From paying bills to buying groceries, almost all of our transactions appear to be heading online. On the surface, online payments are supposed to make transactions cashless and effortless, but the popularity of cash on delivery shows this isn't exactly true. Security concerns, unfamiliarity and relatively low credit card penetration in India are just some of the factors that are preventing the widespread use of online payments. Having said that, another issue that definitely complicates things a bit, if not hinders the entire process, is the need for two-factor authentication - a cumbersome process that many users dislike, even though the added security should make it a beloved feature.
As a result, e-commerce websites are inadvertently training users to prefer cash on delivery services, despite the many challenges this mode of payment brings to sellers.
Umesh Chandra, a TCS employee based in Hyderabad who regularly shops online has all the tools at his disposal to choose multiple payment options. Yet, he often ends up shopping using cash on delivery.
"When there is a big sale, like Flipkart's Big Billion Day sale, paying by COD is much faster," says Chandra. "You just have to select the product and click one radio button to process the order."
Why do we need two-factor authentication?
In 2009, the Reserve Bank of India (RBI) made two-factor authentication mandatory for all online payments in India. An RBI circular dated February 18, 2009 reads, "It would be mandatory to put in place with effect from August 01, 2009: i). A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions... ii) A system of 'Online Alerts' to the cardholder for all 'card not present' transactions of the value of Rs. 5,000 and above."
This is the reason why you have to enter a one-time password sent via SMS/ email or a Verified By Visa/ MasterCard SecureCode password to authorise payments. You need to enter this each time you make a payment, after you enter your card/ netbanking credentials. This makes it a lot harder for hackers to steal your money and, to a large extent, ensures that your online payments are secure. Although there are no precise statistics on credit card fraud in India, Visa Group Country Manager for India and South Asia Uttam Nayak said at a press conference, "Our country witnesses the lowest number of fraud cases in the credit cards space."
But an unintended side effect of this strong security feature is inconvenience. If you've ever received the one-time password (OTP) late or if the Visa/ MasterCard password page is down when you want to pay, then you know what we're talking about. Even if everything works as it should, two-factor authentication means you can never have the convenience of Amazon-like one-click checkout even if the store already has your credit card details, or you can't simply walk out of the cab when you reach your destination via Uber.
Of course, there are several workarounds - regulations that would allow spending small amounts with an OTP, or digital wallets that let you store money with authentication beforehand, and then spend easily. But these systems come with their own flaws, that make it clear why two-factor authentication is important.
Jan Valcke, CEO of Vasco, a company that provides two-factor authentication solutions to banks such as HSBC and Standard Chartered, warns that if two-factor authentication is removed, hackers could easily carry out multiple low value transactions instead of stealing a high amount in one go.
"For smaller transactions, a customer won't necessarily like an extensive authentication cycle... With the removal of two-factor authentication, the hacker may take advantage by doing multiple transactions of the permissible value bar (as decided by RBI) which will have a similar after-effect as single high-value transaction," says Valcke. Most banks don't even send SMS alerts for low-value transactions, further alleviating the problem in such a scenario.
Regulations need to improve
Despite the importance of two-factor authentication, talk to almost any customer who spends money online and it's clear that the existing systems need to improve.
Umesh Chandra says he avoids paying online because of issues with refunds as well as the inconvenience involved.
"Sometimes e-commerce websites send the refund to the [digital] wallet," he says. "Then you have to buy something else from that site. I had an issue with Airtel where the money was debited from my account but I didn't receive the recharge on my mobile. I had to coordinate with both Airtel and HDFC [for a refund]."
This has a direct impact on new offerings in India as well. Restaurant listings website Zomato just announced a new feature called Zomato Cashless Payments, which will be available in Dubai from February 1. Deepinder Goyal, the CEO and founder of Zomato, says that the ease of use of credit cards in Dubai is the reason why the service was first being launched there. Goyal says the users in India have gotten used to the two-factor system, but believes it is still highly inconvenient.
"The user experience needs a lot of improvement and it does have a negative impact on online transactions in India," says Goyal. "Some transactions fail because of network related issues and the time-limit between authentications. We hope for a better regulatory framework keeping in mind the ever-innovating product offerings by companies in India."
Archit Gupta, co-founder of tax filing startup ClearTax, had told NDTV Gadgets in July that "online payments are still broken in India". We asked him for more details about the problems his company faces with payments.
"Two-factor authentication is a barrier to online payments," Gupta said, adding, "We get many support tickets related to [transactions failing due to] timeouts or from people who don't know about OTP. Many of our clients are older people [who aren't familiar with online payments]. If it is so difficult to complete a transaction, then it becomes another barrier."
Of course, part of the problem lies with the fact that the e-commerce companies - who have the greatest incentive to improve two-factor authentication - are not the stakeholders who can bring about change.
The e-commerce websites' involvement is only till you enter the card details, after which you're redirected to the bank's gateway for verification. If the payment fails at that stage, then the bank's gateway is at fault.
Online payment service Paytm lets you recharge your phone and pay bills as well as make purchases on various online portals using the Paytm Wallet. Paytm processes a large number of online transactions in India every day and its customers regularly face some of the issues described above.
Paytm's Vice President of Business Amit Lakhotia told NDTV Gadgets that Paytm sees a payment success rate of 88-89 percent. That may seem like a good number but on a large scale 11 percent of payments failing looks quite bad for the state of online payments in India. Let's assume that a company handles an average of 10,000 transactions every day. A payment success rate of 89 percent means that 1,100 of those transactions will fail.
Lakhotia echoes ClearTax's Gupta's views on the primary reasons for payment failure. Lakhotia said many people face session timeouts due to delay in receiving OTP. He said invalid card or password errors are two other common reasons for payment failures.
"Many people press the back button or switch apps [while paying] and the session gets over. We try to educate people a lot," says Lakhotia.
RazorPay is an Indian payments startup that aims to provide "frictionless transactions". Harshil Mathur, co-founder of RazorPay, said the company handles around 50,000 transactions a month with a payment success rate of 83 percent.
"Our infrastructure almost never goes down as we use AWS (Amazon Web Services). But payment failures happen because the bank's gateway goes down. [For example], if the 3D Secure website goes down, we can't do anything about it," Mathur said.
We reached out to various banks such as Kotak Mahindra Bank, ICICI Bank, Standard Chartered, and Axis Bank, but all of them refused to comment for this story despite multiple calls and emails over a week.
Reinventing the OTP
One possible solution for foolproof two-factor authentication is to use an app or a device to generate a security code. Vasco deals in hardware and software authenticators, which generate one-time passwords. Since the authenticator device or app is with the person using the service, it adds a second layer of security.
Some banks such as ICICI Bank print a group of codes behind debit cards and ask users to enter these numbers to authorise net banking payments. The bank prints sixteen alphabets (A-P) behind some debit cards and there are two digits under each alphabet. It asks people to key in the digits under three of the alphabets when they try to authorise payments. While this type of payment method circumvents network-related payment failures, Vasco's Valcke called it a "cheap or crude form of authentication".
"A hacker would require to physically have the card to be able to hack into one's account (using the code combinations printed on the back of the bank card)," he says. "A waiter or a service man on a petrol station could copy those details when they are handed the cards by people to pay."
Although this method of authentication provides better security than user created passwords, Vasco says one-time passwords generated via mobile or hardware tokens are far more secure for the reasons mentioned above.
Of course, this kind of solution (or an app based one, where a trusted app generates OTP's on your phone every time you need to make a transaction) would be a big change, and could scare of some customers at first. But in all likelihood, the customers would quickly adapt.
When RBI first made two-factor authentication mandatory, many feared that there would be a big drop in online payments in India, according Paytm's Amit Lakhotia. "I was with MakeMyTrip at the time. There was a drop in online payments but it wasn't massive," he says.
Lakhotia says the added layer of security is reassuring for the people who are new to online payments.
"Two-factor authentication is necessary to build the confidence of people," he says. "Those paying online for the first time are more comfortable when using two-factor authentication."
Small changes, big results?
Being the regulatory body, RBI is the big game-changer here. The RBI has been considering removing two-factor authentication for small transactions. RBI Governor Raghuram Rajan recently told NDTV, "We have solutions [for] doing low value transactions without too much jhanjhat (extra effort) as they call it."
This is an important move to increase e-commerce activity in India, but the existing regulations still act as an obstacle to adoption, says Zomato's Goyal.
"Despite initiatives taken by the Indian government, adoption of mobile payments technology in India has been relatively cautious," Goyal explains. "Regulations and marketing models in India will also need to work on developing a strong client base. Better innovation with respect to m-payments technology based regulations will put India on the map with markets like Dubai."
But the need for caution is equally important. Vasco's Valcke says, "There will always be a trade-off between security and convenience. In our opinion, RBI's act of mulling removal of two-factor authentication will be customer friendly." Merchants are inclined to agree. ClearTax's Gupta says if RBI relaxes rules regarding two-factor authentication, it would have a positive impact on ClearTax's customers. "The bulk of our transactions involved are in the Rs. 300 and Rs. 600 tiers. These payments will become one-click," he says.
With e-commerce being one of the fast growing business verticals in India, improving two-factor authentication so that safety and convenience can improve hand in hand, but with the banks avoiding comment, we have to worry that this process will continue to be a slow, painstaking one - much like waiting for an OTP to arrive.