Home » , , ,

New RBI restrictions may impact your international online purchases

Share on Facebook0Tweet about this on TwitterShare on LinkedIn24Email this to someone

Update: There appears to be some disagreement on the nature of these restrictions, about whether they impact purchases only made in India, or they impact all purchases made using Indian cards in India (in which case, all transactions using Indian cards will have to be in INR). A different reading of the notice here, at Capital Mind. So, this either means that you’ll find it difficult to make international purchases (which is how we read it), or that purchases of Indian apps in India will have to have to be payment gateways.

Meru Cabs: usage of foreign payment gateways violated RBI guidelines, FEMA rules
Uber may still be able to use a foreign payment gateway in India – Arkay & Arkay

Earlier: The Reserve Bank of India yesterday mandated that entities that route online billing internationally, for goods and services purchased online using Indian cards, need to include a second factor of authentication, and route transactions through a bank in India. Services such a Uber, Amazon, Google Play, Apple App Store, international e-commerce stores like Alibaba, among others, were side-stepping norms applicable for Indian payment gateways. This directive has come into place already, but existing services have till October 31st, 2014 to comply with these instructions.

This is an issue which MediaNama had flagged in December 2012, but was taken up by the only recently after Indian cab services such as Meru complained about a lack of parity to the RBI.


The RBI has pointed towards a cash outflow to foreign banks, and while mandating that such transactions should be settled in Indian currency only, said that

“Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.”

Our Take

1. Negative for Indian buyers of foreign goods and services, and foreign merchants: If an international merchant that you want to purchase goods from online doesn’t tie up with an Indian payment gateway, it could mean that you will not be able to make a purchase. These regulations are applicable to app stores as well.  This means that paying for an app on the Apple App Store or Google Play will mean a redirection to a second factor of authentication through buggy Indian bank payment gateways, if the customer is buying from India. Online purchases are often impulsive, and while a second factor of authentication means that more customers will drop off, a failure to close the transaction because of buggy payment gateways means that there will be an impact. Effectively:

Foreign buyer : Indian Seller = No impact
Indian buyer : Foreign Seller = Impact. Customers routed through Indian bank payment gateway.*
Indian buyer : Indian Seller = Impact. Customers routed through Indian bank payment gateway.

2. More business for Indian payment gateways and banks*: To cater to the Indian market, all merchants will have to route transactions through Indian payment gateways. We hope bank gateways are able to handle the additional traffic, and don’t IRCTC on customers.

3. Parity doesn’t necessarily mean you shackle everyone: Taking cue from IAMAI President Subho Ray’s great talk at a TRAI seminar on Internet Services regulation, while we agree there should be parity among different merchants, it doesn’t mean that everyone is brought down to the same level of restrictions. Instead, the RBI should liberalise payments processes, and make it easier for willing customers to make payments in card-not-present scenarios. Sadly, the RBI can’t do away with the 2 factor authentication, because, at least according to what one RBI representative said at a conference when I had asked him, it is mandated by law. (correct us if this isn’t true, please)

4. Why only VBV, 3D Secure or OTP? One of the major problems regarding card not present transactions, at least, based on what payment gateways and merchants have told us, is the buggy implementation of 3D Secure and Verified By Visa gateways, and difficulty in using One Time Password. There are alternatives, frankly, and the RBI would help boost commerce transactions by pushing for other factors of authentication. One easy alternative is the missed call system, where a customer can call a particular number from a card-registered mobile to authenticate the transaction. Companies like Zipdial and Netcore are already in a position to provide this service, as do many others.

*Update: In case of  Indian Buyer: Foreign Seller:

There appears to some valid disagreement (see this) about whether this will impact transactions on app stores and foreign goods. Our reading is that it will. Point 5 in the RBI notification states:

It is further advised that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.

Our take is that a purchase of goods online made from within India, is a situation where the goods and services are being provided within India. The Internet consumed in India is being provided within India. Secondly, in terms of the wording, the phrase “It is further advised” indicates that this clause is over and above everything else, and relates to a settlement process, which, since is mandated in Indian currency, means that the 2 factor authentication and Indian banks will come into play.

In addition, an earlier part of the notification states:

A reference is also invited to our circular RBI / DPSS No.914/02.14.003/2010-2011 dated October 25, 2010 on the subject, clarifying the applicability of the above directives on the nature of card not present transactions. It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated

This contradicts our assessment (explained above), wherein for foreign goods (and apps), there will be foreign exchange outgo contemplated.

What do you think?

Share on Facebook0Tweet about this on TwitterShare on LinkedIn24Email this to someone
  • unwire

    How will it impact on international credit card payments companies do towards servers / data centers AND google or FB payments for advertising.

  • This is really bad!! I wonder why everyone is forced into this. This should be opt-in instead of mandatory. Those who are paranoid can opt in. Or even make it default opt-in for everyone!!

  • IndiaNama

    The other shoe drops. I’ve said it before and I’ll say it again, the RBI board members have their heads firmly up their behinds. Bunch of old women quivering scared that somebody will steal their mangal sutrams. They need to provide some justification for this–for example, what is the of India’s paltry 20 million credit cards are used fraudulently?

    I’m curious how they can force a foreign merchant to comply with this? There are hundreds, if not thousands, of online retailers outside India.

    • bdutta

      Can’t say this for everybody, but lack of 2-factor authentication when doing international transcation using international PG’s is a matter of concern to me. I’ve had my card misused in fraudulent (leaky bucket skimming) transaction, and had to fight a rather painful and wasteful battle with bank to get the problem fixed, and charges to my cards reversed. While the link was never established solidly, but I have a strong suspicion of my card details being stolen while making payments either to Paypal or DX.com, just by correlation of events and their timing. This is of course anecdotal, but unless one has had a loss/trouble of somekind, they are unlikely to appreciate the security measures.

  • Vishwas Patel


    Two points:-

    1) Security: Verified By Visa and MasterCard Securecode helps a merchant more than it causes concern. It effectively takes away the liability from the merchants heads of Chargeback for the reason of cardholder disputing of not having participated in the transaction. Just validating a transaction with 16 digits, Expiry date and 3 digit CVV numbers that are so blatently visible on any card had given rise to a lot of fraud. Earlier, Merchants were not only losing money on chargebacks but also products as well as shipping charges coz of frauds. VBV / SC passwords are not printed anywhere on the card or not available on the track two data of the card’s magnetic stripe. RBI had taken the right progressive step of mandating it. Many countries like China and France has also mimicked RBI actions and have made it complulsory.

    2) Taxation: International MNC’s and portals love doing business with 1 billion + Indians and making money out of them but dont like the idea of paying taxes to the Indian Government. All these international merchants were using international PG’s not to bypass the additional authentication BUT to avoid paying the taxes generated from income doing business in India from Indians. They want to do business out of some tax free island and get a price competitive advantage over our Indian tax paying merchants. Our RBI keeps a tab on such practicess of avoiding Corporate tax, service tax on comissions etc by these international merchants. Earlier RBI acted against international airlines also who were doing business in India but getting settlements abroad so as to avoid paying tax. See RBI Notification against airlines:



    • IndiaNama

      Do you have any evidence of the fraud, the amount that was lost, anything?

      International MNCs are not doing business with 1 billion+ Indians. Get real. It’s more like 10 million Indians.

      • bdutta

        They’d love to do business with 1B+ indians… and hope to get there some day, but 10M+ isn’t a bad figure.. is it ?

        • IndiaNama

          Yes it is a piss-poor figure. It’s more than a blip, but it’s not much. Anyway my response was to counter the hyperbolic 1 billion figure, which completely distorts the argument.

  • IndiaNama

    The RBI notification says, “where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India).” Is Apple an Indian merchant/provider? If it is selling content on the Internet, is that sale taking place in India?

    Uber may not be able to avoid this. I took an Uber ride the other day, and was once again exultant at how hassle-free it was. Trust the paternalistic geezers at the RBI to screw that up. Ironic that this comes on the heels of the news that Uber is expanding in India.

  • Harry

    Fuck you RBI & Fuck you Meru cabs! Boycott Meru Cabs. These are the assholes who complanied to RBI…

  • Pallav

    there should not be a significant problem for service providers. Our take here http://t.co/KjAROOhJSq

  • acc

    That’s bullshit. What about hosting services we purchase? Most of hosting provider don’t have Indian gateway and they have international gateway. I guess only few of them would be ready to purchase Indian gateway if they have number of customers in India.

    This implementation would restrict many things. It would increase cost at end user also. Indian buyers would have burden of foreign exchange rates and now, merchant will also add some kind of convenience charge for additional payment gateway.

    RBI is trying to stop outflow money from India, but each buyer has a limit to spend not more than 50k average. That wouldn’t hurt compare to swiss bank black money.

  • bdutta

    Those calling Meru cabs name, please note that Meru cabs was suffering from lack of level playing field, so has every right to complain. Having said that, I’ve no love lost for Meru cabs… They just failed to keep up with the changing times and competition. I no longer use their service. Foreign companies using legal loopholes to beat the shit of of local companies needs to be fixed. The consumers will see some short-term pains of the transition. In the end, given everything else equal, I do not mind if the better service wins, even if it is a foreign company. Here the case was, not everything was equal. Payment, or lack of “good/convenient” options was a “pain” for some players.

    Finally, however, this seems like a retrogressive step, but is perhaps one of the side-effects of (in part, due to), the need to curb credit-card fraud. There is no one-size-fits-all solution to curbing the card-fraud menace. International transactions are even more susceptible to such frauds. Giving consumer/user the choice to take risk, is a logistic/administrative nightmare, since it is very hard to establish a trail-back, to say exactly which transaction led to a security breach, was it even card-user’s own fault etc.

    However, RBI must keep the landscape of international / global ecommerce in mind, and the benefits of Indian consumers in mind, while framing the policies, and should try to find a solution to legitimate use-cases, which are actually the large majority.

  • Felix Joy

    Why did they came up with the second authentication system, which is more troublesome for the consumers. It will mark the decline of onlne shoppers because of the troublesome and hectic process. Forget about the MNC’s there are also several Indian companies offering products, the new idiotic system will also mark less sales for Indian companies. This is not 1990’s, It is so shameful that RBI opts such measures in this era of online payments.

  • Felix Joy

    Why did they come up with the second authentication system, which is more troublesome for the consumers. It will mark the decline of online consumers because of the troublesome and hectic process. Forget about the MNC’s there are also several Indian companies offering products, the new idiotic system will also mark less sales for Indian companies. This is not 1990’s, It is so shameful that RBI opts such measures in this era of online payments.