In a bid to make online transactions easier, the Reserve Bank of India (RBI) has come out with a circular which states that it has removed the restrictive two-factor authentication requirement for transactions under INR 2,000.
After examining the trade-off between security and convenience, RBI announced that it has now removed the requirement of Additional Factor of Authentication (AFA) for small value card present transactions. However, the relaxation of the norms applies only to ‘card present’ transactions where near-field communication (NFC) technology is used.
ATM transactions, and transactions where the card is not present, will continue to require the additional factor of authentication, a PIN or one-time password.
RBI in its draft circular said, “It has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC.”
At present, a customer has to key in the personal identification number (PIN) to authenticate every transaction. If the draft circular gets implemented, customers using contactless cards will not have to key in the PIN for transactions up to INR 2,000.
The RBI has advised banks to explain to customers the NFC technology, its use, its risks and the maximum liability devolving on the customer, and also to put in place a robust mechanism for reporting lost or stolen cards.
It is to be noted that ecommerce firms have been pitching to remove two-factor authentication for small value transactions.
Here is the complete circular:
Reserve Bank of India has issued various instructions on security of card transactions and risk mitigation measures, including directions on online alerts as well as on additional factor of authentication. This has resulted in strengthening both card present (CP) and card not present (CNP) transactions. The measures have significantly reduced the misuse of cards.
- Of late, the Reserve Bank has been receiving requests from customers and entities in certain niche segments indicating the need to foster innovative payment products / processes and for enhancing the convenience factor in certain use cases / type of transactions without the need for having the mandatory additional factor of authentication (AFA).
- The requests have been examined from the perspective of the trade-off between security and convenience in card transactions and need for relaxation in extant instructions with suitable safeguards to protect customer interest in light of availability of new technologies. One such technology is that of Near Field Communication (NFC) which is used in contactless cards. The contactless cards are chip cards which provide security as well as convenience.
- Accordingly, it has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC. In this regard, it is advised that –
  - Relaxation for AFA requirement is permitted for transactions for a maximum value of Rs 2,000/- per transaction; banks are free to set lower per transaction limits.
  - The contactless cards should necessarily adhere to EMV standards.
  - Suitable velocity checks (daily, monthly, etc.) shall be put in place by banks as agreed upon by the customer.
  - For transaction value above the threshold limit of Rs 2,000/- PIN (AFA) will be mandatory.
- Further, in the interest of customer protection the banks are also advised:
  - to clearly explain to customers about the technology, its use, risks and liability while issuing contactless/NFC cards.
  - to clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards, along with the responsibility of the customer to report the loss of such cards to the bank immediately through multiple channels made available by the bank.
  - to put in place robust mechanisms for seamless reporting of lost/stolen cards which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).
- However, it may be noted that the above relaxations shall not apply to:
  - ATM transactions irrespective of transaction value.
  - Card Not Present (CNP) transactions.
The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).
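The circular's rules amount to an authorization policy an issuing bank has to evaluate on every contactless transaction: card present over NFC, EMV chip, at or below the Rs 2,000 cap (or a lower bank-set cap), within the velocity limits the customer agreed to, and never for ATM or CNP channels. The following is an added example, not code from the RBI or from any bank, showing that decision logic in one place; the channel names, the `VelocityLimits` figures and the sample history are constructed assumptions, not values from the circular.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

# Per-transaction ceiling fixed by the circular; banks may go lower, never higher.
RBI_PER_TXN_CAP = Decimal("2000")


@dataclass
class VelocityLimits:
    """Limits a bank applies to PIN-less (no-AFA) contactless transactions.

    The figures below are constructed assumptions standing in for whatever
    the bank agreed with the customer; the circular does not set them.
    """
    per_txn_cap: Decimal = RBI_PER_TXN_CAP
    daily_count: int = 5
    daily_amount: Decimal = Decimal("5000")
    monthly_count: int = 50
    monthly_amount: Decimal = Decimal("30000")


@dataclass
class Transaction:
    amount: Decimal
    channel: str      # assumed labels: "POS_CONTACTLESS", "POS_CONTACT", "ATM", "CNP"
    emv: bool         # card/terminal completed an EMV chip transaction
    when: datetime


def afa_required(txn: Transaction, limits: VelocityLimits,
                 prior_pinless: list[Transaction]) -> tuple[bool, str]:
    """Decide whether this transaction needs the Additional Factor of Authentication.

    Returns (True, reason) when PIN/OTP must be demanded and (False, "ok")
    when the small-value contactless relaxation applies. `prior_pinless` is
    the customer's history of transactions already approved without AFA,
    which the velocity checks aggregate over.
    """
    if limits.per_txn_cap > RBI_PER_TXN_CAP:
        # A bank-configured cap above the regulatory ceiling is a misconfiguration.
        raise ValueError("per-transaction cap exceeds RBI ceiling")

    # Exclusions that apply regardless of amount.
    if txn.channel == "ATM":
        return True, "atm"
    if txn.channel == "CNP":
        return True, "cnp"
    # The relaxation is only for contactless (NFC) card-present payments on EMV cards.
    if txn.channel != "POS_CONTACTLESS":
        return True, "not_contactless"
    if not txn.emv:
        return True, "non_emv"
    if txn.amount > limits.per_txn_cap:
        return True, "over_cap"

    # Velocity checks: count and cumulative value of PIN-less transactions
    # in the same calendar day and the same calendar month.
    same_day = [p for p in prior_pinless if p.when.date() == txn.when.date()]
    same_month = [p for p in prior_pinless
                  if (p.when.year, p.when.month) == (txn.when.year, txn.when.month)]
    day_total = sum((p.amount for p in same_day), Decimal("0")) + txn.amount
    month_total = sum((p.amount for p in same_month), Decimal("0")) + txn.amount

    if len(same_day) + 1 > limits.daily_count or day_total > limits.daily_amount:
        return True, "daily_velocity"
    if len(same_month) + 1 > limits.monthly_count or month_total > limits.monthly_amount:
        return True, "monthly_velocity"

    return False, "ok"


if __name__ == "__main__":
    # Constructed sample: two small PIN-less taps earlier the same day.
    t = datetime(2015, 5, 14, 10, 0)
    history = [Transaction(Decimal("100"), "POS_CONTACTLESS", True, t),
               Transaction(Decimal("100"), "POS_CONTACTLESS", True, t)]
    tight = VelocityLimits(daily_count=2)
    for amount in (Decimal("1500"), Decimal("2500")):
        txn = Transaction(amount, "POS_CONTACTLESS", True, t)
        print(amount, afa_required(txn, VelocityLimits(), []),
              afa_required(txn, tight, history))
```

Each refusal carries a reason string so the decision can be logged and later reconciled with dispute or chargeback data; in practice the velocity windows would be computed from the issuer's authorization store rather than an in-memory list.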
Recently, the Delhi-based ecommerce firm Snapdeal has also pitched for a single-factor authentication regime for small value transactions, starting initially with a cap of INR 3,000. Earlier, on August 22, 2014, the RBI had issued a circular requiring every credit card transaction made with an Indian credit card to include two-factor authentication, and had made it mandatory starting from December 2014.