All Top Banking

Indian E-Commerce Changes Card Verification Norms

Posted by John B. Frank Tuesday, July 7, 2009

Indian E-Commerce Braces For Changes In Credit Card Verification Norms | MediaNama
By Nikhil Pahwa ⋅ July 6, 2009

The e-commerce industry in India needs to brace for the coming of a lull in transactions, which owes its origin to a notification from the Reserve Bank of India.

According to the notification, in order to enhance the security of online card transactions, it will become mandatory from August 1st 2009 onwards to provide:

1. A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions. (Editor's Note: How about making the "card present" by swiping the magnetic stripe and encrypting it through Zones 1-4, then entering the PIN and encrypting it through Zones 1-5?)

2. A system of “Online Alerts” to the cardholder for all “card not present” transactions of the value of Rs. 5,000/ and above. 

Implications

Travel Portal Cleartrip recently set up a page to help its users register at various bank sites for Verified by Visa and Mastercard Secure verification norms which banks in India are adopting in order to comply with point 1 mentioned above.

Hrush Bhatt, co-founder, Cleartrip, told MediaNama that for completing transactions, merchants will have to re-direct consumers to bank sites, which will require the additional password for verification of payment. For methods that involve redirection, payment failures are around 10 times more.

Bhatt said that though the RBI circular is correct in spirit, the manner in which it is being implemented is going to cause disruption for customers and merchants. Cleartrip is gearing up for at least a 2-3 week disruption, “when people won’t know what this stuff is. Hopefully, after that people will enroll.” ICICI Bank is planning to mandate usage of these additional passwords on July 20th, while the rest are expected to switch between July 20th and August 1st, except American Express. “AmEx already has billing address verification in their API,” he said.

Bhatt added that this also puts Indian online companies at a disadvantage to international ones, because “International companies do not have this extra hoop to jump through. Any (Indian) company that wants to serve an international audience is also at a disadvantage.” This is because international customers will not be able to use sites from Indian merchants unless they have the additional password.

Alternatives & Why Banks Went For Additional Passwords

“Last date we heard, less than 8% of the world is enrolled in any of these programs,” Bhatt said, referring to Verified by Visa and Mastercard Secure. “In the US, merchants are provided with a variety of fraud control measures like billing address verification, date of birth verification; obviously, the banks have this information.” Bhatt said that the biggest processors of transactions online - Amazon and iTunes - do not support the additional password.

“There could be other ways, but the banks have chosen to go with the method that involved the least amount of work for them. The existing gateways and the APIs don’t process these fields right now, so they will have to reverse integrate with wherever that information sits in their system to ensure that an additional field is provided to the gateways.”

Editor's Note:  Why mess with all that when it doesn't solve the problem anyway?  Additional passwords are not needed.  Encrypted True 2FA is needed.  If anyone can tell me a better way to authenticate the user than swiping their own card in the safety of their own home, followed by entering their PIN, (besides using EMV and entering PIN) and transmitting the encrypted data safely with a derived unique key per transaction (DUKPT) I'd love to hear about it.  In my opinion, redirecting will only create another link in the chain and another way for fraudsters to find the Gap in that system.


Impact On WAP?

Bhatt wonders how this will work on WAP, because this additional layer of security involves a redirection to the bank sites: do mobile browsers support those redirects?


1 Response to Indian E-Commerce Changes Card Verification Norms

  1. Anonymous Says: Thieves!

     
