22 May, 2009

RBI ruling to check card frauds

Issuers Need To Provide Extra Code To Complete Transaction
From August 1, you need not think twice before letting your credit card out of sight at a restaurant, petrol pump or any other merchant establishment. The details printed on your card — including the card number, expiry date and three-digit card security code (popularly known as the CVV) — will not be enough to make fraudulent online transactions.
An RBI directive has ensured that from August, credit and debit card-issuing banks must provide for additional authentication of information — over and above what is visible on the physical card. In other words, the cardholder must key in an extra security code or some other data to complete an online transaction.
This consumer-friendly instruction, issued by the RBI on February 18, also mandates a system of online alerts to the cardholder for all ‘card not present’ transactions that exceed Rs 5,000. The circular adds that banks would be penalised for non-adherence to the directive under the Payment and Settlement Systems Act 2007.
In an email response to TOI, RBI though specifies, “Banks are free to decide on the technology they wish to use to fall in line with these instructions.” On their part, banks have been beefing up their online security. Virtual cards, which have been around for a while, are a secure option offered by the likes of HDFC Bank, ICICI Bank and Kotak Mahindra Bank. HDFC Bank's Net-Safe, for one, creates a code that can be used for a one-time transaction. “It is a limited period validity number,” says Sanjeev Patel, EVP and head, direct banking channels, HDFC Bank.
Virtual cards create a code separate from your CVV number so you don't have to key it in on the merchant website. Any unused amount from the card is credited back to the credit or debit card account.
Banks also offer increased security via MasterCard's SecureCode and Visa's Verified by Visa, which offer personalised passwords. T V Seshadri, vice-president and country general manager, South Asia, MasterCard, says, “Much like the authentication process required for payment card use at ATMs, SecureCode requires cardholders to enter their personal code in an online window on their PC before a transaction can be processed. Even if someone knows their credit or debit card number, the purchase cannot be completed without their SecureCode at a participating merchant.”
But these initiatives can work only if the cardholder is prompted to enter the code by the merchant site. Says Seshadri, “The card-issuing bank, the retailer and the retailer's acquiring bank will all have to participate.”
Source:- The Times of India 22 May 2009 P. 21 Delhi
For any query:- legalbuddy@gmail.com

1 comment:

paris apartment said...

RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive.

Before the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems. Just google “verified by visa 2009” or go to this link: http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html.

VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.

On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.

It surprises me that India, the world’s technical resource, would copy the errors made by the Banks elsewhere in the world that tried introducing VBV or UCAF/SPA. It is relatively simple for anyone to do a google search on Verified by VISA and realize that it has not been successful in other parts of the world. At least banks in other parts of the world and online merchants were not mandated to implement these systems. Be wary of mandated systems. A good security system never needs to be mandated.