Online merchants worry as govt enacts anti-fraud measures

An anti-fraud measure has online merchants fuming over a decrease in mobile payments and customers greatly inconvenienced.

The latest measure enforced by the Reserve Bank of India (RBI) to check credit card fraud has led to an immediate drop in the number of people using their mobile phones to make payments, claim several retailers who are dissatisfied with the measure.

The new rules make it mandatory for customers who use their phones to carry out financial transactions that call for revealing their credit card numbers - such as buying an airline ticket or paying a utility bill - to also clear an additional security layer before the transaction is processed.

This new security layer is the one time password, or OTP. When a customer starts a transaction, the bank that issued his credit card automatically texts a one-time password to the number it has on file for the customer. Only after the customer repeats the OTP successfully, is the payment order validated.

Sounds simple, but customers are fumbling with it. According to Hrush Bhatt, one of the founders of the travel portal Cleartrip, which launched a mobile phone payment gateway six months ago, payments through this mode fell by 73% the day after OTP came into effect. Two months later, payments by mobile are still half of what they used to be.

"The process of generating an OTP is painful, inconsistent and prone to failure," says Bhatt. "Early indications are that it is not the best thing for either users or merchants. If the password does not arrive immediately when the customer is making his payment, he usually hangs up and never calls again." Bhatt also points out that the system could inconvenience customers with more than one mobile phone, since only one mobile number can be registered with the credit card company.

Gautam Shiknis, CEO of mobile payment provider mChek, confirms that mobile transactions through his company's gateway have fallen to half of what they used to be. "Right now mobile payment has become a very cumbersome process," he says.

The RBI circular in question, whose draft was first sent out to the banks nearly a year ago, directed them to use a security system called Two Factor Authentication, or TFA, for all transactions conducted using Interactive Voice Response, or IVR. This technology forms the backbone of most phone payment systems.

What exactly is TFA? It requires that for any credit card transaction where the cardholder is not physically present to hand over his card, that is, during online or mobile phone payments, he must provide not only his credit card details but also one more piece of information that is not recorded on the card itself. It is akin to asking a customer, even when he presents his credit card in person, to show his photo identity and confirm he is indeed the person to whom the card belongs.

"The idea is to match what you have (a credit card) against what you know (the OTP)," explains Shiknis. For payments made using the Net, RBI started insisting on TFA nearly two years ago.

Accordingly, Visa and MasterCard introduced an additional security layer, Verified by Visa and SecureCode respectively, which requires customers to register a separate personal identification number, or PIN, for online transactions. Cleartrip's Bhatt says his portal saw a sudden fall in purchases over the Net at the time as well (although not quite as drastic), but sales eventually recovered.

The apex bank has similar guidelines for mobile banking too, but so far payments through mobiles had been left out. Mobile-linked payments differ from those made online because the keypad on most mobiles is limited and cannot produce the range of alphanumeric passwords, including the symbols and special characters that make them difficult to crack, that a computer keyboard can.

The idea that online merchants should ask for a second form of identification was first proposed by a regulatory agency in the United States in 2005. Since then, many other countries and international agencies have followed suit and made it mandatory. The intention globally has been the same: to check fraudsters from making purchases using someone else's credit card number.

At present, mobile payments are a tiny fraction of the total payments market. At Cleartrip, for instance, even before the guideline came into effect, mobile payments made up barely 10% of the site's transaction volume. But reports suggest this segment is set to grow enormously in coming years. Nearly 75% of Indian respondents to a recent survey by Accenture said they would be interested in making mobile payments, which put the Indians second only to the Chinese in their enthusiasm for this form of payment.

As India's demand for alternative methods of payment has grown in the past few years, so has the number of security systems available. Many banks, for instance, operate several different TFA gateways simultaneously, striving to keep their systems user-friendly while complying with the Reserve Bank's recent guidelines.


"We are likely to introduce a system where customers can pre-request an OTP that will be good for several hours," says Suresh Sethi, president of the transaction banking group at Yes Bank. "We are calling it a dynamic pin. It's the simplest system and also provides the best experience," he says.

Yes Bank plans to roll out its own TFA system for IVR transactions soon, having evaluated several different systems before choosing one. Most banks have already opted for some variation of a dynamic PIN, but each bank's system differs slightly. Some deliver the password in the middle of the transaction. Sethi says Yes Bank discarded this approach because not all customers can view their SMS inbox while on a call.

Before the OTP system was introduced, mChek used to ask customers for a PIN for their mobile transactions, which had been provided to them earlier. But the PIN stayed the same for every financial transaction, much like the PIN a cardholder uses at an ATM stays the same. If a fraudster, making a purchase over a mobile phone while impersonating another person, were to equip himself beforehand with the PIN of that person as well, he would slip through.
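The properties the article contrasts, a code that is single-use (unlike a static PIN, which anyone who learned it could replay), that expires, and that can optionally be issued with a longer validity window like the pre-requested "dynamic pin" described above, are shown below in an added illustration of issuer-side OTP handling. This is example code written for this page, not the software of any bank or provider named in it; the code length, attempt limit and window durations are assumed values.

```python
import hmac
import secrets
import time

# Assumed parameters, not taken from the article: 6-digit codes, 3 guesses per code,
# a 5-minute window for a code sent mid-transaction, 4 hours for a pre-requested one.
OTP_DIGITS = 6
MAX_ATTEMPTS = 3
IN_CALL_TTL = 5 * 60
PRE_REQUEST_TTL = 4 * 60 * 60


class OtpService:
    """Issuer-side OTP store keyed by card identifier; one live code per card."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.pending = {}           # card_id -> [code, expires_at, attempts]

    def issue(self, card_id, pre_requested=False):
        # A new request replaces any outstanding code, so only the latest SMS is valid.
        ttl = PRE_REQUEST_TTL if pre_requested else IN_CALL_TTL
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[card_id] = [code, self.clock() + ttl, 0]
        return code  # in a real deployment this goes to the SMS gateway, not the caller

    def verify(self, card_id, submitted):
        rec = self.pending.get(card_id)
        if rec is None or self.clock() > rec[1]:
            self.pending.pop(card_id, None)   # never issued or expired: reject
            return False
        rec[2] += 1
        if rec[2] > MAX_ATTEMPTS:
            del self.pending[card_id]         # too many guesses: a fresh code is required
            return False
        if hmac.compare_digest(rec[0], submitted):
            del self.pending[card_id]         # single use: replaying the same code fails
            return True
        return False
```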

Experts also point out that even if mobile payments technology gets more sophisticated, developing systems far more advanced than IVR, security concerns will always remain. "Security is a key concern for anyone looking at mobile payments," says Ashok Jhunjhunwala, a professor at the Indian Institute of Technology, Madras, who is also Chairman of the Mobile Payment Forum of India. "While the one time password may be a good solution, there are also other technologies, like voice recognition, that are more interesting."

Even Bhatt and Shiknis acknowledge the need for greater security and support the idea of additional verification, while opposing the specific step RBI has taken. Whatever the problems faced by online merchants, RBI has no plans to reconsider its TFA guidelines yet. "Banks are working out the best way to implement them," says an RBI spokesperson, confirming that the guidelines were there to stay.

The currently tiny base of mobile payments in India might be a saving grace in the current situation. "Because the base is so small, nobody minds a little experimentation," says Shiknis. "I'm not as concerned about a payment drop in 2011, I'm concerned about 2015. At that point, we will have TFA, but I don't think the one time password will still be the way to go."

Courtesy: Business Today