The Reserve Bank of India has decided to add a further layer of security for customers who use their cards to make online international transactions.
The plan is to introduce an additional factor of authentication (AFA) to enhance safety for digital transactions.
“A draft circular will be issued shortly for feedback from stakeholders,” the RBI said.
Until now the additional validation factor was mandatory only for domestic transactions.
Card payments can be made in two ways: first, by physically presenting the card at the point of sale (PoS) or an ATM, which is treated as a CP (card present) transaction.
The other is where the card is not physically present, which is treated as a CNP (card not present) transaction. These are mostly online or mobile banking transactions.
Here banks require two inputs to complete the transaction. The first is the CVV, which stands for card verification value. It is the tiny three-digit number at the back of the credit or debit card.
The second factor of authentication is the OTP (one-time password) that is sent to the card owner’s mobile phone.
At present, AFA is not mandatory for transactions where there is an outflow of foreign exchange. These cover, for instance, purchases made on eBay, AliExpress etc.
The RBI has decided to introduce the new rule for overseas transactions because of the rising complaints about fraud and theft using cards.
“This decision will bring international digital transactions using Indian-issued cards under the same security standards that have been applied to domestic transactions,” SBI Research said in a report released on Friday.
“By requiring an extra layer of verification such as a One-Time Password (OTP) or biometric authentication, AFA has effectively reduced fraud in domestic online payments. Customers feel more confident making purchases online, knowing that their transactions are safe,” the report added.
According to the India Digital Payment report, the total value of card transactions in the first six months of 2024 for online transactions (e-commerce) increased by 14 per cent to ₹7.08 trillion compared with ₹6.2 trillion in the first six months of 2023.
According to the European Payments Council 2024 Payment Threat and Fraud Trends report, e-commerce is the preferred way to buy goods or services where the payment card is not physically present, and stores must rely on the cardholder information indirectly.
CNP fraud, which is a major concern in the US, Europe and the UK, is increasingly spreading across Asia Pacific.
Fraudsters obtain payment card details in various ways: by malware, data hacks, phishing or fake merchants stealing the information.
This information is later sold on criminal marketplaces on the darknet/deep web to be used by other fraudsters, or is sometimes used by the bad actors who stole the credentials themselves.
The modus operandi for committing CNP fraud is normally either large-volume automated algorithmic attacks on well-known e-commerce websites, which try to hide the fraudulent transactions in the vast volume of legitimate transactions, or more diligent use of the credentials for single high-amount purchases on selected merchants or merchant categories.