RBI Eases Some Card-Not-Present Authentication Requirements
But Some Critics Fear the Move Could Increase Fraud
Following the government's recent demonetisation initiative to help fight tax fraud and counterfeiting, the Reserve Bank of India has removed its two-factor authentication requirement for small-value card-not-present transactions. But some critics fear the move, designed as a catalyst for cashless transactions, could lead to an increase in fraud.
The change will affect transactions up to Rs. 2,000 ($30 U.S.) for card network-provided authentication solutions. The directive was issued under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act 2007 (Act 51 of 2007).
Removing the two-factor requirement is seen as a way to facilitate easier electronic transactions for consumers and enhance the efficiency of retail payment systems.
But some security experts fear the change in authentication requirements could prove harmful.
"All other things being equal, a relaxation in one security control will clearly make fraud easier to commit," says consultant Tom Wills, director of Ontrack Advisory. "The relaxed requirement here is only regarding one type of control, being multifactor authentication, referred to by the RBI as AFA."
Given the RBI's move, banking and security leaders must be prepared for an increase in electronic transactions and the need to scan them more thoroughly for anomalous behavior, experts say.
Easing Transaction Security
RBI says it had received numerous requests for reviewing the two-factor authentication requirement for small transactions.
"As most requests were for merchant-specific relaxations on AFA requirements, they were not appropriate at the system level. An alternate solution provided by authorised card networks is expected to meet the objective of customer convenience with sufficient security for low-value transactions," it notes.
That optional alternative solution involves consumers undergoing a one-time registration process. Thereafter, registered customers won't need to re-enter the card details for every transaction at merchant locations, saving time and effort. Card details already registered would be the first factor; credentials used to log in to the solution (as confirmed by the card network providing the solution) would be the additional factor.
The conditions for elimination of two-factor authentication are:
- Only authorised card networks shall provide such payment authentication with participation of card issuing and acquiring banks;
- Customer consent shall be taken while making this solution available to them;
- The relaxation of authentication is applicable only for card-not-present transactions for a maximum value of Rs. 2,000 per transaction across all merchant categories;
- Banks and card networks are free to set lower per transaction limits.
For transactions with a value greater than Rs. 2,000, the CNP transaction must use two-factor authentication.
T. R. Ramachandran, group country head, India and South Asia, at VISA says, "This is a welcomed move by the RBI as it will help streamline the eCommerce checkout process while maintaining adequate levels of security for small value transactions (below Rs.2,000). We know that the friction involved with the authentication methods currently used has impacted transaction completion rates, particularly with commerce moving to smartphones where screens and keypads are smaller."
Critics Raise Concerns
Some security practitioners question why the RBI is scaling back its authentication requirements because of the greater risk for fraud, and they say it could lead to other security headaches.
Mumbai-based cybersecurity researcher Nitin Bhatnagar says the move will create challenges for security practitioners, who will need to find ways to integrate their back-end systems with payment authentication solution gateways and authorized card agencies while going through a rigorous application security validation testing process.
"Besides, there's the challenge of ensuring card holder data is compliant with the PCI-DSS to protect the transaction's integrity," he says.
Prepare for Change
Security experts say the financial sector must take steps to mitigate the risks raised by the new authentication process.
"Cashless transactions will increase risks of fraud," Bhatnagar says. "CISOs must implement secure technologies like point-to-point encryption or tokenization that will safeguard sensitive card holder data."
Wills expects a significant increase in electronic transactions as a result of the authentication change. "The higher risk created can be mitigated through compensating controls like transaction monitoring combined with behavioral analytics for authorization decisions."
RBI says banks and authorised card networks must educate customers about the new policy, the risks involved and the mechanism for addressing customer grievances and reporting complaints.