My bank called me when I tried to sign up for Netflix. I use a HDFC Bank debit card and had not set limits on for international payments. Netflix did mention that payments will be processed internationally and that foreign transaction fees apply.
I entered my card details, which included my card number and CVV code, a few minutes after my bank set my limits. However, Netflix seems to be violating the Reserve Bank of India’s guidelines for card not present transactions which mandates that there should be two-factor authentication for card payments online and that settlement of transactions should be made by an Indian bank.
I did not receive an one-time password on my phone and Netflix redirected me to this page which said that the payment was successful.
I also received a message on my phone that the payment was processed by Netflix in Amsterdam. Curiously, HDFC Bank’s representative who called me said that the payment to Netflix is being routed to a merchant in Singapore.
Users on Twitter had also spotted that Netflix was bypassing two-factor authentication.
Interesting. Netflix is processing payments outside of India. In USD. No 2FA. We know how this ends.
— Gautam John (@gkjohn) January 7, 2016
Previously, the RBI had mandated that entities that route online billing internationally, for goods and services purchased online using Indian cards, need to include a second factor of authentication, and route transactions through a bank in India.
Uber’s problems with two-factor authentication
Readers will remember that cab hailing service Uber had run into similar problems in 2014 and had to comply with RBI’s guidelines on card-not-present transactions and to tie up with mobile wallet Paytm to facilitate transactions in India. Uber has since resumed payments via cards in July 2015 and tied up with Delhi-based Zaakpay, a digital payments gateway, to enter a CVV and a one-time password received on their mobile phone to pay for the cab ride.
We’ve pointed out earlier that there is a lot of confusion on the nature of RBI’s two-factor authentication and foreign exchange rules. It is unclear whether these rules impact purchases only made in India, or they impact all purchases made using Indian cards in India (in which case, all transactions using Indian cards will have to be in INR). Many users have pointed out that purchases made on Amazon.com, gaming marketplace Steam and other international websites do not go through two-factor authentication and it remains to be seen how the RBI will handle this situation. Netflix should have done its homework on this front and taken lessons from Uber on how to enter the Indian market.