Anand Sharma (not his real name) is a practiced hand at online shopping. But even he does not know that from August 1 he will not only require his 16-digit credit card number, card expiry date and 3-digit CVV number (on the back of the card) when he buys something online but will also have to enrol his card with VBV (Verified by Visa) or MSC (Mastercard Secure Code) to complete a transaction.
The additional step is the result of a Reserve Bank of India's guideline issued this February that mandates additional authentications/verifications based on information about the card-holder that is not contained on the card. This measure is expected to contain online card fraud.
The problem here is that most banks have not yet started updating their systems to accommodate this change. An ICICI Bank credit card-holder, said, "My bank has not contacted me about any additional requirement." Banks, on their part, say the onus is on the customers to register themselves for a new password on their bank's websites or activate this service while shopping online.
But it's Indian e-commmerce players who are the most worried, since around 80 per cent of their business comes from the use of credit cards.
Acknowledging that online shopping for India's 24 million-odd online credit card and 140 million debit card users will be much safer from August 1, they fear an almost 30 per cent drop in business owing to the additional authentication steps involved and non-preparedness of banks.
Anupam Mittal, chairman and managing director, People Group, explained that while he's not against additional security measures, e-commerce players stand to lose revenue to the tune of around Rs 2,500 crore. "As a result, the exchequer may stand to lose up to Rs 300 crore (Rs 3 billion) in service tax," he added.
Around 45 per cent of Cleartrip's customers transacting by credit card on this website are Visa card holders. Next come Master cards at 34 per cent, followed by netBanking, debit cards, cash cards and Amex credit cards.
An eBay India spokesperson said the move was 'neutral to positive'. She pointed out that the onus would now be on customers to recall that extra password.
The Internet & Mobile Association of India, meanwhile has requested the RBI to extend the deadline by 60 days. "We believe the major banks have registered less than 40 per cent of their active base, despite active advertising by all our major members to their customers," a memo from the association said.
The association thinks the directive may end up being the biggest deterrent to India's nascent e-commerce business rather than an enabler.
It has pointed out that online fraud is just 0.16 per cent of the e-commerce industry in India which does not even feature in the top 10 online fraud-perpetrating countries. According to the Internet Crime Complaint Center (IC3), the US and UK are the largest online fraud-perpetrators.
Online card frauds primarily originate from international cards and not Indian cards, and these cards will not be governed by this directive, so we can expect little respite from online card fraud even with the directive, IAMAI noted.
Subho Ray, president, IAMAI also pointed out that in the current e-commerce environment in India, banks are merely payment enablers -- the risk arising from non-payment or fraud is borne by the merchant site and not the banks
nor the card companies Visa and Master. Implementing these guidelines will have serious implications for the already-troubled online merchant, he added.
If we were to look at international trends, even countries with much larger e-commerce markets than India as well much higher online card fraud levels like the US and UK do not have mandatory requirements for additional verifications like the one RBI is proposing, these practices are at best recommendatory in nature, Ray said.
Meanwhile, an ICICI Bank spokesperson said it has already started communicating the importance of these guidelines to its customers through statements. "We will be soon sending out SMS alerts and emails to our entire base. We will also be using the print media to educate all online customers (irrespective of bank) of the need and process to register and make online transactions safe and secure," she added.
ICICI Bank has the largest base of about 7 million credit cards.
Other large card issuers are also hastening to make sure they are compliant with the new directive. SBI Cards, a joint venture between GE Capital and State Bank of India, said it now only processes transactions that are verified by a separate password. SBI Cards has 3 million credit cards.
A bank spokesperson said customers will be required to create a password that they would have to enter when transacting online. SBI Card has gone live with these measures on July 1.
However, customers have been given some leeway and can do up to three transactions without a password. Most foreign lenders including Citibank already require customers to have an I-PIN before they can use their credit cards to transact online.