In a recent communication, RBI pointed out the need to support digital transactions in offline mode in order to overcome the "lack of stable connectivity" that hinders digital adoption. I thought it was a good time to talk about offline authorization when it comes to processing payment transactions.
Some definitions first:
Authentication: Every payment transaction goes through two steps, authentication and authorization. Authentication is the step that validates the card user. Historically, for transactions done using the card plastic, this step was performed by taking the customer's signature on the merchant copy of the transaction slip. Then, in order to ensure better security, RBI mandated the use of a PIN entered on the encrypted PIN pad of the point of sale (POS) terminal.
For transactions performed without the plastic, i.e. used on a website, mobile app etc. this step is taken care of by asking the user to input a transaction password or OTP on the authentication page.
Authorization: Authorization is the step that validates the availability of funds. It is this step that is responsible for posting the transaction in your account.
Settlement: Settlement is the step that is responsible for movement of funds from Issuer Bank to Acquirer Bank. As part of this step the merchant claims the money from the acquirer bank and acquirer bank sends this claim to Visa/MasterCard/RuPay, which they then share with respective issuers for processing.
In an online transaction scenario, authentication and authorization are performed in real time, while settlement is an offline step that happens by exchanging the transaction data through the network and does not depend on connectivity at the merchant location.
Offline Transaction: A transaction that is processed without connecting to the issuer bank's system in real time. This means the debit in your account will not appear immediately at the time of the transaction.
There are two possible ways such debits will appear in your account. The first is at the time of processing settlement: as part of its reconciliation process, the issuer bank identifies all the transactions where authorization was not performed online but a settlement was received, and posts these transactions to the customer's account after reconciliation.
The second possibility is by syncing the offline transactions stored on the card or app the next time the card interacts with another POS terminal that has connectivity, or the app finds network connectivity. Don't worry, I will try to explain it in more detail below.
This offline method of processing payment transactions has been in use in many countries but not in India (transit cards and FasTag are two cases where India does use the offline method). There are two primary reasons we did not see such transactions in India. The first is low risk appetite: these transactions are riskier, and there is a possibility of more disputes and even of loss to banks. The second is that India is primarily a market driven by savings accounts and not credit cards. Banks pay interest on savings accounts, which means that if a transaction is processed offline and is posted to the customer's account after a gap of a few days (traditionally the gap between authorization and settlement could be a few days in many cases), the bank would in effect be paying interest to the customer on money that she has already spent.
Floor Limit: Many countries have a concept called the floor limit. A floor limit means that at certain merchant categories a payment transaction can be processed without online authorization, provided the transaction amount is below a certain amount. In card terminology this amount is referred to as the floor limit. So far the floor limit in India has been zero. Now, from what I understand, RBI is planning to set this floor limit at 200 Rs. That would mean any transaction below 200 Rs processed at specific merchant categories will not require authorization from the issuer bank. The transaction will be approved and stored at the terminal level and sent to the acquirer at the time of settlement.
In this case no authentication or authorization is performed, just the details of the card are captured so that the claim can be prepared for settlement.
Now imagine if this had been done a few months back: would we have even needed FasTag? One of the most popular use cases for the floor limit globally is toll payment.
EMV Cards: I am not sure how many of you know this, but besides EMV being more secure, one of the reasons EMV was introduced was its capability to process transactions in offline mode, thus avoiding the need to send every transaction through the network and saving on the cost of communication. For countries where telecom cost is high, this could mean significant savings.
The EMV protocol supports offline transaction processing by provisioning for an offline PIN, which can be validated on the card itself, thus taking care of the authentication step. Several other parameters on the chip control offline approval. The first is the last known balance, i.e. the balance at the time of the last online transaction. The second is a cap on the number of transactions: the total number of transactions that can be approved at the card chip level before the chip forces a transaction to go online. For example, if this parameter is set to 4, the chip will force every 5th transaction to be online. This 5th transaction carries with it all the past offline transactions, thus syncing the issuer's systems in the process. The third is a cap on amount: the cumulative amount up to which the chip on the card can process transactions in offline mode. As with the cap on the number of transactions, the moment this threshold is hit the chip forces the transaction to be processed online. From what I have read, it looks like RBI is proposing to set this amount limit at 2,000 Rs.
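A simplified model of the chip-side checks described above, as an added example that is not from the original post and not taken from the EMV specification. The class, field and outcome names are hypothetical, amounts are in Rs, and treating a failed offline PIN as a decline and a low last known balance as a trigger to go online are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class OfflineCardModel:
    """Toy model of card-side offline limits (hypothetical names, not EMV tags)."""
    last_known_balance: int          # balance at the last online transaction
    max_offline_count: int = 4       # page's example: 4 offline, 5th forced online
    max_offline_amount: int = 2000   # cumulative offline cap mentioned on the page
    offline_count: int = 0
    offline_amount: int = 0
    pending: list = field(default_factory=list)  # offline txns the issuer has not seen

    def decide(self, amount: int, pin_ok: bool) -> str:
        if not pin_ok:
            return "DECLINE"         # assumption: failed offline PIN ends the attempt
        if self.offline_count >= self.max_offline_count:
            return "GO_ONLINE"       # count cap reached
        if self.offline_amount + amount > self.max_offline_amount:
            return "GO_ONLINE"       # cumulative amount cap would be exceeded
        if self.offline_amount + amount > self.last_known_balance:
            return "GO_ONLINE"       # assumption: never spend past last known balance
        self.offline_count += 1
        self.offline_amount += amount
        self.pending.append(amount)
        return "APPROVE_OFFLINE"

    def complete_online(self, new_balance: int) -> list:
        """Online approval: hand stored offline txns to the issuer, reset counters."""
        synced, self.pending = self.pending, []
        self.offline_count = 0
        self.offline_amount = 0
        self.last_known_balance = new_balance  # balance after issuer posts everything
        return synced

if __name__ == "__main__":
    card = OfflineCardModel(last_known_balance=5000)
    for n in range(1, 6):
        print(n, card.decide(150, pin_ok=True))
    # The 5th transaction went online; the issuer posts 4 x 150 plus this 150.
    print("synced:", card.complete_online(new_balance=5000 - 4 * 150 - 150))
```

The issuer only learns about the stored transactions when `complete_online` runs, which is why both caps bound the issuer's exposure between two online contacts.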
Most bank systems these days are capable of the methods described above, so banks should be able to implement them without many changes and roll them out fast.
Similar principles can be used to build the capability for other modes that do not follow the card protocol. In fact, for modes like UPI, where a mobile device is involved, this can be done in a much better way, considering that unlike a card, a mobile device is capable of connecting to the issuer directly as soon as it finds a network.