Payment gateway PayU Biz has launched a new technology which will allow users to make payments via a single tap and still be compliant with the Reserve Bank of India’s regulation of two-factor authentication for all card payments.
Currently, for online transactions via cards, customers choose a saved card to complete payment and enter the CVV number along with an OTP sent to the customer’s mobile phone via SMS. PayU’s new technology removes the need to enter the CVV and auto-reads the OTP sent to the mobile phone, so the transaction can be completed with a single tap.
Speaking to MediaNama, PayU CEO Nitin Gupta said that the company has made sure that the new technology is PCI-DSS compliant (a set of norms to ensure card payments are secure and optimized). He added that the first factor of authentication is the 16-digit card number (that is usually saved) and the second factor of authentication is the OTP, which is sent to the mobile phone and auto-read by PayU’s gateway.
Gupta, however, declined to give details on how the company managed to work around entering the CVV and said that it is patent pending. “We have filed a patent on our technology which is compliant with two-factor authentication. This is also PCI-DSS compliant. We filed a global patent in the US because two-factor authentication is becoming increasingly mandatory in other countries as well. It is mandatory in SA and the UK and it is being made mandatory across Europe. With this we can take the technology to multiple countries,” he explained.
Gupta also said that PayU does not store customers’ CVV numbers, as doing so would violate PCI-DSS compliance.
Failure rate halved
PayU claims that the failure rate on card transactions has been halved to 15% from the earlier 30% with the new technology in place. The company also claims transaction time has been reduced from 88 seconds to 18 seconds.
In case a card transaction fails due to network issues, PayU says that it has a feature called Magic Retry which picks up the transaction from the point where it stopped.
Not across all platforms
However, PayU explained that the one-tap payments technology is limited to mobile phones running on the Android operating system. Gupta explained that the SMS auto-read feature for OTPs is not allowed on the iOS operating system and hence customers will have to enter the OTP manually.
Similarly for transactions on desktops, the CVV-less feature is enabled, but customers will have to manually enter the OTP sent on mobile phones.
While having one-tap payments will make transactions on mobile phones much easier, this seems to be a case of sacrificing security for convenience. If a phone is stolen, a thief can make multiple purchases easily, as PayU stores card details under saved cards and the OTP is auto-read. The only thing that would stop such a fraudulent transaction is the CVV number, which the gateway now also bypasses.
*Update: PayU informs us that in case a mobile phone is stolen, there is an option on the website to block transactions on a mobile phone. Still, fraudulent transactions can go through in a small time frame if these stories are anything to go by.