While transactions must be secure, the RBI needs to prioritise convenience, which is possible by proactive usage of modern technology and innovation. New & improved rules shouldn’t just be added but must replace old outdated ones, to enhance effectiveness and ease during transactions.
How many times have you been told to sign on a card transaction slip in recent times? As cards cannot be used without a Personal Identification Number (PIN) nowadays, signing a card transaction slip isn’t mandatory any longer. However, you will find that very few merchants are able to generate a transaction slip that says “PIN Verified – Signature not required!”. More than 90% of them will still insist that you sign the transaction slip and complain that banks are refusing to process the unsigned ones.
Welcome to the bureaucratic world, where new and improved rules are simply added to old outdated rules instead of replacing them. Without question, the Indian card transaction processing system is the most secure system in the world. If you have doubts, talk to your NRI friends and relatives. They will tell you that international card transaction systems are inferior in comparison to the Indian card transaction system.
A stolen Indian card can’t be used without a PIN in India. Indian cardholders get an instantaneous SMS message about their transactions, which is not available to most international cardholders. But Indian cardholders are justifiably unhappy that “ease of use” in transactions is not a priority for our regulator, especially while transacting online. In the name of security, the bureaucrats in the RBI keep adding layer upon layer of online transaction rules instead of replacing outdated rules with improved ones that make better use of technology.
Giving up convenience for security is a false tradeoff. Improving transaction processing requires regulations that intelligently distinguish transactions on the basis of value, technology and customer choice.
Card Present (CP) Transactions: The Origin
Initially, when credit cards were first introduced, the idea was to allow for card transactions only when the card was physically presented at the time of making a payment. Possession of the card authenticated the user (first authentication) and matching the cardholder’s signature with the signature on the back of the card was the second.
However, the merchants were not very good at checking for authentic signatures and lost or stolen cards could be fraudulently used. In order to reduce delinquency (as well as to ensure that card usage was limited to the approved credit limit), merchants were required to make a phone call and obtain an authorization code for high value transactions. However, as long as the stolen or lost card was used for small transactions, the banks were unable to catch up and misuse was rampant.
After bank computerization, the introduction of ATMs and debit cards, and the networking of bank branches, card issuers (credit and debit) could issue cards with magnetic stripes and install card swipe machines in merchant establishments. The card swipe machines could be automated to dial the bank, check credit limits and lost-card lists, and authorize legitimate transactions. Card misuse dropped dramatically.
In order to satisfy the demand for the use of cards to guarantee payments for hotel bookings (by telephone) and other situations where the physical card is not present (CNP), the card issuers invented the “cvv” number. However, CNP transactions involved higher risk and only very reputable and trustworthy merchants were allowed to accept CNP transactions. Also, the safe practice for the cardholder was to memorize the cvv number and scratch it off the back of the card. For CNP transactions, the card details (name, 16-digit number, expiry date) constitute the first authentication, whereas the cvv number forms the second authentication.
When the internet arrived, e-commerce transactions followed the same rules as CNP transactions. However, as the card market saw explosive growth, with hundreds of millions of cards being issued, it became common for cardholders to own 2-5 cards. Scratching off the cvv numbers and remembering them became impractical. As the cvv number was always present on the card, preventing fraudulent transactions when the card was stolen or lost was impossible. The cvv effectively became part of the first authentication and ceased to play the original role that had led to its birth.
RBI and Smart Regulations
The RBI was quick to realize that merchants were not rigorously checking signatures for CP transactions and that the cvv had ceased to be a second authentication factor for CNP transactions. It also realized that technology-based solutions were readily available to improve the security of transactions.
Card swipe machines can be programmed to require the entry of a PIN (which cardholders were already using at ATMs) for CP transactions. The extensive growth of mobile phone networks had made it possible to deliver “One Time Passwords” to cardholders in order to provide a “dynamic” second authentication factor (2FA) for authorizing CNP transactions. A few years ago, RBI mandated a phased rollout of both solutions. RBI also mandated that every transaction should generate an SMS to the cardholder, enabling the cardholder to monitor use of the card.
All of this was brilliant. But what RBI missed was that the use of PIN and/or OTP had significantly elevated security of transactions and many of the older rules and policies could be repealed.
RBI Regulations and Innovations
As the number of merchants on the internet grew, users could not trust all of them with their credit card details, even for one-time use. Online merchants required the services of intermediaries such as Paypal. Users trusted Paypal with their credit card details since it was sponsored by the highly trusted eBay, and merchants were guaranteed payment after the users confirmed delivery of the goods.
While Online Wallet services like Paypal, Google Wallet etc were tremendously successful elsewhere in the world, the RBI viewed these innovations with enormous suspicion. While the RBI has a good track record in justifiably being suspicious of many of Wall Street’s financial innovations, on the issue of technology-driven payment solutions, it tripped badly. The RBI made it very difficult for Paypal-like services to operate in India, oblivious of the fact that cards are issued only after a Bank KYC process and also that only a cardholder could use Online Wallet Services.
Contactless Card Transactions
Contactless Card (CC) transactions using mobile wallets in smartphones are the latest innovation in payment technology. CC transactions occur when a smartphone communicates with a merchant’s Point of Sale (POS) equipment using Near Field Communication (NFC) to provide cardholder details and confirm a payment. In advanced markets such as the US, the cardholder just taps the POS with her mobile phone and the payment is done.
In India, CC transactions were not possible until recently, when the RBI indicated that it would allow “tap and pay” for small value transactions of INR 2000 or less. Higher value transactions would still require 2FA, even though once you lose your iPhone, sending an OTP to the lost iPhone does not really provide you any security. You have to rely on your iPhone password and the Apple Pay password, find your iPhone, and call the bank to block your card. But all this is lost on the RBI.
PCI-DSS Certified Merchants
Even though the developed internet economies don’t have 2FA, there are market-driven standards that govern online payments. The Payment Card Industry Data Security Standards (PCI-DSS) Council, an international body, specifies standards to be followed by merchants on how to store and transmit card data.
It is only in recent years that Indian online merchants have acquired sufficient volume of transactions to invest in PCI-DSS certification, which enables merchants to store credit card details (first authentication only, i.e. cardholder’s name, 16-digit number and expiry date; the cvv is not allowed to be stored) to expedite transactions. Vendors like Amazon, Flipkart, etc. are PCI-DSS certified and, hence, are allowed to store the credit card details of their account holders. Mercifully, the RBI has not intervened on this matter and has allowed the PCI-DSS standards to prevail.
For other merchants, customers are required to enter credit card details every time. However, in the 2FA environment, all that is really needed is the 16-digit card number for first authentication. There is no need to make the customer enter all four details on the card (name of cardholder, expiry date, 16-digit card number and cvv number), or for PCI-DSS certified merchants to store and transmit all these details for every transaction. Since most international markets (including the US) don’t require 2FA, PCI-DSS standards are unlikely to be updated and we are stuck with them for some time, unless RBI dares to make India-specific exemptions to the PCI-DSS standards.
The RBI has specified that some merchants (such as the airlines) have to get the cardholder’s billing address, email address and mobile phone number as additional authentication factors for every transaction. However, after dynamic 2FA has become mandatory, there is no need for multi-factor authentication, which was mandated in a bygone era where flight tickets were “rare” high value transactions.
Use of “Cash” or “Currency” is based on single factor authentication. If the currency note is in your possession, you are the owner and you are allowed to use it. The RBI does not tell you how much currency you can carry or how much you can use in a transaction. Since the RBI does not try to protect you against loss of cash, using cash is convenient and transactions are fast.
Transactors in cash can choose to be anonymous, though income tax rules compel banks to report large deposits and require PAN to be collected for high value transactions. Card transactions also need to be similar. Small transactions must be fast and convenient, though they will never be anonymous. High value transactions can be slower and secure.
As a user of cash, you get to decide how much cash you will carry in your wallet. After all, carrying a lot of cash is risky. Similarly, the RBI needs to allow cardholders to determine the tradeoff between security and convenience. The RBI must relax the requirement for PIN or OTP for “small ticket” transactions and allow cardholders to opt out of 2FA as per their convenience.
Cardholders should be able to set a per-transaction limit as well as a per-month limit; for example, a user could opt out of 2FA for less than INR 500 per transaction, provided all small ticket transactions during the month total less than INR 10,000. For a different user, the limit could be INR 2000 per transaction and INR 20,000 per month. The cardholder must determine how much money will be at risk.
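One way an issuer could enforce the cardholder-chosen opt-out described above, as an added example (not code from the article, the RBI or any card issuer); the profile, ledger and sample month are constructed assumptions, and the rule that only transactions approved without PIN/OTP consume the monthly allowance is this example's reading of the proposal:

```python
from dataclasses import dataclass


@dataclass
class OptOutProfile:
    # Cardholder-chosen limits (INR) for transactions allowed to skip PIN/OTP.
    # A cardholder who has not opted out keeps both at 0, so 2FA is always asked.
    per_txn_limit: int = 0
    per_month_limit: int = 0


@dataclass
class MonthLedger:
    # Running total (INR) of this month's transactions approved without 2FA.
    no_2fa_total: int = 0


def requires_2fa(amount: int, profile: OptOutProfile, ledger: MonthLedger) -> bool:
    """True when PIN/OTP must be demanded. A transaction skips 2FA only if it is
    within the per-transaction limit AND adding it keeps the month's cumulative
    2FA-less spend within the monthly cap; once the cap is used up, even tiny
    transactions go back to PIN/OTP, so the money at risk is bounded by the caps."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount > profile.per_txn_limit:
        return True
    return ledger.no_2fa_total + amount > profile.per_month_limit


def authorize(amount: int, profile: OptOutProfile, ledger: MonthLedger,
              second_factor_ok: bool) -> str:
    """Decide one transaction and update the ledger. second_factor_ok is the
    outcome of the PIN/OTP check, consulted only when 2FA is actually required.
    2FA-verified transactions do not consume the no-2FA monthly allowance."""
    if not requires_2fa(amount, profile, ledger):
        ledger.no_2fa_total += amount
        return "approved-no-2fa"
    return "approved-2fa" if second_factor_ok else "declined"


def demo() -> list:
    # Constructed month for the first cardholder described above:
    # opt out up to INR 500 per transaction, capped at INR 10,000 per month.
    profile = OptOutProfile(per_txn_limit=500, per_month_limit=10_000)
    ledger = MonthLedger()
    # (amount, pin_or_otp_ok) pairs: a song, a movie ticket, a large purchase,
    # a failed OTP, nineteen INR 500 payments, one that exactly fills the cap,
    # and a tiny one that is pushed back to 2FA because the cap is exhausted.
    txns = ([(15, True), (150, True), (2000, True), (600, False)]
            + [(500, True)] * 19 + [(335, True), (20, False)])
    return [authorize(a, profile, ledger, ok) for a, ok in txns]
```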
Despite all the hype about Indian e-commerce, the market reality is that online transactions are cumbersome. Too many online shoppers opt for “Cash on Delivery” instead of paying through cards, which cripples the economies of scale that are available to online business models. Even RBI officials will acknowledge that for small-value purchases, such as an INR 15 purchase of a song on iTunes or an INR 150 movie ticket at PVR, 2FA is overkill. Worldwide data has consistently shown that 2FA reduces the number of transactions that actually go through.
Indian e-commerce badly needs regulatory encouragement for Online Wallet Services. Even services of m-pesa, airtel money and ICICI Pockets have been severely restricted by the RBI’s ridiculous insistence on 2FA.
The RBI has possibly taken a first step towards creating a positive environment for innovation in payment services by announcing its intention to license “payment banks”. The RBI has also set a very ambitious framework for the Bharat Bill Payment System, which is being developed by the National Payments Corporation of India. Perhaps, the stage is set for India to lead the world in innovations on payment solutions.
A tremendous innovation on the horizon would be allowing banks to issue “open mobile wallets” or OMWs to savings account holders, which can be the equivalent of digital cash. A savings bank account holder could transfer small sums of money into the OMW, converting it into digital cash, in amounts equal to the cash they typically withdraw from ATMs and carry in their real-world wallets. Digital cash should be transferable through “tap & pay” CC transactions. Loss due to fraudulent use would be limited to small amounts, and users’ bank accounts or credit cards would not be put at risk.
Imagine tapping your phone on a turnstile in a railway station to pay for a ticket. Maybe tapping your phone to pay a traffic fine. Or even tapping your phone to pay the bhajiwala. All of this will happen. The timing depends on how long the RBI will take before it realises that innovation and technology can bring about a radical transformation in the way in which transactions take place.