Ketharaman, put yourself into the issuer's shoes. How can you at least try to ensure the CNP transaction is carried out by the authorized party? OTP is not the best solution (from UX and security point of view), but still offers some protection.
If the banks shifted ALL fraud liability to the consumer, we'd be gladly jumping even through ten hoops to stay secure. It's all about perception and perspective.
TY for your comment. The rationale from the issuer's p.o.v is clear: To make online payments more fraud-proof. Question is, will the resultant friction also make it transaction-proof (for me, it already has).
In today's world, customers are spoilt for choice: They'll simply ditch the MOP that requires 10 hoops to stay secure; cash will make a comeback (as it is, cash-on-delivery accounts for 70% for ecommerce in India); we'll start seeing genuine innovation in payments viz. COD for otherwise completely digital transactions like e-tickets at no higher transaction processing cost than the MDF/MSC applicable for card payments, as I'd highlighted in The Death Of Cash Is At Least 190 Years Away.
I've been hearing about the eventuality of biometrics for 9 years. I'll give it one more year before commenting about it since I subscribe to Bill Gates' famous saying about how people underestimate the amount of change that can happen in 10 years. I'm not sure how EMV is relevant in the present context of CNP transactions but, nevertheless, in my interactions with merchants, banks and regulators in various parts of the world, it's not as though USA doesn't care about fraud. It's just that (a) only it gets friction and the other here-and-now revenue-threatening problems caused by overzealous implementation of fraud prevention measures, and (b) Even without VbV / SecureCode, there's no evidence that fraud as a percentage of CNP transaction value is any higher in the USA than other parts of the world that have implemented 2FA / Mobile OTP, etc.
Instead of USA following the ROW on convenience-versus-security, I'd place my bet on the opposite. With several Indian ecommerce companies getting rid of the extra hop involved with ePGs, a couple of them completely shifting to US-based payment processors in the recent past to circumvent friction, the trend has already commenced.
Some banks send OTP over the email "as well", as registered with them. It saves the hassle of not being on home network or while roaming internationally. I have made multiple online payments using OTP, while I was roaming internationally; with so much ease that I am a strong supporter of such technical initiatives. Pls note that additional sending of email for same OTP has done away with many other cost inconveniences or security apprehensions around SMS. Now, it might open a question around security in emailing; which I think can be dismissed without even any required discussion.
@RiteshA: TY for bringing up the alternative of Email OTP. While I've no personal experience with it - none of the close to a dozen-odd banks I'm exposed to uses it - Email OTP seems more convenient than Mobile OTP. However, Email OTP is "in band" and, for that reason, could be viewed by security purists as less secure than Mobile OTP, which is "out of band".
@AlexP: TY for your comment. The same bank has been using hardware tokens for supplying OTPs for a different usage scenario (NetBanking) for several years. In 8+ years, I've never had a problem with it (knock on wood!). I guess it has moved away from a hardware alternative for online credit card usage due to a myopic focus on cost reduction.
Hardware tokens are not ubiquitous and are "pain in the pocket" to carry. Smartphones offer an adequate alternative.
Agreed but I'd any day accept the predictable "pain in the pocket" over the unpredictability of the smartphone / mobile OTP alternative. But, that's only me. As I said, "Only time will tell whether Mobile OTP will stimulate online payments or sound its death
AMEX and ICICI Bank...besides many more have been using it for years... :-)
I am coming from end-user convenience and security perspective. If I can get account statement on email..then why not OTP...?
Everything else on technical concerns are problems of individuals.
It takes just 32 interactions to develop a habit :)
I was almost sold on Email OTP until I saw the analogy with eStatements: How Suitable Is Email For Delivering Bills And Statements? Do you have to supply a password before seeing the
Founder and CEO
GTM360 Marketing Solutions