A new notification by the Reserve Bank of India (RBI) says that banks no longer need to have an additional layer of authentication for transactions under Rs. 2,000. In ordinary language, that means that you don't need to use an OTP to transact with a credit or debit card, as long as the amount is under Rs. 2,000. No more Paytm for Uber, and faster checkout from Amazon, right? Well, if you read the notification, it's not about that at all.
In the notification, the RBI states that customer consent has to be taken when making this solution available, which means that you, the customer, get to choose whether you should stick to having OTP for every transaction, a rule that was introduced in 2014.
"This waiver is a big leap in the right direction to bring ease and convenience to the use of cards over cash and will strengthen the foundation for India to become a leading digital economy," said Amit Jain, President, Uber India.
Rival Ola meanwhile stated: "We welcome the timely move from the Reserve Bank of India to do away with two factor authentication for low value, card-not-present transactions. This will definitely encourage more users to switch to debit and credit cards for online payments." Snapdeal CEO Kunal Bahl tweeted that removal of two factor authentication for low value transactions will boost online commerce.
What does the RBI say?
In the notification, the RBI outlines a system where you can move from the existing systems of authentication, to one where the card networks are responsible for keeping your data secure. Here's the actual text from the notification (emphasis ours):
The Reserve Bank has been receiving requests from certain segments of the industry for reviewing the requirement of AFA for low value online card not present (CNP) transactions. As most of the requests were for merchant specific relaxations on AFA requirements, they were not appropriate at the system level. An alternate solution, provided by authorised card networks is expected to meet the objective of customer convenience with sufficient security for low value transactions. In this model, the card issuing banks will offer the “payment authentication solutions” of the respective card networks to their customers on an optional basis. Customers opting for this facility will go through a one-time registration process requiring entry of card details, etc. and AFA by the issuing bank. Thereafter, the registered customers will not be required to re-enter the card details for every transaction at merchant locations that offer this solution and thereby save time and effort. In this model, the card details already registered would be the first factor while the credentials used to login to the solution (as confirmed by the card network providing the solution) would be the additional factor of authentication.
In order to use the relaxed authentication (for transactions under Rs. 2,000), you will have to first register with your card network, create a login and password, and then save all your card details. To make a payment, you will be able to use these credentials instead of having to type in all your card details, but every individual transaction still has to be verified with your password.
The RBI is not ready, it seems, to let you save your card details with Ola, Uber, or Amazon, and then use them without any further hassles. Instead, it's just replacing an OTP with another password. Your bank can choose to let MasterCard or Visa offer a secure login - so you choose to pay, and then you're taken to a webpage where you will have to sign in with your username and password in order to transact. This kind of system is already present in other parts of the world, under the aegis of MasterPass and Visa Checkout.
Recurring transactions will not become easier
Want to pay your Ola fare quickly without any hassle? Fill your Ola money and the rest of the process is frictionless. Planning to buy a couple of HDMI cables on Amazon? Use Amazon Pay for a faster checkout. If you were thinking that you could use this new functionality to speed up your card transactions, we have some bad news for you.
If you're transacting regularly on apps such as Ola, Swiggy, Amazon, and so on, you probably have your credit or debit card on file with them already. In such a scenario, when it's time to pay, you select your card, type in the CVV/CVC and then you're taken to the authentication page. This could be done through an OTP or your ATM PIN like it’s done right now, or the new password we talked about above.
In short, if your card is already on file, then this notification is not going to affect you at all, and will just leave you with another password to remember - and we all know how bad people are when it comes to working with passwords. If you're looking for a way to make your recurring transactions simpler, then the RBI notification doesn't bring you any relief - the new system of authentication won't be faster or more convenient.
Is there any benefit?
If you shop from a number of different sites, then using this system will be useful as you won't have to type in your card details at every single store you visit. That's not a small use case - this new system will make it easier to make use of a number of different sites, without having to share your card details in so many places.
Also, a lot of people feel insecure about saving their card details across sites they're not familiar with. You might not trust the security precautions that sites take to keep your card details safe, and thus would not want to save your card details. In such a scenario, being able to quickly transact by entering just a username and password is an appealing prospect.
This of course assumes that your bills are going to stay under Rs. 2,000 - and note that this is the upper limit of what's allowed; banks can set lower transaction limits for customers as per the notification - but for a lot of us, that should not be a problem. If you're hopping between a number of different apps to take advantage of offers and cashbacks, then having this facility will make it easier to use them all without leaving your details in dozens of hands.
You should probably just stick to OTP
If you're using a handful of apps regularly, then it might not be worth the effort to set up this new form of authentication. Yes, waiting for an OTP to arrive is extremely annoying, but it gives you some additional security, and you'll need to do this for any large order anyway.
If you're an early adopter of online services, then you might already have your card on file in a few different stores, and you'll not really save time by switching to this new form of authentication. And if you're worried enough about security to not keep your cards on file, then do you really want to use a system where a simple username and password is the only layer of security in your hands?
Stick to OTP for all transactions, and it's much less likely that someone else can use your card - no matter what the value of the transaction is.