RBI’s 2 Factor Authentication A Big Negative For International Online Purchases.
RBI’s new circular in regards to online credit and debit card payments has put a spanner on how many ecommerce sites and online vendors accept payments. The RBI circular has stated that many online companies are still not enforcing 2 factor authentication when they are accepting payments from consumers.
2 Factor authentication means – when a consumer buys something online using credit or debit card there needs to be an additional means of authentication, such as “Verified by Visa”, “3D Secure” or generation One Time Password.
RBI in their previous circulars in 2009, 2010 and 2011 had made 2 Factor Authentication a statutory requirement. While some companies implemented it, other’s still did not do it various reasons including that they were using foreign payment gateways which does not come under the purview of RBI.
However, the recent circular seems to be the direct outcome of complaints from Meru and others in respect with Uber taking credit card payments from consumers and directly depositing it in their accounts in foreign shores. Apart from this, any payments done by credit cards to ecommerce sites like Amazon, Alibaba do not have 2 factor authentication.
One of the points that RBI’s circular states is:
It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.
So, the RBI circular essentially has taken strong exception to 2 things: Non-implementation of 2 factor authentication on any online card transaction and outflow of foreign exchange due to it.
As a counter measure, RBI has advised that cards issued by banks in India are used for making “card not present” (CNP) payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.
This obviously going to impact Indian buyers tremendously. Any Indian resident who wishes to buy a product from Amazon, Alibaba or any other foreign site will now have to go through 2 factor authentication that those ecommerce site will need to implement. Additionally, they will need to tie-up with an Indian bank payment gateway, without which Indian consumers cannot make purchases.
Given that Indians are not heavy purchasers on foreign sites, most of them will opt-out of it (except probably a few).
This is also going to effect mobile app purchases on Google Play store and Apple App store purchases as 2FA is currently not available with them.
While just 2FA could have been ok, introduction of “transactions only through Bank in India” is going to be very difficult for foreign players, as it will bring in lot more legalities and clearances. In addition, RBI has also put a restriction of type of authentication namely VBV, 3D Secure and OTP’.
All in all, this is going to negatively affect every online player wanting to business in India (or with Indians).
RBI has given time till October 2014 to implement the above said changes.
Now, we will have to wait and see how Uber, Amazon and others react to this! Uber may not find India too attractive anymore I guess!