RBI’s 2 Factor Authentication A Big Negative For International Online Purchases.


RBI’s new circular regarding online credit and debit card payments has thrown a spanner in the works for how many ecommerce sites and online vendors accept payments. The RBI circular states that many online companies are still not enforcing 2 factor authentication when accepting payments from consumers.

2 Factor authentication means that when a consumer buys something online using a credit or debit card, there needs to be an additional means of authentication, such as “Verified by Visa”, “3D Secure” or a generated One Time Password.

RBI, in its previous circulars in 2009, 2010 and 2011, had made 2 Factor Authentication a statutory requirement. While some companies implemented it, others still did not, for various reasons, including that they were using foreign payment gateways, which do not come under the purview of RBI.

However, the recent circular seems to be the direct outcome of complaints from Meru and others with respect to Uber taking credit card payments from consumers and directly depositing them in its accounts on foreign shores. Apart from this, payments made by credit card to ecommerce sites like Amazon and Alibaba do not have 2 factor authentication.

One of the points that RBI’s circular states is:

It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.

So, the RBI circular has essentially taken strong exception to two things: non-implementation of 2 factor authentication on any online card transaction, and the outflow of foreign exchange due to it.

As a countermeasure, RBI has advised that where cards issued by banks in India are used for making “card not present” (CNP) payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.

Our Take

This is obviously going to impact Indian buyers tremendously. Any Indian resident who wishes to buy a product from Amazon, Alibaba or any other foreign site will now have to go through 2 factor authentication, which those ecommerce sites will need to implement. Additionally, the sites will need to tie up with an Indian bank payment gateway, without which Indian consumers cannot make purchases.

Given that Indians are not heavy purchasers on foreign sites, most of them will opt out of it (except probably a few).

This is also going to affect mobile app purchases on the Google Play store and the Apple App store, as 2FA is currently not available with them.

While 2FA alone could have been OK, the introduction of “transactions only through a bank in India” is going to be very difficult for foreign players, as it will bring in a lot more legalities and clearances. In addition, RBI has also restricted the type of authentication, namely VBV, 3D Secure and OTP.

All in all, this is going to negatively affect every online player wanting to do business in India (or with Indians).

RBI has given time till October 2014 to implement the above-mentioned changes.

Now, we will have to wait and see how Uber, Amazon and others react to this! Uber may not find India too attractive anymore I guess!

  3. K.Sunil Raghu Vamsee says

    I guess the rules apply to e-commerce sites that provide wares in Rupees and not in Dollars. The sites like Amazon.in, Flipkart and all come into this category, not Amazon.com.

  5. Rakesh Gupta says

    I think RBI is correct in their stand, Arun. I live in the UK and I need to provide 3D Secure for foreign transactions, and this is nothing new. We need to educate ourselves in terms of such implementations and after-effects. As Ravi also mentioned: “do we hear CC frauds anymore”? RBI is not stopping you from paying. Do they?

  6. Ravi Shanker says

    RBI's position is correct. When you pay using your credit card, the money goes out of India's kitty in USD. This depletes the minimal dollar reserve we have. It is not healthy for the country's economy that individuals and specifically businesses should use Forex on demand. There are specific FEMA and Capital Account convertibility rules in India. They are meant to (and have in the past) keep India safe from short term money making business houses.

    Moreover, RBI's initiative has actually made online transactions one among the most secure in the world. Do we hear of CC frauds anymore?
