In what could well be the first step toward one of the largest reforms of India's digital banking system, RBI has removed the 2-factor authentication requirement from small-value contactless card transactions below INR 2000. In a circular issued on March 13th, the Reserve Bank directed all concerned financial institutions to apply this relaxation with immediate effect.
2-factor authentication, publicly dubbed "outdated" and obsolete by a number of new-age company founders and chief executives, has been a thorn in the side of India's surging e-commerce segment. The security mechanism hit startups dependent on online payments particularly hard, as they had to restructure their entire payment flows just to fit RBI's 2-factor authentication requirement.
The Reserve Bank, acknowledging that it has heeded requests from customers and entities for the need "to foster innovative payment processes", directed all commercial, urban co-operative and district/central banks to drop the 2-step authentication requirement from transactions below INR 2000.
Interestingly, RBI makes special mention of NFC-backed (contactless) payment mechanisms, saying that it also took contactless payment methods into consideration while reaching the decision. RBI's circular says:
The requests have been examined from the perspective of the trade-off between security and convenience in card transactions and need for relaxation in extant instructions with suitable safeguards to protect customer interest in light of availability of new technologies. One such technology is that of Near Field Communication (NFC) which is used in contactless cards. The contactless cards are chip cards which provide security as well as convenience.
The new guidelines, however, do not apply to transactions done at ATMs or in card-not-present (CNP) situations.
Here's the entire text of the circular:
Card Payments – Removal of requirement of Additional Factor of Authentication for small value card present transactions
Reserve Bank of India has issued various instructions on security of card transactions and risk mitigation measures, including directions on online alerts as well as on additional factor of authentication. This has resulted in strengthening both card present (CP) and card not present (CNP) transactions. The measures have significantly reduced the misuse of cards.
2. Of late, the Reserve Bank has been receiving requests from customers and entities in certain niche segments indicating the need to foster innovative payment products / processes and for enhancing the convenience factor in certain use cases / type of transactions without the need for having the mandatory additional factor of authentication (AFA).
3. The requests have been examined from the perspective of the trade-off between security and convenience in card transactions and need for relaxation in extant instructions with suitable safeguards to protect customer interest in light of availability of new technologies. One such technology is that of Near Field Communication (NFC) which is used in contactless cards. The contactless cards are chip cards which provide security as well as convenience.
4. Accordingly, it has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contactless card payments using NFC. In this regard, it is advised that –
- Relaxation of the AFA requirement is permitted for transactions of a maximum value of Rs 2,000/- per transaction; banks are free to set lower per-transaction limits.
- The contactless cards should necessarily adhere to EMV standards.
- Suitable velocity checks (daily, monthly, etc.) shall be put in place by banks as agreed upon by the customer.
- For transaction value above the threshold limit of Rs 2,000/-, PIN (AFA) will be mandatory.
5. Further, in the interest of customer protection the banks are also advised:
- To clearly explain to customers the technology, its use, risks and liability while issuing contactless/NFC cards.
- To clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards, along with the responsibility of the customer to report the loss of such cards to the bank immediately through multiple channels made available by the bank.
- To put in place robust mechanisms for seamless reporting of lost/stolen cards which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).
6. However, it may be noted that the above relaxations shall not apply to:
- ATM transactions, irrespective of transaction value.
- Card Not Present (CNP) transactions.
7. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007).
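As an added illustration (not part of the article or of the circular), the authorisation rules in paragraphs 4 and 6 can be written as a single decision function: the Rs 2,000 ceiling, the bank's option to set a lower limit, the EMV/NFC condition, the ATM and CNP exclusions, and the daily/monthly velocity checks. The velocity caps and the `BankPolicy`, `Txn`, `afa_required` and `simulate` names are hypothetical, chosen here for the example.

```python
from dataclasses import dataclass
from datetime import datetime

RBI_MAX_PER_TXN = 2000.0  # Rs 2,000/- per-transaction ceiling set by the circular


@dataclass
class BankPolicy:
    """Bank-specific settings; the velocity caps are hypothetical values agreed with the customer."""
    per_txn_limit: float = RBI_MAX_PER_TXN  # a bank may set a lower limit, never a higher one
    daily_txn_cap: int = 5                  # max AFA-free contactless transactions per day
    daily_value_cap: float = 5000.0         # max AFA-free value per day (Rs)
    monthly_value_cap: float = 20000.0      # max AFA-free value per month (Rs)


@dataclass
class Txn:
    amount: float
    when: datetime
    channel: str                  # "pos" (card present), "atm" or "cnp"
    contactless_nfc: bool = False
    emv_compliant: bool = False


def afa_required(txn, history, policy):
    """Return (required, reason). `history` holds the customer's earlier AFA-free
    contactless transactions, which feed the velocity checks."""
    if txn.channel == "atm":
        return True, "atm"                      # para 6: ATMs always need AFA
    if txn.channel == "cnp":
        return True, "cnp"                      # para 6: card-not-present always needs AFA
    if not (txn.contactless_nfc and txn.emv_compliant):
        return True, "not-emv-contactless"      # para 4: relaxation only for EMV NFC cards
    if txn.amount > min(policy.per_txn_limit, RBI_MAX_PER_TXN):
        return True, "amount"                   # para 4: above the limit, PIN is mandatory
    day = [t for t in history if t.when.date() == txn.when.date()]
    month = [t for t in history if (t.when.year, t.when.month) == (txn.when.year, txn.when.month)]
    if len(day) + 1 > policy.daily_txn_cap:
        return True, "velocity-daily-count"     # para 4: velocity checks fall back to PIN
    if sum(t.amount for t in day) + txn.amount > policy.daily_value_cap:
        return True, "velocity-daily-value"
    if sum(t.amount for t in month) + txn.amount > policy.monthly_value_cap:
        return True, "velocity-monthly-value"
    return False, "ok"


def simulate(txns, policy):
    """Process transactions in order; AFA-free approvals accumulate into the velocity history."""
    history, outcomes = [], []
    for t in txns:
        required, reason = afa_required(t, history, policy)
        outcomes.append(reason)
        if not required:
            history.append(t)
    return outcomes
```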