Payments Explained: Card Transactions Part 3 (Protection)

The card payments ecosystem has been designed with safeguards at various stages to protect the various parties involved in the value chain. I would like to dedicate this post to listing these safeguards so that users become familiar with them. Every entity, system and process handling card information needs to adhere to the Data Security Standard established by the Payment Card Industry (PCI-DSS for short), which ensures that all sensitive information is protected at every point in time.

Card Issuer Controls

Card Printing: At the time of card issuance a card printing file is created and transported to the print shop in encrypted format, and it is destroyed after the card printing is complete. I have been to one such print shop and experienced their security standards first hand. On top of data security they also have strict controls for physical security. Personnel visiting there are taken through multiple locked doors and are not even allowed to wear clothes that have pockets.

Chip (EMV): Earlier, card transactions used to be performed using the magnetic stripe. The problem with the magnetic stripe is that the card information stored on it is in clear form and can be stolen by fraudsters by swiping the card through a card reader. This process of stealing card information is referred to as skimming. In order to protect users against this, RBI has now made it mandatory to use EMV cards. The benefit of an EMV card is that all the card information stored in the chip is in encrypted form.

PIN Printing: The PIN of your card is not stored in any system anywhere. At the time of PIN issuance, a PIN block is generated using complex logic and encryption and sent directly to the PIN printer. The PIN is printed in sealed form and can be seen only by tearing open the PIN mailer.

The level of caution at this stage is such that the card plastic and the PIN are printed at different locations (in HDFC Bank, cards are printed at Chennai while PIN printing usually happens in Mumbai); this is done to ensure that your card and PIN are never together until they are delivered to the customer. In addition, cards are delivered with addressee-specific delivery. The delivery person usually asks for ID proof before handing over the card kit to you.

PIN Validation: At the time of transaction the PIN is encrypted at the key pad itself and an encrypted PIN block is generated. The PIN travels to the issuer system for authentication in encrypted format. A PIN block is generated in the issuer system using the information available at the back end. The two PIN blocks are compared, and if they match, PIN authentication is successful.
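To make the PIN block concrete, here is an added example (not code from the original post) that builds the ISO 9564-1 format 0 PIN block the key pad encrypts and the issuer side rebuilds. The 3DES step between terminal and issuer is left out because the Python standard library has no 3DES; the PAN and PINs are constructed test values, and the reference PIN stands in for whatever the issuer back end holds to rebuild its copy of the block, which the post does not detail.

```python
"""ISO 9564-1 format 0 PIN block: construction, recovery and comparison.

Added example, not code from the original post. The 3DES encryption of the
block under the terminal PIN key is omitted; the layout and the PAN binding
are the real format 0 rules. All card numbers and PINs are constructed.
"""
import hmac


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: 0000 followed by the rightmost 12 PAN digits,
    excluding the check digit (the last digit)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: nibble 0 = format (0), nibble 1 = PIN length,
    then the PIN digits, padded with F up to 16 hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def clear_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field. Mixing in the PAN means the
    same PIN on two different cards never yields the same block. This 8-byte
    value is what the key pad encrypts before it leaves the device."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Issuer side: undo the XOR with the same PAN, then validate the format
    nibble, the length nibble and the F padding before trusting the digits.
    A block built against a different PAN fails the padding check."""
    raw = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if raw[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(raw[1], 16)
    if not 4 <= length <= 12 or raw[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN block")
    return raw[2:2 + length]


def verify_pin(block: bytes, pan: str, reference_pin: str) -> bool:
    """Rebuild the expected block from the PAN and the reference PIN (an
    assumption standing in for the issuer's back-end data) and compare the
    two blocks in constant time, as the post describes."""
    try:
        return hmac.compare_digest(block, clear_pin_block(reference_pin, pan))
    except ValueError:
        return False
```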

CVV or CVC: This is a three digit code linked to your card, and a variation of the same, CVV2/CVC2, is printed on the back of your card. This three digit code is available only on the card plastic, and the presence of CVV/CVC, or of CVV2/CVC2 for CNP transactions, means that the person providing the details is in possession of the card plastic.

It is very important that you do not share your PIN and CVV details with any person, except on the card details capture page at the time of transaction.

2 Factor Authentication: According to the RBI mandate all card transactions in India are processed with two factors of authentication. Typically these two factors are a combination of any two of the three below:

  1. What you have: in the card world it is usually your card plastic, or, if you are transacting through your registered mobile device, it can be your mobile device.
  2. What you know: your PIN or passwords fall in this category. It is a shared secret that only you and your issuer know and can validate.
  3. Who you are: all biometric forms of authentication fall under this category. The most common biometric is your fingerprint. In future we might even see iris, voice, behaviour, face etc. also being used for authentication.

In case of a card present transaction these two factors are your card plastic and PIN, while in case of a card not present transaction they are your card details (card number, expiry and CVV2/CVC2) and an OTP or password.

Merchant Acquiring Controls

POS Terminal: A PoS device consists of the following components: a. card reader, b. key pad, c. network connectivity, d. memory storage and e. receipt printer. The card reader and key pad are programmed to encrypt the data at the time of entry itself. Memory stores this information in encrypted form and deletes it as soon as the merchant processes the settlement. Communication over the network happens in encrypted format through a protected line. The receipt printer is programmed to mask sensitive information like your card number while printing the receipt.

The encryption logic used for card transactions is called TripleDES or 3DES, which is one of the most advanced data encryption standards in practice today, and the encryption key used for each terminal is unique and dynamically updated in order to ensure protection from any possible compromise at the key level itself.

Void and Refund

Void and refund are transactions used by the merchant to undo a transaction. For example, if the merchant has swiped your card for a wrong amount, or you have changed your mind about the transaction immediately after making the payment, the merchant can recall that transaction from the terminal's memory and cancel it. This process is called void, and in this case when the merchant processes the settlement this transaction is omitted from it and not claimed further. In the absence of any claim against the transaction, the issuer automatically reverses the transaction in the customer's account after the designated settlement time is over.

In case the merchant has already processed the settlement on the machine and the transaction has been deleted from the device, it cannot be cancelled/voided. In this case the merchant performs a refund transaction, i.e. sends an instruction to credit the customer's account by debiting the merchant's account. When the merchant settles this transaction the appropriate credit instruction is passed on to the issuer by the acquirer via the interchange. These days interchanges have come up with ways to process instant refunds.

Chargeback

As you are now aware, there are many controls in place to ensure a safe transaction at the time of card issuance and transaction processing. Chargeback is a process to protect the customer's interests after the transaction. As part of the chargeback process, if there is any issue with the transaction, like duplicate billing, services not rendered, goods not delivered etc., a customer can reach out to his/her issuer to raise a dispute with all the evidence supporting his/her claim. In such cases the issuer approaches the merchant through the acquirer via the interchange and asks the merchant either to provide the necessary evidence or to accept the dispute and reverse the transaction. The merchant provides the evidence in the form of delivery confirmation, payment receipt etc. If the merchant is unable to prove that it was a genuine charge, the case is closed in the customer's favour and the transaction is reversed. If the merchant is able to prove with the necessary evidence that the charge was genuine, the dispute is closed in the merchant's favour.
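The void, refund and chargeback rules from the two sections above, as an added example that is not code from the original post: a void only works while the sale is still in the terminal's open batch, a refund after settlement is a separate credit transaction, and a chargeback on a settled sale is decided by whether the merchant supplies evidence. Transaction ids, amounts and the evidence string are constructed.

```python
"""Merchant-side transaction lifecycle: void, refund and chargeback.

Added example, not code from the original post. It models the rules the post
describes; the terminal, ids and amounts are constructed test data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Txn:
    txn_id: str
    amount: int                  # paise, so money never goes through floats
    kind: str = "sale"           # "sale" or "refund"
    status: str = "authorized"   # authorized -> voided | settled -> disputed -> reversed


@dataclass
class Terminal:
    batch: dict = field(default_factory=dict)     # open batch in terminal memory
    settled: dict = field(default_factory=dict)   # already claimed from the acquirer
    claim_files: list = field(default_factory=list)

    def sale(self, txn_id: str, amount: int) -> Txn:
        t = Txn(txn_id, amount)
        self.batch[txn_id] = t
        return t

    def void(self, txn_id: str) -> bool:
        """Allowed only while the sale is still in the open batch."""
        t = self.batch.pop(txn_id, None)
        if t is None:
            return False   # already settled or unknown: cannot be voided
        t.status = "voided"
        return True

    def settle(self) -> list:
        """The open batch becomes the claim file. Voided sales were already
        removed, so they are never claimed and the issuer reverses them."""
        claim = list(self.batch.values())
        for t in claim:
            t.status = "settled"
            self.settled[t.txn_id] = t
        self.batch.clear()
        self.claim_files.append(claim)
        return claim

    def refund(self, original_id: str, amount: int) -> Txn:
        """After settlement the only way back is a refund: a new credit
        transaction that debits the merchant and credits the cardholder."""
        orig = self.settled.get(original_id)
        if orig is None:
            raise ValueError("refund needs a settled original; void before settlement")
        if amount > orig.amount:
            raise ValueError("refund exceeds original amount")
        r = Txn(f"{original_id}-R", amount, kind="refund")
        self.batch[r.txn_id] = r
        return r


def chargeback(t: Txn, merchant_evidence: Optional[str]) -> str:
    """Issuer raises a dispute on a settled sale via acquirer and interchange.
    Returns whose favour the case closes in, per the post's description."""
    if t.kind != "sale" or t.status not in ("settled", "disputed"):
        raise ValueError("only settled sales can be charged back")
    t.status = "disputed"
    if merchant_evidence:          # e.g. delivery confirmation or signed receipt
        t.status = "settled"
        return "merchant"
    t.status = "reversed"
    return "customer"


def net_claim(claim: list) -> int:
    """Net amount the merchant claims from the acquirer for one claim file."""
    return sum(t.amount if t.kind == "sale" else -t.amount for t in claim)
```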

Zero Liability

If you read all the study material sent along with your card, in many cases you will find a section labelled Zero Liability. Zero Liability applies to your purchases made in store, over the telephone, online or via a mobile device, and to ATM transactions. As a cardholder, you will not be held responsible for unauthorized transactions if:

  1. You have used reasonable care in protecting your card from loss or theft; and
  2. You promptly reported loss or theft to your financial institution.

If you believe there has been unauthorized use of your account and you meet the conditions above, rest easy knowing you have the protection of the Zero Liability promise. Please read this clause carefully in your card kit and ensure you understand it.

Hotlisting

Please ensure you contact your bank by the fastest mode available to report the loss of your card or any suspicious activity on it. Every card issuer ensures that there are methods to report this through a telephone call (at a dedicated number; please keep this number handy), mobile banking, internet banking etc.

What counts as suspicious activity? Some examples are as follows:

  1. You receive an SMS/e-mail regarding an activity in your account that you are not aware of
  2. You receive an SMS/e-mail informing you about an OTP generated for a transaction that you did not initiate
  3. Someone calls you and inquires about sensitive information about your card like card number, CVV, PIN, OTP etc. No bank ever asks for this information to be shared over a phone call with any person.

I hope this information has been helpful and makes you more confident about using your card for payment the next time you go shopping. In the next part I will cover the various types of fraud happening in the card world and how to protect yourself from them. Most banks actually send mailers/SMS regarding this kind of information; you might already be aware of it if you have been paying attention to those mailers.

Payments Explained: Card Transactions Part 2 (Transaction Flow)

Continuing from my last post, which was dedicated to explaining the common terminology used in the payments world in terms of the participants and instruments, in this post I will focus on how a card transaction works. Back in 2005, after completing my B.Tech. in Mechanical Engineering, during my job interview with HDFC Bank my super boss (then head of BSG retail) asked me if I knew how an ATM transaction works. I answered in the negative and yet attempted to guess how it might work using logical reasoning, coupled with my experience of using my ICICI Bank card at the Canara Bank ATM installed on the IIT campus. My answer was somewhat close to reality. I will try to use similar language in this post so that it makes sense to a wider audience with no background in the payments business.

Fundamental Principle

In simple terms any payment involves debiting one account and crediting another. When you purchase goods or services from a merchant and make a payment for them, it is your account that needs to be debited and the merchant's account that needs to be credited. It is a much simpler process when both accounts are in the same bank; however, when the two accounts happen to be in different banks, it becomes slightly more complex. In payments lingo, if the issuer and acquirer are the same bank, the transaction is referred to as OnUs and is settled within the bank without involving the services of interchanges. However, when the issuer and acquirer are different banks, the transaction is referred to as remote OnUs and OffUs by the issuer and acquirer respectively. Such transactions are processed through interchanges, utilizing their connectivity with both banks, and are settled via the same interchange.

The primary function of the instruments both parties hold (in case of the customer it is the card plastic, and in case of the merchant it is typically the PoS device) is to identify the source and destination financial address, i.e. the account number and the bank. Most of you would be aware of something called the IFSC code; well, this code is nothing but a way to identify your bank-branch combination when you are performing an NEFT or RTGS transaction (even IMPS Person to Account, commonly referred to as P2A, where you use the account number instead of the MMID as the destination address, uses the same). Similarly, in the card world there is something commonly called the BIN, short for Bank Identification Number. This BIN is a six digit number issued by interchanges (Visa/MasterCard/RuPay) to participating issuing and acquiring banks. On your card it is the first 6 digits of your card number, while in case of merchants it is mapped to the PoS device. It is this BIN that helps interchanges identify the source and destination banks in any payment transaction using cards.

Sample Transaction

When you present your card issued by Bank A at a merchant on-boarded by Bank B, the transaction follows these steps:

  1. The PoS machine reads the card information from the card
    • In case of a chip card the information is read from the chip when it is dipped into the machine
    • In case of a magnetic stripe card the information is read from the magnetic stripe on the back of the card during the swipe
    • In case of NFC the information is exchanged over the air during the tap
    • If you have heard of a company called Tone Tag, they use sound waves to communicate between your phone (which stores the card number) and the PoS device
  2. The information read by the PoS device typically contains the customer name, card number, expiry of the plastic, CVV (a three digit secure code) and PIN block (wherever applicable)
  3. The PoS device connects to the acquirer and sends the information to their central system
  4. The acquirer system identifies from the BIN which interchange the card belongs to and sends the transaction to the respective interchange
  5. The interchange identifies the issuing bank from the BIN and sends the transaction to the issuer
  6. The issuer authenticates the card using the information captured by the PoS device
  7. Upon successful authentication the issuer authorizes the transaction based on the status of the account and the availability of balance in it
    • At this stage the issuer debits the customer's account and parks the credit in a designated account marked for interchange settlement
  8. The result of authentication and authorization is communicated back to the interchange in the form of a response code
  9. The interchange passes on the response to the acquirer
  10. The acquirer communicates the same forward to the PoS device
  11. The PoS device shows the message on the machine display and the merchant concludes the transaction accordingly
  12. The merchant uses the PoS device to claim the money from the acquirer
    • At this stage the acquirer credits the merchant by debiting the designated account marked for interchange settlement
  13. The acquirer sends the claim file to the interchange with details of all the transactions across all issuers
  14. The interchange splits the file per issuer and sends the files to the respective issuers to receive the funds for transactions performed on the interchange's network by customers of that issuer
    • Each interchange has a designated settlement banker. Every issuer and acquirer has to open an account in this bank, which is used to settle transactions between participating banks
  15. The issuer debits its designated settlement account to fund the interchange account in the designated settlement bank
  16. The interchange debits the issuer's account in the settlement bank and credits the acquirer's account in that bank
  17. The acquirer uses the funds received in its account in the settlement bank to square off the settlement account in its own books

Steps 1 to 12 are called authorization and steps 12 to 17 are called settlement. Authorization steps are performed online in real time, while settlement is completed through file exchange. When you hear someone say it's DMS, short for dual message settlement, this is what they are referring to.
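The authorization and settlement steps above, traced through a small double-entry ledger, as an added example that is not code from the original post. It also covers the OnUs case from the Fundamental Principle section, where both sides are the same bank and no interchange is involved. The BIN table, bank names, account labels, balances and card numbers are constructed test data, not real BINs or accounts, and the response codes follow the ISO 8583 convention ('00' approved, '51' insufficient funds, '14' invalid card number).

```python
"""End-to-end card transaction: BIN routing, authorization and settlement.

Added example, not code from the original post. The issuer debits the
cardholder and parks the amount in its interchange settlement account, the
acquirer pays the merchant from its own settlement account, and the
interchange moves funds between the two banks' accounts at the settlement
bank. All BINs, banks, balances and card numbers are constructed.
"""
from collections import defaultdict

# Constructed BIN table: first 6 digits -> (interchange, bank). Not real BINs.
BIN_TABLE = {
    "411111": ("Visa", "Bank A"),
    "522222": ("MasterCard", "Bank B"),
    "608001": ("RuPay", "Bank A"),
}


def luhn_ok(pan: str) -> bool:
    """Check-digit test the acquirer can run before spending a network call."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def route(pan: str):
    """Steps 4 and 5: BIN -> (interchange, issuer); None for an unknown BIN."""
    return BIN_TABLE.get(pan[:6])


class Ledger:
    """Balances are ints in paise; every move is one debit and one credit."""

    def __init__(self) -> None:
        self.bal = defaultdict(int)
        self.journal = []

    def move(self, debit: str, credit: str, amount: int) -> None:
        self.bal[debit] -= amount
        self.bal[credit] += amount
        self.journal.append((debit, credit, amount))


def authorize(ledger: Ledger, pan: str, amount: int, acquirer: str) -> dict:
    """Steps 1 to 11. Returns an ISO 8583 style response code: '00' approved,
    '14' invalid card number, '51' insufficient funds."""
    if not luhn_ok(pan) or route(pan) is None:
        return {"rc": "14"}
    interchange, issuer = route(pan)
    customer = f"{issuer}:customer:{pan[-4:]}"   # account keyed by last 4 only
    if ledger.bal[customer] < amount:
        return {"rc": "51"}
    on_us = issuer == acquirer                   # same bank both sides: no interchange
    # Step 7: debit the cardholder and park the credit for settlement.
    park = f"{issuer}:settlement" if on_us else f"{issuer}:settlement:{interchange}"
    ledger.move(customer, park, amount)
    return {"rc": "00", "issuer": issuer, "acquirer": acquirer, "amount": amount,
            "interchange": None if on_us else interchange, "on_us": on_us}


def settle(ledger: Ledger, auth: dict, merchant: str) -> None:
    """Steps 12 to 17 for one approved transaction taken from the claim file."""
    amt, issuer, acquirer = auth["amount"], auth["issuer"], auth["acquirer"]
    payee = f"{acquirer}:merchant:{merchant}"
    if auth["on_us"]:
        ledger.move(f"{issuer}:settlement", payee, amt)   # settled within the bank
        return
    ic = auth["interchange"]
    # Step 12: acquirer pays the merchant out of its settlement account.
    ledger.move(f"{acquirer}:settlement:{ic}", payee, amt)
    # Step 15: issuer funds its account at the interchange's settlement bank.
    ledger.move(f"{issuer}:settlement:{ic}", f"{ic}:bank:{issuer}", amt)
    # Step 16: interchange moves funds between the two banks' accounts there.
    ledger.move(f"{ic}:bank:{issuer}", f"{ic}:bank:{acquirer}", amt)
    # Step 17: acquirer uses those funds to square off its settlement account.
    ledger.move(f"{ic}:bank:{acquirer}", f"{acquirer}:settlement:{ic}", amt)


def demo() -> Ledger:
    """Off-us purchase of Rs 250.00 on a Bank A Visa card at a Bank B merchant."""
    ledger = Ledger()
    pan = "4111111111111111"                              # constructed test PAN
    ledger.bal[f"Bank A:customer:{pan[-4:]}"] = 100000    # Rs 1000.00 in paise
    auth = authorize(ledger, pan, 25000, acquirer="Bank B")
    if auth["rc"] == "00":
        settle(ledger, auth, merchant="Shop-1")
    return ledger
```

After demo() every settlement and settlement-bank account is back at zero: only the cardholder and the merchant balances have changed, which is the point of steps 12 to 17.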

When you are using the card at a website or mobile app, there is one additional step you all perform: 2nd factor authentication, the most common form in India being a one time password (OTP) delivered to your registered mobile phone. This is done because in the online world there is no encrypted key pad as there is on a PoS device. Since the PIN needs to be protected with certain encryption standards, which are difficult to implement on a website, as an alternative, when the transaction hits the interchange, they refer to a mapper maintained at their end to find the authentication URL of the issuing bank and make a call to that URL. At this point the issuing bank takes control of the transaction and triggers an OTP to the cardholder's mobile number, which is then validated on the web page of the issuing bank. After successful authentication in this manner the other authorization steps are performed. Such transactions, where the card plastic is not used at the time of transaction, are called CNP (card not present) transactions.

I hope this gives most of you a fair idea about how card transactions are performed and the role multiple entities play in the process, along with the flow of money. In the next part I will cover the various security safeguards that are built in at various steps of the entire process to protect customers and merchants from various frauds.

Payments Explained: Card Transactions Part 1 (Terminology)

Payments is the most popular service used by the widest customer base. Everyone recognizes some of the key players operating in the space, like banks (issuers and acquirers) and Visa, MasterCard and NPCI (interchanges), by virtue of seeing their logos at every ATM and merchant outlet and also on the face of their cards (credit, debit, prepaid). I have come across many situations where people fall prey to frauds or unfair treatment due to their lack of awareness about the way digital payments work and the roles played by the various parties involved, awareness that would let them make the best use of the available infrastructure without any fear. There are enough precautions taken while building the systems and designing the surrounding processes to ensure the customer is protected from wrongful conduct by malicious parties. This series is an attempt on my part to explain the fundamentals of digital payments in simple English, in order to make common users of payment instruments aware of what goes on behind the scenes to facilitate the entire journey. Today I will focus on one of the most popular and oldest digital payment methods for retail consumers: cards.

Terminology

Let’s first introduce the terminology commonly used in the card payments world, to help you understand it slightly better and know what each term means when you hear it in any conversation in future.

Debit Card: Your debit card is the plastic instrument issued to you by your bank that you use to transact using the balance in your savings or current account with the bank. Because a debit card is always linked to a savings or current deposit, only banks (including Payment Banks and Small Finance Banks) can issue this card. The logo of the bank is printed on the face of the card.

Credit Card: A credit card is the plastic instrument that enables you to pay through your credit account. While there are non-bank institutions as well that offer credit facilities to customers through their lending products, currently RBI allows only banks to issue credit cards. If you come across a credit card issued to you by any non-bank, it will typically be in partnership with some bank; for example, the Bajaj Finserv credit card is offered in partnership with RBL Bank.

Prepaid Card: Prepaid cards are stored value cards where you need to load money into the prepaid account; you can transact up to the amount loaded on the prepaid instrument, and that is why they are considered less risky, since the exposure is limited to the amount stored. RBI issues the PPI (Prepaid Payment Instrument) issuer license to entities interested in issuing prepaid cards. Entities like EbixCash (formerly ItzCash), Amazon Pay, Mobikwik, Oxigen, Sodexo and PhonePe are some popular PPI issuers in the market.

Prepaid cards issued by banks are usually open loop cards and work on a wider merchant base, depending on the merchant's ability to accept Visa, MasterCard or RuPay cards (I will explain these later, under the section Interchange); while cards issued by PPI issuers are semi closed loop cards, meaning that for a card issued by a PPI issuer to work at any merchant, the merchant needs to have a direct arrangement with the issuer of the card. You need to look for the specific PPI issuer's logo at a merchant outlet or website to know whether that merchant has an arrangement with the particular issuer to accept your prepaid card.

There are many variations of prepaid card instruments available in the market, under various popular names. I will explain some of them below:

  1. Mobile Wallet or Wallet: These are prepaid instruments issued only digitally and typically accessed through a mobile app offered by the issuing entity. Some very popular wallets in the market are PayTM, PhonePe and AmazonPay.
  2. Meal Card or Food Card: These cards work only at grocery merchants or restaurants. Sodexo is the biggest issuer in this category.
  3. Travel Card or Forex Card: This is the card category typically issued by banks or through FFMCs (Full Fledged Money Changers), where you can load money in foreign currency. When you are travelling to a foreign country, any transaction done on your INR cards incurs a surcharge to the tune of 2-5%, depending on your issuer, called the cross currency mark-up. In that situation it is advisable to carry a travel prepaid card with money stored in that region's local currency, thus avoiding this mark-up every time you transact. There are even multi-currency variants available in this category, where you can load the card in multiple currencies supported by the card issuer.
  4. FASTag: This is a new variant of prepaid card that has become very popular recently because of the government's push to digitize toll collection at toll booths across the country. This is an instrument that works on near field communication technology, where the card stuck on your windshield is read by the sensors installed at toll booths while your car is passing through. Since a standard amount is to be deducted, a rule based setting processes the transaction without the need for an operator. The toll gate is triggered based on the transaction response: open the gate if the response is successful; if not, refer for manual intervention.

Other than the variants described above, there can be various other variants tied to usage limitations on the card, like general purpose cards with no restrictions, petro cards working only at petrol pumps, student cards with restrictions on card usage set up by guardians or the college, etc.

Issuer: An issuer is the institution that has issued you the card you are holding, and the card has the logo of that institution on its face. Card issuers are typically banks or, in case of prepaid cards, other entities licensed by RBI, i.e. PPI issuers.

Acquirer: The acquirer is the institution that on-boards the merchant onto the payment platform. The logo on the Point of Sale (PoS) machine or on the transaction receipt generated is that of the acquirer. In India only banks are allowed to become acquirers. Any other names you see or hear, like Pine Labs, Innoviti, mSwipe etc., all use one or more banks as acquirers to process their transactions.

Interchange: An interchange in the payments ecosystem is the entity that ensures interoperability between issuers and acquirers during the transaction. There are currently three interchanges active in India: Visa, MasterCard and RuPay (run by NPCI, the National Payments Corporation of India). The logo of the partnering interchange is always printed on the face of the card and displayed at the merchant location/website. If the logo at the merchant location matches the logo printed on your card, it means this merchant will accept your card.

Example: When you use your HDFC Bank Visa card at a merchant of ICICI Bank, HDFC Bank is the issuer, ICICI Bank is the acquirer and Visa is the interchange facilitating settlement between the two banks.

POS (Point of Sale) Machine: This is the small machine you find at a merchant outlet, on which he/she dips, taps or swipes your card to process the transaction. The biggest manufacturers of these devices are Ingenico and Verifone. These companies manufacture the machines and sell them to acquirers or payment facilitators, who then provide them to merchants. These devices typically use a traditional telephone line or GSM (mobile phone network) for connectivity.

mPoS: This is a smaller version of the PoS device that connects to a mobile phone for connectivity. The extension typically has a card reader, a PIN pad for entering the PIN and a small display. They rely on the mobile phone for connectivity and, unlike traditional devices, do not print receipts. mSwipe and Ezetap are two key players in this space.

Payment Gateway: A Payment Gateway (PG) is a piece of software doing the job of a PoS device in the digital world. Any website or mobile app integrates with a payment gateway to accept payments from card instruments. Many banks have their own payment gateways, with HDFC Bank being the market leader in this space. However, there are many non-bank players like PayU, CCAvenue, Billdesk, Techprocess, Razorpay, Payabbhi etc. playing the role of aggregator to offer this service to merchants.

Blockchain: A sample case for how it can affect your life

Before there were banks, people used to trade by exchanging goods of value between themselves. This system was not scalable due to the logistics involved. To solve this problem states came up with currency, which was issued by the state, and the value of the currency was guaranteed by the state. The primary form of these currencies used to be metal, usually gold or silver. When humanity developed modes of transportation and started trading between far off places, it became extremely challenging to rely on metal coins, so Kublai Khan introduced paper currency to make trade easier for merchants trading between China and Europe. This was a great innovation for the time; however, when trades became larger and more widespread, even managing paper currency became challenging, and thus came banks. Banks were the entities trusted with the safekeeping of money, facilitating trade by acting as trusted middle parties managing the transfer of money from buyer to seller as per their agreed contract. So all this innovation throughout history, over centuries, has been to facilitate trades between two parties bound by a mutually agreed contract without relying on mutual trust. Well, blockchain provides the necessary technology to facilitate the above mentioned trade without the need for a trusted third party in the form of banks. However, it is not easy to throw away hundreds of years of evolution just because technology has finally managed to solve the original problem, resulting in a lot of resistance from various quarters. Change in technology is easy; the more difficult part is change in behaviour and mindset, which will take time, a couple of decades in my opinion.

Adoption of blockchain has to start in a manner that drives acceptance in common practice without expecting a significant change in behaviour. Keeping regulatory challenges in mind, the most logical point of origin could be the introduction of crypto-currencies in a closed loop environment. By the way, I am aware that blockchain and crypto-currency are not the same thing; however, I think crypto-currency is one of the most suitable uses for blockchain and the most straightforward way to ensure common adoption. In today's connected world there are enough use cases of person to person exchange with no need for a banking third party. While the history of Facebook makes me skeptical, social media is one very appropriate use case for the implementation of a crypto-currency.

Any social media platform relies on two types of users, contributors and consumers (with some overlap between the two categories). In an ideal world contributors should earn for their contribution, while consumers must pay for their consumption. Such a platform can very easily introduce an internal currency, the value of which is linked to the value of the platform, and the same is distributed among the contributors in proportion to their contribution to the platform. Consumers can earn the currency either by contributing to the platform, buying from other contributors or buying from the platform itself. If the platform provides enough value to consumers there will be enough demand for the currency, thus increasing its value, while if the platform's value erodes the currency will also lose its value.

This is just one example of a perfect setting where a blockchain based crypto-currency will do much better than the existing bank dependent settlement method. There are many emerging platforms supporting the shared economy, like Amazon, Flipkart, Uber, Ola, AirBnB, Oyo, Swiggy, UrbanClap etc., where real-time settlement clearly is the need and will enhance the platform many-fold by unlocking value for the smaller participants in the economy. In today's set-up, one day a Swiggy might start feeling that a restaurant's business is dependent on them and come up with practices not entirely in favour of restaurants. We can already see this happening with restaurant bodies protesting against Zomato, drivers protesting against Ola, hotels protesting against MMT and Oyo etc. This is because the platform has too much power over the entire ecosystem, making the entire set-up unfair for the smaller participants. An alternative platform built using smart contracts between participants, ensuring real time settlement, would be a much better and fairer option.

Another argument in favour of blockchain is the incompetence or unfairness of banks over the years. The banking system has been in operation for centuries; however, with all the advancements in technology, their cost of managing money has stayed consistent at around four percent. On top of that, their insistence on charging customers for everything, even essential services, makes the need for an alternative imminent. I recently encountered one bank (one of the largest private sector banks in India) whose credit card hotlisting helpline is a premium number, and the customer has to pay extra for using it. Most banks have fees/charges for every type of interaction with the bank. If it wasn't for RBI, customers would even be charged for using ATMs (even today there are charges beyond a particular frequency). Banks charging customers for account access is similar to shopping malls charging for parking or carry bags; both are unfair, but both happen without any check because people in general accept it and move on. There are better ways to manage the situation, but it is lack of intent or imagination that makes them choose the easier (direct) path to revenue rather than coming up with a more customer friendly way. To top it all, recent cases of corruption and incompetence across many banks have brought the trust of the common public to an all time low.

Financial Inclusion: Past, Present and Future, A Technology View

The biggest challenge in the financial inclusion space is that most of the people attempting a solution don't even have a clear view of the problem. When you solve the problem with clarity of vision, you end up creating an institution like Bandhan Bank; in other cases you end up installing ATM machines in villages, only to realize very soon that the cost of operating an ATM in a rural location can never be justified by the value it offers, even at 100 percent capacity utilization. During my stint at HDFC Bank, where I was leading solutions for the retail payments space, I was also responsible for financial inclusion initiatives. We did many things, like Bank on Wheels: installing an entire bank branch, including an ATM with biometric (fingerprint) capability, in a bus specially modified for this purpose. Another version of Bank on Wheels was the Ultra Small Branch, where we created a solution for single-man branches operated entirely through a handheld device. The manager would basically carry the entire branch on a bike and travel to dedicated service locations.

Once, Wincor-Nixdorf senior management representatives were visiting India to showcase their new hardware to Indian prospects, and during the evening meet and greet one of the Germans got into a conversation with me. During the conversation he mentioned that he was really interested in building something for financial inclusion, especially for rural India. My answer to him: “Stop selling them ATMs.” The income and spending patterns are very different for rural and urban markets. ATMs are required for a customer base that receives the bulk of its income in its bank account and then withdraws what it needs to spend, while when someone earns primarily in cash, they spend in cash and then deposit whatever is left as savings in their accounts. By the way, this conversation was back in 2011 and a lot would have changed in the last 8 years (QR codes and UPI were non-existent then, for example), but still the fundamental principle remains the same.

One more point I used to hear often about rural customers was that biometric authentication (fingerprint) is a must-have for building any solution for rural customers. Although most of the time their point of view prevailed and we ended up building solutions with biometric authentication, my counter-argument to this has always been that a numeric PIN will work just as well. Even if the customer is illiterate he can identify his PIN as a combination of symbols; besides, if a customer can count money, he can manage his PIN. Who remembers her/his PIN as Five Thousand Three Hundred Ninety One? You always remember it as Five, Three, Nine, One. Introduction of biometrics pre-Aadhaar meant any solution built for rural customers was costlier and not viable. Has anyone in any bank ever verified this hypothesis? I doubt it. Nobody ever shared any field research in this regard with me.

A lot has changed in the last decade. APBS (Aadhaar Payments Bridge System) is extensively being used to transfer subsidies directly into the beneficiary’s account using the Aadhaar mapper. The only credit in my father’s account is the cooking gas subsidy. NREGA payments are being credited directly to the account. AePS (Aadhaar enabled Payments System) makes it easy to authenticate a customer using Aadhaar. Jio has given mobile data connectivity to anyone they can get their hands on. Internet in India is the cheapest in the world and the connectivity reaches even small villages. PayTM has spent billions to teach people how to transact using mobile phones. G-Pay and PhonePe have used UPI to create a user-friendly payment experience for anyone with a bank account (PMJDY gave everyone a bank account, even the ones who were never interested in having one). BharatPe and PayTM are reaching out to the smallest of merchants and on-boarding them on digital payments using QR codes. The people who were not even expected to handle a 4-digit PIN are now scanning QR codes through their mobile phones.

The next big game changer in the financial inclusion space, according to me, will come from mass adoption of speech recognition and voice biometrics. Together they have the power to make payments completely invisible, thus removing any friction in the process. Imagine an illiterate person in some remote village calls up a designated number of her/his bank and speaks the instructions in her/his native language, e.g. “humara phone recharge kar do do sau rupai ka (please recharge my mobile number for 200 rs),” and the bank “identifies” the customer through her/his “mobile number”, “authenticates” the customer through the combination of two factors, “what he has?” i.e. his “mobile device” and “who he is?” i.e. his “voice biometric”, and reads the instructions from his speech. A transaction experience this simple can really transform the way payment is happening today. Behavioral biometrics is another area that can use the customer’s way of interacting with the device as a password and make the authentication experience completely seamless while still sticking to the two-factor authentication process. There are companies working towards making this a reality and this experience is very much possible with the technology available today. There are start-ups like Uniphore and Gnani working on speech and voice biometrics and start-ups like NeoEyed in the area of behavioral biometrics. (In my opinion an OTP delivered on my mobile device for a transaction I am performing on the same device is not two-factor authentication in the true sense; it is “what I have?” i.e. my “mobile device” performed twice.)
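The two-factor reasoning in the paragraph above (possession of the mobile device plus a voice biometric counts as two factors; an SMS OTP delivered to the same device the transaction is made from collapses into the possession factor already used) can be written down as a policy check. The block below is an added illustration, not code from the original post or from any bank; the device names, the `Factor` classification and the rule that an SMS OTP proves possession of the device it is delivered to are assumptions of this example.

```python
"""Authentication-factor independence check (added illustration).

Models the rule that a transaction is truly two-factor only when the
evidence presented falls into at least two *different* factor
categories. An SMS OTP is treated as proof of possession of the device
it is delivered to (an assumption of this example), so an OTP sent to
the device the customer is already transacting from adds no new factor.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple, Set


class Factor(Enum):
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # phone, SIM, card
    INHERENCE = "something you are"     # fingerprint, voice


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    # For possession-type evidence: the device whose possession is proven.
    # An SMS OTP proves possession of the device it was delivered to.
    bound_device: Optional[str] = None


@dataclass(frozen=True)
class Transaction:
    channel_device: str            # device the customer transacts from
    channel_device_bound: bool     # True if the channel itself proves
                                   # possession (e.g. caller number / bound app)
    authenticators: Tuple[Authenticator, ...]


def evidence(txn: Transaction) -> Set[Tuple[Factor, str]]:
    """Independent (factor, proof) pairs for the transaction.

    Two pieces of possession evidence that point at the same device are
    deduplicated, which is exactly the 'performed twice' situation.
    """
    found: Set[Tuple[Factor, str]] = set()
    if txn.channel_device_bound:
        found.add((Factor.POSSESSION, txn.channel_device))
    for a in txn.authenticators:
        if a.factor is Factor.POSSESSION:
            found.add((Factor.POSSESSION, a.bound_device or a.name))
        else:
            found.add((a.factor, a.name))
    return found


def factor_categories(txn: Transaction) -> Set[Factor]:
    return {f for f, _ in evidence(txn)}


def is_true_two_factor(txn: Transaction) -> bool:
    """True only when evidence spans at least two distinct categories."""
    return len(factor_categories(txn)) >= 2


# Constructed scenarios (sample data for this example, not real systems).
# 1. Voice call from the registered mobile + voice biometric.
VOICE_CALL = Transaction(
    channel_device="phone-A", channel_device_bound=True,
    authenticators=(Authenticator("voice biometric", Factor.INHERENCE),),
)
# 2. Bound mobile app + SMS OTP delivered to the very same phone.
OTP_SAME_DEVICE = Transaction(
    channel_device="phone-A", channel_device_bound=True,
    authenticators=(Authenticator("SMS OTP", Factor.POSSESSION, "phone-A"),),
)
# 3. Unbound browser session + PIN + SMS OTP to the registered phone.
WEB_PIN_PLUS_OTP = Transaction(
    channel_device="laptop", channel_device_bound=False,
    authenticators=(
        Authenticator("card PIN", Factor.KNOWLEDGE),
        Authenticator("SMS OTP", Factor.POSSESSION, "phone-A"),
    ),
)

if __name__ == "__main__":
    for label, txn in [("voice call", VOICE_CALL),
                       ("OTP on same device", OTP_SAME_DEVICE),
                       ("web PIN + OTP", WEB_PIN_PLUS_OTP)]:
        cats = sorted(f.name for f in factor_categories(txn))
        print(f"{label:20s} factors={cats} two-factor={is_true_two_factor(txn)}")
```

The useful property of this model is that the check is about independence of evidence, not about how many prompts the customer saw: the same `Factor.POSSESSION` device appearing twice still counts once, which is what makes scenario 2 fail and scenarios 1 and 3 pass.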

BharatQR: Untapped Potential or Lost Opportunity

Officially launched in February 2017, BharatQR is the world’s first interoperable and low-cost acceptance solution, developed by National Payments Corporation of India (NPCI), Mastercard, and Visa.

BharatQR was devised based on the direction set by the Reserve Bank of India (RBI) in September 2016 and its Payments Vision 2018, which outlines innovation, interoperability, and security as the three pillars to facilitate India’s transition to a less-cash society.

BharatQR has two very important benefits. First, consumers will not need to scan different QR codes at the same merchant provided by the different payment networks. Second, merchants will only need to display one QR code at the storefront or through the acquiring bank’s mobile application via UPI, IMPS or Visa/MasterCard/RuPay Cards.

With this, one would assume that by now BharatQR must have become the default for on-boarding small merchants, especially considering that, unlike PoS terminals, the cost of acquiring is practically zero for QR code based payments since there is no device to be purchased and managed, no key management, no stationery, not even the cost of a telephone line/SIM. With BHIM, PhonePe, Google Pay and PayTM being so popular among consumers for small payments, it’s obvious that on paper BharatQR has everything going in its favour to become the leading payment mode. Still, the ground reality tells another story. Adoption of BharatQR is nowhere even close to BHIM QR (UPI).

To be honest, I have so far not come across a single merchant who is actively using BharatQR as a major payment acceptance method. When BharatPe decided to get into the business, why did they choose BHIM QR over BharatQR, given that BharatQR clearly gives them access to a much larger number of payment instruments on the consumer side, while keeping the merchant-side effort the same?

In my opinion, the reason BHIM is everywhere while BharatQR is nowhere to be seen lies in the way the different custodians (NPCI, Visa and MasterCard) have approached the problem. UPI is an open platform where the baseline is defined, improved and maintained by NPCI, while PSPs are free to innovate on top of that layer to create a suitable user experience depending on their target consumer base. (By the way, this is where banks fail miserably, because they don’t clearly know who their target persona is for their digital products. This is a discussion for another post.) NPCI is fine whether a customer chooses to use UPI or his RuPay debit card for any payment; in the end an NPCI product is used and the customer’s savings account is debited either way. On the other hand, everything about Visa and MasterCard has to follow the card framework, even when it is not the best way in a particular situation.

Based on my many years of interactions with NPCI, Visa and MasterCard, I can clearly say one thing: NPCI is not too hung up on the card world. They are ready to explore beyond cards, and in fact now the RuPay card would be a smaller component of their overall portfolio. Even when it comes to cards they are not treating traditional benchmarks and standards as cast in stone and are not afraid of colouring outside the lines. Visa and MasterCard, on the other hand, always insist on not touching the core, which restricts innovators to a large extent because of the constraints of the core offering. BharatQR from the Visa perspective is a variation of mVisa, which is built on Visa Direct (formerly known as VMT or Visa Money Transfer), primarily built for card-to-card money transfer. The same goes for MasterCard leveraging MMS or MasterCard MoneySend. Another handicap for Visa and MasterCard is that, unlike UPI, they do not have someone called a PSP (the role played by Google Pay, PhonePe, BharatPe etc.) and are completely dependent on acquiring banks to push the product. As I have mentioned again and again, banks are not the innovators.

How many of you know that your Visa, MasterCard and even American Express card would work at BharatQR? Have any of you received any communication from your banks regarding how to go about it? Of the two banks I have worked for in the past and whose customer I still am, HDFC Bank offers BharatQR scanning through their PayZapp app and Kotak Mahindra Bank offers it through their mobile banking app. Most of the banks participate in this program; however, none of them seem to have put in any significant effort to make sure it is adopted at scale.

I tried to find BharatQR numbers through various sources; however, I couldn’t find any credible source reporting these numbers separately. While everyone talks about the UPI success story, in my opinion a large part of that story is because of BHIM QR. It wouldn’t be an exaggeration to say that the entire P2M story of UPI is heavily dependent on BHIM QR. This also shows how much of a missed opportunity it is for the card schemes like Visa and MasterCard. NPCI is fine whether it’s UPI or a RuPay card being used for payments. Visa and MasterCard are clearly missing out on this new wave of digital payments. During my research I found that the NPCI and Visa websites at least have dedicated space to talk about BharatQR; however, I could not find anything regarding the same on the MasterCard website. It looks like Visa is at least still trying, while MasterCard has already given up.

What needs to be done? From a long-term perspective, the answer is very clear. Maybe it is the right time for Visa and MasterCard to reinvent the wheel: think beyond the traditional card framework and build something suitable for a mobile-first world from scratch. (I am hoping there are teams already working on this mandate internally in both these organizations.) For the short term, Visa and MasterCard need to put in extra effort to handhold organizations like BharatPe, Khata Book and OK Credit etc. to ensure they adopt BharatQR standards for their merchant base. Visa and MasterCard both have their payment gateway businesses, CyberSource and MPGS respectively; integrate BharatQR there, even if it is only to create sample cases to showcase how easy it is for payment providers to adopt BharatQR. Lastly, instead of telling merchants to get in touch with their acquirers if they want to adopt BharatQR, do it for them (at least in the beginning).

State of Fintech in India

Introduction

First things first, “what is Fintech?” Well, my definition is very simple: “a financial services organization that builds, runs and manages its own technology stack, especially the components that are mission critical for its business.”

Why is this an advantage? Almost all the incumbents rely on outsourcing or licensing technology from various technology companies who built their flagship products 20–30 years back; the latest iterations of these products are modifications on those age-old products and thus not abreast with contemporary needs. Having control over the technology stack gives Fintechs the advantage of responding at a much faster pace to the changing needs of the market.

One might come across many start-ups claiming to be Fintech without even having an in-house technology team. In my opinion they are not Fintech, and in the long run they will not be able to deliver on their promise.

In simple words, “The only advantage a start-up has over any incumbent is speed.” Everything else can be matched by bigger competitors by virtue of having access to more resources than you.

Having established the above, let me spend some time on the biggest flaw with the current situation. Manufacturers of financial services products create a product and then go out in the market hunting for customers who fit their product. No wonder, except for savings accounts and payments, no other FS product touches more than 15% of the Indian population. The credit for payments services being used by a larger populace goes to the fact that it is essential; even then, still 80% of transactions happen in cash.

Payments

The most used and talked about financial service is Payments. Without getting into too much dissection of the market, let me directly rush into my vision for the future of Payments. RBI is contemplating regulating payment processors; once such regulation is implemented it will pave the way for freeing the payment market from the clutches of banks. Banks do not deserve to be at the center of Payments, for they have done very little in all these years and they still seem clueless in terms of how to approach this.

Considering how much emphasis every new business puts on UX, it is inevitable that every big merchant will want to create the payment experience in their own ecosystem, and the signs of this are already visible in the form of Amazon Pay, Ola Money etc. With increasing adoption of APIs it is going to be easier to do so even for medium-sized merchants. UPI has already made it clear what happens when you democratize innovation by opening up core functions in the form of APIs.

In my opinion, in the coming years most of the bigger merchants will replace their payment processors with in-house offerings, leaving these players to work with the small and medium merchant base, thus invariably forcing them to look for alternate sources of revenue. While most of the payment processors are already exploring lending as an option, they need to think beyond. So far none of the payment processors have explored exploiting the network effect, for example turning their platform into a B2B marketplace or a value discovery platform.

UPI has also made another thing very clear: while merchants have a clear focus on UX, banks on the other hand do not care. Compare the UPI experiences built by any consumer tech company with what is offered by banks and you will know the answer.

I was recently talking to a very senior person in one of the top private sector banks regarding the sub-standard UPI experience offered by their app, and his reply was, “But we do not get too many UPI transactions through that app anyway.” Well, you may have gotten more transactions had you cared even a tiny bit about the user experience.

To be honest, I am certain that most of the banks do not have dedicated functions focused on UX and even if they realize its importance and decide to set up such functions they would be scratching their heads on where exactly in their overall hierarchy they should position this team.

Lending

India so far has been dominated by savings products, with a really small part of the population having access to credit, due to the strict qualification criteria of banks and large NBFCs. The entire credit card industry caters to the same ~20 million customers. All the new pay-later players like Zest Money, Lazy Pay, Ola Postpaid etc. are working towards curating the future credit card customer base. I believe restricting credit card issuance to banks only is not right. While many NBFCs have started issuing credit cards (in partnership with banks) or CC-equivalent products to customers, I believe RBI should start allowing NBFCs also to issue credit cards. In short, I think the credit card story is yet to play out in India and this is the right time for it to pick up pace.

Most of the users of postpaid/pay-later I know use it because of the convenience it offers more than anything else, meaning the moment the same convenience is matched by other methods (risk-based authentication, are you listening RBI?). Besides, this can only be a good tool for customer acquisition, while all these players have to come up with an alternate business model.

The start-ups I will be keeping a close eye on are the likes of Khata Book and OK Credit. The only right way to lend is to have a first-hand, clear view of the finances of the borrowers and have a recovery strategy as per the income schedule rather than trying to standardize the same. Non-standard products with non-standard schedules are very much possible with the technology available today. Just one suggestion: build your own LMS.

P2P lending is still at a very nascent stage and has to find cost-efficient ways to grow its lender base and distribution at scale.

Insurance

Insurance is a very low-contact business. Customers hear from their insurers only once a year under normal circumstances, i.e. to collect payments from the customers when renewal is due. The other occasion when a customer needs to get in touch with the insurer is when the customer is going through an extreme, high-stress situation. In that situation even the smallest mix-up from the insurer’s side can prove to be fatal, not only for that one specific relationship but also for the reputation of the entire industry.

While most of the efforts in the insurance sector are focused on solving the sales problem, the only way to address the above critical problem is to innovate on the service side, and considering the nature of this business it cannot be done by the manufacturers in their current form. The only ways to address this service problem are to either change the entire DNA of manufacturers (start-ups like Acko and Toffee are trying the same) or leave it to third parties who have a higher-engagement relationship with the customer. I have a few thoughts around this, which I would keep for a more focused and detailed analysis, maybe for a later post or discussion.

Just to give you an example of how much insurers care about their customers: my health insurer, whom I have been with for 3 years now, has a free annual health check-up as part of the policy; however, so far they have in no way communicated with me regarding the same. If only they cared to make the customer feel cared for, since that is the hook the entire insurance industry uses to sell their products. I mean, the SMS code for a leading insurer used to be PAPA. There is a reason the entire insurance industry relies on invoking extreme human emotions to sell their products.

Wealth Management

There are many start-ups that can be clubbed under this category. Personal finance managers, expense managers, brokerages etc. can all be filed under it. However, most of the start-ups in this category are focusing on selling direct mutual funds. PayTM entering this business with PayTM Money is a reason for worry for all the other start-ups. With PayTM’s deep pockets they can continue to offer this for free for a long period of time, while others doing the same have to soon find a way to make money; with no commission income and customers skeptical about paying for advice, it’s very difficult to generate revenue. The one company in this space I am keenly observing is ET Money; they have all the necessary elements in place, and if they connect the dots in the right way they can really become the breakout performers in this space. By this space I mean a low-cost automated personal financial adviser for the Indian middle class.

One clear trend I see emerging in the sector concerns banks, who by virtue of being custodians of the customer’s money used to have significant control over their other financial decisions, with the sale of third-party products thus contributing a significant source of their revenue. Banks in all these years have done such a bad job of selling other financial products to customers, by prioritizing their own interests over the customer’s, that a large customer base is now losing faith in their banks. The direct result of this will be a clear reduction in the size of the customer’s relationship with their respective banks. The funny part in all this is that with the kind of resources and customer data banks have access to, they should have been the first to figure out a way to serve their customers better, but they continue to fail miserably.

About Me

I was born in a very small village in Uttar Pradesh, the population of which is in four digits, and I still cannot locate it on Google Maps. After spending six years there, I moved on to a small town called Jahanabad and studied there till 5th standard, and then moved to Kanpur to live in a hostel while my family still stayed in Jahanabad. A few years later my family also moved to Kanpur. During my 12th standard I appeared for JEE and got selected. With a desire to explore beyond Kanpur, I decided to pick IIT Bombay instead of IIT Kanpur and moved to Mumbai in 2001.

After graduating from IIT Bombay in 2005, I started my career in the, for a mechanical engineer, unlikely field of retail banking. I got an opportunity to work with HDFC Bank as part of their Business Solutions Group, which was later called the Business Process Re-engineering Group. I was part of the team taking care of retail payments and digital solutions for retail customers. It was a time when innovations in the payments space were just picking up. HDFC Bank had just recently launched their prepaid card variants; Netsafe, their one-time-use virtual card, was still in its infancy; the bank had big plans around the credit card and merchant acquiring business; mobile payments were something people had started talking about. In short, I was very fortunate to start my journey at such a stage, when India was at the starting point of re-imagining payments, and in an organization which was at the forefront of all this, under the supervision of a boss who allowed me to paint my own canvas without throwing his authority around whenever we had our disagreements and sometimes very heated debates.

I spent almost 9 years in HDFC Bank, and in those years I was instrumental in the implementation of many features of the Indian payments space. I was the one who implemented Verified by Visa (VbV), the backbone of second-factor authentication for online transactions, way before RBI decided to make it mandatory. Soon after, we extended it to MasterCard SecureCode. I was a key part of the EMV implementation across debit, credit and prepaid variants of cards for HDFC Bank. I got to be a part of one of the biggest banking mergers in Indian banking with the merger of HDFC Bank and Centurion Bank of Punjab. I was the man in charge of migration of all debit and prepaid card related data from CBoP to HDFC Bank.

When our financial inclusion business team needed support from the solutions team, I was pushed in that direction by my boss, and that gave me the opportunity to work on projects like Bank on Wheels and Ultra Small Branches. We experimented with biometric authentication for our rural approach, and that made me the obvious choice to work with UIDAI and NPCI during the early days of AEPS and APBS.

When Diners wanted to partner with HDFC Bank after the expiry of their engagement with Citi Bank in India, I got to be a part of that project and worked very closely with the Diners team to ensure a smooth launch of the HDFC Bank Diners Club Credit Card.

HDFC Bank also gave me the chance to work on the massive project of a core-banking upgrade, and gave me an understanding of the amount of planning that goes into executing a project affecting practically all departments of the organization, spanning a period of many months. How to manage and monitor the impact at various stages to avoid any catastrophe is one of the key things I learned from that project.

During this period mobile was also sneaking in, and we were all exploring how to exploit the growing influence of mobile phones to process payments, which allowed me to work on projects like mChek and mPesa. For our mChek implementation I made sure we stored card track data inside the mChek application on the mobile phone/SIM card, thus processing the transaction as Card Present instead of Card Not Present. Effectively we were using the mobile device as one factor of authentication in 2007.

I also got a feel for the regulatory and compliance areas by getting exposed to projects like SOX and PCI-DSS.

After my stint at HDFC Bank I moved on to Kotak Mahindra Bank, again as part of their Business Solutions Group. Two key projects I managed to execute in Kotak were enabling Kotak ATMs to acquire MasterCards and another banking merger, the merger of Kotak Mahindra Bank with ING Vysya Bank.

At this point I was approached by the team building Jio Payments Bank, and I joined them as their 11th employee with the mandate to design solutions for all their customer-facing services. This gave me a glimpse of how to build an organization from scratch with access to unlimited capital.

Aparajit was setting up an accelerator for early-stage Fintech start-ups and he approached me to help him with the same, and I jumped at the opportunity as it was clearly something very new for me and also exciting considering all the action happening in the Fintech space. I got a chance to invest in a few really good Fintech start-ups at a very early stage. One of them, Open Financial, is doing really well in the Open Banking/Neo Banking space. This stint gave me a closer look at venture investing and a balcony seat to all the action in the early-stage Fintech start-up space.

When things changed at the accelerator because of factors beyond our control, we all decided to move on in our respective directions, with me choosing to join the early-stage payments start-up Payabbhi as their Chief Product Officer.