How will RBI’s new debit and credit card regulations impact users?

I don't think the reaction would be as severe as being cited by the media. If you read the ruling, a lot of it makes sense. RBI is not going to disallow international usage. That is incorrect. What they are saying is, that by default, internet based transactions (CNP = Card Not Present) would be switched-off.

You can call your bank up and activate this service.

Here is the link to the original circular: http://rbi.org.in/scripts/Notifi...

The most pertinent section is, Point # 2 which states:

2. With cyber-attacks becoming more unpredictable and electronic payment systems becoming vulnerable to new types of misuse, it is imperative that banks introduce certain minimum checks and balances to minimise the impact of such attacks and to arrest/minimise the damage. Accordingly, banks are required to put in place security and risk control measures as detailed here under:

A. Securing Card Payment Transactions

1. All new debit and credit cards to be issued only for domestic usage unless international use is specifically sought by the customer. Such cards enabling international usage will have to be essentially EMV Chip and Pin enabled. (By June 30, 2013)
   
2. Issuing banks should convert all existing MagStripe cards to EMV Chip card for all customers who have used their cards internationally at least once (for/through e- commerce/ATM/POS) (By June 30, 2013)
   
3. All the active Magstripe international cards issued by banks should have threshold limit for international usage. The threshold should be determined by the banks based on the risk profile of the customer and accepted by the customer (By June 30, 2013). Till such time this process is completed an omnibus threshold limit (say, not exceeding USD 500) as determined by each bank may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.
   
4. Banks should ensure that the terminals installed at the merchants for capturing card payments (including the double swipe terminals used) should be certified for PCI-DSS (Payment Card Industry- Data Security Standards) and PA-DSS (Payment Applications -Data Security Standards) (By June 30, 2013).
   
5. Bank should frame rules based on the transaction pattern of the usage of cards by the customers in coordination with the authorized card payment networks for arresting fraud. This would act as a fraud prevention measure (By June 30, 2013).
   
6. Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants (By June 30, 2013).
   
7. Banks should move towards real time fraud monitoring system at the earliest.
   
8. Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.
   
9. Banks should move towards a system that facilitates implementation of additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad).
   
10. Banks should build in a system of call referral1 in co-ordination with the card payment networks based on the rules framed at (v) above.

The de facto limit would be as defined the same for all. I am led to believe that banks will increase the limit for individual card holders based on their previous spending pattern, or just by placing a call to the bank.

The rules are there to ensure that most of the fraud that is committed with respect to stolen credit cards numbers, etc. can be mitigated, as the most logical area to spend is online and that is what RBI is trying to curb.

This is certainly a step in the right direction, and a few people will be marginally inconvenienced, but on the whole one would agree with the steps taken by Reserve Bank of India (RBI).