Switch on/off for card payments means additional security.
With the digital transaction push, must come a digital security push. Digital transactions have grown in the past few years, but so have frauds related to online payments—the RBI Ombudsman’s December report shows that digital-related complaints have doubled in the last two years. In FY19, digital complaints accounted for a quarter of total claims, even as complaints relating to use of stolen and cloned cards more than doubled. As the Ombudsman only receives a fraction of these complaints, actual numbers are expected to be much higher. RBI’s latest move, to allow a switch-on/switch-off option for digital transactions, thus, is welcome.
RBI has made it mandatory for banks to provide a switch-on/off facility for both credit and debit cards, for all transactions, starting March 16. Currently, most purchases require two-factor authentication—entering of a CVV followed by an OTP—but, the new rule will mean another level of security as consumers will be able to deactivate their cards when not in use. Users will also be able to set and modify transaction limits for all kinds of transactions. Additionally, it will give users the choice to activate/deactivate international payments and allow/disallow contactless payments. More important, this facility shall be available via all mediums, viz, mobile app, internet banking, IVR, and ATMs. Although some banks like SBI and Axis already offer this facility, awareness was quite poor. What is not clear though is the time banks will take to switch card payments on or off. In the case of Axis bank, for instance, deactivation takes 24 hours from request. If this can be done instantaneously, it shall mean better security. For example, a person will be able to activate the card service only when they shop, and block once that is done.
Although no data is available from RBI on economic losses due to online fraud, Indian banks have long been a target for hackers. Details of 1.3 million card users had been put online last year, of which 98% were linked to Indian accounts. Cyber-security giant Norton last year highlighted that, in 2017, consumers in 20 big economies, including India, lost over $170 billion in cybercrime. India alone lost $18.5 billion. Had this technology been available, hackers would not have been able to use card details as easily. RBI, however, still needs to address security concerns relating to the digital economy. Pushing mediums like UPI can be one solution, but even these are authenticated by debit card. RBI must do more to make sure banks are security-compliant. It has mandated banks to conduct security audits, but it also has to keep introducing new mechanisms. For instance, IDBRT has been talking about blockchain to ensure additional security, and RBI can create a framework for banks to take-up the technology. Given that the central bank spends `3,000 to address each complaint, and complaints have been growing, it would save more if it were to invest in a more secure architecture.