The e-commerce industry in India needs to brace for a lull in transactions, the result of a notification from the Reserve Bank of India.
According to the notification, in order to enhance the security of online card transactions, it will become mandatory from August 1st 2009 onwards to provide:
1. A system of additional authentication/validation based on information not visible on the card, for all online card-not-present transactions except IVR transactions.
2. A system of “Online Alerts” to the cardholder for all card-not-present transactions of the value of Rs. 5,000/- and above.
Implications
Travel portal Cleartrip recently set up a page to help its users register at various bank sites for the Verified by Visa and Mastercard Secure verification norms which banks in India are adopting in order to comply with point 1 above. Hrush Bhatt, co-founder, Cleartrip, told MediaNama that to complete transactions, merchants will have to redirect consumers to bank sites, which will require the additional password for verification of payment. For payment methods that involve redirection, failures are around ten times higher.
Bhatt said that though the RBI circular is correct in spirit, the manner in which it is being implemented is going to cause disruption for customers and merchants. Cleartrip is gearing up for at least a 2-3 week disruption, “when people won’t know what this stuff is. Hopefully, after that people will enroll.” ICICI Bank is planning to mandate usage of these additional passwords on July 20th, while the rest are expected to switch between July 20th and August 1st, except American Express. “AmEx already has billing address verification in their API,” he said.
Bhatt added that this also puts Indian online companies at a disadvantage to international ones, because “International companies do not have this extra hoop to jump through. Any (Indian) company that wants to serve an international audience is also at a disadvantage.” This is because international customers will not be able to use sites from Indian merchants unless they have the additional password.
Alternatives & Why Banks Went For Additional Passwords
“Last date we heard, less than 8% of the world is enrolled in any of these programs,” Bhatt said, referring to Verified by Visa and Mastercard Secure. “In the US, merchants are provided with a variety of fraud control measures like billing address verification, date of birth verification; obviously, the banks have this information.” Bhatt said that the biggest processors of transactions online – Amazon and iTunes – do not support the additional password.
“There could be other ways, but the banks have chosen to go with the method that involved the least amount of work for them. The existing gateways and the APIs don’t process these fields right now, so they will have to reverse integrate with wherever that information sits in their system to ensure that an additional field is provided to the gateways.”
Impact On WAP?
Bhatt wonders how this will work on WAP, because this additional layer of security involves a redirection to the bank sites: do mobile browsers support those redirects?
Does It Really Reduce The Risk Of Fraud?
This norm doesn’t stop people using Indian credit cards from purchasing at international websites, so it doesn’t really reduce the risk of fraud. The extra layer of verification is only required at Indian merchants, and a stolen card can still be used to purchase internationally.
Our Take: Instead of making things easier for those looking to transact online, things have only become tougher. I initially learned about this new requirement because I was unable to book a flight ticket via an airlines website last month, and eventually went back to Cleartrip to book. This looks like a disaster-in-waiting for the e-commerce and e-ticketing business in India.
Banks haven’t done anything so far to inform customers about having to register for Mastercard Secure or Verified by Visa, and it’s up to merchants to inform customers. Ticketing, clearly the most popular of e-commerce services, will be impacted most. Looks like cash-cards, as a mode of payment, will benefit most from this; at least on IRCTC, their success rate is substantially higher than those of credit cards. Maybe, with a decline in credit card transactions online, banks will start informing customers. Unless that happens, the merchants will struggle.

Comments
Now that VBV & MSC are going to be enforced upon the customer, what happens in case of a mobile transaction? Mobile transaction here could include txns done via J2ME application, IVR, SMS or USSD?
Andy, as mentioned in the circular, separate guidelines are going to be issued for IVR, but it looks like IVR will be the way to go for M-commerce. VBV and MSC look too restrictive, and as I found out while trying to book a ticket last month, significantly error prone.
Debit card payments aren't being processed properly either, and this appears to be a big blow for the fledgling e-commerce business. M-commerce hasn't even begun yet, imho, except bill payments maybe.
Nikhil, there's just one benefit of VBV/MSC for the merchant — the fraud liability shifts to the merchant bank. This should hopefully bring down the fraud losses for all Indian online merchants substantially. Theoretically, this should now be zero, but I'm sure some banks will still continue to ask lame questions as their VBV/MSC passwords, which can easily be guessed by fraudsters.
IRCTC has removed ICICI Bank payment gateway as an option for making payments. Is it related to these verification norms?
Given the fraud issues that sites are facing in India, this is actually an important step to make e-commerce viable. Yes, it adds an extra step, but it happens at a point where the funnel is virtually redundant. The only imperative at this point is that it should work seamlessly. I have used it in a couple of places in the past (when it was voluntary for merchants to implement), and I haven't really had a problem with it. Maybe the scale is creating a problem for Visa or Mastercard now, but I don't see this as a negative step. Security is an issue for online transactions, and this is a step towards making it at least marginally safer.
Sumant: the point is that it's probably better to have date of birth or address verification than an additional password to remember. Additional security is not a bad idea, but additional registration and having to note/remember a password will increase transaction failure.
Secondly, the banks appear to be doing a terrible job of informing customers – I tried to book a ticket 5-10 times, and couldn't figure out what was wrong with my card. Apparently, nothing was wrong with my card; only, ICICI had never told me about this extra password.
Address verification is also not easy to implement in India, because there is no standard addressing scheme — the same address can be entered by the same person in 10 different ways. Also, address/DOB verification can very easily be cracked by fraudsters. A LOT of people have these two data points freely available on the social networking profile pages.
All of this (new password, address verification, DOB verification, etc.) can be averted if the credit card companies simply stop printing the CVV at the back of the card and mail it separately! Why was a security code printed at the back of the card in the first place?
What VBV or MSC lacks today is a numeric password. The guidelines around these don't clearly mention the type of password a VBV or MSC password should be. If one comes to look at it, it should be as simple as an ATM PIN, which is numeric and 4 digits. However, each bank has its own way of implementing VBV/MSC: numeric, alphanumeric and variants. Seems like whilst RBI made these guidelines, they never thought such transactions could take place from mobile. It's time they knew that there are more GPRS users in the country than internet users. Hence, everything they do should also factor in mobile transactions, or else m-commerce will never take off in India. And m-commerce is not just IVR but GPRS, USSD and SMS.
Merchants like http://www.shoppersstop.com have had this feature pre-enabled as additional security for their customers.
Has it impacted their sales?
Not really. On the contrary, http://www.shoppersstop.com has an advantage now, since its customers are already used to such additional checks.
How would this work with the Mobile applications such as NGpay , irctc etc? It is difficult to direct to a wap page from a Wallet.
Hi guys, for IVR-based transactions, soon you will find a numeric passcode which will be separate from your current VBV & MCSC password, so if you want to do a transaction on IVR, get ready for additional passwords.
And believe my words, it's a very cumbersome process … and the merchant is not benefiting from the same, as banks put a threshold of 2.5% FTS, whereas acquiring banks force their merchants to reverse those transactions to avoid an FTS breach. It's a clear lose-lose situation for the merchant.
You said it ! CVV should be made secure, if needed the digits can be increased from 3
A step in the right pathway by RBI, but PG & bank readiness for the same, apart from the online segment, is almost zero & very slow to kick off. The huge frauds have the capacity to tumble your business cases on any platform, especially on emerging platforms such as m-commerce. (We as an organisation face the same every day, having an m-commerce application on all mobile platforms viz. WAP, client, SMS, USSD, IVR.)
RBI norms are applicable from 1st Aug; however, they kept IVR-based payments out of purview (with separate norms for the same mandated) & there is no distinguishing of m-commerce transactions. Banks & most PGs didn't work on a mobile-model integration of 3D Secure (VBV-MSC), or only now realise the non-adaptability of the same to the mobile commerce universe. (However, some process is now on with PGs to work on a model adaptive to mobile; still a little slow and late.)
Client apps like ngpay etc. will adversely get hit by the same if relaxation/clarity for the mobile implementation of 3D Secure is not provided by RBI soon. (Tough to work out a 3D Secure PG process integration within the Aug 1, 2009 deadline.)
However, there are some solutions we as an m-commerce app owner are working on with PGs and other partners (which includes our own mobile commerce apps and our alliance apps like ngpay, mChek etc.). Challenging. Any next steps you guys are initiating for client/USSD solutions for VBV-MSC in the CURRENT scenario of PG state?
Regards
Ankur Dubey
Mobility
MakeMyTrip I. Pvt. Ltd.
Not only is it difficult to launch a WAP page from a client/wallet environment, but other issues such as return mapping for the transaction you kicked off are a tricky matter. Also, page porting and browser support issues are always there, as the bank's 2nd verification page is currently not adapted for mobile.
R`s
Ankur D
Mobility
MMT
Are you sure this will not impact the ability of Indian credit card holders to make online purchases with international merchants? For example, if an Indian card holder wants to buy books from Amazon.com, he or she will still continue to be able to do so after 1 August 2009 WITHOUT using this additional securecode?
Thanks and regards,
Sanjeev
I think handling issues with international non-VBV/Mastercard Secure verified cardholders buying on Indian sites are trickier than Indian card users buying outside (a non-3D Secure environment, as the PG won't request the 2nd verification).
But clarity on handling is expected soon from banks. It's their card usage that's also gonna take a hit!!
Your thoughts?
RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive. Before the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems.
Just google “verified by visa 2009” or go to this link: http://www.boingboing.net/2009/03/28/verified-by-...
VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.
On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.
One would think that with the liability shift of fraudulent online payments from merchant to issuing banks, all online merchants in the world would have implemented VBV and/or UCAF/SPA. Since anyone with half a brain knows that these systems do not secure cardholders but actually add another step to the shopping and payment experience, most online merchants have held off implementing VBV and UCAF/SPA. Yes, some cardholders might get turned off by an online merchant that has implemented VBV and go to an international online merchant that does not require this extra authentication step.
To prevent phishing, most banks are now personalizing the 3D Secure authentication screen as part of their 3D Secure registration process.
Although I do agree that RBI has not mandated 3D Secure per se. It has just asked for authentication info which is not printed on the card. American Express, for example, is using its Address Verification System (AVS) to comply with this regulation.
I still don't understand why the card ATM PIN can't be the extra layer of authentication. Scrap the CVV and just ask the fellow to enter his ATM PIN. Right now there are FIVE pieces of information (card#, expiry date, CVV, 3d-secure password, and ATM PIN) a person has to remember if he/she wants to use the card through all possible transaction channels.
No amount of personalisation can prevent phishing or man-in-the-middle or man-in-the-browser attacks.
Also, like I said, fraudsters can just collaborate with one another and pay using the static credentials needed for VBV or UCAF/SPA.
It would be a huge mistake to use the static ATM PIN as the extra layer of authentication. It is always a mistake to use static pin-codes or static pass-words.
I was under the impression that a person can change the ATM PIN easily. Is that no longer the case?
Not as easily as you seem to think. Obviously this static pin-code will have to be registered with the issuing bank so that each card transaction (ATM and over the floor limit card payments) that require the pin-code will be validated by the issuing bank.
A change in ATM PIN usually requires 1) a visit to the bank, 2) changing of the ATM pin-code 3) the issuing bank's system to take in the new pin-code.
Can't a web-based system to change the ATM-PIN be developed? If I put my ATM card into a machine operating by a bank other than the issuing bank, does it contact the issuing bank for verifying against the latest PIN?
It would be foolish to introduce a web-based system to change the ATM-PIN and would most likely not be PCI-DSS compliant nor would the major card schemes allow it.
Yes, the pin-code is captured by the ATM's HSM, transformed and wrapped using the ATM's HSM's network key, and then passed on until it is received by the issuing bank's authorization system.
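The comment above describes the PIN's path: captured and encrypted at the ATM, re-wrapped at the switch, and decrypted only at the issuer. As an added example that is not part of the original thread (and not any bank's, switch's or HSM vendor's code), the Go program below models that path with the standard library's 3DES: it forms an ISO 9564-1 format 0 PIN block, encrypts it under a terminal PIN key (TPK) as the ATM's encrypting PIN pad does, translates it at the switch to the issuer's zone PIN key (ZPK) without handing the clear block to application code, and verifies it at the issuer. The PAN, PIN and keys are constructed sample values, the function names are mine, and the issuer-side check is simplified to a constant-time PIN comparison where a real issuer HSM would verify a PIN verification value (PVV) or PIN offset.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField: 0000 followed by the 12 rightmost PAN digits, excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatPINBlock builds an ISO 9564-1 format 0 block: PIN field (0, length nibble, digits, F padding) XOR PAN field.
func FormatPINBlock(pin, pan string) (blk [8]byte, err error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return blk, errors.New("PIN must be 4 to 12 digits")
	}
	qf, err := panField(pan)
	if err != nil {
		return blk, err
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	for i := range blk {
		blk[i] = pf[i] ^ qf[i]
	}
	return blk, nil
}

// DecodePINBlock reverses FormatPINBlock; a block decrypted under the wrong
// key, or paired with the wrong PAN, fails these layout checks.
func DecodePINBlock(blk [8]byte, pan string) (string, error) {
	qf, err := panField(pan)
	if err != nil {
		return "", err
	}
	for i := range blk { // blk is a copy; the XOR recovers the PIN field
		blk[i] ^= qf[i]
	}
	s, n := fmt.Sprintf("%X", blk), int(blk[0]&0x0f)
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return s[2 : 2+n], nil
}

// tdesBlock runs one 3DES block operation; a double-length (16-byte) key is used as K1K2K1.
func tdesBlock(key []byte, in [8]byte, decrypt bool) (out [8]byte, err error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key) // rejects anything but a 24-byte key
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// EncryptPINBlock is what the ATM's encrypting PIN pad does, under the TPK.
func EncryptPINBlock(tpk []byte, clear [8]byte) ([8]byte, error) { return tdesBlock(tpk, clear, false) }

// TranslatePINBlock is the switch HSM's job: decrypt under the inbound key and re-encrypt
// under the outbound zone key in one call, so the clear block never leaves the HSM boundary.
func TranslatePINBlock(fromKey, toKey []byte, enc [8]byte) ([8]byte, error) {
	clear, err := tdesBlock(fromKey, enc, true)
	if err != nil {
		return [8]byte{}, err
	}
	return EncryptPINBlock(toKey, clear)
}

// IssuerVerify decrypts under the ZPK and compares in constant time (a real issuer HSM checks a PVV or PIN offset instead).
func IssuerVerify(zpk []byte, enc [8]byte, pan, expectedPIN string) bool {
	clear, err := tdesBlock(zpk, enc, true)
	if err != nil {
		return false
	}
	pin, err := DecodePINBlock(clear, pan)
	return err == nil && subtle.ConstantTimeCompare([]byte(pin), []byte(expectedPIN)) == 1
}

func main() {
	pan, pin := "4111111111111111", "1234"                              // constructed sample, not real card data
	tpk, zpk := []byte("0123456789ABCDEF"), []byte("FEDCBA9876543210") // constructed demo keys; real ones never leave an HSM
	clear, _ := FormatPINBlock(pin, pan)
	atATM, _ := EncryptPINBlock(tpk, clear)           // encrypted under TPK as it leaves the ATM
	atIssuer, _ := TranslatePINBlock(tpk, zpk, atATM) // switch HSM re-wraps it under the ZPK
	fmt.Printf("clear=%X tpk=%X zpk=%X verified=%v\n", clear, atATM, atIssuer, IssuerVerify(zpk, atIssuer, pan, pin))
}
```

The clear block is printed only because this is a demonstration; in production it exists only inside the tamper-resistant PIN pad and the HSMs, and each hop decrypts and re-encrypts inside hardware rather than exposing it to application code. That boundary is also what a web form for an ATM PIN, as proposed a few comments up, would not have.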
It surprises me that India, the world’s technical resource, would copy the errors made by Banks elsewhere in the world that tried introducing VBV or UCAF/SPA. It is relatively simple for anyone to do a google search on Verified by VISA and realize that it has not been successful in other parts of the world. At least banks in other parts of the world and online merchants were not mandated to implement these systems.
Be wary of mandated systems. A good security system never needs to be mandated.
Well, just wanted to mention that some credit card issuers like HDFC Bank started educating their customers about VBV/MSC over a year ago… just that most other issuers and merchants have started educating after the RBI mandate….!!
Hi 'Card Security expert', what then do you think is the right authentication measure for online transactions, if it's not VBV… considering the limited tech-savvy population in India?
USSD -two-way messaging may mitigate security problem, without having to go through additional password