RBI: No “Cheating” Two Factor Auth. Clamps Down on Uber and Others.

43 comments Written on August 23rd, 2014 by
Categories: RBI

RBI has, in a notification, banned companies like Uber (the taxi service) from charging Indian customers through US gateways and circumventing two factor authentication.

What the Heck is Going On?

Uber, a taxi service, takes your credit card details (card number, CVV2, expiry date). In India, of course, this would be safe to give, because online web sites cannot use your card to deduct money with just these details. Each transaction needs a “second factor” authentication, where a preset second password has to be entered on the credit card’s website for every transaction. Just with the card details, Uber couldn’t do a thing.

That’s what you thought.

Uber, though, wanted to do its thing. You take a taxi, but you don’t know how much it costs. Uber can’t bill you upfront because they don’t know how much, and they can’t “swipe” your card in the taxi because hey, that would ratchet up their cost tremendously (swipe machine in every car!).

So what they do is to effectively “work around the system”. The card details you give are used in a transaction gateway abroad. These foreign gateways do not require a second factor auth, and will bill your card using just the details you provided. At the end of the ride, the driver clicks an “end ride” button, which then prompts Uber to bill you from their foreign gateway.

Uber would bring that money back in some other way (either as income or investment from their US entity to the Indian one), and use it to pay the taxi driver.

Uber ensured that the rupee amount billed to you was correct, using real time exchange rates (so you never saw a “dollar” charge, just a rupee fee for the exact amount). But some people might have been charged a conversion charge since the billing was effectively in dollars.

Why is this “cheating”?

The two factor auth was introduced to protect people on a per-transaction basis. So no one could steal your card and use it to transact online without your second password (which is not provided to anyone).

If someone takes your card in India and notes down the details, they can easily register on Uber and start using it. Finding and reversing those transactions would mean complaints to your card company, the foreign gateway and the legal system, which is just too much of a pain. The Two Factor Auth prevents this madness.

That’s one reason. The other is that if the transaction’s being done in India between residents, why send the money out and bring it back, and incur unnecessary volatility on the currency? It may not happen today but if unchecked, obviously it will result in USD conversion of every rupee transaction. (The telecom equivalent is that you connect to an Indian website from India, but through hops that take you to the US and back)

Here’s an example of why this can be dangerous: Uber doesn’t call me to confirm I need a ride. My kids use the phone and can accidentally book something; and by the time I realize it and cancel, I might be charged a cancellation fee of Rs. 100 to Rs. 150. This is something they charge to my card anyhow, and they can do so because they have card details; and this is unfair, as they can charge any arbitrary amount any time and I have to find out and refute each one!

Two factor auth is what makes me comfortable in using cards online - this way I can be sure that the sites that take my details (including Flipkart and the like) don’t have access to the one detail that I only ever enter on the bank’s website (the second password). To bypass this security is to reduce such comfort.

(This isn’t about Uber; it’s just an example to demonstrate context. Indian CC transactions are safer for end-users because of the two factor, though as a system we need to ease the friction in two factor)

But I can’t even Buy Hosting?

There is a fear that legit purchases of foreign services will be banned. But the notification is clear - it’s only for transactions between residents where it’s clearly something that should have stayed in INR.

So buying Hosting on Amazon is fine; the service is provided abroad and normally this kind of thing would involve a forex transaction. Buying books off Amazon US is fine. But you will need two factor auth to buy from Amazon India.

The Technical Details

Here’s the relevant part of the notification.

3. It has come to our notice that despite the above clarifications there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.

4. In view of the above, it is advised that entities adopting such practices leading to willful non-adherence and violation of extant instructions should immediately put a stop to such arrangements.

5. It is further advised that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.

What does this mean?

  • RBI doesn’t like it when both parties are in India, but a payment is made by one to the other through a foreign gateway. Not because of any other reason, but because each transaction would result in outflow of forex and then an inflow, which is both unnecessary and a violation of the payments act.
  • So Uber is bad.
  • Amazon webservices is good (since the server is located abroad, and there’s no round tripping of the money).
  • Paying your web host is good.
  • Companies like Uber (and there are many now) should just stop this practice.
  • Banks need to be vigilant about services that are provided between Indian residents, and will have to introduce checks to ensure this happens. This is not rocket science: they can create a complaint mechanism where if you complain, they investigate, and if needed, effectively block such services through the Visa/Mastercard/Amex network.
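The check the last bullet asks banks for can be written down. The block below is an added example, not code from the post or from any bank or gateway: it applies the rule in paragraph 5 of the notification (domestic card-not-present sale must be acquired in India, settle in INR and carry a second factor) to a batch of constructed transaction records, and treats a genuine cross-border purchase as exempt from the second factor but subject to a cardholder international-use limit. The record layout, the field names, the limit model and the sample merchants are assumptions.

```python
"""Issuing-bank-side screening of card-not-present (CNP) transactions.

Added illustration of the rule in the RBI notification quoted above, not code
from the post or from any bank or gateway. The record layout, the findings,
the international-limit model and the sample batch are all constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CnpTransaction:
    merchant: str
    card_issuer_country: str   # country of the bank that issued the card
    merchant_country: str      # where the goods/services are provided from
    acquirer_country: str      # country of the bank acquiring the merchant
    settlement_currency: str   # currency the transaction settles in
    second_factor: bool        # VbV/OTP or similar completed for this charge
    amount_inr: int            # rupee value of the charge


def is_domestic(txn: CnpTransaction) -> bool:
    """Both ends of the underlying sale are in India (para 3 of the notification)."""
    return txn.card_issuer_country == "IN" and txn.merchant_country == "IN"


def check_transaction(txn: CnpTransaction, intl_limit_inr: int = 0) -> list[str]:
    """Return the rule violations for one transaction; empty means compliant.

    intl_limit_inr is the cardholder's configurable limit for international
    use. The default of zero models 'international use off unless the
    cardholder enables it' (assumption: a plain per-transaction cap).
    """
    findings: list[str] = []
    if is_domestic(txn):
        # Para 5: acquire through a bank in India, settle in INR, second factor.
        if txn.acquirer_country != "IN":
            findings.append("domestic sale acquired overseas (forex round trip)")
        if txn.settlement_currency != "INR":
            findings.append(f"domestic sale settled in {txn.settlement_currency}, not INR")
        if not txn.second_factor:
            findings.append("domestic CNP transaction without second factor")
    else:
        # Genuine cross-border purchase: no second-factor mandate, but the
        # issuer applies the cardholder's international limit instead.
        if txn.amount_inr > intl_limit_inr:
            findings.append("international use exceeds cardholder's limit")
    return findings


def triage(txns: list[CnpTransaction], intl_limit_inr: int = 0) -> dict[str, list[str]]:
    """Map each merchant in a batch to its findings."""
    return {t.merchant: check_transaction(t, intl_limit_inr) for t in txns}


# Constructed sample batch mirroring the cases the post discusses.
SAMPLE = [
    CnpTransaction("ride-hailing app", "IN", "IN", "US", "USD", False, 450),
    CnpTransaction("cloud hosting", "IN", "US", "US", "USD", False, 1200),
    CnpTransaction("domestic e-commerce", "IN", "IN", "IN", "INR", True, 899),
    CnpTransaction("domestic e-commerce, no OTP", "IN", "IN", "IN", "INR", False, 899),
]

if __name__ == "__main__":
    for merchant, findings in triage(SAMPLE, intl_limit_inr=5000).items():
        print(f"{merchant}: {findings or 'compliant'}")
```

With a 5000-rupee international limit the hosting purchase passes and the ride-hailing record collects all three domestic findings; with the zero default, the same hosting purchase is flagged until the cardholder raises the limit.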

Who Else?

It’s not just Uber. Companies like Freshdesk too have US entities that charge money from Indian subscribers in dollars, according to qz, because they need to do recurring payments. (Not possible in India because of the second-factor requirement.)

Some other online companies do it because they don’t know how much they need to charge customers. Others because the billing details are stored and so rebilling an existing customer is easier.

All these will have to stop. They get until Oct 31, 2014 to fix things, so nothing changes overnight. But for companies like Uber, the business model will need to change. (It could still hold credit card details and ask for a prepayment for every ride, with an adjustment of the actual amount later)

Note: Yes, Uber is not a Taxi Service. But it’s a service you use to call a car for hire that will take you from place A to place B. You say Tom-ay-to, I say Tom-ah-to….

Update: Aditya in the comments mentions an elegant solution. That Uber be allowed to charge a certain amount on your card, as a "lien". This just blocks the amount from the card, but doesn't charge you yet - when your ride is done, it deducts the actual amount, and frees the rest of the lien. This transaction can use a 2 factor authentication, and might be more palatable. However, if the billed amount is greater than the lien (because someone changed destinations) it could be a problem but come on, this kind of stuff will even out eventually (and they can just pay the driver the difference, or agree to pay later). 

About the Author:
http://www.capitalmind.in
The man behind Capital Mind. Deepak is a co-founder at MarketVision, a financial knowledge company. Deepak also provides data research and consulting services, and now lives in Bangalore. Connect with him at deepakshenoy@capitalmind.in.

43 comments “RBI: No “Cheating” Two Factor Auth. Clamps Down on Uber and Others.”

I’d like to ask a question on this issue. Let’s say for ex; I’d like to charge online for the services I provide to Customers in India as well as to overseas. Secondly I’d like to do a service like that of Elance. What are procedures to follow to do that. What are the tax repercussions if I charge overseas customers in USD. Could I claim it as services exports and ask for IT exemption from RBI? Could you please let me know the details on these instances?

For an elance like service, you will need to create a marketplace of such users, and register with a payment company to accept both USD and local payments. Because of FEMA you may find it difficult to pay out dollars (all sorts of withholding tax issues) so best to create the entity in a different jurisdiction and only operate it from India.

Services exports no longer get IT exemption.

Two-factor auth is available on foreign credit cards. But, merchants have the option of not using it. So, Amazon does not use it because of its one-click feature. Many other online merchants outside India use it. It’s a VISA (and Mastercard, etc) feature available around the world.

In India, there is probably a mandatory regulation of merchants having to use it. Which is actually a stupid thing. I mean, if a merchant wants to take the liability and risk of fraudulent transactions (because of not using VbV), then why does RBI have a problem with it?

Instead, why don’t they make it optional and put the liability on Uber for fraudulent transactions. Simpler solution, more democratic, less infantilizing and accommodating Uber’s business model (who won’t have to use foreign gateways).

Actually, the real regulation loophole here is that card issuers do not own the liability of fraudulent transactions (like in the US). Transactions can be easily canceled in the US with no questions asked, whereas in India, one has to go through an onerous, insurance claim-like process to revert a fraudulent transaction. If RBI plugged this, this wouldn’t be an issue in the first place.

The even more funny part of this is that if you have forgotten your two-factor auth password, then you can reset it immediately by entering the card details and maybe an additional date of birth. So, it’s practically useless. It just gives you a warm feeling, like urinating in your pants, but it’s just as useless. In fact, it’s actually worse, because security experts have pointed out that now it’s possible to set up phishing sites to get your card information online, by mimicking the two-factor auth web page and the reset form.

I agree that card fraud should be the banks’ thing. This should be addressed of course, but banks pass it on to merchants who by and large don’t seem to want to take the hit. Uber’s case may be different (it might be happy to take the hit for now) but the problem is that someone at Uber can screw people by overcharging them, or their database gets hacked like what happened with Target. There is no protection for the consumer and merchant both, and we need that.

2FA is good, I think. The wallet concept can be used to mitigate smaller transactions (just put some money in a wallet to use for Uber type transactions, and let Uber charge the wallet on demand, this is still fine)

The two-factor auth reset has implications – first, that banks can render the new password useless for a period (say 48 hours) in which time only an OTP can be used (code sent to mobile phone), with a note saying your password has been changed, or require an OTP confirmation. Either way, the 2FA is far more secure than using only info given on the card. I think it’s worth it…

If fraudulent transactions could be easily reversed like in other countries, then the OTP process/2FA is unnecessary. Because, one can achieve the same thing by getting notification of all transactions on their mobile and requesting a cancel if they see a fraudulent transaction.

The only reason why we feel better today with 2FA is because issuers won’t cancel a fraudulent transaction easily so it is upon us (card holder) to prevent bad transactions.

So, the only regulation RBI really needs to introduce is the prompt canceling of fraudulent transactions with no questions asked (and not the onerous insurance claim like process) and assigning the liability to the card issuer. It’s available in other countries so I don’t understand why we don’t do it.

This is necessary even with 2FA/OTP/whatever so we need to do it anyway. And, if we did it, we wouldn’t care about 2FA as we would always be able to cancel transactions easily, with the click of a button. Merchants/issuers might still want to use 2FA but that can be a democratic decision for the merchant/issuer to make.

Agree that liability must go to issuers. This part has some history, where frauds online by customers (skimmed card numbers etc) triggered the proposal. But good to revisit.

2FA is useful – all they ask for is that the customer provide auth that is not on the card. The banks have decided to do things with VBV or OTP which aren’t easily usable. Unlike the west criminal investigations are very slow in India so regulation exists to work around that also!

There’s a straightforward solution to this, though not as optimal as charging your card without 2-factor authentication.

This solution is particularly useful when there are upper bounds on how much can be charged for a single transaction- either strict bounds, or reasonable bounds. Uber has reasonable upper bounds. They are limited to ferrying people within a city and will likely charge a couple of thousand Rupees at the upper end of the spectrum- let’s say 3000.

They can simply have the customer go through the 2FA process while booking the cab for an amount of 3000, but instead of charging the card, they can mark a lien of 3000 on the card (this is called an authorization).

When the ride is over and the actual fare is known (say Rs. 1000), Uber can simply capture Rs. 1000 from the lien and expire the balance. This is common practice with hotel bookings and some e-commerce companies (although this practice is more popular abroad than in India- the option is available here).

This is a great point, thanks mate!

This is how tipping works in a restaurant. When the card is swiped, they put an additional amount to cover the tip that customer might put on the slip.

Anyways, coming to the topic, I believe if I authorize Uber to charge me 3000, and Uber charges me more than the actual fare (1000), I won’t have the option to dispute. I believe with the introduction of 2FA, I lose that privilege (Am I correct?)

Dispute is always an option :) You can also connect with Uber of course. And then you are protected by Consumer Protection laws too.

In the case of a 2-stage credit card transaction (auth and capture), gateways put a limit on the difference between the auth and capture amounts. For example, a tip of, say, 100% of the bill amount cannot be added later at the time of capture. A few gateways ask for re-auth as well if the amount exceeds a certain limit. If re-auth needs to be done then as per RBI rules 2FA has to come into the picture. I have coded this stuff ;)
So the solution is not as simple as it seems. Moreover, if you put an auth for Rs 3000 then that amount gets blocked for x number of days… so people will not like this, especially those with lower credit card limits.
The correct way should be to put liability on the merchant and not on the customer if 2FA is not used, else continue with what’s going on right now.
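The lien flow from the post’s update and from Aditya’s comment, with the constraints this comment adds (a cap on how far the capture may exceed the auth, re-auth with 2FA beyond that cap, and a hold that lapses after some days), as an added model. This is example code, not code from the post, from Uber or from any gateway or card network; the 15% tolerance, the 7-day hold, the OTP flag and the fare figures are constructed assumptions.

```python
"""Two-stage card transaction (authorize, then capture) with the second factor
applied once, at authorization time.

Added model of the 'lien' approach discussed in the post and comments; not code
from the post or from any gateway or card network. Tolerance, hold period, OTP
handling and fares are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

CAPTURE_TOLERANCE_PCT = 15   # assumption: capture may exceed the auth by at most 15%
HOLD_DAYS = 7                # assumption: an uncaptured auth lapses after 7 days


class SecondFactorRequired(Exception):
    """An authorization (or re-authorization) needs the second factor."""


class CaptureRejected(Exception):
    """The capture does not match an open authorization."""


@dataclass
class Authorization:
    cardholder: str
    amount_inr: int          # amount blocked on the card, not yet charged
    authorized_on: date
    captured_inr: int = 0
    settled: bool = False

    def expired_on(self, today: date) -> bool:
        return today > self.authorized_on + timedelta(days=HOLD_DAYS)


def authorize(cardholder: str, amount_inr: int, otp_verified: bool, today: date) -> Authorization:
    """Block amount_inr on the card. The second factor is checked here, while
    the customer is in the app and can answer the OTP."""
    if not otp_verified:
        raise SecondFactorRequired("authorization requires the second factor")
    return Authorization(cardholder, amount_inr, today)


def capture(auth: Authorization, fare_inr: int, today: date,
            reauth_otp_verified: bool = False) -> dict:
    """Settle the actual fare against the block and release the remainder.

    A fare within the gateway's tolerance settles without bothering the
    customer again. A fare above it needs a fresh authorization, and that
    authorization again needs the second factor.
    """
    if auth.settled:
        raise CaptureRejected("authorization already settled")
    if auth.expired_on(today):
        raise CaptureRejected("authorization lapsed; block released, authorize again")
    # Integer arithmetic so the ceiling is exact (3000 -> 3450 at 15%).
    ceiling = auth.amount_inr + auth.amount_inr * CAPTURE_TOLERANCE_PCT // 100
    reauthorized = False
    if fare_inr > ceiling:
        if not reauth_otp_verified:
            raise SecondFactorRequired(
                f"fare {fare_inr} exceeds ceiling {ceiling}; re-authorization with OTP needed")
        reauthorized = True
    auth.captured_inr = fare_inr
    auth.settled = True
    return {
        "captured_inr": fare_inr,
        "released_inr": max(auth.amount_inr - fare_inr, 0),
        "reauthorized": reauthorized,
    }


def ride(block_inr: int, fare_inr: int, days_until_capture: int = 0,
         reauth_otp_verified: bool = False) -> dict:
    """One booking end to end: block at booking time, capture when the ride ends."""
    booked = date(2014, 9, 1)   # constructed booking date
    auth = authorize("cardholder", block_inr, otp_verified=True, today=booked)
    return capture(auth, fare_inr, booked + timedelta(days=days_until_capture),
                   reauth_otp_verified=reauth_otp_verified)


if __name__ == "__main__":
    print(ride(3000, 1000))     # typical trip: settle 1000, release 2000
    print(ride(3000, 3400))     # within tolerance: no second OTP
    try:
        ride(3000, 4000)        # destination changed: over the ceiling
    except SecondFactorRequired as exc:
        print("blocked:", exc)
    print(ride(3000, 4000, reauth_otp_verified=True))
```

The customer answers the OTP once per booking; only a fare that overshoots the tolerance, or a block that has lapsed, pulls them back into a second-factor step, which is where the comment’s objection bites.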

Awesome input, thanks!

With 2FA, you basically lose the ability to dispute whether or not you authorized the transaction (because of the second factor, they know YOU did, not someone else who stole your card).

However, you still have the ability to dispute (directly with the card issuer, if you aren’t happy with the merchant) other aspects of the transaction- such as whether or not you received the services you paid for, etc.

Good move by RBI. Perhaps I am in the minority, but I would prefer 2FA for all transactions on my credit card. Gives me peace of mind. For example, the scenario you mentioned could still happen – someone notes down my credit card details and shops on amazon usa. What is my protection against that happening?

I am in the camp that doesn’t like visa debit cards not asking for a PIN at POS transactions. Thankfully some banks still issue maestro debit cards that need pin for each transaction.

Yes I agree, and protection for this kind of thing is limited in India. So I have to use one time cards for such transactions (HDFC bank has one such option)

What about purchases on itunes?

Apple stores the credit card information (in fact they bill $1 (Rs 60/-) when changing card information on apple devices) and there is no further authorization required (except for the apple password) to bill the credit card on any further purchases.

This is not a forex round tripping thing so likely it will be allowed anyhow. The point here is that money is actually being sent abroad.

I’m confused. So, the regulation is applicable only for local transactions because only frauds where money is not sent abroad need to be prevented? If the 2FA rule is about preventing frauds, why does it matter where/who the money is going to, whether there is forex tripping or not?

Yes 2FA has a specific exemption for forex transactions; and all cards have been told that they should create customer specific (and configurable) limits for forex transactions. This limit will soon default to zero; you will have to go change it yourself.

The reasoning is that 2FA isn’t universal yet. It’s getting to be, though. ECB has gone that way, BoC has, and likely that the US market too shifts to some form of it. (They’re doing it in patches)

I don’t get it. Why does it matter to RBI what other markets are doing? It didn’t matter to them when they made this rule for local transactions!! So, why should it matter to them for foreign transactions? Foreign gateways support 2FA, so I don’t understand what is meant by “it isn’t universal yet”.

It’s funny how RBI constraints/limitations apply to normal Indians, but exceptions are made for NRIs, foreigners, corporates. We have an inverted self-discriminatory regulatory system. No rationality here, as usual. Very amusing.

Foreign gateways for the most part don’t support 2FA for Indian cards, no? If there’s no VBV then the sending of an SMS for OTP etc is absent. Btw, there are exemptions for Mail order transactions too.

Yes, RBI isn’t a saint in these cases, and I hate some of their regulation especially when it comes to KYC. But I support a 2FA standard, honestly. I personally think it should apply to all transactions using cards, as I would be more comfortable. The west generally has a better legal system to deal with frauds, and I think we should improve ours too!

Umm… why would foreign gateways not support 2FA for Indian cards? That would be strange. VbV (verified by visa) is obviously a Visa feature, and not an Indian card specific feature. So, I don’t see why foreign gateways would not support a Visa feature?

I use my card internationally (both direct, when I think I trust the merchant, or a one-time card) and have VbV enabled for years, but I have never ever been redirected to the VbV thingy for international online transactions. But I’ve always had one (since 2009 or something) for Indian cards. So I assumed something in this link up wasn’t working…

Ok, the visa website indicates that both the card issuer and the merchant have to participate in the VbV program. It has nothing to do with domestic or foreign gateways. In Aug 2009, RBI mandated that all Indian merchants have to use it, whereas there is no mandate for foreign merchants, which are also, obviously outside the jurisdiction of RBI. So, gateways are irrelevant.

The point is that foreign gateways don’t ask for VBV when you transact from India; RBI doesn’t require it and even if VBV is supported, the merchants don’t seem to support it. Has anyone used a foreign gateway with VBV with Indian cards?

It might interest you to check booking.com

It collects the credit card details for a domestic hotel booking in India. However the money is charged by the hotel. In the event that one doesn’t show up, the hotel can charge the card.

Booking.com is registered in the UK

Why would Freshdesk, a US entity, be required to adopt an Indian payment gateway? The transaction is between a US service provider and an Indian end user just like an AWS or Amazon purchase and not between two Indian residents.

You’re right, since the Freshdesk entity that’s being paid is the US entity, I suppose. That may still be acceptable I think.

Well, for one thing, Indian payment gateways are a BIG pain. It takes 30 minutes to get going with a US based payment gateway to process credit cards from across the world (as an Indian co). Compare that to Indian gateways who need tons of documents/agreements, take 1-2 months to get everything going, charge hefty fees and, most importantly, behave as if they are doing a favor. And then they do have lot more payment-related or technical issues. Anyway, for 5% of my online customers who are Indian, I have to now find an alternative – may be just offer plain vanilla net banking / NEFT option…

Anil, supposedly things are changing fast with the likes of PayTM, Payzippy etc. getting on with things really fast…

PayTM is disappointing. PayZippy is responsive but too much bureaucracy.

I partially agree with you on the point that closing the loophole is justified and was required to level the playing field, but the deeper issue that led Uber to exploit this loophole merits consideration.

As things today, RBI regulations do not permit me to waive authentication requirement to a certain limit on my own money, neither do they allow proportional risk management by payment service providers. I would wish to give up the advanced security provided by additional factor of authentication for the convenience of conducting small value transactions quickly. Perhaps payment service providers would want to take a risk-based approach, with a range of authentication methods.

Regulations are so specific and uniform that there is little room for proportionality or innovation around payment security. That is what makes me uncomfortable with RBI’s micro-management role. Had there been a little more economic freedom with consumers and service providers, Uber would probably have found a local, compliant solution that provided the functionality it had globally (after all, we are talking a few hundred rupees worth of transaction per trip).

For you, the wallet concept might work best. You simply put your money into a wallet and allow Uber like services to transact. (Uber doesn’t yet allow this, but others do). No 2FA required, and given you’re tech savvy enough, you can do this with whatever amount you fancy.

The range of authentication methods is free to be chosen by the bank, since RBI doesn’t mandate any specific type. Only that the second factor must be information that is not present on the card.

Like we’ve said they can still be compliant, and take a lien on a card on every trip. Or use a prepaid card. It’s not going to be the death of them.

Payment security can be innovated. The only rule is to have a second factor of auth. OTP is nice but not a must, they can do multiple levels of second factor (biometric, pre-assigned password, behaviour, GPS/Time tag photo, code generator on phone etc) This doesn’t mean that banks can’t innovate into the second factor (they can) or that they can’t have further fraud protection through transaction analysis (this is needed anyhow).

So what happens to Google Apps’ business? They certainly don’t do two factor authorization. The Uber analogy can be applied to them too yes? The service provider is in India (I say this because all sales and support emanates from India), the pricing is in INR but the payment gateway is in the US.

That should be fine because there is no forex roundtripping. INR is for convenience I suppose. 2FA not required if forex round tripping not envisaged.

After reading the other comments, I feel that this is a move to stifle innovation and has been taken by RBI under intense lobbying by Meru and other cab operators who have so far not been able to come out with the service standards Uber has set within a few months of being present in the country. It is the same mindset which prevents competition in many industries in India.

The forex round tripping argument doesn’t make any sense, considering that the persons who should be affected by it, are not complaining. I as a user pay in INR, the driver receives the commitment to him in INR in the bank account. It reduces cash usage in the country, takes cab service to a new level for Indian consumers.

RBI’s micro management on these things is a big time eyesore!! They are basically stifling innovation and overriding consumer interest in its zeal to preach better security on electronic payments!! What’s the protection on cash??

It’s not really a move to stifle innovation. It’s like Paypal, these rules have always existed, and they have been told to stop breaking them.

There is no protection on cash and that’s well understood. But cash doesn’t scale – tech does. So it’s important to protect consumers from fraud, and not to pass on fraud costs to merchants. India has a lot of consumer side fraud as well, and largely going through courts doesn’t solve anything – the 2FA allows for a much bigger barrier to fraud and has more safety.

I have stopped using my car and use only Uber. I hope they find an elegant solution. I really liked the fact that it’s simple to call, no haggling, get an SMS with the amount as I get down and a bill emailed.

I’m confused about one more aspect (Sorry :D).

So, if foreign merchants are anyway allowed transactions without 2FA, then a person who has got hold of my card details can use it to buy something from some random foreign merchant, without 2FA, right? And, this rule doesn’t change that, does it?

All this rule does is prevent someone who has my card details from conducting a transaction on the Uber site because Uber will now require 2FA.

So, my question is this: if someone stole my card details, will they really be eager to make transactions on Uber, or will they be looking to use it on some other website (some foreign merchant which does not use 2FA)? What exactly will they buy from Uber? A free taxi ride where they have to show up in person, where they have to give a functional mobile number to Uber? I hope I’m missing something obvious, because it doesn’t make any sense to me.

The point about Uber is not about 2FA. The point about Uber is to settle transactions locally since it’s between the driver and the passenger here (and RBI believes such transactions should be settled in rupees locally). The 2FA is then going to happen because locally settled transactions need 2FA. It’s not a direct result of the other.

Buying something from a random foreign merchant – this is messy only if goods are digital, I think, like maybe a Netflix subscription or such. Also, don’t international transactions have automatic liability protection from MC/Visa? Not sure how that works. India should really get better liability protection or fraud monitoring too.

Foreign merchant authorization will usually have a security from both parties, I think, with many merchants abroad not accepting Indian cards (due to chargeback fraud) and many Indian cards rejecting certain international payees (due to merchant fraud). But that’s not the point, I think it’s just a phased system. The RBI has already suggested that banks get more secure about international payments (use chip and pin, consider 2FA on international transactions etc.) See: http://rbi.org.in/scripts/NotificationUser.aspx?Id=7874&Mode=0

To answer your question, card fraud can be used to do stuff on Uber too, and that’s fraud as well. However this is not really a scenario that RBI will really care about. The point here is – there was a local transaction, no 2FA, and fraud occurred. If a large database is compromised (and you might not even know) and Uber’s strategy is used by hundreds of different merchants (to avoid 2FA) then the scale of such fraud can be enormous with little or no protection – so the hit will be taken by either user or merchant. And it’s in violation of the payment and settlement rules which means RBI needs to act.

To answer DJ’s point, there is no 2FA when buying from foreign sites. For example, when I buy kindle ebooks on amazon.com, they just charge the card immediately, without any 2FA. So yes, I do think that if someone can copy card details, they can do this kind of online shopping. RBI has not blocked it, I wish it could, maybe there are limitations as discussed above in comments.

They could also shop a physical item (say a TV) and get it shipped. I thought that there used to be some check on card issuer’s address and shipping address earlier, but don’t think it is there anymore.

We can keep talking about stifling innovation, but let there first be consumer protection, and then I am all for removing 2FA. There is no way we can depend on our courts or filing cases with RBI etc for consumer redressal – given the current systems, prevention is the best method.

I do agree though that if individuals want to explicitly waive off 2FA on their cards, RBI should allow that. But the default should remain as it is today.

“The point here is – there was a local transaction, no 2FA, and fraud occurred.”

Are there examples of credit card fraud with Uber in India? I didn’t find any examples via Google.

—-

That RBI notification is mostly unnecessary. Instead, all that RBI needs to say is that customers will have 0 liability for fraudulent transactions like in the US. And, leave it to the banks to use 2FA or whatever else they want to use. All that is needed from RBI is what this gentleman is saying:

http://www.thehindubusinessline.com/industry-and-economy/banking/credit-cards-rbi-keen-on-zero-liability-to-customer/article2788358.ece

This is real consumer protection, not a micro-managed list of security details.

—–
“Also, don’t international transactions have automatic liability protection from MC/Visa?”

I doubt if that is the case. Terms and conditions come from the issuer who may or may not use certain features (for fraud protection) from Visa/MC.

—–

It is also RBI’s job to accommodate business models that have negligible risk. They could have said that merchants like Uber can opt for a waiver of 2FA requirement (in which case they wouldn’t have an issue using domestic gateways) under certain conditions (if they get agreement from some number of card issuers and take liability on themselves, get customers to sign off, etc). How hard is this to do?

You won’t find fraud cases. Indian banks don’t reveal it (even at an aggregated level for credit cards!!!! I have been trying to find) and RBI releases some fraud data but not on type of fraud sadly.

RBI notification is far more than that. No international use for new cards unless user specifically allows. Limit on international use set by user but defaults to some amount, etc. This part I don’t particularly agree with but it is because of 2FA protection only. I don’t think the 2FA protection is micromanagement, and in the interest of discussion let’s agree to disagree. To me, it’s good regulation, and they don’t specify how. As we have seen the ECB and BoC have also gone down that route.

Merchants can’t opt out of 2fa in India at all. Allowing some to do so is probably an idea the RBI should think about, and probably for smaller amounts – but I wouldn’t do it at no upper bound if I were them, because if fraud occurs, there is a big impact on the system (a chargeback, dispute resolution, onus on customer to come to court if case filed. Raise the bar, and such fraud instances reduce). Edge cases (and it seems, quite often done in India, sadly) are things like customers charging back even after they have received goods, people using stolen card info to transact on sites exist in abundance and a major problem is that the legal system works too slowly.

The level playing field is better. I know this sounds like a non-free market thingy, but this is what regulation helps with, and there is no real “drop” of experience. I have been transacting online since 1999 in India and even then I feel far safer with 2FA.

Btw, here are the ECB recommendations:
http://www.finextra.com/finextra-downloads/newsdocs/recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf

and one provider (Paypal’s) response to them:
http://www.smartcardalliance.org/resources/pdf/CNP-WP-FINAL-022114.pdf