Banks Test One Time Password For Tele Payments In India; RBI Extends Deadline

Update: Airline GoAir sent the following message to its customers (I received one):

“As per the new guideline of Reserve Bank of India, all GoAir customers making Credit/Debit card payments through our call center w.e.f. 01st January 2011 will need to have an OTP (One Time Password) which is mandatory.

We request you to contact your card issuing bank for further details on OTP to ensure hassle free card transactions on GoAir call center.”

Jan 3rd 2011: The Reserve Bank of India has extended the deadline for use of an additional security measure for authentication for all credit and debit card payment transactions made on IVR (interactive voice response) systems, from 1st January 2011 to 31st January 2011. According to RBI, this is keeping in view requests made by banks and other stake holders to test the new authentication system in a live scenario, parallel to the existing one. Thus, until the end of January, IVR based mobile transactions will be allowed to through even if the additional authentication factor fails. Read the original RBI circular on the additional factor of authentication issued in April 2010.

Although, after RBI guidelines in 2009, online transactions required an additional alpha-numeric 3D Secure password after entering the card details, for IVR systems it was not possible to use the same password as it contained alphabetic characters. To overcome this problem, a 6 digit OTP or One Time Password was devised by banks. Also, since the IVR system cannot redirect to the issuing bank’s IVR as it happens in online transactions, the bank can directly send the code to the customer upon his request.

Generating An OTP

In a post, Abhishek Rajan, head of Mobile Commerce Business at One97 Communications* explains how customers have to use the OTP: The customer needs to send an SMS to his bank’s designated shortcode/number:

The body of this SMS will contain a keyword and the last 4 digits of his credit/debit card number. For example: a Citibank customer needs to send an SMS ‘OTP XXXX’ to 52484 to get his OTP, where XXXX are the last 4 digits of the card number. The user will receive a password that is valid for a designated period of time, and can be used for one transaction. In case the customer forgets to generate his OTP before the transaction, his bank will automatically send him one after he enters his card details on the IVR. The OTP expires after one use even if the transaction fails. The validity period of the OTP, as per Rajan, varies from bank to bank:

– Axis Bank: OTP will be sent by SMS automatically after you have entered Card details on IVR
– Citibank: SMS ‘OTP XXXX’ to 52484 or 9880752484 (OTP valid for 30 minutes)
– HDFC Bank: SMS ‘PWD XXXX’ to 9717465555 (OTP valid for 2 hours)
– ICICI Bank: SMS ‘IOTP 16-digit card number’ to 5676766 (OTP valid for 24 hours)
– State Bank of India: SMS ‘OTP XXXX’ to 5676791 (OTP valid for 12 hours)
– Standard Chartered Bank: Online registration process (OTP valid for 24 hours)

Rajan believes that customers would be saved from the hassle of remembering another password as a new OTP will be generated for every new transaction, and that OTP will allow debit card users to use IVR for payments.

What This Means For Customers?

Customers will need to generate the OTP before every IVR based transaction through the mobile number that is registered with the bank. In case of multiple SIM users (of which there are many in India), it means that the user can use only one specific registered mobile phone.
If the customer forgets to generate an OTP before the transaction, the bank will send him the OTP on his registered number through SMS. This would mean he’ll need to checkhis message inbox while he’s on that call, which is not a very userfriendly proposition. If the call gets disconnected in the process,he will have to start the transaction from scratch.
The SMS might also be a premiumnumber short code, which means the user will incur additional expense while trying to generate the OTP.
Different banks have different keywords, shortcuts and validity periods for the OTP, which is complicated for the customer to remember
A separate OTP will have to be generated for each transaction. This is a tedious process, and the more the number of steps (and time) between intent to buy and the completion of the transaction, the greater the chances of the transaction not being completed.

Nikhil adds: If you’re going from shop to shop, and trying to pay using the mobile, you’re much better off using a credit/debit card or cash: the complexity around mobile payments – with the user having to remember card details, expiry date, CVV and now an OTP means that IVR based mobile payments will be restricted to purchases made on the mobile Internet/App or online space, and won’t replace credit cards or cash, the way Near Field Communications can.

The dismal state of mobile commerce in the country was highlighted by RBI Deputy Governor Shyamala Gopinath last year, with just 0.887 million mobile banking customers at the end of September 30th 2010, and 0.49 million transactions of value Rs. 44 crores.

* Disclosure: One97 Communications is an advertiser with MediaNama

Kapil

The current suggested and to-be implemented procedures are absolutely impractical and totally screws the whole convenience of making a mobile transaction. It makes the whole experience pretty harassing. The major ones I feel are:
1. Sending OTP request on premium no. leads to additional cost of Rs. 3 or 2 (depending on the network) per transaction.
2. If the transaction fails, the above cost is incerred again.
3. It increases the time in completing a transaction and in the meanwhile the movies / train tickets may get sold out on the holidays (because people booking from internet will complete the transaction fast).
4. SMS delivery times are often unreliable. So your transaction may get timed out before you receive the sms.

I think the best solution can be a security card like ICICI Bank issues to its B2 (branchfree banking) customers. With a grid of 16 nos. the system can ask password in 16*15=240 different ways. If anybody has seen it, he would surely agree with me. One can always keep that card handy instead of wasting time and money on SMSes.
Khan

The current suggested and to-be implemented procedures are absolutely impractical and totally screws the whole convenience of making a mobile transaction. It makes the whole experience pretty harassing. The major ones I feel are:
1. Sending OTP request on premium no. leads to additional cost of Rs. 3 or 2 (depending on the network) per transaction.
2. If the transaction fails, the above cost is incerred again.
3. It increases the time in completing a transaction and in the meanwhile the movies / train tickets may get sold out on the holidays (because people booking from internet will complete the transaction fast).
4. SMS delivery times are often unreliable. So your transaction may get timed out before you receive the sms.

I think the best solution can be a security card like ICICI Bank issues to its B2 (branchfree banking) customers. With a grid of 16 nos. the system can ask password in 16*15=240 different ways. If anybody has seen it, he would surely agree with me. One can always keep that card handy instead of wasting time and money on SMSes.

Related Posts