Ecommerce Industry is bracing for a change – now you will not be able to use your debit/credit card online UNLESS you register with your bank.
RBI has issued guidelines making it mandatory for all online transactions to have an extra level of authentication. The ‘extra’ level is a password that you will have to enter after entering your credit/debit card details while making online payments. You will require this ‘extra password’ for transacting on any website in India.
Online Transaction – What has changed
- Beyond August 1, you will NOT be able to use your debit/credit card online UNLESS you register with your bank. Registration is a very simple process.
- To implement this new mandate, Visa is using a technology called Verified by Visa (VbV) and MasterCard is using a technology called SecureCode (MSC).
- For AMEX card holders, the ‘extra level of authentication’ will work slightly differently. You will be asked to enter your billing address, which will be passed on to the bank. This will be checked against the billing address the bank has on its records. If the addresses don’t match, your payment will be rejected. This technology is called AVS – Address Verification System.
Links to Bank portals – Axis Bank, ABN Amro, Citibank, Deutsche Bank, HDFC, HSBC, ICICI Bank, Karur Vysya, SBI, Standard Chartered
RBI Guidelines
The use of Credit/Debit Cards has been increasing in the country. We have been reviewing various options to enhance the security of online card transactions. After extensive consultations with banks/card companies, it has been decided as under:
- It would be mandatory to put in place with effect from August 01, 2009:
i) A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions (for which separate instructions will follow).
ii) A system of “Online Alerts” to the cardholder for all ‘card not present’ transactions of the value of Rs. 5,000/ and above.
3. Banks are advised to strictly adhere to the instructions and time discipline indicated in this circular. Non-adherence to the directives shall attract penalties prescribed under the Payment and Settlement Systems Act 2007 (Act 51 of 2007).
Immediate Impact to Ecommerce Sites
This move will surely impact the ecommerce players in the short run (hopefully limited to the short run only) – many shoppers will simply ditch the buying decision at the checkout process.
In fact, expect a major hit to the entire ecommerce industry as the various stakeholders aren’t in sync with the guidelines.
Key questions to RBI and the stakeholders
- Have Banks improved their operations? Normally, it takes 10-15 days to get the online password from ICICI (which happens to have the largest share of online transactions in the country)
- Why is VISA/Master Card/AMEX not reaching out to consumers? Isn’t it their duty as well?
How do you think ecommerce companies should handle this?

How will PayPal accounts be affected by this? As PayPal does an automated transaction on the card on your behalf.
What happens if you are already using Verified by Visa or MasterCard Secure thingie..? Do you have to register again specifically with the bank..?
I think it’s a good idea to have all these authentication and verification moved to a higher level if banks and card companies are also doing their jobs.
hi
good blog post
Why is there nothing mentioned on the Citibank India site? No such news, no instructions, NOTHING…..!!!
India (Bangalore): Verity Technologies, a mobile applications company with focus on Authentication and Identity Management Services. Blue ID is an Identity and Authentication Management tool. Verity’s highly acclaimed Blue ID, a new generation technology that secures financial transactions.
Blue-ID card allows store purchase, online purchases, and mobile Authentication and Identity Management Services purchases and can provide the “instant verification” for consumers.
About Verity Technologies:
Verity Technologies is a mobile applications company which provides authentication services for financial and other transactions. Incorporated in 2000 as a telecom solutions company, Verity has built innovative communication products/applications that enable flow of data across platforms and devices. It aims to create disruptive changes in areas like financial transactions through an anonymous authentication and identity management service that for the first time uses the cell phone as the medium of connectivity rather than a consuming node. Verity is an India Co portfolio company; India Co is a publicly traded company, listed on the Bombay Stock Exchange. For more details on Verity, log on to http://www.veritytech.com
RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive.
Before the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems. Just google “verified by visa 2009” or go to this link: http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html.
VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.
On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.
It surprises me that India, the world’s technical resource, would copy the errors made by the Banks elsewhere in the world that tried introducing VBV or UCAF/SPA. It is relatively simple for anyone to do a google search on Verified by VISA and realize that it has not been successful in other parts of the world. At least banks in other parts of the world and online merchants were not mandated to implement these systems. Be wary of mandated systems. A good security system never needs to be mandated.
Online Access Control India Website eliminate the risk of phishing completely:
Online Access Control
How does a portal / website secure online access for its registered users?
How does a portal / website eliminate the risk of phishing completely?
By integrating Blue ID 2
Blue ID 2 provides a portal a mechanism to allow the customers to use the Phone as an Authentication device. With the risk of phishing and identity theft removed, access is made safe, easy and a mass market phenomenon.
For editorial queries: Ramesh A, Verity Technologies Pvt. Ltd., Email: ramesh@veritytech.com, Phone: +91 80 25251500
Which transactions on the time and sales display is a buy or a sale?
http://www.gogolingo.com/blog/?p=3