Fintech in the time of Coronavirus

We are now living in the time of the highly contagious COVID-19, caused by the novel coronavirus. Since there is still no vaccine or cure for it, the only way being recommended to control the spread of this disease is social distancing. This means everyone is requested to stay at home unless absolutely necessary and to avoid social contact as much as possible. Most businesses are requesting their employees to work from home, and all the avenues facilitating any form of social gathering, like pubs, nightclubs, theaters etc., have shut down. Any form of travel is restricted, affecting the entire travel and hospitality industry. Airports are deserted, Airbnbs are getting cancelled, airlines are under pressure to let go of cancellation fees, and Ola and Uber are also seeing significant declines in their daily rides. Schools and colleges have shut down their campuses, with critical courses being run on Google Hangouts or Zoom. Many Edtech platforms have made their courses free so as to reach a wider audience and benefit them. Personal hygiene and cleanliness are at an all-time high, with people washing their hands for at least 20 seconds with soap multiple times a day. Many social media influencers are making videos teaching everyone how to wash their hands properly. I was wondering, if they ever make a movie about this pandemic, Akshay Kumar may play the role of Dettol Handwash. Kids who made fun of Bunty for washing his hands for too long are now following his lead. Bunty is the new hero.

He is my new hero. Everyone will die, only Bunty will survive.

Some of these behavior changes may be temporary, like people may start going on holiday again once the dust settles; however, some of these changes will be here to stay. In this post I will be talking about some very obvious and some not so obvious long-term impacts of these changes on the Fintech industry. So brace yourself and pay attention, for this post might reveal some key opportunities in the time to come.


In the long term I don’t see this impacting the digital payments industry very significantly; however, this could be a good opportunity to promote contactless payment options like QR Code, NFC, RFID, Tone etc. If your new hygiene-conscious self is now worried about touching cash that may have exchanged an unknown number of hands before you, the same logic should be extended to exchanging plastic and entering the PIN on a keypad touched by so many people before you. While many of us may not go to that extent, if one can appeal to the Maya Sarabhai inside the consumer, they can utilize it to gain traction for these payment modes.

This situation of social isolation will also increase online shopping, especially of daily-use perishable items, thus shifting transactions from offline brick and mortar stores to mobile apps like Grofers, Big Basket, Prime Now etc.


While travel insurance might be taking a temporary hit, a situation like this, which reminds the whole world of its mortality, is a perfect opportunity to sell protection products like health and life. I would expect to see a significant boost in the sale of insurance products in the next few months, especially life and health variants. This situation is not only making us sensitive about our personal health but also about the health of the people around us, which includes our household staff. We may see premiums go up slightly though.

A marketing mailer from Religare Insurance

I would not be surprised if we see some interesting products coming from the industry with affordable premiums. We should see insurance companies creating special policies for household staff and promoting them through housing societies. Many organizations relying on gig workers, like Ola, Uber, Zomato, Swiggy, Dunzo etc., may now be more willing to buy insurance cover for their contract workers. It may even be recommended to them as part of their business continuity and disaster planning.

An interesting variant of insurance cover would be to cover loss of income during such lock-downs, offering protection to gig workers and other daily wage operators in case of another such disaster. Even small businesses will be interested in this kind of protection. This needs to be done now and fast, while the memory of the disaster is fresh in everyone’s mind. A few years down the line this product may again not find many takers.

Investing and Wealth Management

With markets correcting 30%-40%, primarily due to the pandemic, we might see the entry of new investors. While old investors would be licking their wounds and crying over the loss of wealth, new investors who were sitting on cash will find this an opportunity for a cheap entry. As is evident from the following graph shared by Nithin Kamath of Zerodha, new account openings on their platform have seen a significant spike.

New account openings on the Zerodha platform have shown a significant spike. Source: Twitter @Nithin0dha

With the market so low, coupled with the Yes Bank disaster, a customer might be thinking: if my bank FD is also at risk, then why not take a bigger risk and aim for better returns by investing in equity rather than sitting on cash. However, the investors who have lost significant wealth due to this crash may decide to sit quietly for a few months.

*Please note that I am only talking about retail investors here and not traders or institutions.

Mutual funds may also observe a spike in new-to-investing customers. Some customers who were relying on themselves for equity investment may now be open to seeking an advisor or moving to actively managed funds after this sudden crash.


One of the most commonly used financial services will continue pushing in the direction it has been for years now, i.e. to avoid footfalls in the branches, especially for service needs. Social distancing should help their cause further. While banks have been working on creating single-man branches in rural areas (I personally worked on one such project in HDFC Bank, called Ultra Small Branch, years ago), we may even see banks go for branches with fewer staff in future, even in urban centers.

Banking from home, Corona.

Bank branches have the potential to become the most effective center for selling other financial services products like insurance, mutual funds etc. Many banks have been doing this for years, and commission from sales of third-party products forms a significant part of their revenues; however, they have not been exploiting their full potential. With sales of third-party products becoming their primary responsibility, they may end up becoming more effective. This would require banks to carefully re-brand and re-position their branch network. Most financial services products are push products, and what better way to sell them than through a bank branch. This means the composition of a bank branch is going to look considerably different, with fewer tellers and more insurance and investing experts.

In my opinion, if banks play it right, the new stream of wealth management start-ups will find their biggest competition in large banks. The “if” at the beginning of the previous sentence is a very big if though. Are banks ready to transform their entire way of working? If they are not, then they should only focus on holding the money and managing the treasury, outsourcing the entire sales and service function to third parties wherever the digital mode doesn’t work well.


Short-term lenders like SmartCoin and Early Salary may see a temporary spike in their loan book, with new customers seeking temporary respite from loss of income relying on these short-term lenders to fill the gap. On the other hand, POS lenders like Bajaj Finance, Home Credit etc. may find a significant drop in their transactions due to customers shopping less because of the lock-down. A similar drop is expected in credit card transactions as well.

So if we refer to the other post on this blog, “phone pe loan” will spike while “loan pe phone” will see a temporary drop.

SME lending is another area that will observe a spike, because most small businesses will need loans to support themselves through the temporary loss of business caused by the significant drop in overall commerce.

In the end, my theory is that India will emerge stronger once this crisis is over. We are much better placed to tackle this situation because of (1) a median age of ~26, (2) an older population that is largely socially isolated for cultural reasons, and (3) our hygiene practices, like washing our hands often, keeping out of the kitchen unless washed, and things like these. The global financial power center will incline further towards India. So cross your fingers and hope for the best.

Transit Payments

Coronavirus (COVID-19) has made us all conscious about avoiding unnecessary human contact to protect ourselves from getting infected. This has made many people think about how cash can be one of the carriers. I am not familiar with the biology of the virus and how exactly this transmission would work. However, if people are worried about cash, then exchanging cards during a transaction or touching a POS machine to input the PIN can also be a problem. That means in the days of COVID-19 the safest mode of payment (talking from a health perspective here) would be contactless payments like QR codes, NFC, RFID, Tone etc. Transit payments are one of the most popular use cases of contactless payments around, and they have become even more mainstream since the push for Fastag for toll payments by the Indian Government.

During my banking days, I got the chance to lead the solution for Jaipur Metro (JMRC), which was being managed by DMRC. So essentially I got to study how Delhi Metro payments work and also design the solution for JMRC using the learnings from the Delhi project. In this post I would like to explain some of the key factors to be kept in mind while designing such a solution.

Transit payments are a different category for a very simple reason: they need to be exceptionally fast, much faster than any other payment method we use. If the transaction is not processed within a fraction of a second end-to-end, we can see endless queues of angry customers forming, be it at a toll booth, at the entry and exit points of metro stations, or at the entry and exit points of your city bus. We do not have the luxury of taking 10-15 seconds to process the transaction when it comes to this particular use case. That takes online authentication out of the picture. Offline authentication is the method of authentication where the transaction is authorized locally by the instrument itself, without traveling to the issuer host system over the network.

The technology commonly used for this type of transaction processing is RFID (Radio Frequency Identification). When you are issued a card, a sticker or any other form factor, it typically contains an RFID chip, which communicates with the receiver installed at the gates of the transit system to read the balance and post transactions. The instrument used for this purpose is typically a prepaid card, where the balance is updated on the chip locally, hence eliminating the need to communicate with the server every time a transaction needs to be processed.

Combo versions of these cards are also popular. They are nothing but debit/credit cards that either have an additional RFID chip embedded inside the plastic, dedicated to the transit payments prepaid card, or have a separate dedicated block in the EMV chip for this purpose. For all practical purposes they are two cards linked to a single plastic.

How does a typical transaction work?

A transaction at a single interaction point, like a toll gate, is very simple because there is a fixed amount to be deducted every time you pass through the gate. The receiver installed at the gate reads the balance on your Fastag and updates it by deducting the fixed amount.

Transactions with two gates, i.e. interactions at entry and exit points like metro gates or city buses, are slightly more complex. In this case, at the time of entry the receiver installed at the gate checks the balance and writes the entry point on the chip. At the point of exit, when you flash your card, the receiver at the exit gate calculates the fare based on the entry point and deducts the amount from the prepaid card, updating the balance accordingly.

How is the card reloaded?

Reloading these cards works very much like any other prepaid wallet or prepaid SIM: you go to the partner bank’s point of interaction (branch, ATM, NetBanking, Mobile Banking etc., depending on the partner bank), provide your unique ID (the ID tagged to the RFID chip) and make the payment.

The bank then communicates this to the transit partner and the reload transaction is updated in their system. The moment your card comes in contact with the sensors at the transit partner, the balance is updated on the chip. You can alternatively use special devices installed by the transit partner for the specific purpose of load/reload of the transit card. This can even be done over the counter by the transit partner.

In the JMRC project we even had provision for a stand-in instruction: every time the sensors at the transit partner read a balance on your transit card that had gone below a pre-set threshold, the bank would get a file from the transit partner with all such card IDs, the banking partner would then debit the respective linked accounts by a predefined amount and send the file back to the transit partner, who would update the balances in their systems.
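To make the offline two-gate flow and the stand-in reload concrete, here is a small simulation written for this post; it is not JMRC/DMRC code, and the stations, fares, threshold, stand-in amount and file layout are all constructed. One thing the post implies but does not spell out is that, because the balance lives on the chip, a gate must be able to detect a record that was edited outside the system; the example models that with a keyed MAC held by the readers, which is an assumption of this example, not a description of the JMRC design.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed parameters for the simulation; not JMRC/DMRC values.
FARE_TABLE = {
    frozenset({"A", "B"}): 10,
    frozenset({"A", "C"}): 20,
    frozenset({"B", "C"}): 15,
}
MIN_FARE = 10            # assumed: entry needs at least the cheapest fare
RELOAD_THRESHOLD = 30    # assumed stand-in threshold
STAND_IN_AMOUNT = 200    # assumed predefined debit/top-up amount
GATE_KEY = b"constructed-demo-key"  # assumed key held by gate readers only


@dataclass
class Card:
    """Stored-value record as a gate reader sees it on the chip."""
    card_id: str
    balance: int
    entry_point: Optional[str] = None
    mac: str = ""


def _digest(card: Card) -> str:
    msg = f"{card.card_id}|{card.balance}|{card.entry_point or ''}".encode()
    return hmac.new(GATE_KEY, msg, hashlib.sha256).hexdigest()


def seal(card: Card) -> None:
    """Reader writes a fresh MAC after every balance/entry update."""
    card.mac = _digest(card)


def is_intact(card: Card) -> bool:
    """Reject a record whose balance or entry was edited without the key."""
    return hmac.compare_digest(card.mac, _digest(card))


def fare(entry: str, exit_point: str) -> int:
    if entry == exit_point:
        return MIN_FARE          # assumed: same-station exit pays minimum
    return FARE_TABLE[frozenset({entry, exit_point})]


def tap_in(card: Card, station: str) -> bool:
    """Entry gate: verify the record, check balance, stamp entry point."""
    if not is_intact(card) or card.entry_point is not None:
        return False
    if card.balance < MIN_FARE:
        return False
    card.entry_point = station
    seal(card)
    return True


def tap_out(card: Card, station: str) -> Optional[int]:
    """Exit gate: fare from the stamped entry, deduct, clear the entry.
    Returns the fare charged, or None if the tap is rejected."""
    if not is_intact(card) or card.entry_point is None:
        return None
    due = fare(card.entry_point, station)
    if card.balance < due:
        return None
    card.balance -= due
    card.entry_point = None
    seal(card)
    return due


def stand_in_file(cards: List[Card]) -> List[dict]:
    """Transit side: rows for every card seen below the threshold."""
    return [{"card_id": c.card_id, "amount": STAND_IN_AMOUNT}
            for c in cards if c.balance < RELOAD_THRESHOLD]


def apply_bank_file(cards: List[Card], bank_file: List[dict]) -> int:
    """Transit side: apply the bank's confirmed debits to the balances.
    Returns the number of cards updated."""
    by_id = {c.card_id: c for c in cards}
    updated = 0
    for row in bank_file:
        if row.get("status") == "debited" and row["card_id"] in by_id:
            card = by_id[row["card_id"]]
            card.balance += row["amount"]
            seal(card)
            updated += 1
    return updated
```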

NPCI has developed specifications under the RuPay Contactless Product umbrella, which are now the basis for NCMC (National Common Mobility Card), which is expected to be the dominant mode for transit payments in the near future.

Sahamati and Account Aggregator Ecosystem

The first time I became aware of the consent layer iSPIRT was working on was sometime around late 2016, when my then boss (who happened to meet Nandan at some event they both attended and heard about it from him) asked me to keep my eyes on it because this was going to be something really big for the Indian digital ecosystem. I scanned through my contacts and found out that it was work in progress and I would get to know when they were ready. After that conversation I put it on the back burner.

Then sometime during July 2019, I came across this article and was eager to find out more about the next big thing happening in the Indian digital ecosystem, so I attended a workshop on Sahamati conducted by iSPIRT in Aug 2019. In this post I will attempt to explain what all the noise is about, what excites me and my disappointments with this entire venture, based on what I know about it through various sources and what I learned in the workshop I attended.

What is an Account Aggregator?

Around the time I joined HDFC Bank in 2005, HDFC Bank used to have a product called Oneview. If you happened to have multiple accounts in different banks, you could register for Oneview and provide the Netbanking credentials for all the bank accounts, and we would do something called “screen scraping” across all those banks’ netbanking sites, using the credentials provided by you to show the information available across all these places in a single view.

Then a few years later I heard about Yodlee and then Perfios, who were offering similar services to customers or businesses who needed to access data across multiple bank relationships. Later came multiple other businesses with similar offerings, and most of them were dependent on screen scraping.

The problem with screen scraping is that every time a bank made any change to its netbanking pages, it needed changes at the aggregator’s end as well. In short, it was not a very efficient way of managing access and data, and to top it all they were all self-regulated. Considering the sensitive information they were accessing, RBI decided to come up with guidelines governing these “Account Aggregators”. After these guidelines everyone was confused about how to approach this. Nobody knew what to do, not even RBI (based on my conversations with some of the players in the space, who happened to seek clarifications from RBI on this subject). Some of these players applied for a license from RBI under the AA-NBFC category, but there was still confusion, until Sahamati came along.

As per the information shared at the time of the workshop, there were a total of eight entities that had received in-principle approval from RBI to set up an AA-NBFC. The names I remember from those 8 are FinServ (CAMS), FinVu (Cookiejar Technologies), OneMoney (FinSec AA Solutions), Jio Information Solutions, Yodlee Finsoft and National E-governance Services (NeSL).

What is Sahamati?

As their website says: DigiSahamati Foundation is a Collective of the Account Aggregator ecosystem set up as a non-Government, private limited company (under the new Companies Act of India, not-for-profit companies are governed under Section 8).

What Sahamati has built is a consent protocol that is approved by the government, and a way for customers to legally provide their smart and informed consent to the information user (FIU) for them to use one of the Account Aggregators (AA) to access your data from information providers (FIP).

Representation of flow of consent and information in AA ecosystem (Image Credit: Sahamati)

How does it work?

Step 1: The Account Aggregator establishes connectivity with various FIPs like banks, mutual fund AMCs, insurance companies, government portals like Tax/GST etc. (the scope might be extended to non-financial data sources as well, depending on the adoption of the platform). Once that connectivity is established, the AA is ready to access customer information from these institutions.

Step 2: Customers register with one or more of these AAs and link their various financial relationships with the profile created on the AA platform. The AA seeks a one-time authentication from the customer, as prescribed by the FIPs, and links the details upon successful validation.

Step 3: When the customer visits an FIU for any service (could be a financial advisor or a loan application etc.) that requires the FIU to access his/her financial information, the FIU asks the customer to select their AA and to give the AA consent to access the information.

Key attributes of consent (Image Source: Sahamati)

Key Attributes of the Consent: The consent given by the user clearly states the period of data that is to be pulled, the time period during which the data can be accessed, the frequency, whether revocation is allowed or not, and the access type, along with the purpose of the consent. This is to make sure the user is clearly aware of the access being granted and to tie the permitted use of the information to that purpose. Use of this information for any purpose other than what is stated in the consent artifact is not allowed.

Step 4: After validating the consent, the AA accesses all the information requested from the respective FIPs and transfers it to the FIU in encrypted form. The AA has no access to this information; it just acts as a pass-through.
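The consent check in Step 4 is where the attributes listed above actually bite, so here is an added example (written for this post, not Sahamati's code or schema) of an AA-side validator that refuses a data pull unless it stays inside the consent artifact: the right FIU and FIP, the consented data range, the access window, the frequency limit, the one-time versus periodic access type, the stated purpose, and revocation. The field names, the `ONETIME`/`PERIODIC` labels and the sample values are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Tuple

# Field names and labels are this example's own, not Sahamati's schema;
# the attributes they model are the ones listed in the post.


@dataclass
class Consent:
    consent_id: str
    fiu_id: str                 # information user the consent was given to
    fip_ids: List[str]          # providers the user linked on the AA
    data_from: date             # period of data that may be pulled
    data_to: date
    access_from: datetime       # window during which fetches are allowed
    access_to: datetime
    access_type: str            # "ONETIME" or "PERIODIC" (assumed labels)
    max_fetches_per_day: int    # frequency limit
    purpose: str
    revocable: bool = True
    revoked: bool = False
    fetch_log: List[datetime] = field(default_factory=list)


@dataclass
class FetchRequest:
    fiu_id: str
    fip_id: str
    data_from: date
    data_to: date
    purpose: str


def revoke(consent: Consent) -> bool:
    """User withdraws consent; only possible if the artifact permits it."""
    if not consent.revocable:
        return False
    consent.revoked = True
    return True


def validate(consent: Consent, req: FetchRequest, now: datetime) -> Tuple[bool, str]:
    """AA-side check that a data pull stays inside the consent artifact."""
    if consent.revoked:
        return False, "consent revoked"
    if not consent.access_from <= now <= consent.access_to:
        return False, "outside access period"
    if req.fiu_id != consent.fiu_id:
        return False, "request from a different FIU"
    if req.fip_id not in consent.fip_ids:
        return False, "FIP not covered by consent"
    if req.data_from < consent.data_from or req.data_to > consent.data_to:
        return False, "requested data range exceeds consented range"
    if req.purpose != consent.purpose:
        return False, "purpose differs from consent artifact"
    if consent.access_type == "ONETIME" and consent.fetch_log:
        return False, "one-time consent already used"
    recent = [t for t in consent.fetch_log if now - t < timedelta(days=1)]
    if len(recent) >= consent.max_fetches_per_day:
        return False, "frequency limit reached"
    return True, "ok"


def fetch(consent: Consent, req: FetchRequest, now: datetime) -> Tuple[bool, str]:
    """Record a permitted fetch. The AA only relays the FIP's encrypted
    payload to the FIU, so nothing beyond the fetch log is kept here."""
    ok, reason = validate(consent, req, now)
    if ok:
        consent.fetch_log.append(now)
    return ok, reason
```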

Why is this the next big thing in Indian Digital Eco-system?

In order to enhance the digital eco-system, ownership, access and sharing of data are very important. AAs coupled with the consent architecture proposed by Sahamati are a great first step in that direction, because they enable seamless transfer of data from FIPs to FIUs with the informed consent of the user, while restricting the use of the shared data to the stated purpose. This is a certain upgrade over sharing photocopies of various statements and other documents at the time of application.

Why am I disappointed?

Imagine you buy a SIM card from Airtel and you are told that with this SIM card you will be able to call only Airtel numbers and not Jio or Vodafone numbers; to do that you will have to buy Jio and Vodafone SIM cards. Would you like this scenario?

In the way it is currently structured there is no interoperability among these AAs, meaning an FIU or FIP will have to partner with all the AAs to ensure full coverage. It may even mean that a customer ends up registering with multiple AAs. Forcing organizations or users to maintain multiple relationships for the same service seems like a very inefficient way of doing something. Imagine the multiplication of resources needed to run this kind of set-up, setting aside the inconvenience it would be for all the parties involved. This one problem can prove to be the biggest reason this entire exercise fails to reach its full potential.

What disappoints me even more is that this comes from the same set of people who proposed UPI, where one of the key strengths of the protocol is the interoperability it offers. This is one of the key aspects why it could even be called a wallet-killer. If wallets were interoperable, a user would have had less motivation to switch to UPI (I am not saying this is the only point of comparison, but in the context of this post I am sticking to this one). After so many years of work, and coming from an independent body, I would have expected this construct to provide for interoperability. We may need to create a new central body for this purpose or assign this responsibility to one of the existing and capable organizations like IDRBT or CERSAI. We may even explore building this entire thing on blockchain to eliminate the need for a trusted central body.

In fact I would be really happy to see this entire thing built on a blockchain-based trustless architecture, and I am sure we have enough capable minds among us to give this a shot and come up with something genuinely innovative and superior to what has been proposed.

EDIT: An error was pointed out by one of our readers regarding the interoperability bit. While what I meant by interoperability was AAs connecting among themselves, there is no need for every FIU and FIP to tie up with all AAs. I am copying below the relevant section from the Sahamati website that highlights how this is achieved.

As an AA, does an AA have to seek out, build partnerships with, and integrate with each new FIP or FIU separately?

No. The AA ecosystem is designed so that each FIP and FIU is enabled to work with every AA in the ecosystem network, rather than only with those with whom they have a bilateral situation. Once any FIP/FIU is certified and added to the Central Registry, any approved AA can connect with them. This Central Registry is akin to the DNS server of the internet world.

For any queries regarding Sahamati, one can check out their FAQ page. They also have a very rich blog where they keep publishing about various aspects of the AA ecosystem and interesting use cases.

Co-branded Cards: Can It Go Beyond Branding

I had come across multiple news items regarding various co-branded cards, like RBL Bank launching a co-branded card with Zomato and HDFC Bank launching co-branded cards with Indigo Airlines. These stories prompted me to write down my thoughts on this very popular product category among payment cards.

During my days in banks I worked on a co-branded card program in partnership with Jet Privilege. Apart from printing the Jet Privilege logo and the customer’s JP number on the card, the partnership also brought a common/shared reward program. From the customer’s perspective, customers could earn their credit card reward points in the form of JP miles and also get other promotional benefits that Jet Privilege was offering to its members. It has been years since, and so far the fundamentals of co-branding remain the same.

In today’s day and age, when the mobile phone is increasingly becoming the preferred payment instrument instead of card plastic, especially with brands like Zomato and Indigo Airlines, I would have expected co-branded cards to offer benefits beyond shared promotions and rewards. Call me a demanding customer, but if the common goal of the co-branding exercise for both brands is customer acquisition and retention, wouldn’t offering a superior transaction experience across the shared brands enhance the offering even further? While banks are still in denial about UX being a key part of customer acquisition and retention strategy, brands like Zomato must know this very well.

One example of how co-branding can go beyond shared rewards and also offer a superior transaction experience between the shared brands (especially in the mobile phone universe) is a single-click transaction with the partner brand. As part of the co-branding exercise both entities exchange customer identities at their respective ends, so why not share authentication as well?

When I implemented 3-D Secure, which is the backbone of the online 2-factor authentication process for Visa (branded as VbV – Verified by Visa), MasterCard (branded as MasterCard SecureCode) and Diners cards, there was a model called Issuer Trusted Party, or ITP, which allowed issuers to enable trusted third parties to perform the 2nd factor of authentication during online transactions.

If I take Zomato and RBL Bank as a sample case here, RBL can register Zomato as a trusted third party and allow Zomato’s customer authentication to serve as the 2nd factor authentication, bypassing the bank’s OTP during the transaction. This would mean that RBL Bank’s Zomato co-branded card holders not only get the shared rewards and promotions, they also have a better transaction experience than any other card holders, thus making the case even stronger for customers to go for this card.

I am not sure how strong Zomato’s customer authentication mechanism is, to be used as the 2nd factor of authentication for a payment transaction, but in this digital age they should have strong authentication; if not, they must work on it.

Phone pe Loan or Loan pe Phone

These days every other Fintech struggling to find a sustainable revenue model is trying to become a lending company. While the bigger ones with enough capital are going with their own NBFC, smaller players are using credit lines from other NBFCs. However, even when these start-ups are using a credit line they end up offering FLDG (First Loss Default Guarantee) up to a certain degree to the NBFCs, thus actually owning the risk. This phenomenon has become so common that many pundits of the start-up ecosystem have proclaimed lending a feature.

As the title of the post suggests, two key models emerge:

Phone pe Loan: This model involves the user downloading the lender’s app and the lender using various data points collected from the phone to underwrite the loan. Linking the lending to a mobile app gives the lender access to multiple non-traditional data points like SMS, call logs, location etc., giving the lender information like the user’s finances (through SMS), social connections (through call logs), home and work address (through location data) etc., which is enough to underwrite the loan even without a traditional credit score. This works well in the Indian context, considering only a small part of India’s population has a credit history. It also gives the user anytime-anywhere access to the loan, thus closely mimicking the credit card business. These loans are usually low-ticket, short-duration loans where the lion’s share of the lender’s income comes from processing fees instead of interest. Multiple loans taken and paid back over a period of time constantly feed into your profile with the lender and help in the underwriting.

Start-ups like SmartCoin, MoneyTap and Early Salary are some key names in this space. Nowadays even companies like Ola and PayTM have come up with Postpaid offerings, which fall in this category, the difference being access to certain proprietary data like your activity in Ola Cabs and your PayTM app transactions respectively.

Loan pe Phone: The other prominent model, perfected by Bajaj Finance and Home Credit, is consumable financing, i.e. offering a loan linked to a purchase, giving the customer the option to pay in EMIs instead of an upfront payment. In this model the lender usually strikes a deal with either the merchant or the manufacturer to subvent the cost of the loan, thus making the loan practically interest-free for the customer. Since the subvention money is paid to the lender by the merchant or manufacturer in one go, this is much more lucrative for the lender when compared to the interest paid by customers as part of EMIs. When you get into the details you will be able to see the interest rate applied and the amount subvented by the manufacturer or merchant.

Merchants or manufacturers in this process effectively let go of some of their margin in the interest of gaining a transaction, which they may have ended up losing due to the customer’s inability to make an upfront payment. The entire credit card industry was built on this very concept. Originally, one of the key reasons merchants agreed to pay MDR from their margin was that credit cards increased the customer’s capacity to pay. (Merchants pay a higher MDR for American Express or other premium variants of Visa, MasterCard and Diners because of the belief that these cards offer a higher capacity to spend.)

In fact, nowadays most credit card companies have also started offering an EMI option to their customers under similar arrangements. Recently I have seen many banks extending this option through their debit cards as well.

This model is not new though; many manufacturers of high-value goods like cars run their own lending companies to finance the purchase. This was later adopted by bike manufacturers. Now that your phones are as expensive as, and sometimes even more expensive than, a bike, why would phone manufacturers stay behind? That is why we are now seeing companies like Xiaomi (Mi) getting into the lending business, adopting the “loan pe phone” model.

The online variation of this model is nowadays popularly referred to as “pay later”, and companies like Zest Money, Lazy Pay (PayU) etc. are operating on this very model with varying degrees of subvention.

UPI for Cash Transactions

Recently two news items did the rounds, one with PhonePe launching ATM services through their merchant partners and another with NPCI releasing guidelines for cash withdrawal at local retailers on the lines of the Cash at POS model. How this transaction works is easy to understand once we know that the accounting for a Cash Withdrawal transaction at a merchant outlet is the same as for a purchase transaction, i.e.

Dr Customer Account

Cr Merchant Account

This gave me an idea: why not extend this to business correspondents to offer both Cash Deposit and Cash Withdrawal to customers through UPI. The accounting entry for Cash Deposit is as follows:

Dr BC Account

Cr Customer Account

The business correspondent will process the transaction as a push credit to the customer’s VPA through the UPI app offered by his/her bank. Most of the big banks already have their own UPI apps, and it will not be difficult to integrate these APIs with their BC app or the app provided by their agent service provider. This will not only ensure an easy way to offer cash services to a wider network, it will also ensure interoperability. The guidelines to cover transactions across the Business Correspondents network are already in place.

Cash Remittance: This service can also be extended to offer third-party cash deposits, under the already existing Domestic Money Transfer (DMT) guidelines.

This transaction set can even be extended to offer innovative Cash Management services by tracking the cash needs of local retailers and moving cash among nearby retailers depending on those needs. The Cash Management company can even register as a third-party provider under the UPI framework, supported by one or multiple banks as PSP. A Google Pay for B2B, if you must. If this service becomes successful, one can petition NPCI to increase the limits for such types of transactions to allow for larger sums. I am certain that with UPI at the back-end it will be much cheaper than bank fees.

Feel free to reach out to me if any of you want to brainstorm further on this.

How will UPI based payments app make money?

I have come across multiple articles highlighting how, after the abolition of PSP fees for UPI transactions, there will be no way for UPI apps like Google Pay, PhonePe etc. to make money. I tried to do some thinking on this subject and will try to present my thought process here.

The purpose with which UPI was launched was to offer merchants a convenient way to accept and process payments, meaning every merchant with a decent technology team will be able to become a PSP and accept payments from customers. This meant that instead of going to a CCAvenue or Billdesk or TechProcess or Atom, merchant will be able to become a PSP to accept payment through UPI. Under traditional arrangement merchant would be paying a fee to the payment gateway (since we are talking UPI, the equivalent payment mode for this in traditional way would be Netbanking) to the tunes of around 1.4% thus becoming a PSP would be a cheaper and preferred way for merchants.

If we look at it from above perspective the motive of UPI P2M was never to offer new business models to players like PhonePe instead it was intended for Amazon to accept payments at cheaper rate with more convenience by launching Amazon Pay as a native payment mode. Many players in the industry like MakeMyTrip, Swiggy, Cleartrip etc are using UPI with the intent of giving a native payment experience.

If we talk specific of Google Pay, Google’s primary source of revenue is ads. So far google was able to track efficiency of an ad up to the point of click. With a native payment mode, google can actually track right up to fulfillment step. This was one of the reasons Google has been trying to launch a payment app for many years now. UPI offers them a cheap and efficient way to do that thus making their job much easier. Even if they don’t make a single penny from processing payments, they gain a lot by way of gathering valuable information, which can generate significantly higher returns in the form of helping them enhance the efficiency of their ads.

Let’s talk BharatPe now. I think they will face the biggest heat of this decision even to the extent of making their entire current business model unviable and force them to think of alternate sources of revenue. Most of their merchant base is smaller businesses and their business is completely dependent on UPI P2M. In my opinion, one of the key sources of revenue for them will be providing access to various online/offline products dedicated for SMBs to their merchant base and generate commission income in the process. In the long run they will have to create additional products and services for their target client base and charge them for those.

PayTM is another big player, who will be hit with a double edged sword in the form of WhatsApp Pay for P2P and zero fee for P2M. However based on their recent move they have already made peace with zero P2M fee and seems like they know what they are doing.

Last big player in this bandwagon is PhonePe. What would be the fee being paid by Flipkart and its other group entities for processing NetBanking payments? If that entire volume shifts to UPI, that would be the extent of saving PhonePe would be generating for Flipkart group. Would this make PhonePe a multi-billion dollar entity it has been projected to be? The simple answer is, no. They would not have become that multi-billion dollar entity relying only on UPI P2M revenue anyway. They already have shown their ambition of becoming a financial services conglomerate in the lines of PayTM and continuing to acquire users and merchants on their platform and processing transactions for them is in their interest, even at the cost of burning cash.

Digital Payments: Card Payments (Part 4): Fraud Prevention

This is the final part of my series on card payments, and in this post I will try to cover some common fraud techniques that target card customers. We will also look at how you can protect yourself from them.

Skimming: Skimming is the process of stealing your card information at the time of a transaction and then misusing that information. Through skimming, fraudulent transactions are made on your card. Whenever the card is swiped at a POS or ATM device, the fraudster attaches an external card reader to capture the card data at the time of the swipe.

The most effective measure to prevent this kind of fraud is the use of chip (EMV) cards. RBI has made it mandatory for all card issuers to ensure that every debit and credit card issued is a chip card. ATM manufacturers are designing their card readers so that attaching any additional external component is difficult. Still, some precautions you can take to protect yourself are as follows:

Image: an example of a skimmer

1. Make sure the card stays in your sight at all times and that the device on which it is being swiped is clearly visible to you, with no external component attached to the device.

Image: an ATM skimmer

2. While using an ATM, make sure that no external component is attached to the ATM’s card reader (many ATMs that still use magnetic readers use a “jitter” to interrupt the card’s entry into the reader, which ensures that the card data is not captured by an external device). One way to identify whether an external component is attached to the card reader is to check that the light on the card reader is blinking. If you cannot clearly see the light on the card reader, avoid using that ATM.

This type of fraud is especially prevalent at popular tourist destinations. The reason is that the card belongs to a tourist who, on returning home, is not in a position to properly check and query the card activity that took place abroad. You should be extra careful with your card while travelling. On my recent trip to Australia I noticed that shopkeepers there encourage you to swipe the card yourself, which is a safe practice.

Phishing: Phishing is exactly what it literally sounds like (fishing). In it, the fraudster targets people to get them to reveal their sensitive information. Another entertaining way to learn about phishing is the Netflix web series “Jamtara”, which is based on a tele-calling phishing racket run by a group of youths from a remote town.

According to the Wikipedia definition, “In electronic communication, phishing is a fraudulent attempt by a disguised fraudster to obtain sensitive information such as the user’s name, password and credit card details.”

If you receive a call, SMS or e-mail from your issuer or any other entity asking you to share sensitive information such as your card number, PIN, CVV, OTP, net banking ID and password, etc., the only way to protect yourself from this kind of fraud is to not share your sensitive information on any channel. Your bank will never ask for these details over a call, SMS or e-mail.

Website spoofing: Here the fraudsters create a website that looks like the website of some other trusted entity; even the URL looks similar (usually a single character is changed). A simple way to avoid this is to type the URL yourself instead of clicking on a link received via e-mail or SMS.

Image: an example of spoofing

Websites provide some checks and controls to get customers to the right page. For example, some websites display an image or message on the page where you have to input sensitive information. HDFC Bank NetBanking displays a picture and a message chosen by you on its login page, to make sure you are entering your information on the genuine bank page and not on some spoofed website.

Social engineering: This fraud technique is used by the fraudster to obtain confidential or personal information that can be used for some purpose. The ‘phishing’ described above is one kind of social engineering. Some other social engineering techniques in this context are ‘vishing’, where fraudsters imitate a company’s IVR (Interactive Voice Response) to obtain sensitive information from its customers; and ‘baiting’, where the fraudster sends you a link via e-mail or SMS so that, lured by the promise of some reward or the threat of some loss, you end up clicking on the infected link.

In the real world no prince of Nigeria or Sudan is dying to share his wealth with you; nor have you won any Coca-Cola or Reader’s Digest lottery. RBI or the Income Tax Department is not putting money into your account either, and neither does PM Narendra Modi want to give you fifteen lakh rupees brought back from a Swiss bank. So do not send your bank account or any other personal information to anyone. Even to get the cooking gas subsidy, all you have to do is link your Aadhaar card to your bank account, nothing else.

Money mule: A money mule, sometimes also called a ‘smurfer’, is a person who helps fraudsters transfer money illegally. If someone tells you a story that they have to transfer a large sum of money and want to use your account to “park” the money for a few days and then transfer it onward, understand that the groundwork is being laid to trap you in a major fraud.

When money is transferred digitally it leaves a “trail”, which can be used to identify and arrest the fraudster. To avoid this, fraudsters create an elaborate trail by sending money through a large number of different accounts. If you act as a money mule you become a co-conspirator in the fraud and will be liable in any criminal proceedings that follow. So avoid becoming a criminal for a small gain.

Protect your mobile phone: These days your mobile phone has become very important for digital transactions. In many cases your mobile device is used as a mode of authentication. Most of the time the OTP received on your mobile phone is used as the second factor of authentication, and many times websites and mobile apps store your card details.

Now imagine you lost your phone and a fraudster found it. Your phone is unlocked because you have not protected it with a password or fingerprint. The fraudster notices that you have your telecom operator’s app on the phone, with your card information saved in it. Now that fraudster can make any online purchase using your card information and the OTP arriving on your phone. The only thing that can save you in this situation is the CVV number written on the back of the card, but even that can be obtained from you by deception.

My only advice in this matter is: 1. store your mobile number only on those apps/websites you use frequently; 2. set an access control on your smartphone, whether a PIN, pattern, fingerprint or Face ID; 3. do not lose your phone, and if you do, get your phone number blocked along with your card.

Finally, an important piece of advice: if you are giving a copy of your ID proof or KYC for any purpose, write the date and purpose on it and sign it, so that the proof cannot be used by a fraudster to submit to your bank and give the bank instructions (for example changing the address, reissuing the card, reissuing the PIN, a new cheque book, etc.).

The Hindi translation of this article was done by my Twitter friend Rahul Tiwari. You can follow him on Twitter at @In_Blogger.

Digital Payments: Card Payments (Part 3): Security

The card payment ecosystem is designed from the perspective of the security of the various parties involved across its entire value chain. In my “Digital Payments” series I would like to focus this article on these security measures so that consumers are aware of them. Every entity, system and process related to card payments has to comply with the data security standards established by the Payment Card Industry (PCI-DSS), so that all sensitive information remains secure at all times.

~ Controls by the card issuer ~

Card printing: At the time of card issuance a ‘card printing file’ is created, which is taken to the printing facility in ‘encrypted’ form. After card printing is complete it is destroyed. I have visited one such printing facility and experienced its security standards first hand. Along with data security they maintain strict controls on physical security too. Visitors are taken through several locked doors and are not even allowed to wear clothes with pockets.

Chip (EMV card): Earlier, card transactions used the magnetic stripe. The problem with the magnetic stripe was that the information stored on it was stored in the clear and could be stolen by fraudsters by swiping the card on a card reader. This process of stealing card information is called “skimming”. To protect consumers from this, the Reserve Bank of India has now made the use of EMV, i.e. chip, cards mandatory. The advantage of an EMV card is that all the information stored in its chip is in encrypted form.

PIN printing: Your card PIN is not stored anywhere in any system. At the time of PIN issuance the PIN block is generated using complex logic and encryption and sent directly to the PIN printer. The PIN is printed in sealed form and can only be seen by tearing open the PIN mailer. This way the PIN information reaches the customer in a completely secure manner. The level of caution in this process is such that the card and the PIN are printed at different locations (for example, HDFC Bank’s cards are printed in Chennai while PIN printing usually happens in Mumbai). This is done to ensure that the card and PIN are never together before reaching the customer. Moreover, cards are sent only to the customer’s address. The delivery man usually also asks for ‘ID proof’ before handing over the card kit.

PIN verification: At the time of a transaction the PIN is encrypted on the key pad and an encrypted PIN block is generated. The PIN reaches the issuer in encrypted form for authentication. A PIN block is generated in the issuer’s system using the information available with the bank. The two PIN blocks are compared, and if they match, PIN authentication is successful.
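The PIN verification flow described above (and the unique per-terminal key mentioned later under POS terminals), as an added example that is not code from the original post: the key pad builds an ISO 9564 format-0 PIN block by XOR-ing the PIN field with a field derived from the PAN, encrypts it under the terminal’s key, and the issuer recovers the PIN from the block and checks it against a stored verification value without ever storing the PIN itself. Assumptions: the 3DES step and the issuer’s PVV derivation are replaced by labelled hashlib/hmac stand-ins, and the PAN, PIN and terminal ids are constructed sample values.

```python
"""ISO 9564 format-0 PIN block, built on the key pad and checked at the issuer.
Added example, not the post's code: the format-0 layout is real; 3DES and the
issuer's PIN verification value (PVV) are labelled hashlib/hmac stand-ins."""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"   # constructed test PAN, not a real card
SAMPLE_PIN = "1234"               # constructed sample PIN


def pan_field(pan: str) -> bytes:
    """Format-0 PAN field: four zero nibbles + rightmost 12 digits of the PAN
    excluding its check digit (the last digit)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def pin_field(pin: str) -> bytes:
    """Format-0 PIN field: control nibble 0, PIN length, PIN digits, F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def format_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field (8 bytes). Binding the block
    to the PAN is why the same PIN on two cards gives two different blocks."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Undo the XOR with the PAN field and read the PIN digits back out."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    return field[2:2 + int(field[1], 16)]


def wrap(block: bytes, key: bytes) -> bytes:
    """Stand-in (hypothetical) for 3DES under the per-terminal key: a keyed
    8-byte mask. Symmetric, so wrap() also unwraps. Not a real cipher."""
    mask = hashlib.sha256(b"terminal-pin-key|" + key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, mask))


def key_pad_enter_pin(pin: str, pan: str, terminal_key: bytes) -> bytes:
    """What the PIN pad does: build the block and encrypt it at once, so the
    clear PIN never leaves the pad."""
    return wrap(format_pin_block(pin, pan), terminal_key)


class Issuer:
    """Issuer side. Stores no PIN: only a keyed verification value per PAN
    (stand-in for a PVV) and one key per registered terminal."""

    def __init__(self) -> None:
        self._pvk = secrets.token_bytes(16)   # issuer PIN verification key
        self._pvv = {}                        # PAN -> verification value
        self.terminal_keys = {}               # terminal id -> terminal key

    def _pvv_for(self, pan: str, pin: str) -> bytes:
        return hmac.new(self._pvk, f"{pan}|{pin}".encode(), hashlib.sha256).digest()

    def issue(self, pan: str, pin: str) -> None:
        """At issuance: derive and keep the verification value, forget the PIN."""
        self._pvv[pan] = self._pvv_for(pan, pin)

    def register_terminal(self, terminal_id: str) -> bytes:
        """A unique key per terminal, as the page describes for POS devices."""
        self.terminal_keys[terminal_id] = secrets.token_bytes(16)
        return self.terminal_keys[terminal_id]

    def verify(self, terminal_id: str, pan: str, encrypted_block: bytes) -> bool:
        """Unwrap under the terminal's key, recover the PIN from the block using
        the PAN, regenerate the verification value and compare in constant time."""
        stored = self._pvv.get(pan)
        key = self.terminal_keys.get(terminal_id)
        if stored is None or key is None:
            return False
        try:
            pin = extract_pin(wrap(encrypted_block, key), pan)
        except ValueError:
            return False
        return hmac.compare_digest(stored, self._pvv_for(pan, pin))


def demo() -> dict:
    """Correct PIN verifies; a wrong PIN fails; a block wrapped under POS-001's
    key but presented as coming from POS-002 fails too."""
    issuer = Issuer()
    issuer.issue(SAMPLE_PAN, SAMPLE_PIN)
    k1 = issuer.register_terminal("POS-001")
    issuer.register_terminal("POS-002")
    good = key_pad_enter_pin(SAMPLE_PIN, SAMPLE_PAN, k1)
    bad = key_pad_enter_pin("9999", SAMPLE_PAN, k1)
    return {"correct_pin": issuer.verify("POS-001", SAMPLE_PAN, good),
            "wrong_pin": issuer.verify("POS-001", SAMPLE_PAN, bad),
            "other_terminal_key": issuer.verify("POS-002", SAMPLE_PAN, good)}
```

Because the block is bound to the PAN, the issuer needs the PAN alongside the encrypted block to recover the PIN, which is why the two always travel together in the authorisation message.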

CVV or CVC: This is a three-digit code associated with your card, and a version of it, the CVV2/CVC2 code, is printed on the back of your card. This three-digit code is available only on the card plastic, and the presence of the CVV/CVC or CVV2/CVC2 (for CNP transactions) means that the person providing the details holds the card plastic.

It is very important that the PIN and CVV are not shared with anyone except on the card-details capture page at the time of a transaction.

Two-factor authentication: As per the RBI mandate, all card transactions in India are processed with two factors of authentication. Usually these two factors are a combination of any two of the three factors below:

1. What you have? In the card world this is usually your card plastic, or if you are transacting through your registered mobile device, it can be your mobile device.

2. What you know? Your PIN or password falls in this category. It is a secret known only to you and your card issuer, who can validate it.

3. Who you are? All biometric forms of authentication fall in this category. The most common biometric is your fingerprint. In the future we may see the iris, voice, behaviour, face, etc. being used for authentication.

Currently, for card-present transactions these two factors are your card plastic and PIN, while for card-not-present transactions they are your card details (card number, expiry date and CVV2/CVC2) and the OTP or password.

~ Controls by the merchant ~

POS terminal: A POS device has the following components: (1) card reader, (2) key pad, (3) network connectivity, (4) memory storage and (5) receipt printer. The card reader and key pad encrypt the data at the moment of entry. The information is stored in memory in encrypted form, and as soon as the merchant processes settlement the data is deleted from memory. Communication over the network happens in encrypted form through a protected line. While printing the receipt, sensitive information such as your card number is masked.

The encryption logic used for card transactions is called ‘Triple-DES’ or ‘3DES’, which is one of the most advanced data encryption standards currently in use. A unique encryption key is used for each terminal and is updated dynamically so that any potential threat can be dealt with at the key level.

Void and refund

Void and refund are used by the merchant to undo a transaction. For example, if the merchant swiped your card for the wrong amount, or you changed your mind about the transaction immediately after paying, the merchant can recall that transaction from the terminal memory and cancel it. This process is called a void, and in this case when the merchant processes settlement the transaction is dropped, i.e. not processed further. In the absence of any claim, the issuer automatically reverses the transaction in the customer’s account after the fixed settlement time limit expires.

If the merchant has already processed settlement on the machine and the transaction has been removed from the device, it cannot be cancelled/voided. In this case the merchant processes a refund, i.e. sends an instruction to debit the merchant account and credit the customer account. When the merchant settles this transaction, the appropriate credit instruction is given by the acquirer to the issuer through the interchange. These days interchanges have come up with ways to process ‘instant’ refunds.


As you now know, there are many controls to ensure secure transactions at the time of card issuance and transaction processing. ‘Chargeback’ is a process to protect the customer’s interests after the transaction. Under the chargeback process, if there is a problem with a transaction, such as duplicate billing, services not provided, goods not delivered, etc., the consumer can raise a dispute with their issuer along with all the evidence supporting their claim. In such cases the issuer contacts the merchant through the acquirer via the interchange and asks the merchant to either provide the necessary evidence or accept the dispute and reverse the transaction. The merchant can provide evidence in the form of delivery confirmation, payment receipt, etc. If the merchant is unable to prove that it was a genuine charge, the case is closed in the customer’s favour and the transaction is reversed. If the merchant is able to prove that the charge was genuine, the dispute is closed in the merchant’s favour.

Zero liability

If you read all the material sent with your card, in many cases you will find a section labelled ‘zero liability’. Zero liability applies to purchases you make in a store, purchases made via telephone, online or mobile, and ATM transactions. As a cardholder, you will not be held responsible for unauthorised transactions if:

1. You have taken reasonable security measures to protect your card from theft or loss

2. You have promptly reported the loss or theft to your financial institution

If you believe your account has been used without authorisation and you meet the conditions above, rest assured that you have the protection of the zero liability promise. Please read this section in your card kit carefully and make sure you understand it.


Please contact your bank through the fastest available channel to report the loss of your card or any suspicious activity on it. Every card issuer makes sure that ways to report this are available, such as a dedicated phone number for telephone calls (please keep this number with you), mobile banking, internet banking, etc.

What might suspicious activity mean? Some examples are:

1. Receiving an SMS/e-mail about some activity on your account that you are not aware of

2. Receiving an SMS/e-mail informing you of an OTP generated for a transaction you did not initiate

3. Someone calling you and asking for sensitive information about your card such as the card number, CVV, PIN, OTP, etc. No bank ever asks anyone to share this information over a phone call.

I hope this information has been useful to you and that you are more confident about using your card to pay the next time you shop. The next part will cover the various kinds of fraud happening in the card world and ways to protect yourself from them.

The Hindi translation of this article was done by my Twitter friend Rahul Tiwari. You can follow him on Twitter at @In_Blogger.

Thoughts on RBI Draft Paper on NUE for Retail Payment Systems

On 10th Feb, 2020 the Reserve Bank of India released a paper on the ‘draft framework for authorisation of a pan-India New Umbrella Entity (NUE) for Retail Payment Systems’ for public comments. RBI has invited comments from all stakeholders by February 25th, 2020.

In 2005, when I started my career at HDFC Bank, there were multiple ATM networks active in the country. Apart from Visa and MasterCard, there was one ATM network run by Euronet, where (I think) 16 banks were participating, and another operated by FSS (the entity was called FSS Net), where (I don’t remember the number of banks) were participating. Apart from these, some banks had bilateral arrangements with other banks for sharing ATM infrastructure. Around the same time another ATM network by the name of NFS was becoming active, which was run by IDRBT. Most of the banks slowly started joining the NFS network, and with time it became the largest domestic ATM network in India. It was about this time that two things happened: control of the NFS network was transferred from IDRBT to a newly formed entity called NPCI, and RBI put a stop to all bilateral ATM sharing arrangements. From this point onward NPCI became the source of almost all the innovations in retail payments, starting with RuPay, IMPS, AEPS, APBS to the more recent UPI, BHIM, BBPS, eNACH, NCMC and NETC etc. I have been very fortunate to have had a balcony seat to many of these stories by virtue of being a part of HDFC Bank and then Kotak Bank and Jio Payments Bank.

The journey of NPCI from the NFS ATM network to today controlling almost 60% of retail electronic payment transactions by volume (please note that the RuPay credit card is a very recent phenomenon and numbers there are still dominated by Visa and MasterCard, followed by American Express and Diners) has been really exciting and in many ways the best thing to happen to the Indian digital payments ecosystem. Having said that, the amount of influence NPCI commands today is really dangerous, and while NPCI claims to be very open to suggestions and ideas, I have personally seen on many occasions that the best idea didn’t win due to various factors.

With the introduction of NUEs there is a possibility of many more innovative payment solutions being envisioned and implemented, which are more suitable for the Indian audience. This will also make NPCI work even harder to continue doing the good work they have been doing and not become complacent. A few key areas I can clearly see new NUEs focusing on would be building specialized and low-cost solutions for the business correspondent network, which is the backbone of the entire financial inclusion story in India and still does not command the attention it deserves from the larger players in the ecosystem. Another very important area that has been demanding attention, and has clearly been mentioned in RBI’s paper, is remittances. There are so many migrant workers who earn in cash and need to send money to their families in their native places. Cash is still the biggest mode of transaction in India today, and there is clearly scope to do more.

I expect organizations like Euronet, FSS, AGS, TATA PSL, NSDL on one hand and PineLabs, Innoviti, mSwipe etc. on the other to be eager to go for this. I also expect iSPIRT, one organization that has been at the center of many innovations happening in India, to play a key role in all this. My only advice to anyone considering becoming an NUE would be to let go of the traditional card protocols (think beyond ISO 8583) and go back to the drawing board before designing their solutions. In the end payment is all about debiting one account and crediting another; sounds like simple stuff. The key to any solution would be how simple the final offering remains.

This could also be a move in the direction of having specialized entities enabling interoperability for different modes of payment or use cases. For example, Billdesk can attempt to become the go-to entity for all things bill payment. Another NUE can appear specializing in the interoperability of mobile wallets. As I have mentioned above, there is clear scope for specialized offerings in the business correspondent and self-help group area, which has been the key to financial inclusion in India so far. Hell, why can’t even bank branches be interoperable? Can a Kotak customer walk into an SBI branch and get his passbook updated, earning additional revenue for SBI in the process? The possibilities are endless, if we decide to think outside the box.

A few questions: will NUEs, as private entities, be allowed to use Aadhaar authentication? What will be the exact role of NPCI in all this? Will NUEs be allowed to perform other business activities; for example, can NSDL continue to offer e-Sign services as part of the same business, or will it have to set up a separate entity, if it decides to go for it? More clarity should emerge after RBI releases the final framework after reviewing everyone’s feedback post 25th Feb, 2020.

WhatsApp Pay: A Prediction

Finally, after a wait of many months, NPCI has given the go-ahead to Facebook to launch their UPI-based WhatsApp Pay service. I had used their service when they launched their pilot last year and found the user experience super efficient for P2P payments. On multiple occasions we used this method to pay or claim from friends right after receiving or sending a message about the amount due.

One more unique thing about paying through WhatsApp Pay was that there was no need to input a PIN to access the UPI payment option. In any other UPI app the customer has to input a PIN to access the UPI app (some apps like Google Pay give you the option to use your phone’s access PIN itself as this PIN), and then once again input his/her UPI PIN just before processing the payment. In the case of WhatsApp Pay only the second PIN was being asked for. This also led to some controversy, with a few leading players objecting to NPCI allowing WhatsApp to bypass the access PIN, which I too believed was giving WhatsApp an unfair advantage over its peers.

In the final version I doubt they will be allowed to continue with this exception, and they may or may not come up with some other more convenient way to introduce the access-level control. Still, the biggest advantage they have is their near monopoly on P2P messaging.

One of the biggest advantages UPI brought to payments was making it easier to communicate the source and destination account address by introducing the VPA. WhatsApp’s ownership of the messaging channel means that now there will not even be a need to communicate the VPA.

The dominant methods used for P2P payments before the introduction of UPI were IMPS/NEFT (completely controlled by banks) or mobile wallets (with PayTM leading the game there); since the launch of UPI I have observed many people use Google Pay. With mobile wallets in decline and banks not bothering much to improve their UX (irrespective of the customer’s mode of choice, the money eventually flows into the bank account), banks may end up partnering with WhatsApp by becoming PSP sponsors. The only real competition left for WhatsApp in the P2P payments space will be Google Pay, where WhatsApp has a clear advantage due to owning the messaging channel.

To summarize, I am of the belief that WhatsApp is going to be the clear winner in the P2P payments space. I do not have clear visibility on how much WhatsApp for Business has picked up, but they may even have a chance to process P2M from within their messaging platform.

Why do I think Zero MDR is a good move?

Imagine a scenario without banks, everyone earns and spends in cash. There are no charges to be paid to anyone. If you are supposed to earn 100 Rs for a service offered, you would earn 100 Rs and when you purchase an item or service worth 100 Rs, you would pay 100 Rs for the same. Merchant earns the exact amount paid by the customer without any deductions in the process. Now this merchant collects bundles of cash everyday so he needs to spend money in handling that much cash. Maybe he will have to buy a secure vault to store it or even hire a security guard to protect it all the time. When he is transporting all that cash, he needs to spend on secure transit. All that would cost merchant some money, which has been the justification for charging MDR. Acquirer told the merchants, by accepting payments digitally we will manage the cash worries for you hence saving you huge cost in the process thus you should compensate us by way of paying us in the form of MDR.

Image Source: ETTech

However the problem is, in India only banks are allowed to be the acquirers, who are the custodians of all the money. That means customers as well as merchants keep their money in the books of the banks, meaning cost of transferring the money digitally is much cheaper compared when compared to cash for banks. Since the banks are custodians of all the money and they have the option to reinvest that money primarily by way of lending it to borrowers and charge interest on that money. Typically banks charge anywhere between 8% (home loan) to 36% (credit card roll-over) on the money they lend and a small portion of that around 3% (Savings A/C) -7% (Term Deposits) is passed on to the customer. Rest of the money is supposed to be spend on various expenditures of running the bank. These expenditures should also include building, managing and maintaining the entire payment infrastructure. A fee for allowing customers to access their own funds (on these very funds the entire bank is existing) in any form is unfair.

Specially in case of UPI, cost of merchant acquiring is almost zero. Instead of a PoS machine, which costs somewhere between 1500 Rs (mPoS) to 20,000 Rs (fancy PoS devices with multiple other supporting features) a UPI merchant needs a QR code, which can be printed and attached to a fancy plastic display in less than 100 Rs. In case of PoS, transactions are settled in two steps, authorization and settlements thus requiring an operations team to manage the reconciliation and payments processing, while in case of UPI the transaction is settled real time directly in merchant’s account hence the need for large operations teams and systems is eliminated. I do not have any numbers to compare on disputes/chargebacks but the going by the fundamental design of UPI, the possibility of disputes in UPI are much lesser compared to card world hence requiring even lesser operational expenditure.

When a bank outsources their ATM management business to a third party partner, they pay that third party. The third party is not expected to make fee income from customers. Similarly CC Avenue, Razorpay, Pinelabs of the world should be treated as third parties whom banks have outsourced the job of setting up merchant infrastructure and banks should pay these players for the services rendered at fair price, like they would for any other technology or operations outsourcing partner. Banks are making enough money to pay for this service. Based on some figure being floated around in various media sources I have learned that this zero MDR for RuPay and UPI will put burden of around 1800 Cr on the industry. Can someone remind me the profit made by HDFC Bank in last quarter?

In fact I am saying why should it be applicable for selective merchant base, this should be the case across all merchants. Our banking system is capable enough for paying for their service in order to get the balances from these merchant in their current accounts so that they can make float income on that money.

Another logic given to merchants for demanding MDR is that a card in the hand of customer increases his/her purchasing capacity hence increase in sales for the merchant. That logic primarily applies for Credit Cards and the current mandate leaves them untouched. Maybe a better way to go for banks would be to push Credit Cards. India is still super under penetrated when it comes to credit product and the scope is enormous. The business Bajaj Finance has built on EMI product is proof enough that banks have been failing miserably in exploiting this opportunity. My suggestion would be that banks get their act together, get off their high horse and start optimizing their processes and utilizing their resources better to find efficient ways to increase their revenue by serving their customers better rather than trying to build a fee income. In fact I would rather worry about a bank that is earning a significant portion of their revenue from various fees.

Having said that, the way most players in the market are approaching this is flawed in my opinion. Banks are refusing to compensate the third-party payment processors, creating a huge dent in their revenue and leaving them no choice but to compromise their core business by building parallel businesses to generate sustainable revenue streams, which in the long run will be disastrous for the overall payments business. Ideally, since banks are the only parties making money from the circulation of money during a transaction, they should own up to their responsibility and compensate the payment providers fairly for building the ecosystem that lets the bank's customers use the funds they have parked in the bank seamlessly, the way they would compensate any other service provider of theirs.

The arrangement proposed above is a significant shift from a practice prevalent for years, so expecting such a shift overnight would be folly. Keeping that in mind, I propose as an interim arrangement that the government bears part of the burden, with a clear roadmap and visibility towards banks owning the entire cost in due course. Banks are clearly in the seat of power here, and instead of exploiting that position for more profit and fee income they should invest in and work for the overall growth of the digital economy. This move, even if forced, should push banks to become more efficient in their processes and start using customer data optimally to maximise their gains.

Card payments explained in simple terms (this section was written in Hindi)

When you use your debit, credit or prepaid card, several companies work together across the whole cycle. First, the bank that gave you the card, called the issuer bank; then the bank that gives the shopkeeper the card machine or QR code, called the acquiring bank; and the company that gets the transaction done between these two banks, called the interchange here (what the rest of the industry usually calls the card network or scheme). In our country most payments go through the Visa, Mastercard or RuPay interchange. You will see their logos in shops, on website payment pages and on your card. When the interchange logo on your card is displayed at a shop, it means your card will work there. If your card's interchange logo is not on the shop or ATM, your card will not work there.

My aim in today's essay is to familiarise you with some common terms related to card usage, so that you find the whole process easy to understand and can use this facility thoughtfully, without hesitation, and take advantage of the many benefits attached to it.

Debit card: Your debit card is a plastic card given to you by your bank and linked to your bank account. A debit card is always linked to a savings or current account, and only your bank can issue it to you. The card carries your card number, expiry date and name, along with the logos of your bank and the interchange. On the back, besides essential information such as the bank's customer care number, there is a white strip on which you must sign, and next to that strip a three-digit number called the CVV or CVC.

Credit card: A credit card is a plastic card issued by your bank and linked to a loan (credit) account. All payments made on this card are settled with your bank once a month. On a fixed date each month the bank sends you a statement of the whole month's transactions, and you pay the full amount before the due date. If you do not pay by the due date, the bank charges you a penalty and interest, so my advice is to pay the full amount every month. A credit card looks just like your debit card and carries the same information printed on it. In our country only a bank can issue a credit card.

Prepaid card: This card also looks like your credit and debit cards. A prepaid card is not linked to your savings, current or credit account; you must load money onto it before you can use it anywhere. Besides banks, the RBI permits other companies to issue prepaid cards; such companies are also called PPI or Prepaid Payment Instrument issuers. Mobile wallets, Sodexo meal cards, travel cards, FASTag and so on are different examples of prepaid cards.

Issuer: The bank or PPI that issued your card is called the issuer. At the time of a transaction, the issuer's job is to establish the validity of the card and the customer, which is called authentication, and to confirm that funds are available in your account, which is called authorization.

Acquirer: The bank responsible for the machine installed at the shop and for the transactions into the shopkeeper's account is called the acquiring bank. You can tell which bank is a shopkeeper's acquirer from the logo on the card machine or the QR code. HDFC Bank, ICICI Bank, SBI, Axis Bank and others are the big acquiring banks.

Interchange: The interchange's job is to make the transaction happen between the issuer and acquirer banks. Connectivity between the two banks while the card is being used, and the movement of money between them afterwards, is the interchange's responsibility. Visa, Mastercard and RuPay are the three interchanges in India. Without an interchange, your bank's card will not work in another bank's machine.

PoS machine (PoS): The machine at the shop into which you insert your card is called the PoS. The acquiring bank provides this machine to the shopkeeper and links all payments made through it to the shopkeeper's account. A PoS machine has a display, a keypad, a printer and a way to connect to the network.

Payments Explained: UPI Part 1 (Terminology)

UPI stands for Unified Payments Interface. It is a system created by NPCI (National Payments Corporation of India) to enable various forms of payment, such as peer-to-peer (P2P) and merchant payments (P2M), from bank accounts through a mobile phone. With the increasing adoption of mobile phones there was a need for a mobile-native payment method that offers a superior user experience and interoperability between banks. While the other interchanges were still trying to find a work-around through their traditional card protocols, NPCI went back to basics and conceptualised UPI, a system built for mobile users around the inherent capabilities of smartphones, such as using the mobile device itself as one factor of authentication (through device binding).

They also built it with the aim of democratising innovation by offering open APIs to build on. The idea behind the open APIs was to let innovators build the applications and payment experiences that suit their environment and target customer base the way they see fit. This thought process gave birth to start-ups like PhonePe and BharatPe, and later brought in larger technology players like Google, Amazon, Truecaller and WhatsApp (WhatsApp ran a pilot, but its progress was halted because it was not storing its data locally in India; as far as I know it is still working on this). Recently India's biggest corporate, Reliance, also announced its entry into this space by enabling UPI through the myJio family of applications. In this series I will try to explain UPI transactions in detail, starting with common terminology, followed by the transaction flow and the various kinds of payments built on top of the UPI rail, and concluding with some thoughts on common fraud trends and how to protect oneself from them. Let's start with common terminology.


PSP (Payment Service Provider): A PSP is an entity authorised by NPCI to process UPI payment transactions. PSPs take care of the following functions in the UPI life cycle:

  • Front-end the transaction flow for the customer
  • Issue and manage the access credential to the customer to access the mobile app
  • Register customer on the UPI platform and issue them VPA (Virtual Payment Address)
  • Maintain the mapping of VPA and Mobile device at their end

VPA (Virtual Payment Address): A VPA is issued by your PSP and uniquely identifies the payer and the payee in any transaction. Your VPA is usually of the form username@psp. For example, in abc@okhdfcbank for Google Pay, abc is the username chosen by the user and okhdfcbank is the PSP handle issued by NPCI to HDFC Bank, which HDFC Bank has extended to Google Pay as a third party processor.

Third Party App: These are typically apps launched by non-bank technology companies like Google, Amazon, Uber etc. in partnership with one or more banks as their PSP. A list of these apps, with their PSP and handle name, is published on the NPCI website.

BHIM: BHIM, short for Bharat Interface for Money, is an app created by NPCI that lets a user make payments using UPI.

BHIM QR: BHIM QR is branding used by UPI merchant-acquiring PSPs to indicate that the QR code can be scanned by any app supporting UPI payments, i.e. it is interoperable across all PSPs.

A BHIM QR code is nothing but a way of carrying the merchant's VPA, which your UPI app reads when you scan it. Other form factors like NFC or sound waves can be used to communicate the merchant VPA to the customer's UPI app and offer a differentiated experience where that suits the environment better; for example, an NFC-based interaction may be more appropriate for transit use cases like buses and metros.
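The VPA format described above and the QR payload that carries it, as an added example that is not code from the page or from NPCI. A UPI QR code holds a deep link in the form defined by NPCI's UPI linking specification, `upi://pay?pa=<payee VPA>&pn=<payee name>&am=<amount>&cu=INR&tn=<note>`; this parser validates the link and the VPA syntax before the app acts on it, and rejects anything that is not a well-formed UPI pay link (an ordinary web URL dressed up as a payment QR, a missing payee address, a non-positive amount, a foreign currency). The sample payloads are constructed, the VPA character classes are an assumption, and the handle list is an illustrative subset rather than NPCI's official list.

```python
"""Parse a UPI QR payload and extract the payee VPA (added example, not page code)."""
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# username@handle: the username is chosen by the user, the handle is the PSP id.
# The allowed character classes are an assumption, not taken from the NPCI spec.
VPA_RE = re.compile(r"^[A-Za-z0-9.\-_]{1,64}@[A-Za-z0-9]{2,32}$")

# Illustrative subset of PSP handles (assumption; the official list is on npci.org.in).
KNOWN_HANDLES = {"okhdfcbank", "okicici", "oksbi", "okaxis", "ybl", "paytm", "upi"}


def parse_vpa(vpa: str) -> tuple:
    """Split a VPA into (username, handle); raise ValueError if malformed."""
    if not VPA_RE.match(vpa):
        raise ValueError(f"malformed VPA: {vpa!r}")
    username, handle = vpa.rsplit("@", 1)
    return username, handle.lower()


def parse_upi_qr(payload: str) -> dict:
    """Decode a upi://pay deep link into its payment fields.

    Returns pa (payee VPA), handle, whether the handle is known, pn (payee
    name or None), am (Decimal amount or None), cu (currency) and tn (note).
    Raises ValueError for anything that is not a well-formed UPI pay link.
    """
    parts = urlsplit(payload)
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a upi://pay link")
    q = parse_qs(parts.query, keep_blank_values=False)

    pa = q.get("pa", [None])[0]
    if pa is None:
        raise ValueError("missing payee address (pa)")
    _, handle = parse_vpa(pa)  # validates the VPA syntax

    amount = None
    if "am" in q:
        try:
            amount = Decimal(q["am"][0])
        except InvalidOperation as exc:
            raise ValueError("amount is not a number") from exc
        if amount <= 0:
            raise ValueError("amount must be positive")

    currency = q.get("cu", ["INR"])[0].upper()
    if currency != "INR":
        raise ValueError(f"unexpected currency {currency}")

    return {
        "pa": pa,
        "handle": handle,
        "known_handle": handle in KNOWN_HANDLES,
        "pn": q.get("pn", [None])[0],
        "am": amount,
        "cu": currency,
        "tn": q.get("tn", [None])[0],
    }


def is_valid_upi_qr(payload: str) -> bool:
    """True only if parse_upi_qr accepts the payload."""
    try:
        parse_upi_qr(payload)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed payload, as a merchant's QR would carry it.
    sample = "upi://pay?pa=chaiwala@okhdfcbank&pn=Chai%20Point&am=50.00&cu=INR&tn=Tea"
    print(parse_upi_qr(sample))
    # A web link dressed up to look like a payment QR is rejected.
    print(is_valid_upi_qr("https://pay.example/pay?pa=chaiwala@okhdfcbank"))
```

An app that accepts the payload should still show the user the decoded payee VPA and amount before asking for the UPI PIN; the parser only guarantees the link is well formed, not that the payee is who the sticker says.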

UPI PIN: The UPI PIN is the PIN you enter in your UPI app to authenticate yourself with your issuing bank, i.e. the bank that holds your account. You set it up at registration, when you link your account to your VPA by verifying the combination of your mobile number and an OTP or M-PIN with your issuing bank. This PIN is different from the PIN you use to open your UPI app.

Push Payment: When you scan a merchant's QR code or use someone's VPA to send money from your UPI app by debiting your own account, the transaction is commonly referred to as a push transaction.

Pull Payment: UPI also supports pull payments, i.e. you can use someone's VPA to request money from their account. A request is sent to that person's UPI app through their PSP, and once they authorise it their account is debited and yours is credited. Note that entering your UPI PIN always authorises a debit from your own account; you never need to enter it to receive money.

Payments Explained: Card Transactions Part 4 (Fraud Prevention)

This is the last part of my series on card payments. In this post I cover some common frauds targeting card users and how one can best protect oneself against them.

Skimming: Skimming is the theft of your card data at the moment you use the card, followed by misuse of that data to post fraudulent transactions on your card. Whenever a card is swiped at a PoS or ATM, a fraudster who has attached an external card reader to the device captures the magnetic-stripe data at the time of the swipe, often together with the PIN via a hidden camera or keypad overlay.

Skimmers like these are easily available and can be attached to PoS devices.

The most effective measure taken against this kind of fraud is the move to chip (EMV) cards: the chip computes a fresh cryptogram for every transaction instead of handing over static data, so a copied stripe is useless at a terminal that insists on the chip. RBI has made it mandatory for all card issuers to ensure that every debit and credit card issued is a chip card. ATM manufacturers are also designing card readers that make installing any additional external component difficult. A few precautions one can still take are as follows:

A card skimmer placed on an ATM machine
  1. Keep sight of your card at all times, make sure the device your card is swiped in is clearly visible to you, and check that no external component that does not belong has been attached to it.
  2. While using an ATM, make sure there is no external component attached to the card reader (many ATMs that still use a magnetic-stripe reader use a jitter mechanism that interrupts the card's entry into the reader so that its data cannot be captured by an external device). One way to spot an attached component is to look for the light blinking from the card reader; if you cannot clearly see that light, avoid using that ATM.

These frauds are especially prevalent at popular tourist destinations. The logic is that the skimmed card usually belongs to a tourist, and once you are back from vacation it becomes very difficult to follow through on crimes committed with your card in a place you are not native to, especially in a foreign country. All you can do when travelling is to be extra cautious when using your card. I visited Australia recently and noticed that merchants encourage you to swipe, dip or tap your card yourself instead of taking it out of your hands. It is a very good practice.
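Why a skimmed swipe can be replayed but a captured chip transaction cannot, as an added simulation that is not code from the page. The magstripe card hands over the same static track data on every swipe, so the issuer can only check that the bytes match what it embossed, and a cloned card passes. The chip card holds a secret key it never reveals and answers each terminal challenge with a cryptogram over the PAN, a transaction counter, the terminal's unpredictable number and the amount, so a recorded response fails at any other terminal (wrong challenge) and even at the same terminal (counter reused). Real EMV derives per-card 3DES or AES session keys and computes an ARQC over a defined set of data elements; HMAC-SHA256 stands in for that here, and the PAN, expiry and amounts are constructed test values.

```python
"""Static magstripe data vs. per-transaction chip cryptogram (added example, not page code)."""
import hashlib
import hmac
import secrets

# Constructed test data: 4111 1111 1111 1111 is the usual Visa test PAN.
PAN = "4111111111111111"
EXPIRY = "2512"  # YYMM


class MagstripeCard:
    """Track 2 data is static: the card simply hands it over on every swipe."""

    def __init__(self, pan: str, expiry: str) -> None:
        self.track2 = f"{pan}={expiry}101"  # PAN, separator, expiry, service code

    def swipe(self) -> str:
        return self.track2


class MagstripeIssuer:
    def __init__(self, card: MagstripeCard) -> None:
        self.on_file = card.track2

    def authorize(self, track2: str) -> bool:
        # All the issuer can check is that the data matches what it encoded.
        return hmac.compare_digest(track2, self.on_file)


class ChipCard:
    """Holds a per-card secret; every transaction gets a fresh cryptogram."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key  # never leaves the chip
        self.atc = 0     # application transaction counter

    def generate_cryptogram(self, unpredictable_number: bytes, amount: int) -> dict:
        self.atc += 1
        data = (self.pan.encode() + self.atc.to_bytes(2, "big")
                + unpredictable_number + amount.to_bytes(6, "big"))
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "un": unpredictable_number,
                "amount": amount, "arqc": mac}


class ChipIssuer:
    def __init__(self, pan: str, key: bytes) -> None:
        self.keys = {pan: key}       # issuer's copy of the card key
        self.last_atc = {pan: 0}

    def authorize(self, msg: dict, terminal_un: bytes) -> bool:
        key = self.keys.get(msg["pan"])
        if key is None:
            return False
        # The challenge inside the cryptogram must be the one this terminal just issued.
        if not hmac.compare_digest(msg["un"], terminal_un):
            return False
        # The counter must move forward: a replayed cryptogram reuses an old ATC.
        if msg["atc"] <= self.last_atc[msg["pan"]]:
            return False
        data = (msg["pan"].encode() + msg["atc"].to_bytes(2, "big")
                + msg["un"] + msg["amount"].to_bytes(6, "big"))
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def magstripe_replay_demo() -> tuple:
    """Returns (genuine swipe accepted, skimmed copy accepted)."""
    card = MagstripeCard(PAN, EXPIRY)
    issuer = MagstripeIssuer(card)
    skimmed = card.swipe()                # the skimmer records one swipe
    genuine = issuer.authorize(card.swipe())
    replayed = issuer.authorize(skimmed)  # cloned card presents the same bytes
    return genuine, replayed


def chip_replay_demo() -> tuple:
    """Returns (genuine accepted, replay at new terminal, replay at same terminal)."""
    key = secrets.token_bytes(16)
    card = ChipCard(PAN, key)
    issuer = ChipIssuer(PAN, key)
    un1 = secrets.token_bytes(4)
    msg1 = card.generate_cryptogram(un1, 50000)  # amount in paise
    genuine = issuer.authorize(msg1, un1)
    un2 = secrets.token_bytes(4)                 # another terminal, another challenge
    replayed_new_terminal = issuer.authorize(msg1, un2)
    replayed_same_challenge = issuer.authorize(msg1, un1)  # fails on the ATC
    return genuine, replayed_new_terminal, replayed_same_challenge


if __name__ == "__main__":
    print("magstripe (genuine, replay):", magstripe_replay_demo())
    print("chip (genuine, replay new terminal, replay same terminal):", chip_replay_demo())
```

The caveat the model makes visible: the protection comes from the issuer refusing stale counters and foreign challenges, so an issuer that still accepts magstripe fallback for a chip card gets none of it.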

Phishing: Phishing is exactly what it sounds like (fishing): the fraudster targets a bunch of people in the hope of getting some of them to reveal sensitive information. A more entertaining way to learn about phishing is to watch the Netflix web series Jamtara, which is based on a tele-calling phishing racket run by a bunch of young kids from a remote town.

According to Wikipedia definition, “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.”

You may receive a call, SMS or e-mail pretending to be from your issuer or some other entity, asking you to share sensitive information such as your card number, PIN, CVV, OTP, or net banking ID and password. The only way to protect yourself from this kind of fraud is never to share these details with anyone over any medium. Your bank will never ask for them over a call, SMS or e-mail.

Website Spoofing: Fraudsters create a website that looks like the site of a trusted entity and even has a similar URL (a neat trick is to replace one of the characters in the URL with a similar-looking character from another alphabet, so that the address reads correctly to the eye but resolves to a different domain). One simple way to avoid falling prey to this is to not click on links in e-mails or SMSs that ask for sensitive information; instead, type the URL yourself.

A typical example of spoofing

Websites implement checks and controls to help the customer recognise the right page. For example, some websites display a shared image or message on the page that asks you to input sensitive information. HDFC Bank NetBanking displays a picture and a message chosen by you on its login page so that you know you are entering your credentials on an authentic bank page and not on a spoofed one; the control only works if you stop when the picture or message is missing or wrong.
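The look-alike URL trick described under website spoofing, as an added example of the checks a link scanner or browser extension could run on a hostname before the user types a password into it; this is not code from the page or from any bank. It reports non-ASCII hostnames together with the punycode (`xn--`) form the resolver actually looks up, labels that mix Unicode scripts (which is how a Cyrillic "а" ends up inside a Latin word), characters that change under NFKC normalisation, and hostnames that collapse onto a trusted domain once a few known confusables are mapped back to Latin. The confusable table is a tiny illustrative subset of the Unicode TR39 data (an assumption, not the full table), and the sample hostnames are constructed around hdfcbank.com as the trusted domain.

```python
"""Flag look-alike hostnames of the kind used in website spoofing (added example, not page code)."""
import unicodedata

# Tiny illustrative subset of Unicode TR39 confusables, Cyrillic -> Latin (assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def to_ascii(hostname: str) -> str:
    """The ASCII (punycode) form the resolver actually looks up."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def suspicious_reasons(hostname: str) -> list:
    """Human-readable reasons the hostname looks spoofed; empty means nothing found."""
    reasons = []
    if not hostname.isascii():
        reasons.append(f"non-ASCII hostname, resolves as {to_ascii(hostname)}")
    if unicodedata.normalize("NFKC", hostname) != hostname:
        reasons.append("hostname changes under NFKC normalization (compatibility characters)")
    for label in hostname.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    return reasons


def skeleton(hostname: str) -> str:
    """Map confusable characters to their Latin look-alikes, lower-cased."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())


def matches_trusted(hostname: str, trusted: list):
    """Return the trusted domain this hostname impersonates, or None.

    An exact match is the real site, not an impersonation, so it is skipped.
    """
    sk = skeleton(hostname)
    for domain in trusted:
        if hostname.lower() != domain.lower() and sk == skeleton(domain):
            return domain
    return None


if __name__ == "__main__":
    fake = "hdfcb\u0430nk.com"  # constructed: Cyrillic small a in place of Latin a
    for host in ("hdfcbank.com", fake):
        print(host, "->", to_ascii(host))
        print("  reasons:", suspicious_reasons(host))
        print("  impersonates:", matches_trusted(host, ["hdfcbank.com"]))
```

Modern browsers already show the `xn--` form for many mixed-script names, which is why the punycode string is worth surfacing to the user: two addresses that look identical on screen cannot both encode to the same ASCII label.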

Social Engineering: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing, explained above, is a type of social engineering. Other forms relevant here are vishing, where fraudsters mimic the IVR (Interactive Voice Response) of the target organisation to convince its customers to reveal sensitive information, and baiting, where the fraudster sends you a link over e-mail or SMS and prompts you to click on it with the promise of a reward or the threat of a loss.

Social engineering life cycle

There are no princes in Nigeria or warlords in Sudan dying to share their wealth with you, nor have you won any Coca-Cola or Reader's Digest lottery. The RBI or the Income Tax department is never going to call you to credit your account, and the Modi government is not putting fifteen lakh rupees in your account if you share your account or net banking credentials. To receive the LPG subsidy you just need to link your Aadhaar to your bank account, nothing else.

Money Mule: A money mule, sometimes also called a "smurfer", is a person who helps fraudsters move illegally acquired money. If someone approaches you with a story that they need to transfer a fortune and want to use your account to park some funds, offering a huge reward just for letting the money pass through your account, or asking you to withdraw cash once the money lands and hand-deliver it to someone in person, you are being recruited as a money mule in an elaborate fraud scheme.

When money moves digitally it leaves a trail that can be used to identify and arrest the fraudster. To break that trail, fraudsters pass the money through various mule accounts and convince these unsuspecting people to hand over the money as cash at an unsupervised location. If you act as a money mule you become a co-conspirator in the fraud and are liable for whatever criminal proceedings it attracts. So don't let a monetary reward turn you into a criminal.

Protect your Mobile Phone: Your mobile phone has become central to digital transactions. In many cases the device itself is used as a mode of authentication; most of the time an OTP received on the phone serves as the second factor; and many websites and mobile apps store your card details (called card on file in the payments world) to give you a convenient user experience.

Now imagine you have lost your smartphone and a fraudster has gotten hold of it. The phone is unlocked because you never set up any access control such as face, fingerprint, pattern or password. The fraudster notices that you have your telecom operator's app installed with your card credentials stored in it. He sets up a shop offering cheap recharges to that telco's prepaid customers, collects cash from them, and pays for the recharges with the card stored in the app and the OTP delivered to the same device. By the time you report this and the authorities catch up with him, he has shut the shop and run. The only thing protecting you at that moment is your three-digit CVV2/CVC2; if he manages to find or guess that number, you have no protection left.

My advice in this case: a. store your card only with apps and websites you use frequently; b. set up access control on your smartphone, be it a PIN, pattern, fingerprint or Face ID; c. don't lose your phone, and if you do, immediately call your telco to block the number and your bank to block your cards.

Physical Interaction: Lastly, one very important thing: whenever you provide a photocopy of any KYC document to anyone, sign it with the date and purpose. This prevents your document being misused to give instructions to your bank through a branch, for example a change of address, reissue of a card or PIN, or a new cheque book. Bank branches typically ask for a proof of identity to be attached to any written instruction to ensure it comes from the authorised party.