The year 2014 has been one that can best be described as 'eventful' for India's fledgling yet technologically sophisticated Rs 1,200 crore digital payments industry. It saw a host of start-ups in this space successfully secure funding, while well-established players kept abreast of the latest technologies to roll out new products and services aimed at changing the way Indians make payments and easing their transition from cash to digital modes. However, it is the trade-off between the safety and the convenience of these digital modes of payment that has been the focus in the second half of the year.
Setting the Context
The Reserve Bank of India's directive requiring companies to adhere to the two-factor authentication (2FA) process to make online card payments more secure created quite a furore, which reached a crescendo when taxi aggregators demanded a 'level playing field' with a foreign player that instead offered cab users a friction-free checkout process by side-stepping this stipulation.
In recent weeks, industry bodies such as NASSCOM have been rather vocal in their support for a shift to single-factor authentication for small-value transactions, in view of the changing technology landscape and as a fillip to companies in the e-commerce space; this is something the Reserve Bank of India is considering.
Two-factor Authentication (2FA): Making Safety Paramount
Before we dive into the merits of such a move, it's worth examining what exactly two-factor authentication (2FA) is and why it kindles so much debate. Imagine your cheque book, which has all your bank account details, bank codes etc. Although you might lock your cheque book away, you don't necessarily panic when you misplace it, because you're confident that nobody except an expert forger can fake your signature. Given that there is a lead time for the cheque to be deposited, you can issue 'stop-cheque' instructions. Therefore, what protects you is not just what you have (the cheque leaf) but also who you are (your signature).
Cut to the online world, where you click on the 'pay' button on any e-commerce or biller website. You are redirected to a payment page, where you enter your 16-digit card number, expiry date, name on card and three-digit code. All these are actually printed on your card, so they prove only 'what you have', which can easily be copied by someone who has handled your card. To prove 'who you are or what you know', you are redirected to another website where you have to enter your PIN or One-time Password (OTP) to successfully complete the payment. This process of taking an additional factor of confirmation, akin to the signature, is called 'Two-factor Authentication' (2FA), wherein the risk associated with a fraudster's physical possession of the card or the cloning of card details is mitigated by a secret code known only to the cardholder.
In a brick-and-mortar store, the merchant can ask for some identity documentation to prove that the cardholder is bona fide. 2FA is the online equivalent of an ID check. When it was introduced, there was some noise from the then-nascent e-commerce industry, saying that this additional step in online payments would lead to higher 'drop-outs' and consequently lower sales. However, history has proved the naysayers wrong, as the industry has grown exponentially from $2.5 billion in 2009 to over $13 billion at present, according to a joint report by KPMG and the Internet and Mobile Association of India.
Though 'Cash on Delivery' has contributed to this growth to a large extent and constitutes over 55 per cent of e-commerce payments, the share of online transactions has now touched $5 billion in value terms, constituting over 30 per cent of the payments pie, despite 2FA. This proves that it is not perceived as an impediment; rather, it boosts the confidence of consumers who have otherwise been apprehensive about adopting digital payment modes.
Convenience: A Costly Trade-Off
With single-step authentication and its perceived benefits of 'frictionless' payments, what remains to be seen is whether these benefits would outweigh the obvious risks of fraud. The whole process of recourse for card payment fraud can be nerve-wracking for the cardholder, as law enforcement will investigate only if there is a formal complaint, leaving the victim to grapple with complex jurisdiction issues, technicalities of fraud etc.
So why is online fraud scarier than offline fraud? The key difference is that in the online world, the fraudsters are anonymous, faceless individuals who could be based in any part of the world where law enforcement may never be able to reach. Moreover, no differentiation is made between low-value and high-value fraud. If norms are relaxed for low-value transactions, the fraudster would simply perform multiple low-value fraudulent transactions to escape detection.
Developed markets like the US are now reviewing their payment security norms since they have huge legacy systems to contend with. India has leapfrogged technologies by mandating 2FA much ahead of the rest of the world. That is the reason attributed to online card payment fraud rates in India being among the lowest in the world.
We live in an increasingly crime-ridden and interconnected world. Let us not lower our guard just because of some perceived benefits for a vocal minority. The large silent majority of cardholders have not been complaining anyway.