Ecommerce in India may not be on the same level as it is in the US or Europe, but it has grown considerably in the past few years. The expanding online market has attracted the attention of unscrupulous individuals out to make a quick buck. Following the concept of ‘Prevention is better than cure’, the Reserve Bank of India (RBI) issued a directive in February 2009 mandating that all banks issuing credit and debit cards add and employ a ‘Third Factor’ authentication process for all card-not-present (online) transactions.
These steps have been initiated by the RBI to dispel any insecurity amongst online consumers and to encourage growth of the Indian eCommerce market:
It would be mandatory to put in place with effect from August 01, 2009:
i) A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions (for which separate instructions will follow).
ii) A system of "Online Alerts" to the cardholder for all 'card not present' transactions of the value of Rs. 5,000/ and above.
Banks are advised to strictly adhere to the instructions and time discipline indicated in this circular. Non-adherence to the directives shall attract penalties prescribed under the Payment and Settlement Systems Act 2007 (Act 51 of 2007).
The ‘third factor’ authentication process is a significant step towards ensuring the security of the cardholder’s sensitive card data. It involves using non-card-based cardholder information, i.e. a secret, unique 6-digit PIN given by the card-issuing bank to the cardholder, to verify the cardholder’s identity. The logic is that since this number does not appear anywhere on the card, it is known only to the cardholder and is therefore not likely to be accessed by fraudsters. Verified By Visa (VBV) and MasterCard Secure Code (MSC) are some of the third factor authentication processes in the industry.
This mandate is beneficial to the customer as well as the merchant. It is an additional safeguard against cybercriminals, and since it uses non-card-based cardholder information as verification, the cardholder cannot later deny having done the transaction. He will then have to bear the liability in case there are any disputes. This is markedly different from the pre-third-factor authentication rules, which allow a cardholder to dispute non-VBV and non-MSC transactions by simply writing to the issuing bank saying that he has not done the transaction.
With the Indian eCommerce market still in the evolutionary stage, the implementation of this mandate will have serious implications for the already troubled online merchant, for the following reasons:
- Many of the banks have not updated their systems to accommodate this new process, and less than 40 per cent of the banks’ active customer base (Source: IAMAI) has an active VBV or MSC number. The banks are still in the process of updating their systems to accommodate this new directive. Until they complete the upgrade and issue VBV or MSC numbers to all their cardholders, this could mean a temporary slowdown in the online growth rate.
- Currently, in India, banks are merely payment enablers: the risk arising from non-payment or fraud is borne by the merchant and not by the customers, banks or card companies. This means that customers as well as banks are safeguarded from online card fraud while the merchants bear the brunt of it. The merchant is already burdened with issues such as recurring downtime and chargebacks; this additional authentication process will add to their problems a loss of conversion rate, a loss of overall profitability and an increase in the number of transaction failures.
- The e-commerce industry in India experiences only 0.16% online fraud, and most of the online card fraud is international. The problem with RBI’s directive is that it is only applicable to Indian banks. International cards, which are the largest perpetrators of fraud, are not governed by RBI’s directive. So, merchants can expect little respite from online card fraud even with the directive.
To simplify, the conundrum of this situation is that the directive that aims to enhance the online transaction process may in fact become a potential deterrent to online growth.