Don't frown upon our security regulations for e-commerce

The recent action by the Reserve Bank of India to reiterate the regulations mandating "two factor authentication" for credit card transactions in a "card not present scenario" (ie: for internet transactions), has led to sharp criticism in the media. It is contended that "old fashioned" rules and regulations that inhibit entrepreneurship and initiative and act as a brake on growth of the "new" economy must be done away with. Such regulations, it is asserted, result in major inconvenience to customers and the security concerns cited in their favour are invalid.

Online payment systems are critical for both e-commerce and e-governance, given the growth that has happened and, more importantly, that is planned for, in coming years. It is, therefore, essential that all issues related to the development of such systems be debated and "appropriate" regulations put in place to ensure security, efficiency and ease of use.

Past lessons in this context are not unambiguous. Overregulation of the financial and other sectors has crippled growth before; but an under-regulated financial sector in the developed world brought down not just the Lehman Brothers, but much of the world economy in recent years. We need to look at the issues on merit, putting aside considerations of pro or anti regulation ideology that determine the fashion of the day in matters of public policy.

Sometime in late 2004, a little more than two years after the launch of www.irctc.co.in, I asked MasterCard and Visa executives if there were any security measures that were available that could enhance transaction security and prevent credit card fraud. The question arose from the fact that all the information required to "clear" a credit card transaction on the internet was data available on the card itself viz: type of card, name of card owner on card, expiry date and CVV number.

If a thief stole my card details he could, without any problem, use it on the internet until I blocked it. Very hesitantly I was advised that a simple but powerful security provision existed for both Visa and MasterCard cards, but it had not been made mandatory. The provision was indeed simple - to "clear" a transaction a PIN would be required that would not be available on the card; the customer would create the PIN online, Visa/MasterCard would store it and ask for it at the time of transaction and clear the transaction only if the correct PIN was given. A thief who had my credit card details would not be able to use them for any transaction on the internet. The reason why Visa and MasterCard had not made this verified by its secure system mandatory was the fear that customers would find the requirement of creating, remembering and using the PIN "inconvenient". We insisted on implementing the security measure on IRCTC’s site and it is evident from the way IRCTC has grown, that it has not constrained the customer from using the site at all.

Years later, as e-commerce grew exponentially, the RBI mandated that this "two factor authentication" for "card not present" scenarios be implemented for all e-commerce transactions. The e-commerce honchos at the time protested vigorously - the customer would be inconvenienced and e-commerce transactions would be adversely impacted! The RBI remained adamant and after a small blip for a short time in some cases, e-commerce has continued to boom in India.

The customer, it appears, is happy to accept the inconvenience of "two factor authentication" rather than suffer the inconvenience of credit card fraud. As a regular customer on the internet, I, certainly, am happy too. If my card, or to be more precise, my card data, is used to pay for something on the internet by someone other than me, I have every right to refuse to pay the credit card issuing bank and do what is called a "charge back". I can claim that I did not do the transaction and the burden of proof is then on the online merchant to prove that I indeed did the transaction; otherwise, my money has to be refunded. If it was indeed a fraudulent transaction, I, the customer, would suffer serious inconvenience - dealing with banks is never easy if one wants the money back!

The merchant, of course, suffers a financial loss. As a merchant, therefore, in both the government and later, in the private sector, I was happy to enforce the "inconvenience" of "two factor authentication" than suffer, and have my customer suffer, the consequences of credit card fraud.

The reluctance of MasterCard/Visa to make "two factor authentication" mandatory and the initial brouhaha by e-commerce merchants when the RBI enforced it, is based on an unthinking imitation of American business attitudes - minimise the effort on part of the customer, then only will he love your site! While the US remains the Mecca of e-commerce and every start-up imitates a spiritual Californian parent, we must be free to think of systems and processes most suited to our socio-economic milieu.

Even today, we in the e-commerce space know and suffer from the reluctance of the Indian online customer to pay online. This conservatism on part of our customer has led to high cost payment schemes like "cash on delivery", which is a completely retrograde step in an environment where online payment systems are available. Nonetheless, we use it because our customer is very reluctant to pay online and we need the customer. Security is the customer’s primary concern and we must convince the customer that our systems are completely secure if we want to expand e-commerce with online payments. The "two factor authentication" is a "good thing" and we must use it to convince more and more customers to buy and pay online.

E-commerce is barely 12 years old in this country and has a long way to go before it becomes part of mainstream economic life. We have to enforce secure systems without compromising excessively with customer convenience - and "two factor authentication" is far from being any major inconvenience to any customer. The occasional minor irritation is more than compensated by the warm feeling of my transaction being a secure one.

Customer convenience ends where customer security begins. Credit card transactions are both safe and easy now, and so they should remain. We have a "middle" path between excessive and inadequate regulation, and we must tread it with confidence.