Understanding the RBI’s removal of 2FA for transactions under Rs 2,000


Card payment companies have finally got what they’ve been asking for: to boost online transactions through cards, the Reserve Bank of India (RBI) has removed the additional factor of authentication (AFA) for payments up to Rs 2,000. However, under this model, card-issuing banks will have to offer the “payment authentication solutions” of the respective card networks to their customers on an optional basis.

Customers opting for this facility will go through a one-time registration process requiring entry of card details, etc. and AFA by the issuing bank. Thereafter, the registered customers will not be required to re-enter the card details for every transaction at merchant locations that offer this solution.

In this model, the card details already registered would be the first factor of authentication. The credentials used to login to the solution (as confirmed by the card network providing the solution) would be the additional factor of authentication.

MasterCard has a payment authentication solution in the form of MasterCard SecureCode, while Visa has a similar offering via Visa Checkout. There is no word from RuPay regarding such a service yet.

However, it is unclear whether a customer will always remain logged into these payment authentication solutions or whether they will have to enter a password to authenticate each transaction. We have contacted MasterCard and several banks regarding this and will update once we hear from them.


Does this mean there can be an auto-debit from a card?

Many international online services, such as Netflix, allow auto-debit without a second factor of authentication because they use a foreign payment gateway and do not have to comply with Indian norms. The changed norms announced by the RBI do not mean that the same option will work for Indian payment gateways. So, for example, customers will still have to enter their three-digit CVV number to pay for a ride on Uber. The RBI’s new rule only eliminates the need to enter the OTP sent by a bank to authenticate a transaction, or the use of Verified by Visa or 3D Secure.

Note that the payment gateway PayU Biz has a solution which will process card payments without requiring the customer to enter their CVV number. Under the PCI-DSS rules (a set of international compliance norms), CVV numbers cannot be stored by a payment gateway. PayU said that it does not store customers’ CVV numbers, but declined to give details on how the company manages to work around entering the CVV, saying that the method is patent pending.

How it worked earlier

Earlier, to process a card-not-present transaction, these were the steps a customer had to go through:

– Enter card details, if they are not already stored by the service.
– Enter the CVV number.
– To process the checkout, the payment gateway would route the customer to the bank’s page, where an OTP would be generated by the bank. Otherwise, the customer would need to enter a password which would be authenticated by a card network such as Visa or MasterCard.
– The customer would then be redirected to the merchant’s page to get a confirmation.


MediaNama’s take

1. A prudent approach: The RBI seems to have taken a prudent approach which, at the moment, seems to appease all the parties involved. Customers will be happy as this is an opt-in approach and online merchants will have to take explicit consent.

2. CVV is the customer’s only line of defence in this mechanism

Remember that 2FA is based on the following security principle:

– First factor of authentication is what a customer has (card number)
– Second factor of authentication is what a customer knows (in this case, a password)

Many websites and mobile services have auto-logins, and if a phone gets compromised, the CVV number (which only the customer knows) is the only defence against fraudulent transactions. As such, PayU Biz’s CVV-less transaction solution undermines the security of the customer.


Note: An earlier version of the story was pulled down due to some inconsistencies in facts which we needed to verify. The corrections have been made in this version. We apologise to our readers.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
