A few months ago, I was discussing with an online payment platform company, issues related to piracy of reports that we intend to sell. We’re not doing print, so these will essentially be digital goods, so the ease of transfer-ability is significantly worrying. The platform service provider pointed towards something we hadn’t considered, and which, according to them, is a significant issue internationally: chargebacks.
Chargebacks are situations wherein customers claim that they never paid for the product, and in Card Not Present (CNP) situations such as online payments, it is difficult to prove for a merchant. The situation is worse in case of digital goods, since delivery of the product is immediate, and there is no way to recall a digital product, unless it is only being viewed within the confines of an online platform, behind a paywall. In that case, you are revoking access.
A comment made by Vishwas Patel, Founder of online payment gateway firm CC Avenue, on our post regarding RBI’s new online payment guidelines, reiterates that. He said:
Verified By Visa and MasterCard Securecode helps a merchant more than it causes concern. It effectively takes away the liability from the merchants heads of Chargeback for the reason of cardholder disputing of not having participated in the transaction. Just validating a transaction with 16 digits, Expiry date and 3 digit CVV numbers, that are so blatantly visible on any card, had given rise to a lot of fraud. Earlier, Merchants were not only losing money on chargebacks but also products as well as shipping charges coz of frauds. VBV / SC passwords are not printed anywhere on the card or not available on the track two data of the card’s magnetic strip. RBI had taken the right progressive step of mandating it. Many countries like China and France has also mimicked RBI actions and have made it compulsory.
Another reader pointed us towards a comment on an old post, where Cleartrip co-founder Hrush Bhatt had highlighted the negative impact of One Time Password on their business. The comment:
Hrush, most big Indian e-commerce websites including yours probably have a dedicated team which just handles the payment processing on a daily basis. This team would probably handle the risk aspect for you as well. But not every merchant can afford to do it manually. Secondly, Ticket Delivery exposure is probably a non-issue for you, since the acquiring bank does not risk Cleartrip going bust anytime soon. But think of small travel websites which are selling these tickets. Without two factor authentication, they would be asked to put deposits just to accept payments for air tickets. Thirdly, for digital goods, even Paypal does not offer seller protection whereas VBV/Securecode does because you can deal and reason directly with the bank.
The whole VBV/SecureCode regime may not be optimal in terms of implementation, but the concept is surely needed esp for small merchants. Please give some credit where it is due before dismissing it outright.
Essentially, the customer cannot deny being present when using the 2 factor authentication (2FA) system. For digital goods, this is even more significant. While there might be other, easier, ways of validating this, I don’t think we should dismiss merchant concerns by taking into account only ease of use for the customer, and ignoring challenges that a card-only method poses.
One point I do agree with, though, is that it should be up to the merchant to decide whether it wants to risk a single factor payment system, and 2FA should not be mandatory. It creates a competitive system wherein all merchants are forced to improve their own fraud prevention capabilities, and allows for innovation. Banks are currently stifling innovation by not looking at 2FA methods beyond VBV / 3D Secure or OTP. That needs to change.
Patel’s second point related to taxation also bears reading:
Taxation: International MNC’s and portals love doing business with 1 billion+ Indians and making money out of them but don’t like the idea of paying taxes to the Indian Government. All these international merchants were using international PG’s not to bypass the additional authentication BUT to avoid paying the taxes generated from income doing business in India from Indians. They want to do business out of some tax free island, and get a price competitive advantage over our Indian tax paying merchants. Our RBI keeps a tab on such practicess of avoiding Corporate tax, service tax on comissions etc by these international merchants. Earlier RBI acted against international airlines also who were doing business in India but getting settlements abroad so as to avoid paying tax. See RBI Notification against airlines: