Over the past couple of months, a number of websites and services have started to offer recurring payments on cards. For example, Business Standard, which recently took some of its stories behind a paywall, asks readers to purchase a monthly or yearly subscription, and has been billing them each month without asking for a second factor of authentication (such as a one-time password or a 3D Secure password) as mandated by the Reserve Bank of India (RBI). Others include STAR TV’s Hotstar and Ola Money auto-recharge.

Why recurring billing is important

This is a significant change for the payments ecosystem in India: typically, many global digital services (such as news subscriptions for the Financial Times, video services like Netflix and BoxTV, email marketing services like MailChimp and software-as-a-service tools such as VWO) charge user credit cards on a monthly basis. In India, this has historically not been done because of the second factor of authentication requirement, which adds a layer of friction to the transaction: users end up thinking again about whether they really need the service, or they deprioritize the decision to make the payment and hence drop out. With that layer of friction now potentially missing, online businesses can bill more easily.

How recurring billing is being processed for Business Standard

Pankaj Dedhia, senior marketing manager at CCAvenue, the payment gateway aggregator which is processing Business Standard’s subscription payments, told MediaNama that these recurring payments are only available on credit cards and not debit cards, and will work with both a 3D Secure password (Verified by Visa or MasterCard SecureCode) and an OTP.

While performing a recurring billing transaction, the customer has to give consent before making the payment, authorizing the merchant to charge the card as per the subscription plan. The first transaction is processed with two-factor authentication (2FA).


CCAvenue will not store the 3D Secure password for future recurring payments. For subsequent payments, the merchant (Business Standard in this case) will send a request to CCAvenue, which will pass the request to the bank, in a batch or via an API, for processing in the back end. Dedhia added that customers will get a message informing them that the transaction was processed without the need to enter a second password.

At no point is the customer’s 3D Secure password or OTP stored on the payment gateway, as these details are entered on the bank’s 3D Secure page. The ECI indicator of the successful transaction is stored, and will be used to represent the transaction if the customer denies the charge and disputes having given authorization.
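The flow described above, sketched as an added example (not CCAvenue's code or API): a gateway-side mandate record that keeps only consent and the first transaction's ECI, never the OTP or password, and marks later merchant-initiated charges as unauthenticated. All names are hypothetical; the "fully authenticated" ECI values (05 for Visa, 02 for MasterCard) are the card schemes' convention rather than something stated here, and the amount check is an assumed reading of "as per the subscription plan".

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: scheme convention for a fully authenticated 3D Secure result.
AUTHENTICATED_ECI = {"visa": "05", "mastercard": "02"}


@dataclass
class Mandate:
    """What the gateway retains after the first, 2FA-authenticated payment."""
    card_token: str            # constructed token, never the card number
    scheme: str
    plan_amount_paise: int
    consent_given: bool
    eci: str                   # 3D Secure outcome of the first transaction
    created_at: datetime
    charges: list = field(default_factory=list)


def open_mandate(card_token, scheme, card_type, plan_amount_paise, consent_given, eci):
    """Create a mandate only if the first payment met every precondition."""
    if card_type != "credit":
        raise ValueError("recurring billing is offered on credit cards only")
    if not consent_given:
        raise ValueError("customer consent to the subscription plan is required")
    if AUTHENTICATED_ECI.get(scheme) != eci:
        raise ValueError("first transaction was not fully authenticated")
    return Mandate(card_token, scheme, plan_amount_paise, consent_given, eci,
                   datetime.now(timezone.utc))


def recurring_charge(mandate, amount_paise):
    """Merchant-initiated charge: no OTP or password is collected, so the
    request must match the plan (assumed check) and the customer is notified."""
    if amount_paise != mandate.plan_amount_paise:
        raise ValueError("amount differs from the plan the customer consented to")
    record = {"amount_paise": amount_paise, "authenticated": False,
              "notify_customer": True, "at": datetime.now(timezone.utc)}
    mandate.charges.append(record)
    return record


def dispute_evidence(mandate):
    """What the gateway can present if the customer disputes authorization."""
    return {"consent_given": mandate.consent_given,
            "first_txn_eci": mandate.eci,
            "mandate_created": mandate.created_at.isoformat(),
            "charges": len(mandate.charges)}
```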

These payments are processed through standing instructions left with the bank. We were unable to find an RBI circular clarifying this. We have written to CCAvenue and the RBI to clarify this and will update once we hear from them.

Sample message sent by the issuing bank: 

“Your trx is debited to ABC Bank CREDIT Card for Rs. 226.86 in MUMBAI at Merchant Name on 2015-11-29:00:30:05.This is not an authenticated trx as per RBI Mandate effective 1 May 12.”

Recurring payments with standing instructions were mentioned in December 2010, and a follow-up notification in 2012 stated that:

“In case of customer complaint regarding issues, if any, arising out of transactions effected without the additional factor of authentication after the stipulated date, the issuer bank shall reimburse the loss to the customer further without demur.”

So it is possible that the merchant or the payment gateway has taken on the liability for any potential dispute arising from the delivery of digital services, and that the issuing banks are allowing this process for that reason.

Why is it only for credit cards?

Dedhia said that recurring payments are right now only on credit cards and not on debit cards, and that this might be because of the scale of potential liability related to debit cards, which the issuing banks may not allow. “Credit cards have a limit and beyond that customers can’t use them. And as such they are sort of a virtual currency. But transactions on debit cards are still hard earned cash in bank accounts,” he added.

‘OTP is still more secure’

Dedhia is of the opinion that OTPs sent by banks for digital transactions are more secure as they are dynamic and their validity expires after a certain period of time. In contrast, 3D Secure passwords are static and do not change. If a customer’s 3D Secure password is compromised, then funds can be easily drawn out without the customer’s consent.

UPI is still more elegant for recurring payments

Although cards are more prevalent in digital transactions in India, the Unified Payments Interface (UPI) is a lot smoother for recurring payments as it allows pull-based transactions. A merchant has to initiate a transaction on their end to collect a recurring payment, and the customer merely has to authenticate the transaction with an m-PIN.

This has the following benefits:

– The customer has control over the transaction rather than the bank or the merchant. Hence the customer is informed when a transaction is done.
– In recurring payments on cards, a customer may be billed for purchases he did not authorize and is informed about it only after the transaction is complete. On the UPI, the customer will have the ability to deny a pull-based transaction.
– The UPI will be interoperable across all banks on the platform, whereas there may be a few banks that do not wish to offer recurring payments on cards and cannot process them in their back end.
– Recurring payments on cards are only available to credit card holders while recurring payments on UPI will be for any account holder whose bank is a part of the UPI.

Update: The post was updated with some clarifications sent in by CCAvenue