Update on March 19: In a statement, PayU India’s security and IT head M.Navaneethan said that information on saved cards is encrypted and that “all users have to mandatorily go through CVV and OTP authentication in order to complete every transaction”. Responding to the finding that one user’s card can be blocked by another user entering a wrong CVV, PayU said that card blocking is executed by the bank and the card can be unblocked on request. PayU also said it has held PCI-DSS Level 1 certification for the last 7 years. (Find PayU’s full statement at the bottom.)

Earlier on March 18: Payments company PayU India is leaving users’ credit and debit card information exposed on its dashboard, reported Srikanth Lakshmanan on Twitter. Lakshmanan claims that he was able to retrieve TRAI chairman RS Sharma’s masked credit card number simply by entering his email address. Although the card number is masked, the CVV field is left open, and the card itself can be blocked by entering a wrong CVV multiple times. Lakshmanan told the Quint that other platforms and entities which hold the last four digits of cards could gain access to user emails, and that other personal data could be correlated if somebody mines the data.

A similar exposure of customers’ payment information by PayU was reported two years ago. A user pointed out that he was able to view multiple debit and credit card numbers, along with the cardholders’ names, in a drop-down list used to choose a card. At the time, PayU said that this was not a vulnerability and was “harmless”, as the list consisted of tokenized cards and users/customers could not recover the full card number from the encrypted token. Although PayU acknowledged that it was possible to block another person’s card by entering an incorrect CVV, it said there was no leakage of customers’ sensitive personal data and no financial loss to them.


Meanwhile, RS Sharma said that while Lakshmanan had correctly identified that a user’s card could get blocked due to an incorrect CVV/OTP being entered, he would prefer that PayUmoney “should detect and block” a person trying to do so before the card gets blocked. “If that’s not possible, then it’s better for the card to be blocked than to be compromised,” he said, adding that, “PayUmoney have the responsibility to examine all issues that arise, improve their processes, and inform their users of the precautions to take.”
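The control Sharma describes, detecting the party submitting wrong CVVs and stopping them before the issuer’s threshold blocks the cardholder’s card, can be implemented as a per-requester attempt guard. The example below is added for illustration and is not PayU’s code; the thresholds, the `issuer_verify` callback and the requester key (e.g. session id plus client address) are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed thresholds: assumptions for the example, not PayU's or any issuer's real values.
ISSUER_BLOCK_AFTER = 3   # wrong CVVs an issuer tolerates before it blocks the card
REQUESTER_LIMIT = 2      # wrong CVVs one requester may submit before being locked out
LOCKOUT_SECONDS = 15 * 60


class CvvAttemptGuard:
    """Throttle CVV attempts by requester (e.g. session id + client address)
    so a single client cannot drive a cardholder's card to the issuer's block
    threshold. Failures are counted per requester; a locked requester is
    refused before the attempt ever reaches the issuer."""

    def __init__(self, clock=time.time):
        self._clock = clock                          # injectable for tests
        self._failures = defaultdict(list)           # requester -> failure timestamps
        self._locked_until = {}                      # requester -> unlock time
        self.forwarded_failures = defaultdict(int)   # card_token -> wrong CVVs seen by issuer

    def is_locked(self, requester):
        return self._locked_until.get(requester, 0) > self._clock()

    def attempt(self, requester, card_token, issuer_verify):
        """Return 'locked', 'ok' or 'wrong_cvv'. issuer_verify(card_token)
        stands in for the issuer's CVV check (constructed callback)."""
        now = self._clock()
        if self.is_locked(requester):
            return "locked"                          # never forwarded to the issuer
        if issuer_verify(card_token):
            self._failures.pop(requester, None)      # success clears the counter
            return "ok"
        self.forwarded_failures[card_token] += 1
        window = [t for t in self._failures[requester] if t > now - LOCKOUT_SECONDS]
        window.append(now)
        self._failures[requester] = window
        if len(window) >= REQUESTER_LIMIT:
            self._locked_until[requester] = now + LOCKOUT_SECONDS
        return "wrong_cvv"


def guard_protects_card(guard, requester, card_token):
    """Feed the guard nothing but wrong CVVs from one requester for a card;
    True if the issuer never sees enough failures to block the card."""
    for _ in range(10):
        guard.attempt(requester, card_token, lambda _tok: False)
    return guard.forwarded_failures[card_token] < ISSUER_BLOCK_AFTER
```

Keying on the requester alone is not sufficient on its own, since sessions and addresses can change; a deployment would also throttle per card and per account, and would require the dashboard lookup itself to be authenticated rather than driven by an email address.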

PayU India’s complete statement:

“PayU, India’s leading digital payment processor, has been successfully certified level 1 as per the PCI-DSS certification for the last 7 consecutive years. We adhere to strict security controls and have been consistently meeting the PCI regulations and ISO 27001. PayU is committed to protecting the integrity of our merchants’ and consumers’ data and we have bolstered our existing multi-layered authentication mechanism to further secure all transactions processed via our platform.

We would like to highlight that the use of information on saved cards is encrypted by PayU and all users have to mandatorily go through CVV and OTP authentication in order to complete every transaction. Additionally, blocking of the card due to multiple attempts on CVV/OTP is executed by the card issuer and can be unblocked by the user on request.

Reiterating our commitment towards data security, we assure all our merchants and consumers that PayU India treats any security concern with utmost diligence & priority and will never compromise on the same.” – M.Navaneethan, CISO and Head IT, PayU India