Dec 06, 2016

RBI relaxes two-factor authentication for transactions below 2K

By Jayadevan PK

India’s central bank has relaxed the mandatory two-factor authentication for transactions that are less than Rs 2000 in value in favour of “card network provided authentication”.
What does this really mean?
In a statement on Tuesday, the Reserve Bank of India said that under a new model proposed by authorized card networks, issuing banks will offer “payment authentication solutions” to customers who opt-in and register. They will not have to enter card details after a one-time registration.
Why did the RBI decide to do this?
The RBI statement says: “The Reserve Bank has been receiving requests from certain segments of the industry for reviewing the requirement of AFA (Additional Factor of Authentication) for low value online card not present (CNP) transactions. As most of the requests were for merchant specific relaxations on AFA requirements, they were not appropriate at the system level. An alternate solution, provided by authorised card networks is expected to meet the objective of customer convenience with sufficient security for low value transactions.”
An example of a card-not-present (CNP) transaction is an online payment where the card details are pre-registered and the payment is made directly from that card, for instance when you register your card with Uber, Ola or Amazon. Currently, these transactions also go through a second layer of authentication, most often a One Time Password (OTP) sent to your mobile phone.
The RBI says that “…in this model, the card details already registered would be the first factor while the credentials used to login to the solution would be the additional factor of authentication.” This means online transactions below Rs 2000 won’t require a separate OTP-style second factor.
Is this secure?
While new-economy companies like Ola and Uber have hailed the move as a positive step, one critique is that it could lead to more credit card fraud. Fraudsters typically defraud customers of small amounts of money in the hope that the charges go unnoticed.
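The risk described above is that a stolen or compromised registered card can be drained through many sub-threshold charges, none of which triggers the OTP step. The usual defensive counterpart is a velocity check on the issuer or network side: count and total the low-value CNP transactions per card over a rolling window and raise an alert when either exceeds a limit. The following is an added illustration, not code from FactorDaily or the RBI; the Rs 2000 threshold comes from the article, while the count limit, aggregate limit, 24-hour window and the sample transaction records are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rs 2000 per-transaction limit is the figure from the RBI statement.
LOW_VALUE_LIMIT = 2000
# Hypothetical issuer-side limits (assumptions for this example, not RBI rules).
MAX_LOW_VALUE_TXNS = 5          # more than this many low-value charges in the window
MAX_AGGREGATE = 5000            # or a larger rupee total than this
WINDOW = timedelta(hours=24)    # rolling window over which both are measured

# Constructed sample transaction records: (card token, ISO timestamp, amount in Rs).
SAMPLE_TRANSACTIONS = [
    ("card-A", "2016-12-06T08:00:00", 400),   # six small charges in one day
    ("card-A", "2016-12-06T09:00:00", 400),
    ("card-A", "2016-12-06T10:00:00", 400),
    ("card-A", "2016-12-06T11:00:00", 400),
    ("card-A", "2016-12-06T12:00:00", 400),
    ("card-A", "2016-12-06T13:00:00", 400),
    ("card-B", "2016-12-06T09:00:00", 1900),  # three charges just under the limit
    ("card-B", "2016-12-06T09:30:00", 1900),
    ("card-B", "2016-12-06T10:00:00", 1900),
    ("card-C", "2016-12-06T08:00:00", 500),   # normal use; the 2500 went through AFA
    ("card-C", "2016-12-06T09:00:00", 2500),
    ("card-C", "2016-12-06T10:00:00", 500),
    ("card-D", "2016-12-05T06:00:00", 1500),  # two charges 30 hours apart
    ("card-D", "2016-12-06T12:00:00", 1500),
]


def parse(records):
    """Yield (token, datetime, amount) tuples, parsing the ISO timestamps."""
    for token, ts, amount in records:
        yield token, datetime.fromisoformat(ts), amount


def flag_low_value_bursts(records, max_txns=MAX_LOW_VALUE_TXNS,
                          max_total=MAX_AGGREGATE, window=WINDOW):
    """Return {card_token: alert} for cards whose sub-threshold CNP charges
    exceed the count or aggregate limit within the rolling window.

    Only the first trigger per card is recorded. Transactions at or above
    LOW_VALUE_LIMIT are skipped because they still pass through the
    additional factor of authentication.
    """
    history = defaultdict(deque)   # token -> deque of (timestamp, amount)
    alerts = {}
    for token, ts, amount in sorted(parse(records), key=lambda r: r[1]):
        if amount >= LOW_VALUE_LIMIT:
            continue
        q = history[token]
        q.append((ts, amount))
        # Evict charges that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        count = len(q)
        total = sum(a for _, a in q)
        if token in alerts:
            continue
        if count > max_txns:
            alerts[token] = {"reason": "count", "count": count, "total": total, "at": ts}
        elif total > max_total:
            alerts[token] = {"reason": "aggregate", "count": count, "total": total, "at": ts}
    return alerts


if __name__ == "__main__":
    for token, alert in flag_low_value_bursts(SAMPLE_TRANSACTIONS).items():
        print(f"{token}: {alert['reason']} limit exceeded "
              f"({alert['count']} txns, Rs {alert['total']}) at {alert['at']}")
```

Run against the constructed records, card-A is flagged on its sixth charge for exceeding the count limit and card-B on its third for exceeding the aggregate, while card-C (whose larger charge went through the additional factor) and card-D (whose charges fall outside the window) are not. In a real deployment the limits would be tuned per customer and merchant, and an alert would feed a step-up challenge rather than a hard decline.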
In May last year, the Reserve Bank had relaxed two-factor authentication for contactless cards for transactions of less than Rs 2000.
Mobile wallet companies might be marginally impacted by this move because many credit and debit-card holders use them for low-value online transactions only to avoid the hassle of the OTP step.


Jayadevan PK is a writer of FactorDaily.