I recently received an SMS from one of my credit card issuing banks - the Indian subsidiary of a British high street bank that has a global presence - informing me about the following change in procedure for using its credit cards online:
"With immediate effect, for each online transaction on your BANK1 Credit Card, an OTP (One Time Password) will be sent via SMS to your registered mobile number. In order to complete the transaction, this OTP will have to be entered by you instead of the
erstwhile Verified by Visa password."
As though making online payments isn't terribly painful as it is, this bank has just raised the friction in the process to the
next level. Successful completion of a transaction is no longer just a function of quality of Internet connectivity and the uptime of merchant, acquirer, issuer and epayment gateway websites. It now also depends upon the mobile network coverage, message delivery
times and availability of the mobile phone at the point of transaction.
Even before this new step, the end-to-end payment chain had so many moving parts that almost one in 12 payments failed, as I'd highlighted in my earlier post Skating Away With Online Payments (hyperlink removed). Now, I expect failure rates
to shoot up with Mobile OTP because network coverage is spotty while indoors and in roaming mode, messages could be delayed by several hours during peak volumes observed on holidays and the presence of the regular mobile phone at the point of transaction is
not guaranteed when the shopper is traveling abroad since most people tend to use a different SIM to avoid the exorbitant international roaming charges charged by their primary Mobile Network Operator. All these will only reinforce my recent shift to Cash
on Delivery for online shopping and avoidance of online bill payments.
Going back a couple of years, BANK1 introduced two-factor authentication for all types of card-not-present payments - via web, mobile and phone. It had also started sending SMS Alerts for all card transactions (more on that here).
In all those cases, the bank had ascribed the new security measures to the Reserve Bank of India, which is India's central bank cum banking regulator. BANK1 hasn't (yet!) chanted the "As per RBI rules" mantra to backstop its latest move. I fervently hope that
the regulator doesn't mandate mobile OTP and instead focuses on the huge problem of failed payments. Ideally, it should issue a mandate to all card issuers to reverse debits in the event of all incomplete payments, no questions asked. But I digress.
If it's not to comply with regulation, I wonder why BANK1 chose to implement mobile OTP, a move that could diminish interchange revenues by further alienating experienced users away from online card transactions.
Is it to persuade 70% of online shoppers who currently use cash-on-delivery to switch over to credit cards? It's quite possible that, when they hear about mobile OTP, many fencesitters might feel comfortable about exposing their card information online.
Until they actually experience online friction and failed payments, the heightened security promised by the new step might just nudge them towards using their credit cards to make online payments, thereby boosting the bank's interchange revenues.
Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell.