Two-factor authentication needed for online transactions
Updated: 26 Aug 2014, 06:33 PM IST
Along with the details available on the card, a second level of identification is needed
Recently, Uber Technologies Inc., a San Francisco-based luxury service provider, came under the Reserve Bank of India’s scanner for allowing customers to pay their taxi bills through cards without two-factor authentication. On 22 August, the central bank issued a circular on security issues and risk mitigation measures related to card-not-present (CNP) transactions.
What is CNP?
When you make a payment for a product or a service and your card is not physically present for the merchant to examine, it is referred to as a card-not-present, or CNP, transaction. Online purchases using credit or debit cards would be CNP transactions.
CNP transactions can be particularly vulnerable to fraudulent activities because it is difficult for a merchant to verify whether the person buying a product using the card is actually authorized to use it. It’s true that only the genuine user of a card would be able to enter details such as the CVV number, card number and card expiry date, which every online payment section asks for. But these details can also be entered by a person who is not the owner of the card but is privy to such information. This is where two-factor authentication comes in.
Whenever you do a CNP transaction, you need more than one level of authentication to complete the transaction. Along with the details available on the card, a second level of identification is needed—it could be a long-term password or a one-time password.
It is mandatory for banks to put in place additional authentication or validation based on information that is not visible on the card for all CNP transactions. Two-factor authentication is a must for all transactions where the customer uses cards issued in India for payments on merchant sites in India and there is no foreign exchange transaction. The central bank has also clarified that any linkage to an overseas website or payment gateway cannot be the basis for permitting relaxations from implementing the mandate. Those merchants that don’t use two-factor authentication have been given time till 31 October to comply with the norms to avoid any business disruption.
The good and the bad
You definitely don’t want to risk your money. Two-factor authentication is a welcome step in terms of financial safety and security for online transactions, even if an additional requirement of using passwords is a little inconvenient.