The Economic Times
29 November, 2020, 06:25 AM IST

No ATM PIN for online transactions and other measures to make digital payments safe

Synopsis

The guidelines state that payment aggregators, such as Razorpay, CC Avenue etc., will now have to stop giving users the option of using their ATM PIN to complete online transactions. Here is a closer look at the guidelines and how they can keep your digital life safer.

The Reserve Bank of India (RBI) has issued a set of rules for payment aggregators and payment gateways to make digital payments safer for users. The central bank issued these rules through a notification, 'Guidelines on regulation of payment aggregators and payment gateways', on March 17, 2020. The guidelines aim to minimise the risk of digital payment frauds and to keep customers' financial data safe.

The guidelines state that payment aggregators, such as Razorpay, CC Avenue etc., will now have to stop giving users the option of using their ATM PIN to validate/complete online transactions. This means that for payments over Rs 2,000, users will be able to use only OTP for verification. This way a person's ATM PIN will not be available online to the aggregator or payment gateway (or even a hacker) and will therefore be safer.

Further, RBI has asked such aggregators to make sure that all refunds are credited back to the original source of payment, unless specifically agreed by the customer to credit to an alternate source. Currently, many e-commerce companies either compulsorily or by default credit refunds into e-wallets of customers. Consequently, the payer is unable to get the money back into his bank account.

Here is a closer look at the guidelines issued by RBI and how they can keep your digital life safer.

  • Option of verification via ATM PIN for online transactions cannot be given
According to the RBI notification, payment aggregators cannot ask for ATM PIN for authentication of online payments. At present, some payment aggregators give the customer the option of using their ATM PIN to authenticate online payments.

Kunal Varma, Chief Business Officer and co-founder, MoneyTap, says, "All the digital payments above Rs 2,000 will have to be mandatorily verified via one-time password (OTP). However, according to RBI guidelines, verification of payments below Rs 2,000 via OTP is optional. The decision is taken to ensure that your ATM PIN is not available to anyone and your card is protected."

RBI, in December 2016, relaxed the requirement of an additional factor of authentication for low-value online transactions of up to Rs 2,000 per transaction.

Verification via OTP, sometimes referred to as multi-factor authentication or two-factor authentication, is an additional security layer to minimise the risk of digital frauds while using internet banking or other electronic payment methods.

  • Refunds shall be made to original source of payment
RBI has also asked payment aggregators to credit the refund (made due to cancellation of transactions) back into the customer's account from where the original payment was made.

Currently, certain e-commerce companies credit refunds automatically into the e-wallet of the customer (created on the company's own platform) and not to the bank account, credit card etc. from where the original payment was made. This is troublesome for the customer since this amount can only be used for transactions on that e-commerce portal and nowhere else.

The notification states, "All refunds shall be made to the original method of payment unless specifically agreed by the customer to credit to an alternate mode." This would mean that if you have made a payment on an e-commerce website using the Unified Payments Interface (UPI) from your bank account, then in case of a refund, the amount has to be refunded to your bank account, and not into the e-wallet you have linked to the e-commerce website, unless you specifically ask for this.

However, this might not apply in the case of cashback. Varma says, "In case of cashbacks, they are not really transaction refunds that the merchant or payment aggregator owes to the customer. This is an optional benefit that may be given out by the merchant/payment aggregator to the customer as part of some loyalty or marketing initiative. So the choice of how this money will come to the customer would ideally still remain with the merchant/brand/payment aggregator."

  • Background check of merchants
Payment aggregators have been asked by the RBI to undertake background checks of merchants.

The notification states, "Payment aggregators shall undertake background and antecedent check of the merchants, to ensure that such merchants do not have any malafide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. The merchant's website shall clearly indicate the terms and conditions of the service and time-line for processing returns and refunds."

Varma says, "It seems that RBI is trying to minimise the chances of frauds taking place in the name of reputed websites by asking payment aggregators to ensure that money debiting from the customer's account is actually being credited to the merchant's account. Further, at the time of making payment, the customer has to be informed about how long it will take to get the money back in case of refund. This is to ensure that the customer has clarity when to expect money in their account."

  • Customer grievance
Payment aggregators have been asked to appoint a nodal officer to handle customer complaints and grievances. According to the notification, "Payment aggregators shall put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including designating a nodal officer to handle the customer complaints / grievances and the escalation matrix. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible."

The notification adds, "Payment Aggregators shall have a dispute resolution mechanism binding on all the participants which shall contain transaction life cycle, detailed explanation of types of disputes, process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc."
