Over the past couple of days, there has been a lot of din around ‘RBI shutting down Uber’, igniting a debate on how the Reserve Bank of India is ‘micro-managing’ online security rather than allowing ‘free-market’ forces to determine the best way.

Whenever a debit or credit card is used, the seller assumes the following: One, the card legally belongs to the buyer and two, once he’s received an electronic authorisation to honour the card, his bank (acquiring bank in payment parlance) which provided the point-of-sale machine will settle the transaction. From the customer’s side, if it’s a debit card, the cardholder’s bank (called the issuing bank) will debit the funds from the cardholder’s savings account. If it’s a credit card, the issuing bank will assume the amount will be paid by the cardholder by the due date.

In a face-to-face transaction (like in a physical store), the store owner can demand to check the bona fides of the cardholder by asking for a proof of identity bearing a photo of the cardholder, such as a driver’s license or a PAN card. The store owner could also compare the cardholder’s signature on the generated receipt with the one on the back of the card. In an online transaction, how is the online merchant supposed to do this?

The authentication process

In the early days, an authentication method was introduced that entailed entering the 3-digit security code, the ‘card verification value’ (CVV), which appears on the back of your plastic next to the signature line; it was meant to be the cardholder’s online signature. Soon, fraudsters started copying both sides of the card. This led to an unprecedented increase in online card fraud, where hackers who had access to card number databases would systematically defraud online merchants. Therefore, about a decade ago, card schemes like Visa and Mastercard developed an issuer-led protocol called ‘3D Secure’ to establish an online Personal Identification Number (PIN) created and known only to the cardholder. This is akin to an online signature which cannot be copied unless it’s revealed to a third person.

However, this led to a huge backlash from the cardholder community, which felt that it added another level of friction to the system. Many online retailers too balked at this, as it was leading to higher dropout rates and therefore lower sales, making them perpetuate the cash-on-delivery approach.

In India, the RBI mandated 3D-Secure for online card transactions way back in 2009. This was a smart move as it coincided with the explosive growth in debit card issuance. India is a very different electronic payments eco-system, where different issuing banks and retailers had varying degrees of awareness about online security risks and the measures needed to counter them. The RBI recognised early on that 3D-Secure is a confidence-building measure for an already reluctant Indian cardholder who still preferred to transact in cash. With debit card issuance today at 400 million versus 20 million credit cards, the Indian cardholder is more at risk without 3D-Secure. Also, the nascent electronic payments industry did not have efficient dispute resolution mechanisms.

Smart tactics

Today, proponents of the Uber model aver that ‘innovation’ allows the customer to enjoy his ride and disembark at his destination without fumbling for cash or having to enter an authorisation PIN, as card details are pre-stored. This innovation is not new; the hotel industry has been using it for a long time, with a pre-authorisation taken at the time of booking. The only difference is that, if mandated, you will still need to use 3D-Secure whilst making the booking.

So, in a trade-off between risk and convenience, what would you choose? Risk your card being used by a hacker in ‘Nigeria’ or protect it using 3D-Secure? As for the wait time, a few extra seconds that can ensure the security of your sensitive information should not be perceived as an inconvenience.

The writer is the CEO of TechProcess Payment Services
