)
Lost card protocol:
- Block the card immediately via app or 24×7 helpline
- Most banks issue a replacement card within 5-7 working days; emergency cards are available at branches in 24 hours
- If the card was misused before blocking, the same RBI framework applies
- Lost card replacement fee: ₹100-500 (premium cards often waive)
The cyberinsurance clauses on premium cards
Many premium cards bundle complimentary cyber-fraud insurance:
- HDFC Infinia / DCB: Credit shield ₹9 L (covers the card outstanding on the cardholder's death or permanent disability), purchase protection ₹50K-3 L
- Axis Magnus: Cyber liability cover ₹25 L (covers fraud loss after RBI cap)
- ICICI Emeralde Metal: Purchase protection ₹3 L, fraud cover ₹1 L
- AmEx Platinum Charge: Purchase protection ₹3 L, fraud cover ₹2 L
Read the fine print: most insurance has a deductible (₹2,500-10,000) and excludes “negligent” fraud (shared OTP, etc.).
FAQs
What if I shared my OTP — am I 100% liable?
Generally yes. But banks may settle partially if you can show coercion (sustained social engineering, threats). Argue your case with the cybercrime cell and bank ombudsman.
How long does it take to get refunded for fraud?
RBI mandates banks to credit the disputed amount within 90 days while investigating. If they fail, escalate to the RBI Ombudsman (cms.rbi.org.in).
Should I take separate cyber-fraud insurance?
If your card limit is ₹3 L+ and you don’t already have premium-card-bundled insurance, yes — Bajaj/HDFC ERGO/Tata AIG offer ₹500-2,000/year policies with ₹3-10 L cover.
Will fraud affect my CIBIL score?
Disputed transactions are not reported to CIBIL during the 90-day dispute window. Once resolved in your favour, the entry is removed.
Can I sue the bank if they refuse to refund?
First, escalate via the bank’s grievance redressal cell (30 days). Then file with the RBI Ombudsman (free, 60-90 days resolution). Civil court / consumer court is the last resort.




