The budget has just been released, with the government taking a few good steps towards e-governance. However, in the furore over the budget, some important news has been missed out. RBI, on the 18th of February this year, released a circular on how banks must provide a system for separate authentication. As per the current rules, a person in possession of the credit card need only provide the name, code, validity, the details of which are available on the card. In order to create one more layer of security for ‘card not present’ transactions, all transactions over Rs. 5000/- will now require a separate authentication PIN which will be provided by the Financial institution.
The concept of this one layer of security is not unique. Services like VBV (Verified by Visa) and Mastercard Securecode are already in practice, though most credit card users do not use them. The implementation of this practice will however, only dishearten the already dismal state of the credit card industry in India.
Every financial transaction will now be re-routed to the bank’s homepage where a person will have to enter his PIN. Also, all online retailers should introduce this practice by August 1, 2009.
The issues to inconvenience, time delays and the possibility of bad connectivity apart, the technical feasibilities need to be considered. Not much has been done by either the media or the RBI to make people aware of this. Regular credit card users are probably witnessing the transition but what is possibly not that certain is the awareness among websites scattered across the globe.
The problems for the implementation are namely :
- A probable lack of awareness
- International websites need to include the features
- Technical difficulties, glitches in connection, traffic handling etc.
- Inconvenience – which is a major reason.
Most people avoid inconvenience as much as possible. Hence, an extra layer of authorisation, with an extra set of numbers to remember could only increase irritation among users. With the rate of Indians using credit cards dropping, a measure like this is probably not very wise.
Another disturbing thought is how preset auto-debit functions will be affected. Google Adwords does not currently have such a process and it is an important service for several websites across India. Paypal and other international pay-services will also need to introduce special features for credit cards issued in India.
The implementation of this feature, which might definitely aid in more security, does hamper the convenience factor which is the main reason for credit card use. In an interview with WATBlog, Ajit Balakrishnan mentioned that there are just 9 million credit card users in India, and a number far lesser than that are actually used online.
E-payments, and online transactions may be extremely important for the improvement of Indian Cusomer Experience and for all the IT cos and websites in India, but the RBI seems to not care much about it. Also, like most laws which are relevant to the Internet in India, this one has few details and fewer thought processes analysing it. The media buzz on it also seems mute with almost no agencies making a mention of it, except Medianama.
This issue is very pertinent to Internet startups, and might prove to be a major global hiccup for businesses in India. It affects various sectors like e-payments, travel, shopping, any sort of access to various services across the web. The deadline for introduction of the above circular is August 1, 2009. Hopefully, the industry will wake up to the news, and take relevant action to ease the transition period.
I agree, the state of online credit card processing is already pathetic in India and this just adds insult to injury.
> Paypal and other international pay-services will also need to introduce special features for credit cards issued in India.
I don’t see that happening. I believe this only applies to INR payments for Indian merchants. It would be almost impossible to enforce this for international payments as the rest of the world will not change their payment systems to support India’s.
Absolutely right! Obviously, this directive does not impact international online merchants (perhaps only online merchants in India).
RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive. Before, the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems.
Just google ” verified by visa 2009 ” or go to this link : http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html.
VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.
On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.
well,
01) RBI published the notification in FEb 2009, and RBI has released the notification after consultation with the stake holders.
This means the banks/card companies had time to present their view points.
02) Hence, at this juncture, it is not correct to raise doubts on its implementation
02) The additional feature is required only for transactions over Rs.5000/-
Of course, there will be costs involved in any new feature.
This really sucks. I have auto-debit enabled for many of my memberships & Yahoo search marketing, Google Adwords, MSN Adcenter, Facebook, etc.
All my payments have failed in the last couple of days and I have no idea what to do now. No use calling the customer service as they keep repeating that they have to obey the rule.
I understand that its just an extra step when you’re shopping online. But how are the auto-debits supposed to work?!
Does getting a business credit card eliminate this problem? Any help would be appreciated, thanks!
I still don’t see a solution. What do we do guys? All my transactions keep failing!
Hi, I am myself sufferring from down website because of RBI regulation, but I still welcome it. Had this regulation been early, I could have saved 40,000/- INR, robbed by citibank and its colloborating merchants and justifying it legally, even though their managers agreed that what happened can be compared to a daylight robbery. I am sure this regulation will go long way in stopping international banks rob credit card holders. I never had time and energy to chase these goons, and I am sure there are many people like me.
Anurag Jain
I’m paying for my yahoo ads with paypal…and google has announced that they are taking care of this problem by adding an extra step
But i still can’t figure out how to use Facebook ads and a lot of other traffic sources :/ Any ideas guys?
RBI is so stupid that its just ruined ecommerce in india. What the heck is wrong with RBI policy makers. I cant fund my media buys now, cant buy advertisement on various networks. my credit card is now pritty useless. People should be given a option that if they want to register for verified by visa or not. I dont want this much safety i want my card to be universally accepted.
@Sam: completely agree with you Sam..
Safety, my brown ass!! RBI came up the so-called 2nd layer of security in order to avoid taking up any real responsibility. Now they can sit on their flabby behinds and claim the world is safe.
My CC is totally useless. Even HDFC’s Netsafe VCC doesn’t work. I’ll be damned with these clowns running the country.
I’m not fully aware of what happened..but my card is working now
Google and Facebook just charged my card successfully.
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Margaret
http://lotterymegamillions.net
@ Margaret –
Great to know that we were of some use to you…
we’d love to know how you got to know about us…
U’re always welcome to comment on posts that satisfied your quest for analysis.
Cheers
I fully agree…though it’s a security…end of the day its bull shit…I keep travelling and now I am badly stuck…I am in US now…all my online transactions are declined…..it’s really a pain…you can’t expect the international websites to update their web…i cant book a movie ticket, i can’t buy stuff online….its really bad….i think they have to bring in an option where the card holder can volunteer and disable this additional security..
Im staying in india,im using a Uae credit card…just want to know whether this is applicable for me…as after purchasing the item on ebay i wouldnt want to get into trouble for non payment cos i did not setup username and password…
i want to know if i have an outstanding of 80,000 and i have paid approx 65,000 in the name of interest in a span of 1 year 4 months AND my outstanding still exist at same 80,000 !! what rights i have as a customer ? because i think this is insane! (Not using the card in those 1 year 4 months)
please reply
thanks
jayant