MUMBAI: From August 1, you need not think twice before letting your credit card out of sight at a restaurant, petrol pump or any other merchant establishments. The details printed on your card including the card number, expiry date and three-digit card security code (popularly known as the CVV) will not be enough to make fraudulent online transactions.
A RBI directive has ensured that from August, credit and debit card-issuing banks must provide for additional authentication of information over and above what is visible on the physical card. In other words, the cardholder must key in an extra security code or some other data to complete a online transaction.
This consumer-friendly instruction, issued by the RBI on February 18, also mandates a system of online alerts to the cardholder for all `card not present' transactions that exceed Rs 5,000. The circular adds that banks would be penalised for non-adherance to the directive under the Payment and Settlement Systems Act 2007.
In an email response to TOI, RBI though specifies, "Banks are free to decide on the technology they wish to use to fall in line with these instructions.'' On their part, banks have been beefing up their online security. Virtual cards, which have been around for a while, are a secure option offered by the likes of HDFC Bank, ICICI Bank and Kotak Mahindra Bank. HDFC Bank's NetSafe, for one, creates a code that can be used for one-time transaction. "It is a limited period validity number,'' says Sanjeev Patel, EVP and head, direct banking channels, HDFC Bank.
Virtual cards create a code separate from your CVV number so you don't have to key it in on the merchant website. Any unused amount from the card is credited back to the credit or debit card account.
Banks also offer increased security via MasterCard's Securecode and Visa's Verified by Visa, which offer personalised passwords. T V Seshadri, vice-president and country general manager, South Asia, MasterCard, says, "Much like the authentication process required for payment card use at ATMs, SecureCode requires cardholders to enter their personal code in an online window on their PC before a transaction can be processed. Even if someone knows their credit or debit card number, the purchase cannot be completed without their SecureCode at a participating merchant.''
But these initiatives can work only if the cardholder is prompted to enter the code by the merchant site. Says Seshadri, "The card-issuing bank, the retailer and the retailer's acquiring bank will all have to participate. Even if one of these entities does not participate, the cardholder is not prompted to enter the SecureCode.'' Seshadri, though, adds that a number of banks in the country no longer allow their cardholders to transact on e-commerce sites without entering such the code.