The Reserve Bank of India, in a notification issued yesterday, has reiterated its stand that an additional factor of authentication (sometimes referred to as the CVV2) is compulsory in case of all transactions made online, with credit and debit cards issued in India, for payments where there is no outflow of foreign exchange; this, it says, is irrespective of the payment gateway.
It appears that the notification was issued as a response to questions about whether one needs to have the CVV2 if using an overseas payment gateway; if true, it would made overseas payment gateways more favorable, since CVV2 can (we assume) lead to a reduction in completion of transactions.
The CVV2 mandate is not applicable for credit cards issued outside India, on Indian merchant sites either. However, the RBI does add that an additional authentication has been mandated for mobile payments via Interactive Voice Response (IVR) from January 01, 2011 onwards. Read that notification here
RBI Notice (source)
RBI / DPSS No.914/02.14.003/2010-2011
October 25, 2010
The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /.
District Central Co-operative Banks
Authorised card payment networks
Madam / Dear Sir
Credit/Debit Card transactions- Security Issues and Risk mitigation measures for Card Not Present Transactions.
We had vide our circular RBI/2008-2009/ 387, DPSS No. 1501 / 02.14.003 / 2008-2009, dated February 18, 2009, mandated that with effect from August 01, 2009, banks shall provide an “additional authentication/validation based on information not visible on the cards for all on-line card not present transactions”. (This mandate has been extended to all IVR transactions with effect from January 01, 2011, vide our circular RBI/2009-2010/420, DPSS No. 2303 / 02.14.003 / 2009-2010 April 23, 2010)
2. We have been receiving references regarding the applicability of this mandate for online transactions effected using cards issued by banks outside India on Indian merchant sites, and the use of Indian cards for transactions on foreign websites.
3. In this regard, it is clarified that the mandate shall apply to all transactions using cards issued in India, for payments on merchant site where no outflow of foreign exchange is contemplated. The linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.
4. The mandate is not presently applicable for use of cards issued outside India, on Indian merchant sites.
Chief General Manager