Visa Drops 2FA for Low-Value Transactions
Analysts Weigh the Pros and Cons of the Move
Visa's move to no longer offer one-time passwords for smaller card-not-present transactions - up to INR 2000 - in India is drawing a mixed reaction. While proponents say the move will lead to wider use of digital payments, critics argue it will weaken security.
The card brand had been offering the authentication method as an option for e-commerce transactions.
The Reserve Bank of India in December 2016 dropped its requirement for one-time passwords for small value transactions after payment companies said that it was deterring customers from using payment cards for these purchases.
Commenting on Visa's move, Prakash Kumar Ranjan, IT security manager at CNH Industrial, a capital goods firm, says: "I think it is a practical move given that RBI has asked banks to take into account certain security measures. Also, the banks and payment companies have to bear the full liability in the event of any security breach or compromise in the card network."
But C.N. Shashidhar, founder of SecurIT Education, a cybersecurity consulting firm, says that Visa's move will lead to more fraud. "As someone from the security industry, I am not comfortable with any transaction without a second factor of authentication," he says (see: Visa Contactless Cards Vulnerable to Fraudsters: Report).
'Visa Safe Click'
Visa says it will activate 'Visa Safe Click' across leading online merchants for transactions below INR 2000. This is a lightweight, secure software plug-in for mobile app-based e-commerce merchants.
"For transactions up to Rs 2000, customers do not need OTP as the solution. Visa Safe Click uses cryptographic validation along with Visa's global risk engine to authenticate each transaction," says T.R. Ramachandran, Visa's group country manager, India and South Asia.
The Times of India reports that Flipkart, a top ecommerce firm in India, is one of the early adopters of Visa Safe Click.
"The Indian e-commerce market is expected to reach $1.2 trillion by 2021," Ramachandran says. "However, digital payments transactions are trending below 80 percent, resulting in significant revenue loss for e-commerce industries. E-commerce merchants are grappling with an ever-growing number of consumer issues such as connectivity, incorrect passwords during the payment leg of their transactions."
What RBI Had Mandated
Although RBI stopped requiring an additional factor of authentication for payments up to INR 2000 in 2016, it attached these conditions to the relaxation:
- Only authorized card networks shall provide single-factor authentication with participation of card issuing and acquiring banks;
- Customer consent shall be taken while making this solution available to them;
- Suitable velocity checks (i.e., how many such small value transactions will be allowed in a day / week / month) may be put in place by authorized card networks;
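The third condition, velocity checks, is the control that bounds how much fraud an OTP-less card can absorb before a second factor is demanded again. The following is an added illustration of that control and is not Visa's, RBI's or any card network's implementation: it keeps a per-card history of OTP-less approvals, admits a transaction without an OTP only when it is at or below the INR 2000 threshold, the customer has consented, and every rolling day/week/month cap is still unmet, and otherwise returns a step-up decision. The per-window caps, the card tokens and the timestamps are assumed or constructed values chosen for the example.

```python
"""Velocity check for OTP-less small-value card-not-present transactions.

Added illustration, not production code from Visa or RBI. It models the RBI
condition that single-factor authentication is allowed only below a value
threshold and subject to per-day / per-week / per-month velocity limits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMALL_VALUE_LIMIT_INR = 2000  # threshold named in the article

# Assumed per-card caps on OTP-less approvals per rolling window (illustrative,
# not figures used by any real network).
WINDOWS = {
    "day": (timedelta(days=1), 5),
    "week": (timedelta(days=7), 15),
    "month": (timedelta(days=30), 40),
}


class VelocityChecker:
    def __init__(self, windows=WINDOWS, small_value_limit=SMALL_VALUE_LIMIT_INR):
        self.windows = windows
        self.small_value_limit = small_value_limit
        self._history = defaultdict(list)  # card token -> OTP-less approval times

    def decide(self, card_token, amount_inr, consented, now):
        """Return 'single_factor' if the transaction may proceed without an OTP,
        or 'step_up' if the issuer must fall back to a second factor.

        `now` may be a datetime or an ISO-8601 string.
        """
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        if amount_inr <= 0:
            raise ValueError("amount must be positive")

        # Conditions 1 and 2 from the list: consent, and value threshold.
        if not consented or amount_inr > self.small_value_limit:
            return "step_up"

        # Keep only approvals inside the longest window; older ones cannot
        # influence any cap and would otherwise grow without bound.
        longest = max(span for span, _ in self.windows.values())
        history = [t for t in self._history[card_token] if now - t < longest]

        # Condition 3: velocity caps per rolling window.
        for span, cap in self.windows.values():
            recent = sum(1 for t in history if now - t < span)
            if recent >= cap:
                self._history[card_token] = history
                return "step_up"  # cap reached: require an OTP for this one

        # Only OTP-less approvals count toward velocity; stepped-up
        # transactions were verified with a second factor and are not recorded.
        history.append(now)
        self._history[card_token] = history
        return "single_factor"


# Constructed sample traffic: (card token, amount in INR, consent, timestamp).
SAMPLE_EVENTS = [
    ("card-A", 500, True, "2024-01-01T10:00:00"),
    ("card-A", 2500, True, "2024-01-01T10:05:00"),   # above INR 2000 -> step_up
    ("card-A", 300, False, "2024-01-01T10:06:00"),   # no consent -> step_up
    ("card-A", 100, True, "2024-01-01T11:00:00"),
    ("card-A", 100, True, "2024-01-01T11:01:00"),
    ("card-A", 100, True, "2024-01-01T11:02:00"),
    ("card-A", 100, True, "2024-01-01T11:03:00"),
    ("card-A", 100, True, "2024-01-01T12:00:00"),    # sixth in a day -> step_up
    ("card-B", 100, True, "2024-01-01T12:00:00"),    # other card is independent
    ("card-A", 100, True, "2024-01-02T12:00:00"),    # day window rolled over
]


def run_sample():
    """Run the constructed events through one checker and return the decisions."""
    checker = VelocityChecker()
    return [checker.decide(*event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, run_sample()):
        print(event[0], event[1], event[3], "->", outcome)
```

The checker counts only transactions that actually went through without an OTP, so a customer who is stepped up and completes the OTP does not burn through the cap; the choice of windows and caps is the network's risk decision and is deliberately left as data rather than hard-coded logic.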
Rohan Vibhandik, a security researcher with a multinational company, says Visa's move to eliminate one-time passwords for smaller transactions makes sense.
"Avoiding two-factor authentication for smaller transactions would not only make payments easier but also will reduce the financial and resource overhead for payment companies," Vibhandik says.
He notes that Visa cards will be pre-registered, pre-authenticated and pre-validated with mobile apps for smaller transactions using the global 3D Secure protocol. "This protocol enables consumers to authenticate themselves with their card issuer when making card-not-present transactions. If a consumer needs to change card details, he/she needs to revalidate, re-register and re-authenticate the new card details using his mobile app with the payment companies."