To minimize online transaction frauds in India, RBI has come out with more safer guidelines for online transactions. As per RBI, both credit and debit card holder have to validate their identity while performing an online transaction.
There can be multiple ways thru which identity validations can be done. One option is to send a transaction code as SMS to user’s mobile on each transaction, using which the transaction can be completed. Another option is to provide users a code generator device.
SBI, ICICI, Kotak Mahindra Bank and Citibank sends one time code as SMS to mobile for authenticating the transaction. HSBC provides a digital code generator which has to be used for any transaction online. HDFC uses a image and text to validate the user which has to be configured at time of net banking registeration.
Its difficult for a hacker to have access of everything including username, password, mobile phone or code generator.
Most of the banks do validation one time only at the time of activating third party beneficiaries. In all future transaction with activated third party accounts are not authenticated.
In case of credit card, Both MasterCard (called MasterCard SecureCode) and Visa (called Verified by Visa) uses password for authenticating online transactions. Some credit card have a feature of limiting the amount maximum of which a transaction can be done online.
RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive.
Before, the entire banking industry in India goes on this bandwagon, it is best to simply learn about the experience of cardholders and online merchants as it concerns these two systems. Just google ” verified by visa 2009 ” or go to this link : http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html.
VBV or UCAF/SPA static passwords can be easily phished. Once phished and used by fraudsters, it then makes it very difficult (not impossible) for the legitimate cardholder to dispute a fraudulent online payment made with his VBV or UCAF/SPA credentials.
On the other hand, fraudsters can easily collaborate and share each other’s VBV or UCAF/SPA credentials and then dispute the charges with the issuing banks. The issuing Banks can never prove that the cardholder’s static VBV or UCAF/SPA’s credentials were not phished or compromised.
It surprises me that India, the world’s technical resource, would copy the errors made by Banks elsewhere in the world that tried introducing VBV or UCAF/SPA. It is relatively simple for anyone to do a google search on Verified by VISA and realize that it has not been successful in other parts of the world. At least banks in other parts of the world and online merchants were not mandated to implement these systems.
Be wary of mandated systems. A good security system never needs to be mandated.
Hi… Could you please talk about the current scenario of ecommerce in India. I would like to know more about it as i am doing a project on online marketing