Ceding to requests from various segments of the industry, the Reserve Bank of India (RBI) on Tuesday issued a notification for an alternate solution for relaxations on the additional factor authentication (AFA) for low-value online card transactions.
So customers can now opt out of the process of two-factor authentication (or TFA) for online card transactions involving payments up to Rs 2,000 across all merchant categories. However, banks and card networks are free to facilitate their customers setting lower per-transaction limits.
In the new model, the card-issuing banks will offer the “payment authentication solutions” of the respective card networks to their customers on an optional basis.
Customers opting for this facility will have to go through a one-time registration process requiring the entry of card details as well as an additional factor authentication by the issuing bank. Hence, the registered customer will no longer be required to re-enter the card details for every transaction at merchant locations which will offer this solution, saving time and effort.
This implies that the card details already registered will be the first factor of authentication while the credentials used to log into the solution, as provided by the card network, will function as the additional factor of authentication.
Further, this relaxation is subject to the following:
However, there is no change suggested by the RBI in the existing chargeback process.
The RBI in its notification also states that in the interest of customer awareness and protection, banks and authorised card networks offering such solutions are advised make customers aware that the solution is an optional facility for card not present (CNP) transactions for values up to Rs 2,000 and that they are free to make payments using other forms of AFA.
A card not present (CNP) transaction is usually when a cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected. These are usually in the case of online, telephonic transaction.
The RBI also expects to educate the customers about its use, risk, and the mechanism for customer grievance redressal and reporting of complaints through multiple channels (website, phone banking, SMS, IVR, etc.).
Moreover, banks and card networks are expected to bear the full liability in the event of any security breach or compromise in the authorised card network. The authorised card network operators may also facilitate the participation of card holders from other authorised card networks through appropriate network level arrangements/agreements.
Many in the industry have been calling this a threat to digital wallets since two-factor authentication created friction while making card payments online.
This puts card networks like Visa and Mastercard at par with the Unified Payment Interface (UPI) from the National Payments Corporation of India (NPCI), launched earlier this year.
However, UPI's edge lay in eliminating the merchant discount rates (MDR) or the interchange rate altogether.
Moreover, earlier this year, Visa had already introduced a similar feature in India — Visa Checkout — which allowed customers to save cards, details, and addresses to speed up online payments.
This new regulation by the RBI really eliminates the problem of bank OTPs not reaching customers on time. It also removes the pressure of inputting the wrong CVV or 3D secure pin.
However, with India still grappling with slow telecom connections, how effective the logging in for this new solution is remains to be seen.
Tarush is driven towards delivering unbiased and accurate reportage while engaging with as many mediums as possible to narrate a fresh perspective. Working for the past few years in the digital space with YourStory, he has covered the Indian technology ecosystem extensively, focusing on new age Fintech companies, while building strong connects within the industry.