Something for people who use a Visa or MasterCard Credit /Debit card to make online transactions in India.

credit card securityOnline transactions in India have always lagged behind those of other countries in terms of usage and demographic penetration because a lot of people are afraid that their credit card details will be misused if they divulge them online. The truth, of course, is that there is a greater chance of mischief occurring when you absent-mindedly hand over your card to the waiter in the restaurant than if it were used for an online transaction.

Anyway, there’s now a bit of news that ought to decrease the risk of fraudulent online transactions occurring in India. The Reserve Bank of India recently issued a directive asking banks and online vendors of Indian origin to beef up security for all credit card transactions that have a value of INR 5,000 or more. So whether you buy a home stereo system on eBay or book air tickets by calling up MakeMyTrip.com, you’ll need to provide an additional password for completing that transaction.

What is Verified by MasterCard / Visa

Effective August 1, 2009 (tomorrow), all online credit card and debit card transactions in India will require an extra level of verification.

Visa calls its service “Verified by Visa” (VBV) while MasterCard users will be offered the “SecureCode“. A number of banks also refer to this as 3D Secure Service – so although the terminology might vary depending on the bank, the underlying principle is the same. This service, through a simple checkout process, confirms your identity when you make purchases on the Internet. Through a personal assurance message it also reassures you of the authenticity of the online store.

While it was optional earlier, the RBI’s directive makes it mandatory effective 01 August 2009, for all online card transactions to be processed using these enhanced security procedures. While this means an additional verification step for a user, it most certainly brings yet another layer of security to the entire process.

How is 3D Secure Different?

As things stand, users authenticate an online payment by specifying details such as the Name of the Card Holder, date of expiry of the Card and the CVV2 number (usually the 3 digit number located behind the card). This is all well and good for users while the Credit Card is in their possession but it doesn’t offer any protection in the case when your card winds up in the hands of an unscrupulous person.

That’s because all the details required to authenticate an online payment are already present on the card. So if someone has physical access to your card or even a photocopy of both sides of your card, they can always ensure that a transaction is validated even without your knowledge.

What “Verified by Visa” and “MasterCard SecureCode” do is that these services add an intermediate authentication step before the payment is authorized. Quite simply, you’re asked for a password. That password is something that only you would know and it certainly will not appear on the card. So, even if your card is stolen, misplaced or misappropriated, online transactions above Rs. 5,000/- will NOT be validated without the correct password.

How to Register your Debit & Credit Card(s)

Registering your existing Visa/ MasterCard Debit and Credit cards for the 3D Secure service is simple. You can either register for the “Verified by Visa” or “Master Secure Code” service while you are shopping on the Internet or you can visit your bank’s website right now and register all your cards.

If you have an add-on card for your spouse or relative, the card holder will have to register separately to create his/her own personal PIN. The PIN should be all numerals because it will also be used for IVR transactions that happen over the phone and most phones don’t allow you to type alphabets or special characters.

If you have multiple debit or credit cards, you can assign the same Internet PIN to all these cards. For more information, visit your bank’s website   – here are a few links of popular Indian banks & their information pages on these authentication services:

HDFC Bank, ICICI Bank, Citibank, HSBC Bank, Standard Chartered, State Bank of India, Axis Bank, ABN Amro, Deutsche Bank, Karur Vysya Bank

Set a Personal Greeting

Although certainly NOT foolproof, these systems certainly increase the security of online transactions. However, security experts in other countries, differ on certain aspects of this system, citing the fact that it becomes quite easy for phishing scams to garner the VbV password thereby allowing for fraudulent transactions. The risk is somewhat mitigated if one is careful about retaining one’s password, not clicking on links received in emails – type out the URL in your browser’s address bar instead, and of course using some basic common sense like using only a secure and verified HTTPS connection to perform any financial transactions online.

When you register your debit or credit card for Verified by Visa or MasterCard SecureCode, you will be asked to create a Personal Assurance Message – set this to something memorable (e.g., “my wife loves shopping at Macy’s”). Now when you pay online, this Personal Assurance Message will be displayed on the checkout page of the website to ensure that your bank is authenticating your transaction and not a phishing website.

By Shahrzaad M Parekh.