Thursday, February 26, 2009

Online transactions now even safer

Traditionally, to transact with a credit card (either online or over the phone), all the information required to process the payment is printed on the card itself.
The information usually needed for a transaction is:
1. The 16-digit card number
2. Expiry date of the card
3. The CVV (Credit Verification Value) found on the back of the card
4. The card holder's name

Since all this information is present on the card, customers have always had security concerns about using credit cards online. To address these concerns, Visa and MasterCard came up with initiatives like Verified by Visa and MasterCard SecureCode. Both work on the same principle: a separate password, apart from the information already found on the card, is required to complete a credit card transaction.

The diagram below will help you understand the "Verified by Visa" or "MasterCard SecureCode" better.


But there are two limitations to "Verified by Visa" or "MasterCard SecureCode" which might have hampered their popularity in India.
1. The merchant (i.e. the merchant's payment gateway) must support these features.
2. The credit card issuing bank must also support these security features. Although most large private banks (like ICICI, HDFC) support them, most of the PSU banks still do not support "Verified by Visa" or "MasterCard SecureCode" for online transactions.

If either the payment gateway or the bank does not support them, the customer cannot use "Verified by Visa" or "MasterCard SecureCode" for online transactions.

Now RBI has made such authentication, based on information not found on the card (i.e. a separate password), mandatory for all online transactions. It is also mandatory to send SMS and online alerts for online transactions exceeding Rs. 5000. This means that all payment gateways and card-issuing banks will have to support authentication by a separate password. Please note that these regulations apply only from August 2009.
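To make the "separate password" principle and the RBI rules above concrete, here is an added toy model (not code from the post, Visa, MasterCard or RBI): the issuer alone holds and checks the password, the merchant only ever receives an issuer-signed authentication proof bound to the card and amount, and a payment goes through only when both the gateway and the issuer support the scheme. Card numbers, the password and the signing key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

ALERT_THRESHOLD_INR = 5000  # alert rule quoted in the post: above Rs. 5000


@dataclass(frozen=True)
class Card:
    """Everything printed on the plastic: enough to pay, never enough to prove identity."""
    number: str
    expiry: str
    cvv: str
    holder: str


class Issuer:
    """Card-issuing bank. Stores only a salted password hash plus a private signing key."""

    def __init__(self, supports_separate_password: bool):
        self.supports_separate_password = supports_separate_password
        self._key = b"constructed-issuer-signing-key"  # sample secret, not a real key
        self._pw_hash = {}  # card number -> PBKDF2 hash; the merchant never sees this

    def enrol(self, card: Card, password: str) -> None:
        self._pw_hash[card.number] = self._hash(card, password)

    def _hash(self, card: Card, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), card.number.encode(), 100_000)

    def _proof(self, card: Card, amount: int) -> str:
        return hmac.new(self._key, f"{card.number}:{amount}".encode(), "sha256").hexdigest()

    def authenticate(self, card: Card, password: str, amount: int):
        """Cardholder proves knowledge of the password to the issuer, not to the merchant."""
        expected = self._pw_hash.get(card.number)
        if not self.supports_separate_password or expected is None:
            return None
        if not hmac.compare_digest(expected, self._hash(card, password)):
            return None
        return self._proof(card, amount)  # proof is bound to this card and this amount

    def verify_proof(self, card: Card, amount: int, proof) -> bool:
        return proof is not None and hmac.compare_digest(self._proof(card, amount), proof)


def checkout(gateway_supports_separate_password: bool, issuer: Issuer,
             card: Card, password: str, amount: int):
    """Merchant-side flow. Returns (approved, sms_alert_required)."""
    proof = None
    if gateway_supports_separate_password:  # limitation 1: gateway must take part
        proof = issuer.authenticate(card, password, amount)  # limitation 2: issuer must too
    approved = issuer.verify_proof(card, amount, proof)
    return approved, bool(approved and amount > ALERT_THRESHOLD_INR)
```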

As per this report, RBI is also working on security features for credit card transactions over the telephone. These regulations will go a long way towards ensuring the safety of your online and IVR transactions. Thanks, RBI.

1 comment:

  1. RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive.

    Before the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems. Just google "verified by visa 2009" or go to this link: http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html.

    VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.

    On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.

    It surprises me that India, the world's technical resource, would make the same error as was made by the banks in other parts of the world that tried introducing VBV and UCAF/SPA. At least, the banks and online merchants in these other parts of the world were not mandated to use these systems. Be wary of mandated systems. A good security system never needs to be mandated.