RBI changes the two-factor authentication process for online card transactions up to Rs2,000, in a move aimed to simplify, encourage electronic payments
Mumbai: The Reserve Bank of India (RBI) has removed the so-called two-factor authentication for online card transactions involving sums up to Rs2,000, in a move aimed at simplifying and encouraging electronic payments.
The move will likely help cab aggregators, online movie ticket sellers and even e-commerce marketplaces.
Currently, any online transaction involving a card requires users to first enter card details on the merchant’s payment gateway, wait for a one-time password (OTP) to be sent to their mobile phone, and then use this number to complete the purchase.
To be sure, discarding two-factor authentication for purchases up to Rs2,000 is an opt-in service, which means that customers will have to specifically opt for it.
RBI said that card network providers and banks will have to inform customers about the availability of such services and take their consent.
Customers opting for this facility will go through a one-time registration process requiring entry of card details and additional factor authentication by the issuing bank, RBI’s notification said.
“We would have to wait and see how the registration process will come up, but it should be largely online,” said Sangram Singh, head of card and payments business, Axis Bank.
Banks and card networks will be free to allow their customers to set lower transaction limits, RBI said. They will also have to indicate the maximum liability on the customer (if any) at the time of registration and educate customers that it’s their responsibility to report any frauds while transacting, the regulator added.
Vijay Jasuja, chief executive officer, SBI Cards Pvt. Ltd, says that the central bank’s intent is to provide a level playing field to everyone in the payments ecosystem.
“As of now, customers can make payments using mobile wallets without a two-factor authentication. If you provide a facility to one company then it must be provided to everyone,” Jasuja said.
App-based payments service providers say the move will boost digital transactions. “We welcome the timely move. This will definitely encourage more users to switch to debit and credit cards for online payments,” said a spokesperson for cab-hailing service Ola.
Experts say that customers are likely to welcome the move as well. “Service providers will have to be careful in ensuring that security in these services is maintained. Multiple fraudulent small value transactions can add up to a large amount, if card details are compromised,” said Bhavik Hathi, managing director, Alvarez & Marsal India, a consultancy.
However, there seems to be confusion over what exactly these new guidelines imply.
“The guidelines aren’t saying that AFA (additional factor authentication) will be removed fully. It seems to suggest that certain payments solutions providers such as Visa and MasterCard will be able to take charge of the second factor authentication from banks. This would hasten the process and there would be better execution of payments. However, we would have to wait and hear from the regulator about some clarity,” said the chief executive of a large digital payments company, speaking on condition of anonymity.
In 2014, US-based cab services provider Uber Inc. was pulled up by RBI for providing payments without a two-factor authentication process. RBI had then said all transactions, including electronic ones, involving credit cards issued in India for goods or services in the country must have an additional authentication system at each point of sale.
In May 2015, RBI said that two-factor authentication was not necessary for transactions up to Rs2,000 through contactless cards. However, such cards constitute a minuscule proportion of all debit cards issued in India.