24 February 2018
Ketharaman Swaminathan

Talk of Many Things

Ketharaman Swaminathan - GTM360 Marketing Solutions


How Security Can Actually Cause Vulnerability

03 June 2014

Security increases friction. That's not news. I've written a few blog posts on this perennial tradeoff in payments.

However, I recently realized that security measures can actually cause new sources of vulnerability.

Ironic but true.

Since December 2013, India's central bank RBI has made it mandatory for all debit and credit card transactions at the point of sale to require a PIN. This is in addition to the signature, which has always been required for card-present transactions. So, while some other nations are debating "PIN or Signature", India has already enforced a "PIN and Signature" regime. But I digress.

In theory, PIN makes card transactions more secure. When implemented properly - as Europe did with EMV over a decade ago - PIN does reduce card fraud without a disproportionate increase in inconvenience.

However, when the same enhanced security measure is implemented in a half-baked manner, it not only reduces convenience but also increases vulnerability.

Friction from the RBI's latest mandate arises from the fact that most credit cards have 6-digit PINs, which are more difficult to remember than the standard 4-digit PIN applicable for debit / ATM cards.

Now, on the ground: 

  • The PIN entered by payers on the existing POS machines is visible to everyone around them. Instead of changing their POS machines to higher models with hoods, banks are dishing out stupid advice like "Use your hand or body to shield your PIN".

https://twitter.com/GTM360/statuses/413255102192168960

  • Because they can't access the POS machine in multiplexes, pharmacies, restaurants and many other merchant establishments, customers are asked to say their PINs aloud.

As a result, the purpose of PIN is defeated. 

While things might improve in future, at this point the "PIN + Signature" regime has caused greater friction and increased vulnerability.

As an aside, the central bank apparently implemented this new security measure to give people more confidence in using their payment cards and thereby usher in a cashless society.

For more than one reason, we might be headed for exactly the opposite effect.

  • When people received their PIN mailers along with their credit card welcome kits several years ago, they didn't bother with the PIN number since it was only required to make cash withdrawals from ATMs via credit cards, a feature that people used rarely since it was very costly. As a result, most people don't know their credit card PIN numbers today and few would take the trouble to contact their banks to get their PINs reissued.
  • Not all POS machines are equipped to accept PIN for credit card transactions. As a result, many merchants, including two of my Mobile Network Operators, have stopped accepting credit cards.

Ergo, RBI's recent mandate has rendered many credit cards unusable at the POS and it's back to cash for many customers.

How's that for "unintended consequence"?

Tags: Cards, Security

Comments: (2)

A Finextra member | 04 June, 2014, 12:38

What a story!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 25 June, 2014, 15:52

A couple of updates since I wrote this post: 

  • My auto workshop owner got his credit card 10 years ago. Like many others, he doesn't know the PIN # and hasn't bothered to contact his bank to get it. He tells me that he regularly charges close to INR 100K (~US$ 1667) per month to his credit card and has never been asked for the PIN # so far. 
  • Both my MNOs are back to accepting credit cards and neither of them asks for the PIN # now. 

Not sure how these merchants manage to sidestep the PIN requirement but, for now, the cash-cashless pendulum swings in the other direction.
