Supporting Offline Transactions

In a recent communication RBI has pointed out the need for supporting digital transactions in offline mode in order to overcome the handicap of “lack of stable connectivity” as a hindrance to digital adoption. I thought it is a good time to talk about offline authorization, when it comes to processing payment transactions.

Some definitions first:

Authentication: Every payment transaction goes through two steps, authentication and authorization. Authentication is the step that validated the card user. Historically for transactions done using card plastic, this step was performed by taking signature of the customer on the merchant copy of the transaction slip. Then in order to ensure better security, RBI mandated the use of PIN inputted at the encrypted PIN-pad of the point of sale (POS) terminal.

For transactions performed without the plastic, i.e. used on a website, mobile app etc. this step is taken care of by asking the user to input a transaction password or OTP on the authentication page.

Authorization: Authorization is the step that validates the availability of funds. It is this step that is responsible for posting the transaction in your account.

Settlement: Settlement is the step that is responsible for movement of funds from Issuer Bank to Acquirer Bank. As part of this step the merchant claims the money from the acquirer bank and acquirer bank sends this claim to Visa/MasterCard/RuPay, which they then share with respective issuers for processing.

In online transaction scenario authentication and authorization are performed in real time, while the settlement is an offline step, that happens by exchanging the transaction data through the network and does not depend on connectivity at merchant location.

Offline Transaction: When a transaction is processed without connecting to issuer bank’s system in real time. This means the debit in your account will not appear immediately at the time of transaction.

There are two possible ways they will appear in your account, first is at the time of processing settlement, the issuer bank as part of their reconciliation process identify all the transactions where authorization was not performed online, but a settlement was received and post these transactions in customer’s account after reconciliation.

Second possibility is by syncing the offline transactions stored at the card/app next time the card interacts with another POS terminal that has connectivity or app finds the network connectivity. Don’t worry, will try to explain it in more details below.

This offline method of processing payment transactions has been in use in many countries but not in India. There are two primary reasons we did not see such transactions in India, (Transit cards and FasTag are two cases, where India does use offline method). First is low risk appetite. These transactions are riskier and there is possibility of more disputes and even possibility of loss to banks. Second is India is primarily a market driven by savings account and not credit cards. In savings accounts banks pay interest that means if a transaction is processed offline and is posted at a gap of few days to customer’s account (traditionally the gap between authorizations and settlement could be few days in many cases) the bank would in effect be paying interest to customer on money that she has already spent.

Floor Limit: Many countries have this concept called floor limit. What a floor limit means is at certain merchant categories payment transaction can be processed without online authorization provided transaction amount is below a certain amount. This amount in card terminology is referred as floor limit. So far floor limit in India has been Zero. Now from what I understand RBI is planning to make this floor limit as 200 Rs. That would mean any transaction below 200 Rs, processed at specific merchant categories will not require authorization from issuer bank. This transaction will be approved and stored at the terminal level and will be sent to acquirer at the time of settlement.

In this case no authentication or authorization is performed, just the details of the card are captured so that the claim can be prepared for settlement.

Now imagine if this was done few months back, would we have even needed FasTag. One of the very popular use case for this floor limit globally is toll payment.

EMV Cards: I am not sure how many of you know this but besides EMV being more secure, one of the reasons EMV was introduced was because of its capability to process transactions in offline mode, thus avoiding the need of sending every transaction through network and save on cost of communication. For countries where telecom cost is high, this could mean significant savings.

EMV protocol supports offline mode of transaction processing by provisioning for offline PIN, something that can be validated at card itself, thus taking care of the authentication step. There are various other parameters like last known balance (i.e. the balance at the time of last online transaction), cap on number of transaction (total number of transaction that can be approved at card chip level before it will force the transaction to go online. For example if this parameter is set up as 4, the chip will force every 5th transaction to be online. This 5th transaction will carry with it all the other past offline transactions thus syncing the issuer systems in the process.) and amount (cumulative amount up to which the chip on the card can process transaction in offline mode. Similar to the cap on number of transaction the moment this threshold is hit the chip forces the transaction to be processed online). From what I have read, it looks like RBI is proposing to set this amount limit at 2,000 Rs.

Most of the systems at banks these days are capable of the methods described above and should be able to implement without making much changes, thus can be rolled out fast.

Similar principles can be used in order to build the capability for other modes, which do not follow card protocol. In fact in case of modes like UPI, where a mobile device is involved this can be done in much better way considering unlike card a mobile device in capable of connecting to the issuer directly as soon as it finds network.

How FASTag Works?

FASTag is part of NETC (National Electronic Toll Collection) program by NPCI designed to provide an interoperable method of toll collection across the country irrespective of the acquirer, simple meaning that your FASTag device issued by any issuer will work on any toll plaza across the country irrespective of its acquirer. That is the benefit you get when working with NPCI.

Couple of days back a friend working in transit payments called me to understand how FASTag works. That call gave me impression to write this post. Here I will be explaining the transaction flow of a FASTag transaction in simple terms:

What is FASTag?

FASTag is a RFID tag that stores static information like TAG ID, which can be read by the receivers installed at toll plazas.

How it is issued?

FASTag can be issued by any NETC member banks and it is linked to either your Current or Savings account maintained with the bank or a prepaid account created by the bank for this specific purpose. My bank gave me a prepaid account with separate credentials for inquiry and other financial transactions. In my opinion it will be wise for fleet companies to link FASTag for their vehicles to current account maintained by the company.

At the time of issuance a TAG ID is created, which is then linked to a CASA Account or Prepaid Account, depending on the implementation at your bank and your vehicle details like vehicle type (car, truck etc.) and category (personal, commercial etc.). TAG ID along with Vehicle details and Bank ID are then added in NETC mapper maintained by NPCI. As soon as your details are updated in NETC mapper, your FASTag is ready to use.

How it works?

NETC Transaction Flow (Image Source: NPCI)

Step 1: As soon as RFID tag affixed to the windshield of your vehicle is in range of the acceptance terminal installed at toll gate, terminal read the TAG ID and Vehicle Details and send them to acquiring bank

Step 2: Acquiring bank sends the details received from the terminal to NETC mapper,

Step 3: NETC Mapper validates the details collected from the TAG and responds with TAG Status. If TAG Status is active, it proceeds to next step else driver needs to pay cash. Other possibilities could be TAG is not registered yet (new TAG), TAG is blacklisted etc.

Step 4: After successful validation of TAG details and status, Acquirer system calculates the toll amount to be collected and sends to NETC Mapper.

Step 5: NETC System sends the debit request to issuing bank, based on the issuer bank ID maintained in the Mapper.

Step 6: Issuer system processes the debit into customer’s account linked to FASTag and sends response back to NETC system. In case no response is received with-in the defined time-out period it is assumed to be approved automatically.

Step 7: NETC System sends a notification to the acquirer system

Step 8: Acquirer system sends notification to respective toll plaza system

This transaction is performed in offline mode with systems syncing every 10 minutes. This means that by the time Step 8 happens your car is already far away from the toll-plaza. Once the TAG ID is validated and its status is found to be active, it is assumed that there is enough balance maintained at the bank’s end to settle the transaction, which happens at every settlement cycle and facilitated by NPCI through a system called EGCS (ETC Global Clearing and Settlement).

Settlement flow for FASTag transactions. (Image Source: NPCI)

NPCI basically collects the money from issuer banks and distributes it among acquirer banks as per the transactions processed during the settlement cycle. Acquirer bank then settles the funds with respective toll plazas.

What happens if your account does not have money?

Since the value of toll is usually small and syncing cycle is ten minutes, the exposure due to lack of funds in account is very limited. Having said that banks have a provision of keeping a security deposit for safeguarding themselves in any such possibility. In case your account does not have necessary funds to pay for the toll, same is deducted from your security and your FASTag is blacklisted and updated in NETC mapper to stop further transactions on that TAG till balance is maintained again.

My bank has taken 500 Rs as security deposit. The assumption is that for a private vehicle to pass through so many toll plazas with-in 10 minutes is practically very remote. I am assuming for heavy/commercial vehicles this security deposit would be higher. In case of fleet companies having multiple tags linked to same current account there might be a special arrangement negotiated with the issuer bank.

How to reload a FASTag account?

In case it is linked to your savings or current account, there is no question of separately reloading the account. While my bank doesn’t offer me this option, I am assuming, whichever banks would be offering this option must be keeping some cap on the amount from safeguarding perspective.

In case of prepaid account set-up like my bank, I have been given multiple options to reload. Your bank may even offer an auto-reload option where, if your balance goes below a particular threshold bank can initiate a reload by debiting your linked account or card that you may have provided while setting up the FASTag account.

This is the simplest explanation I could come up with for FASTag transaction flow that is easy to understand by most and also explains how it can be achieved at the speed of traffic i.e. your car practically doesn’t need to stop at the plaza for deducting the toll. This is unlike the regular transit card solutions where balance is usually maintained at the chip inside the card and offline balance is updated at the time of transaction.

Even more thoughts on MDR debate

In my last post I had touched upon the entire authorization piece for card transactions and how it makes sense to have MDR for Credit Card transactions however it feels unreasonable when it come to Debit Card transactions. Today I will explain the settlement aspect of transaction and try to make sense of MDR charges based on settlement flow.

How settlement for a card transaction works?

After transaction is completed merchant claims money from the acquiring bank. Acquiring bank further sends a file to Interchange and Interchange gets the money from Issuer Bank. This entire cycle traditionally used to take days.

Acquiring bank is making a guarantee to the merchant and based on that guarantee, they process the transaction. Interchange is giving the guarantee to acquirers. Meaning in the event of an issuers inability to pay for a transaction done by its customer the interchange will ensure that the acquirer gets paid for the money they have paid to the merchant.

Above risk is high if you assume settlement cycle spread across many days. However in today’s fast paced world the settlement cycle is shrinking. We are practically settling the transaction with-in T+1 days. There are continuous attempts to shrink this cycle to make it even near real time. If that happens the risk by acquirers and interchange is going to be practically zero.

Many debit cards in the market even follow a single message settlement protocol similar to ATM transactions. In this case there is no need for merchant to process any batch settlement. The settlement is processed automatically by default.

This risk taken by acquirers and interchange on top of supporting the ecosystem with their technology and operations is additional justification for them getting a share of the transaction fee, however this still beats me, why the fee should be paid by the merchant and not by the issuer.

The merchant is the first one to go out of pocket (he has sold the goods without money in his/her account) hence contributes to zero risk in this entire ecosystem. Customer is using his debit card meaning he/she is using the money that he/she has parked in the his/her account already, hence not contributing to any risk. At the time of transaction the money is debited from customer’s account and parked in a payable account by the issuer bank. It is this account that is used to settle money with the interchange.

If a issuer bank has managed to get into a situation somehow (recent Yes Bank situation) that they are not able to settle with the interchange it is definitely not because of the customer and/or the merchant, hence in all fairness it is them who should fund the entire ecosystem from their income through deposits and not fleece the merchants.

If you want merchant to pay MDR, issue credit cards and give enough incentives to your customers to use them. If customer prefers to use his/her debit card instead, it is ideally his/her bank’s responsibility to offer necessary ecosystem to access his/her funds. Always remember the issuer banks are already making profits by investing this money parked by customers in their CASA.

Four years back RBI suggested some reforms in this consultation paper however no action has happened in that direction. What I am suggesting is not exactly the same but fundamentally both are using the base analogy that the benefits are currently unfairly tilted in favor of issuer banks and it is these issuer banks who should bear the most of the burden instead of expecting other players in the ecosystem to fund for the infrastructure needed for its customers to access funds parked in their accounts in these banks.

Recent growth in this ecosystem was fueled by VC/PE money, which may not be available in same proportion given the current global slowdown caused primarily by the Coronavirus pandemic. This means some key players will find it extremely difficult to survive and it will not be good for the overall digital payment ecosystem. It is in the interest of issuer banks to save this ecosystem by taking ownership of the costs involved. If that doesn’t happen, only players surviving will be the ones with deep pockets not the ones with better innovation. This will eventually kill the innovation in this space and steer entrepreneurs away from attempting new/innovative solutions in this space.

More Thoughts on MDR Debate

So much chatter going on in Indian market around MDR, short for Merchant Discount Rate, thanks to NPCI making MDR zero for RuPay debit card transaction based on instructions from Finance Ministry. I had touched upon this topic once before here. However now coronavirus pandemic putting extra pressure on most of the businesses including payment facilitators, this topic is again making rounds. I felt like I should put together one post explaining my views in other post where I have supported the move of zero MDR.

First thing let’s talk about what is MDR and why it has been there as a key source of revenue for payment providers. MDR is the money that is paid by the merchant to the payment ecosystem used in facilitating the transaction. All the parties involved in the value chain i.e. acquirer, interchange and issuer get their share from this MDR including the third party technology or operations service providers used by these parties. MDR is typically a small percentage of transaction value, somewhere between 0.8 percent to 3 percent. Essentially what it means is that when you pay a merchant 100 Rs using your American Express credit card, the merchant actually gets only 97 Rs, while the 3 Rs are used to pay everyone involved in facilitating this exchange.

Now why would a merchant agree to take a cut in his/her income to facilitate this after-all it’s the merchant who drives the mode of transaction and not other way round. How often have you refused to deal with a merchant because he did not accept your credit card? You find a way to pay that merchant accepts and move on with your purchase. Then what is the answer? In a credit card world card company is facilitating the purchase by offering an instant credit to the customer thus taking a risk on the transaction, this risk taken by the issuer enables the purchase to go through, which may not have happened in case the credit was not issued at the time of transaction. Now here is something for the merchant to gain, he is gaining a sale, which may not have happened otherwise. That is the reason merchant doesn’t mind paying that MDR. Now issuer alone cannot support this massive ecosystem, so parts of this MDR is distributed among other participants in the ecosystem.

If the MDR was for supporting the technology and operational cost for running the ecosystem, it would have been a flat fee and not a percentage of the transaction amount, because cost of processing a transaction remains more or less the same irrespective of the transaction amount. So primary reason a merchant agrees to pay an MDR is because issuer is taking a risk on the transaction by issuing an instant credit in order to facilitate the purchase. Bigger the amount, bigger the risk for the issuer.

Then industry launched debit cards in order for customers to access the funds parked in their savings and current accounts. Instead of reinventing the wheel, they decided to ride on the same infrastructure set-up for credit cards to facilitate debit card transactions as well but then they got too lazy and even copied the same MDR based business model. In case of debit cards customer has already parked funds in banks and banks are making more money from that money and it is responsibility of banks to facilitate access of funds in his/her bank account to its customer. Banks do not want customers to line up in the branches because that is the most expensive mode of transaction for banks, in order to save that cost banks have set up digital infrastructure to provide easy access to customers, this also includes POS/Payment Gateway infrastructure.

I am of the view that MDR model is fine for credit card universe however it does not make any logical sense for debit card transactions and issuer banks should bear the cost of these transactions instead of passing that cost to merchants or customers in anyway. Issuer banks should pay interchange and acquirers on fixed fees basis, then acquirers should compensate their technology and operations partners from their share. Interchanges as the bodies at the center of all this should facilitate working of a reasonable compensation mechanism for sustainable ecosystem growth.

Since the industry had been running on this illogical model for far too long everyone had gotten used to it; but zero MDR move by Government should work as a catalyst to drive this change and implement a more logical and sustainable business model, which is not designed to unreasonably favor the banks. Banks should not be allowed to only benefit from this entire ecosystem, while other partners share the entire burden of cost. I hope NPCI leads the way here with support from RBI and Finance Ministry to arrive at a agreeable solution that doesn’t ruin the payment facilitators and force them out of business. If that happens customer will be the biggest loser.

PS: This piece was originally published as my opinion piece on IBS Intelligence blog.

Google Debit Card

Recently I came across news stories covering Google’s plan to launch a Debit Card. It all started with this TechCrunch article comparing this move with Apple Card launch. First of all, to me that is not a fair comparison to begin with because Credit and Debit card are two fundamentally different products at their core. If you keenly analyse the brand positioning of Apple vs Android, you would realize that these offerings are very much in-sync with that. This also reflects the markets where each of them are dominant players. While Apple’s dominance is in markets where credit is primary mode of transaction, however Android is leader in markets with savings account as primary source of funds for day today expenses. All those jokes about one needing credit to buy an iPhone are based on some truth.

As the TechCrunch article also pointed out, it is not Google’s first attempt at launching a card, they tried it when they launched Google Wallet in 2012. (I keenly followed that project, because I was in process of building my own wallet before Google announced their pilot. This is story for another time though.) While there were many aspects of Google Wallet that I found fascinating, I was skeptical about the debit card bit because of the entire on-boarding experience. I had seen journey of multiple debit card variants physical, virtual, mobile launched by HDFC Bank to make that prediction.

Now however the times have changed. First of all, now Google has experienced massive success in India under UPI product, which inherently accesses the funds from CASA accounts only. This must have given massive confidence boost to Google Pay team to make another attempt at launching an instrument accessing funds from CASA accounts. Since UPI is as of now an India specific phenomenon, Google is trying to rely on Debit Card variant one more time, now riding on the newfound confidence. What will be the on-boarding experience is not yet known, but if they can use the learning from earlier experience, they might be able to do it better. We managed to issue a very efficient mobile variant of debit card in 2006-07, as part of m-Chek project I did for HDFC Bank in partnership with then m-Chek and Airtel. It was for not so smart phones popular back then, now the world has moved much ahead in technology adoption.

Why Google would want to do this? My answer to this question is still the same as it was in 2013. Google’s primary source of revenue is ads. Currently Google can very efficiently track the efficiency of their ads right up to the point of click, however it is not so efficient when it comes to tracking the last mile of purchase. Being able to know the effectiveness of their ads right up to the point of purchase is equivalent of digital gold for Google, a company that has built the biggest empire on user data.

This data will be the key to unlocking an effective way for selling Financial Products like Insurance, Investment Products etc, which are essentially push products and no digital company has so far been able to crack the code for selling such push products (I was planning to go on this journey but then fate had other plans for me). If Google can crack this piece of the puzzle with access to this additional data, it will completely revolutionize the way products are sold digitally and I am not talking about Financial products only here.

In addition to above it would be very easy for Google to push transactions happening with-in their ecosystem on these cards. This is what the partnering banks gain, an easy distribution channel and almost certain activation, with massive transaction value flowing through these cards.

In summary, if done right, I believe it is going to be a game-changing move completely different from Apple Pay’s journey. This not only has the potential to impact Fintech world in a big way but also how entire digital commerce is done today.

PS: This also has the potential to make Google first truly effective neo-bank for retail customers, however I am not sure if Google would have those aspirations.

Transit Payments

Coronavirus (COVID19) has made us all conscious about avoiding unnecessary human contact to protect oneself from getting infected. This made many people think about how cash can be one of the careers. I am not familiar with the biology of the virus and how exactly this transmission would work. However if people are worried about cash then exchanging cards during transaction or touching POS machine to input PIN can also be a problem. That means in the days of COVID-19 safest mode of payments (talking from health perspective here) would be contactless payments like QR codes, NFC, RFID, Tone etc. Transit payments is one of the most popular use case of contactless payments around, which has been even more mainstream since the push for Fastag for toll payments by Indian Government.

During my banking days, I got the chance to lead the solution for Jaipur Metro (JMRC), which was being managed by DMRC. So essentially I got to study how Delhi Metro payments work and also design the solution for JMRC using the learning from Delhi project. In this post I would like to explain some of the key factors to be kept in mind while designing such a solution.

Transit payments are a different category for a very simple reason because of its need to be exceptionally fast, much faster than any other payment method we use. If the transaction is not processed with-in a fraction of second end-to-end we can see endless queue of angry customers forming, be it payments at toll-booth or entry and exit points of metro stations or entry and exit points of your city bus. We do not have the luxury to take 10-15 seconds to process the transaction, when it comes to this particular use case. That takes online authentication out of the picture. Offline authentication is the method of authentication where transaction is authorized locally by the instrument itself without traveling to issuer host system over the network.

The technology commonly used for this type of transaction processing is RFID (Radio Frequency Identification). When you are issued a card or a sticker or any other form factor, it typically contains an RFID chip, which communicates with the receiver installed at the gates of transit system to read the balances and post transactions. The instrument used for this purpose is typically a prepaid card, where the balance is updated at the CHIP locally, hence eliminating the need to communicate with the server every time transaction needs to be processed.

There are combo version of these cards also popular, which are nothing but debit/credit cards with either an additional RFID Chip embedded inside the plastic dedicated for transit payments prepaid card or have a separate dedicated block in the EMV chip for this purpose. Essentially they are for all practical purpose two cards linked to a single plastic.

How a typical transaction works?

Transaction at single interaction point like toll-gate is very simple because there is a fixed amount to be deducted every time you pass through the gate. The receiver installed the gate access the balance on your Fastag and update the balance by deducting the fixed amount.

Transactions with two gates i.e. interactions at entry and exit points like metro gates or city bus are slightly more complex. In this case at the time of entry the receiver installed at the gate checks the balance and updates the entry point on the CHIP. At the point of exit when you flash your card the receiver at the exit gate calculates the fare based on the entry point and deducts the amount from the prepaid card updating the balance accordingly.

How the card is reloaded?

Reloading of these cards works very similar to any other prepaid wallet or prepaid SIM, where you go to partner bank’s point of interaction Branch, ATM, NetBanking, Mobile Banking etc (depends on the partner bank) provide your unique ID (ID tagged to the RFID Chip) and make the payment.

The bank then communicates this to the transit partner and this reload transaction is updated in their system. The moment your card comes in contact with the sensors at transit partner the balance is updated in the CHIP. You can alternatively access special devices installed by the transit partner for specific purpose of load/reload of transit card. This can even be done over the counter by transit partner.

In JMRC project we even had provision of stand-in instruction wherein every time sensors at transit partners read the balance in your transit card go below a pre-set threshold the bank will get a file from the transit partner with all such card IDs, banking partner will then debit their respective linked accounts by a predefined amount and send the file back to transit partner to update the balances in their systems.

NPCI has developed specifications under Rupay Contactless Product umbrella, which is now the basis for NCMC (National Common Mobility Card), which is expected to be the dominant mode for transit payments in near future.

Co-branded Cards: Can It Go Beyond Branding

I had come across multiple news items regarding various co-branded cards like RBL Bank launching co-branded card with Zomato and HDFC Bank launching co-branded cards with Indigo Airlines. These stories prompted me into writing down my thoughts on this very popular product category among payment cards.

During my days in Banks I had worked on a co-branded card program in partnership with Jet Privilege. Apart from printing the Jet Privilege logo and customer’s JP number on the card the partnership also brought a common/shared reward program. From customer’s perspective customers could earn their credit card reward points in the form of JP miles and also get other promotional benefits that Jet Privilege was offering to its members. It has been years since and so far the fundamentals of co-branding remains the same.

In today’s day and age when mobile phone is increasingly becoming the preferred payment instrument instead of card plastic, specially with brands like Zomato and Indigo Airlines, I would have expected co-branded cards to offer benefits beyond shared promotions and rewards. Call me a demanding customer but if the common goal of co-branding exercise for both the brands is customer acquisition and retention, wouldn’t offering superior transaction experience across shared brand will enhance the offering even further. While banks are still in denial about UX being a key part of customer acquisition and retention strategy, brands like Zomato must know this very well.

One of the examples of how co-branding can go beyond shared rewards and also offer superior transaction experience between shared brands (specially for mobile phone universe) is single click transaction with partner brand. As part of co-branding exercise both entities exchange the customer identities at their respective ends, why not shared authentication.

When I implemented 3 D Secure, which is the back bone of online 2 factor authentication process for Visa (branded as VbV – Verified by Visa), MasterCard (branded as MasterCard Secure Code) and Diners cards, there was a model called Issuer Trusted Party of ITP, which allowed issuers to enable trusted third parties to perform 2nd factor of authentication during online transactions.

If I take Zomato and RBL Bank as sample case here, RBL can register Zomato as trusted third party and allow Zomato’s customer authentication as 2nd Factor Authentication by-passing Bank’s OTP during the transaction. This would mean that RBL Bank’s Zomato co-branded card holders will not only get the shared rewards and promotions, they will also have better transaction experience than any other card holders, thus making the case even stronger for customers to go for this card.

I am not sure how strong Zomato’s customer authentication mechanism is to be used at 2nd factor authentication for payment transaction but in this digital age they should have a strong authentication, if not they must work on it then.

डिजिटल भुगतान: कार्ड पेमेंट (पार्ट-४): धोखाधड़ी की रोकथाम

यह कार्ड भुगतान पर मेरी श्रृंखला का अंतिम भाग है और इस पोस्ट में मैं कार्ड उपभोक्ताओं को लक्षित कुछ आम धोखाधड़ी के तरीकों को कवर करने की कोशिश करूँगा। हम यह भी देखेंगे कि आप इन सबसे अपनी रक्षा कैसे कर सकते हैं।

स्किमिंग: लेनदेन के समय आपके कार्ड की जानकारी चुराने और फिर उस जानकारी का दुरुपयोग करने की प्रक्रिया ‘स्किमिंग’ है। स्किमिंग के द्वारा आपके कार्ड पर धोखे से लेनदेन की जाती है। इसमें जब भी कार्ड को पीओएस या एटीएम डिवाइस पर स्वाइप किया जाता है तो जालसाज स्वाइप के समय कार्ड की जानकारी चुराने के लिए एक बाहरी कार्ड रीडर को अटैच करता है।

इस तरह की धोखाधड़ी को रोकने के लिए सबसे प्रभावी उपाय चिप (ईएमवी) कार्ड का प्रयोग है। आरबीआई ने सभी कार्ड जारीकर्ताओं को यह सुनिश्चित करना अनिवार्य कर दिया है कि जारी किए गए सभी डेबिट और क्रेडिट कार्ड चिप कार्ड हों। एटीएम मशीनें अपने कार्ड रीडर्स को ऐसे डिजाइन कर रही हैं ताकि किसी भी अतिरिक्त बाहरी घटक को अटैच करना मुश्किल हो सके। पर अपने-आप को इससे बचाने के लिए कुछ सावधानियाँ इस प्रकार हैं:

एक स्किम्मर का उदाहरण

१. सुनिश्चित करें कि कार्ड हर समय आपकी दृष्टि में रहे और जिस डिवाइस पर कार्ड स्वाइप किया जा रहा है वह आपको स्पष्ट रूप से दिखाई देता रहे। और इसमें कोई बाहरी घटक डिवाइस से जुड़ा हुआ नहीं रहे।

एटीएम स्किम्मर

२. एटीएम का उपयोग करते समय सुनिश्चित करें कि एटीएम के कार्ड रीडर से कोई बाहरी घटक जुड़ा हुआ नहीं है (कई एटीएम जो अभी भी चुंबकीय रीडर का उपयोग करते हैं, कार्ड रीडर में कार्ड प्रविष्टि को बाधित करने के लिए “जिटर ” का उपयोग करते हैं; जो यह सुनिश्चित करता है कि कार्ड डेटा बाहरी डिवाइस द्वारा कैप्चर नहीं किया जा रहा है)। कार्ड रीडर पर किसी बाहरी घटक संलग्न होने की पहचान करने का एक तरीका कार्ड रीडर से प्रकाश के “ब्लिंक” होने को सुनिश्चित करना भी है। यदि आप स्पष्ट रूप से कार्ड रीडर पर प्रकाश नहीं देख सकते है तो उस एटीएम का उपयोग करने से बचें।

इस प्रकार की धोखाधड़ी लोकप्रिय पर्यटन स्थलों में विशेष रूप से प्रचलित है। कारण यह है कि कार्ड एक पर्यटक का है जो अपनी अपने घर लौटकर बाहर में की गयी कार्ड गतिविधियोँ की समुचित जाँच और पूछताछ नहीं कर पाता। यात्रा के समय आपको कार्ड को लेकर ज्यादा सचेत रहना चाहिए। अपने हाल के ऑस्ट्रेलिया दौरे पर मैंने देखा कि वहाँ के दुकानदार आपको खुद से कार्ड स्वाइप करने के लिए प्रेरित करते हैं, जो एक सुरक्षित तरीका है।

फ़िशिंग: फ़िशिंग वही है जो इसका शाब्दिक अर्थ लगता है (मछली पकड़ना)। इसमें जालसाज, लोगों को अपनी संवेदनशील जानकारी प्रकट करने के लिए लक्षित करता है। फ़िशिंग के बारे में जानने का एक और मनोरंजक तरीका है, नेटफ्लिक्स “जामतारा” वेब-सीरीज जो एक दूरदराज शहर के युवाओं के एक दल द्वारा चलाए जा रहे टेली-कॉलिंग फिशिंग रैकेट पर आधारित है।

विकिपीडिया परिभाषा के अनुसार, “इलेक्ट्रॉनिक संचार में फ़िशिंग एक छुपे हुए जालसाज द्वारा उपभोक्ता का नाम, पासवर्ड और क्रेडिट कार्ड विवरण के रूप में संवेदनशील जानकारी प्राप्त करने के लिए धोखाधड़ी का प्रयास है।”

यदि आपको अपने जारीकर्ता या किसी अन्य इकाई से कॉल, एसएमएस या ई-मेल प्राप्त होता है जिसमें आपसे कार्ड नंबर, पिन, सीवीवी, ओटीपी, नेट बैंकिंग आईडी और पासवर्ड आदि जैसी संवेदनशील जानकारी साझा करने का अनुरोध किया जाता है तो इस तरह की धोखाधड़ी से खुद को बचाने का एकमात्र तरीका यह है कि किसी भी माध्यम पर अपनी संवेदनशील जानकारी साझा न करें। आपका बैंक कॉल, एसएमएस या ई-मेल पर ये विवरण कभी नहीं पूछेगा।

वेबसाइट स्पूफिंग: इसमें धोखेबाज एक वेबसाइट बनाएंगे जो किसी अन्य विश्वसनीय इकाई की वेबसाइट की तरह दिखती हो; यहां तक कि यूआरएल भी समान दिखता हो (सामान्यतः इसमें किसी एक करैक्टर को बदल दिया गया रहता है)। इसका बचने का एक सरल तरीका है कि आप ई-मेल या एसएमएस पर प्राप्त लिंक पर क्लिक करने के बजाय यूआरएल को स्वयं टाइप करें।

स्पूफ़िंग का एक उदाहरण

वेबसाइटों द्वारा उपभोक्ताओं को सही पेज पर पहुँचाने के लिए कुछ चेक और नियंत्रण दिए जाते हैं। उदाहरण के लिए, कुछ वेबसाइटों में एक छवि या संदेश प्रदर्शित होता है जिसमें आपको संवेदनशील जानकारी इनपुट करनी होती है। एचडीएफसी बैंक नेटबैंकिंग एक तस्वीर और आपके द्वारा चयनित संदेश अपने लॉग-इन पृष्ठ पर प्रदर्शित करता है ताकि यह सुनिश्चित किया जा सके कि आप अपनी जानकारी प्रामाणिक बैंक के पेज पर डाल रहे हैं न कि किसी अन्य स्पूफ्ड वेबसाइट पर।

सोशल इंजीनियरिंग: धोखाधड़ी का यह तरीका किसी उद्देश्य के लिए उपयोग की जा सकने वाली गोपनीय या व्यक्तिगत जानकारी को प्राप्त करने के लिए जालसाज द्वारा प्रयोग में लाया जाता है। ऊपर बताई गई ‘फिशिंग’ एक प्रकार की सोशल इंजीनियरिंग है। इस संदर्भ में सोशल इंजीनियरिंग के कुछ अन्य तरीके हैं ‘विशिंग’ – जहां धोखेबाज किसी कंपनी के ग्राहकों से संवेदनशील जानकारी प्राप्त करने के लिए उसके आईवीआर (इंटरएक्टिव वॉयस रिस्पांस) की नकल करेंगे; या फिर ‘बेटिंग’ – जिसमे जालसाज आपको ई-मेल या एसएमएस पर एक लिंक भेजेगा जिससे आप कुछ इनाम या कुछ नुकसान के खतरे के वादे के कारण संक्रमित लिंक पर क्लिक कर बैठेंगे।

वास्तविक दुनिया में नाइजीरिया या सूडान का कोई राजकुमार आपके साथ अपनी संपत्ति साझा करने के लिए मरा नहीं जा रहा; न तो आपने किसी कोका-कोला या रीडर्स-डाइजेस्ट की लॉटरी जीती है। आरबीआई या आयकर विभाग भी आपके खाते में पैसे नहीं डाल रहे, और न ही पीएम नरेंद्र मोदी आपको स्विस बैंक से वापस लाये पंद्रह लाख रुपये देना चाहते हैं। इस लिए अपना बैंक अकाउंट या कोई अन्य व्यक्तिगत जानकारी किसी को न भेजें। रसोई गैस की सब्सिडी पाने के लिए भी आपको बस अपना आधार कार्ड अपने बैंक अकाउंट से लिंक करना होता है, और कुछ नहीं।

मनी-म्यूल: एक मनी-म्यूल जिसे कई बार ‘समर्फर’ भी कहा जाता है, वह व्यक्ति है जो धोखेबाजों को अवैध रूप से पैसे हस्तांतरण में मदद करता है। यदि आपको कोई ऐसी कहानी सुनाता है कि उसे बहुत सा धन ट्रांसफर करना है और आपके अकाउंट को कुछ दिनों के लिए पैसे “पार्क करने” और फिर आगे ट्रांसफर करने का जरिया बनाना चाहता है तो समझ जाएँ कि आपको एक बड़े फ्रॉड में फंसाने की तैयारी है।

जब पैसा डिजिटल रूप से ट्रांसफर होता है, तो यह एक “ट्रेल” यानि निशान छोड़ देता है और इसका उपयोग जालसाज की पहचान करने और गिरफ्तार करने के लिए किया जा सकता है। इससे बचने के लिए धोखेबाज बड़ी संख्या में विभिन्न खातों के माध्यम से पैसे भेजकर एक विस्तृत निशान बनाते हैं। यदि आप एक मनी-म्यूल के रूप में कार्य करते हैं तो आप धोखाधड़ी में एक सह षड्यंत्रकारी बन जाते है और किसी भी आपराधिक कार्यवाही होगी तो आप उत्तरदाई होंगे। तो थोड़े फायदे के लिए अपराधी बनने से बचें।

अपने मोबाइल फोन की रक्षा करें: इन दिनों डिजिटल लेनदेन के समय आपका मोबाइल फोन बहुत महत्वपूर्ण हो गया है। कई मामलों में आपके मोबाइल डिवाइस का उपयोग प्रमाणीकरण के एक मोड के रूप में प्रयोग किया जाता है। अधिकांश समय आपके मोबाइल फोन पर प्राप्त ओटीपी का उपयोग २-कारक प्रमाणीकरण के रूप में किया जाता है और कई बार वेबसाइटों और मोबाइल ऐप्स आपके कार्ड विवरण को स्टोर करते हैं।

अब आप कल्पना कीजिये कि आपने अपना फोन खो दिया और वह किसी जालसाज को मिल गया। आपका फोन अनलॉक है क्योंकि आपने फोन को पासवर्ड या फिंगरप्रिंट से प्रोटेक्ट नहीं किया है। जालसाज ने देखा कि अपने फोन में आपने अपने टेलीकॉम ऑपरेटर का एप्प रखा है जिसमे आपका कार्ड इन्फॉर्मेशन भी सेव किया हुआ है। अब वह जालसाज आपके कार्ड की जानकारी और आपके फोन पर आने वाले ओटीपी को प्रयोग करके कोई भी ऑनलाइन खरीददारी कर सकता है। इस घटना से आपको सिर्फ कार्ड के पीछे लिखा सीविवि नंबर बचा सकता है, पर यह जानकारी भी आपसे धोखे से ली जा सकती है।

इस मामले में मेरी एकमात्र सलाह है कि १. अपने मोबाइल नंबर को केवल उन ऐप्स/वेबसाइट पर स्टोर करें जिनका आप अक्सर उपयोग करते हैं; २. अपने स्मार्टफोन पर एक्सेस कंट्रोल सेट करें चाहे वह पिन, पैटर्न, फिंगरप्रिंट या फेस आईडी में से कोई भी सुरक्षा हो, ३. अपना फोन खोने न दें और खोने पर अपने कार्ड के साथ अपना फोन नंबर भी ब्लॉक करवा दें।

अंत में एक महत्वपूर्ण सलाह यह है कि अगर आप किसी भी प्रयोजन से अपनी आईडी प्रूफ या के.वाई.सी. की कॉपी दे रहे हों तो उसपर तारीख और प्रयोजन लिख कर हस्ताक्षर करें ताकि आपका वह प्रमाण किसी जालसाज द्वारा आपके बैंक में जमा करके बैंक को कोई निर्देश देने (उदाहरण के लिए पता बदलने, कार्ड के पुनः जारी करने, पिन का पुनः जारी करने, नई चेक बुक आदि) के लिए प्रयोग में नहीं लाया जा सके।

इस लेख का हिंदी अनुवाद मेरे ट्विटर मित्र राहुल तिवारी ने किया है। आप लोग उनको ट्विटर पे @In_Blogger फॉलो कर सकते हैं।

डिजिटल भुगतान: कार्ड पेमेंट (पार्ट-३): सुरक्षा

कार्ड भुगतान पारिस्थितिक तंत्र को उसके पूरे वैल्यू-चेन में शामिल विभिन्न पक्षों की सुरक्षा की दृष्टिकोण से डिज़ाइन किया गया है। मैं अपने “डिजिटल भुगतान” (पेमेंट) सीरीज में इस लेख को इन सुरक्षा उपायों के ऊपर केंद्रित करना चाहूंगा ताकि उपभोक्ता इसकी जानकारी रख सकें। कार्ड भुगतान से सम्बंधित हर इकाई, सिस्टम और प्रक्रिया को भुगतान कार्ड उद्योग (पीसीआई-डीएसएस) द्वारा स्थापित डेटा सुरक्षा मानकों का पालन करना होता है; ताकि सभी संवेदनशील जानकारियाँ किसी भी समय सुरक्षित रह सकें। 

~ कार्ड जारीकर्ता द्वारा नियंत्रण ~ 

कार्ड प्रिंटिंग: कार्ड जारी करने के समय ‘कार्ड प्रिंटिंग फ़ाइल’ बनाई जाती है, जिसे ‘एन्क्रिप्टेड’ प्रारूप में प्रिंटिंग इकाई में ले जाया जाता है। कार्ड प्रिंटिंग पूरी होने के बाद इसे नष्ट कर दिया जाता है। मैं इस तरह की एक प्रिंटिंग इकाई में गया और मैंने उसके सुरक्षा मानकों का स्वतः अनुभव किया है। डेटा सुरक्षा के साथ वे शारीरिक सुरक्षा पर भी सख्त नियंत्रण रखते हैं। वहां आगंतुकों को कई बंद दरवाजों के माध्यम से ले जाया जाता है और उन्हें जेब वाले कपड़े पहनने की भी अनुमति नहीं होती है।

चिप (.एम्.वी. कार्ड): पहले कार्ड द्वारा लेनदेन में चुंबकीय पट्टी का उपयोग किया जाता था। चुंबकीय पट्टी के साथ समस्या यह थी कि इसमें संग्रहीत जानकारी स्पष्ट रूप में संग्रहीत की जाती थी और कार्ड रीडर पर कार्ड स्वाइप करके धोखेबाजों द्वारा चोरी की जा सकती थी। कार्ड की जानकारी चुराने की इस प्रक्रिया को “स्कीमिंग” कहा जाता है। इससे उपभोक्ताओं की सुरक्षा हेतु भारतीय रिज़र्व बैंक ने अब ई.एम्.वी यानि चिप वाले कार्ड का प्रयोग अनिवार्य कर दिया है। ई.एम्.वी कार्ड का लाभ यह है कि इसके चिप में संग्रहीत सभी जानकारी एन्क्रिप्टेड रूप में होती है।

पिन प्रिंटिंग: आपके कार्ड का पिन कहीं भी किसी भी सिस्टम में संग्रहीत नहीं है। पिन जारी करने के समय पिन ब्लॉक एक जटिल तर्क और एन्क्रिप्शन का उपयोग करके उत्पन्न होता है और सीधे पिन-प्रिंटर को निर्देशित किया जाता है। पिन को सील रूप में ही मुद्रित किया जाता है, और केवल पिन मेलर को फाड़कर ही देखा जा सकता है। इससे पिन की सूचना उपभोक्ताओं को पूर्णतः सुरक्षित रूप से पहुँचाई जाती है। इस प्रक्रिया में सावधानी का स्तर यह है कि कार्ड और पिन दोनों अलग-अलग स्थानों पर मुद्रित किए जाते हैं (उदाहरण के लिए एच.डी.एफ.सी. बैंक के कार्ड चेन्नई में मुद्रित किए जाते हैं, जबकि पिन प्रिंटिंग आमतौर पर मुंबई में होती है)। ऐसा यह सुनिश्चित करने के लिए किया जाता है कि कार्ड और पिन उपभोक्ता के पास पहुंचने से पहले कभी भी एक साथ नहीं होते हैं। इसके अलावा, कार्ड सिर्फ उपभोक्ता के पते पर ही भेजे जाते हैं। डिलीवरी-मैन आमतौर पर आपको कार्ड किट सौंपने से पहले ‘आईडी प्रूफ’ भी मांगता है।

पिन सत्यापन: लेन-देन के समय पिन को कुंजी पैड (की-पैड) पर एन्क्रिप्ट किया जाता है और एक एन्क्रिप्टेड पिन ब्लॉक उत्पन्न होता है। पिन एन्क्रिप्टेड प्रारूप में प्रमाणीकरण के लिए जारीकर्ता के पास पहुँचता है। पिन ब्लॉक जारीकर्ता सिस्टम में बैक के पास उपलब्ध सूचना का उपयोग करके उत्पन्न होता है। दोनों पिन ब्लॉक की तुलना की जाती है और यदि मिलान हुआ तो पिन प्रमाणीकरण सफल होता है।

सीवीवी या सीवीसी: यह आपके कार्ड से जुड़ा तीन अंकों का कोड है और इसी सीवीवी2/सीवीसी2 कोड का एक प्रारूप आपके कार्ड के पीछे छपा रहता है । यह तीन अंकों का कोड केवल कार्ड प्लास्टिक पर उपलब्ध है और सीवीवी/सीवीसी या सीवीवी 2/सीवीसी2 (सीएनपी लेनदेन के लिए) की उपस्थिति का मतलब है कि विवरण प्रदान करने वाला व्यक्ति कार्ड प्लास्टिक का धारक है।

यह बहुत महत्वपूर्ण है कि लेनदेन के समय कार्ड-विवरण कैप्चर पेज को छोड़कर किसी भी व्यक्ति के साथ पिन और सीवीवी की जानकारी साझा नहीं करनी चाहिए। 

कारक प्रमाणीकरण (2 फैक्टर ऑथेंटिकेशन): आरबीआई के जनादेश के अनुसार भारत में सभी कार्ड ट्रांजैक्शन को ऑथेंटिकेशन के 2 कारकों के साथ प्रोसेस किया जाता है। आमतौर पर ये दो कारक नीचे दिए तीन कारकों में से किसी दो का संयोजन हैं: 

१.  आपके पास क्या है? कार्ड की दुनिया में यह आमतौर पर आपका कार्ड-प्लास्टिक होता है या यदि आप अपने पंजीकृत मोबाइल डिवाइस के माध्यम से लेनदेन कर रहे हैं, तो यह आपका मोबाइल डिवाइस हो सकता है।

२.  आप क्या जानते हैं? आपके पिन या पासवर्ड इस श्रेणी में आते हैं। यह एक गुप्त जानकारी है जिसे केवल आप और आपके कार्ड जारीकर्ता जानते हैं और मान्य कर सकते हैं।

३.  आप कौन हैं? प्रमाणीकरण के सभी बायोमेट्रिक रूप इस श्रेणी में आ जाएंगे। सबसे आम बॉयोमीट्रिक आपका फिंगर प्रिंट है। भविष्य में हम आँख की पुतली, आवाज, व्यवहार, चेहरा आदि को भी प्रमाणीकरण के लिए इस्तेमाल किया जाना देख सकते हैं ।

वर्तमान में कार्ड लेनदेन के मामले में ये दो कारक आपके कार्ड प्लास्टिक और पिन हैं, जबकि कार्ड के बगैर लेनदेन के मामले में यह आपके कार्ड विवरण (कार्ड संख्या, समाप्ति की तारीख और सीवीवी2/सीवीसी2) और ओटीपी या पासवर्ड हैं।

~ मर्चेंट द्वारा नियंत्रण

पीओएस टर्मिनल: पीओएस डिवाइस के निम्नलिखित घटक होते हैं: (१) कार्ड रीडर (२) कुंजी पैड (की-पैड), (३) नेटवर्क कनेक्टिविटी, (४ ) मेमोरी स्टोरेज और (५ ) रसीद प्रिंटर। कार्ड रीडर और की-पैड डेटा प्रवेश के समय ही उसे एन्क्रिप्ट कर देते हैं। मेमोरी में इस जानकारी को एन्क्रिप्टेड रूप में संग्रहीत किया जाता है और जैसे ही व्यापारी निपटान की प्रक्रिया करता है, डेटा मेमोरी से हटा दिया जाता है। इस नेटवर्क पर संचार एक संरक्षित लाइन के माध्यम से एन्क्रिप्टेड प्रारूप में होता है। रसीद प्रिंट करते समय आपके कार्ड नंबर जैसी संवेदनशील जानकारी को मास्क किया जाता है। 

कार्ड लेनदेन के लिए उपयोग किए जाने वाले एन्क्रिप्शन तर्क को ‘ट्रिपल-डीईएस’ या ‘3डीईएस’ कहा जाता है; जो अभी प्रयोग में आ रहे सबसे उन्नत डेटा एन्क्रिप्शन मानक में से एक है। प्रत्येक टर्मिनल के लिए यूनिक एन्क्रिप्शन का उपयोग किया जाता है, और डायनामिक अपडेट किया जाता है ताकि किसी भी संभावित खतरे से ‘की-लेवल’ पर ही निपटा जा सके। 

वॉइड और वापसी 

वॉइड और वापसी का उपयोग व्यापारी द्वारा किसी लेनदेन को पूर्ववत (‘अनडू’) करने के लिए किया जाता है। उदाहरण के लिए यदि व्यापारी ने आपके कार्ड को गलत राशि के लिए स्वाइप किया है या आपने भुगतान करने के तुरंत बाद लेनदेन के बारे में अपना मन बदल लिया है, व्यापारी टर्मिनल मेमोरी से उस लेनदेन को रिकॉल करके रद्द कर सकता है। इस प्रक्रिया को वॉइड कहा जाता है और इस मामले में जब व्यापारी निपटान प्रक्रिया करते हैं तो यह लेनदेन वहाँ से छोड़ दिया जाता है यानि आगे प्रोसेस नहीं किया जाता है। जारीकर्ता किसी भी दावे की अनुपस्थिति में तय निपटान समय सीमा समाप्त होने के बाद ग्राहक के खाते में लेनदेन को स्वचालित रूप से उलट देता है।

यदि व्यापारी ने मशीन पर निपटान प्रोसेस कर दिया है और डिवाइस से लेनदेन हटा दिया गया है, तो इसे रद्द/शून्य नहीं किया जा सकता है। इस मामले में व्यापारी रिफंड प्रोसेस करता है, यानी व्यापारी खाते को डेबिट करके ग्राहक खाते को क्रेडिट करने के लिए निर्देश भेजता है। जब व्यापारी इस लेनदेन को व्यवस्थित करता है तो इंटरचेंज के माध्यम से अधिग्रहण कर्ता द्वारा जारीकर्ता को उचित क्रेडिट निर्देश दिया जाता है। इन दिनों इंटरचेंज ‘इंस्टेंट’ रिफंड प्रोसेस करने के तरीके लेकर आए हैं । 

चार्जबैक

जैसा कि अब आप जानते हैं कि कार्ड जारी करने और लेनदेन प्रसंस्करण के समय सुरक्षित लेनदेन सुनिश्चित करने के लिए कई नियंत्रण हैं। ‘चार्जबैक’ लेनदेन के बाद ग्राहक के हितों की रक्षा करने की एक प्रक्रिया है। चार्जबैक प्रक्रिया के तहत यदि डुप्लीकेट बिलिंग, प्रदान नहीं की गई सेवाओं, वितरित नहीं किए गए सामान आदि जैसे लेन-देन के साथ कोई प्रॉब्लम है, तो उपभोक्ता अपने दावे का समर्थन करने वाले सभी साक्ष्यों के साथ अपने जारीकर्ता तक विवाद पहुँचा सकता है। ऐसे मामलों में जारीकर्ता इंटरचेंज के जरिए अधिग्रहणकर्ता के माध्यम से व्यापारी से संपर्क करते हैं और व्यापारी को आवश्यक सबूत प्रदान करने या विवाद को स्वीकार करने और लेनदेन को रिवर्स करने के लिए कहते हैं। व्यापारी डिलीवरी पुष्टि, भुगतान रसीद आदि के रूप में सबूत प्रदान कर सकता है। यदि व्यापारी यह साबित करने में असमर्थ है कि यह एक वास्तविक शुल्क था, तो मामला ग्राहक के पक्ष में बंद कर दिया जाता है और लेनदेन उलट जाता है। यदि व्यापारी यह साबित करने में सक्षम है कि शुल्क वास्तविक था, तो विवाद व्यापारी के पक्ष में बंद किया जाता है।

शून्य देयता

यदि आप अपने कार्ड के साथ भेजी गई सभी अध्ययन सामग्री को पढ़ते हैं, तो कई मामलों में आपको ‘शून्य देयता’ (जीरो लायबिलिटी) के रूप में लेबल किया गया अनुभाग मिलेगा। शून्य देयता स्टोर में की गई आपकी खरीद, या टेलीफोन, ऑनलाइन या मोबाइल और एटीएम लेनदेन के माध्यम की गई आपकी खरीद पर लागू होती है। कार्डधारक के रूप में, आपको अनधिकृत लेनदेन के लिए जिम्मेदार नहीं ठहराया जाएगा यदि:

१. आपने अपने कार्ड को चोरी या खोने से बचाने के लिए पर्याप्त सुरक्षा उपाय किये हैं 

२. आपने तुरंत अपने वित्तीय संस्थान को नुकसान या चोरी की सूचना दी है

यदि आपको लगता है कि आपके खाते का अनधिकृत उपयोग किया गया है और आप ऊपर की शर्तों को पूरा करते हैं, तो यह जानकर चिंतामुक्त रहें करें कि आपके पास शून्य देयता वादे की सुरक्षा है। कृपया इस खंड को अपने कार्ड किट में ध्यान से पढ़ें और सुनिश्चित करें कि आप इसे समझ लें।

हॉटलिस्टिंग

कृपया अपने कार्ड के नुकसान या अपने कार्ड पर किसी भी संदिग्ध गतिविधि की रिपोर्ट करने के लिए उपलब्ध सबसे तेज़ माध्यम से अपने बैंक से संपर्क करें। हर कार्ड जारीकर्ता यह सुनिश्चित करता है कि टेलीफोन कॉल के माध्यम से इसकी रिपोर्ट करने के तरीके उपलब्ध रहें; जैसे एक समर्पित फोन नंबर (कृपया इस नंबर को अपने साथ रखें), मोबाइल बैंकिंग, इंटरनेट बैंकिंग आदि। 

एक संदिग्ध गतिविधि का क्या मतलब हो सकता है? इसके कुछ उदाहरण इस प्रकार हैं:

१. आपका अपने खाते में किसी ऐसी गतिविधि के बारे में एसएमएस/ई-मेल प्राप्त करना जिसके बारे में आपको जानकारी नहीं है

२. एक एसएमएस/ई-मेल प्राप्त करना जो आपको उस लेनदेन के लिए उत्पन्न ओटीपी के बारे में सूचित करता है जिसे आपने शुरू नहीं किया था

३. कोई व्यक्ति आपको फोन करके आपके कार्ड के बारे में संवेदनशील जानकारी जैसे कार्ड नंबर, सीवीवी, पिन, ओटीपी आदि के बारे में पूछताछ करता है। कोई भी बैंक कभी भी किसी व्यक्ति को फोन कॉल पर साझा करने के लिए यह जानकारी नहीं पूछता है। 

आशा है यह जानकारी आपके लिए उपयोगी रही है और आप अगली बार खरीदारी के समय भुगतान के लिए अपने कार्ड का उपयोग करने के बारे में अधिक आश्वस्त हैं। अगले भाग में कार्ड की दुनिया में हो रही धोखाधड़ी के विभिन्न प्रकारों और अपने आप को उनसे बचाने के तरीकों को कवर किया जाएगा।

इस लेख का हिंदी अनुवाद मेरे ट्विटर मित्र राहुल तिवारी ने किया है। आप लोग उनको ट्विटर पे @In_Blogger फॉलो कर सकते हैं।

Thoughts on RBI Draft Paper on NUE for Retail Payment Systems

On 10th Feb, 2020 Reserve Bank of India released a paper on ‘draft framework for authorisation of a pan-India New Umbrella Entity (NUE) for Retail Payment Systems’ for public comments. RBI has invited comments from all stakeholders by February 25th, 2020.

In 2005, when I had started my career from HDFC Bank, there were multiple ATM networks active in the country. Apart from Visa and MasterCard, there was one ATM network run by Euronet, where (I think) 16 banks were participating, and there was another operated by FSS (The entity was walled FSS Net), where (I don’t remember the number of banks) were participating. Apart from these some banks were having bilateral arrangements with other banks for sharing of ATM infrastructure. Around the same time another ATM network by the name of NFS was getting active, which was run by IDRBT. Most of the banks slowly started joining NFS network and with time it became the largest domestic ATM network in India. It was about this time, two things happened; control of NFS network was transferred from IDRBT to a newly formed entity called NPCI and RBI had put a stop to all the bilateral ATM sharing arrangements. From this point onward NPCI became the source of almost all the innovations in retail payments starting with RuPay, IMPS, AEPS, APBS to more recent UPI, BHIM, BBPS, eNACH, NCMC and NETC etc. I had been very fortunate to have balcony seat to many of these stories by virtue of being a part of HDFC Bank and then Kotak Bank and Jio Payments Bank.

The journey of NPCI from NFS ATM network to today controlling almost 60% of retail electronic payment transactions by volume (please note that RuPay Credit Card is a very recent phenomenon and numbers there are still dominated by Visa and MasterCard followed by American Express and Diners) has been really exciting and in many ways the best thing to happen to Indian digital payments ecosystem. Having said that the amount of influence NPCI today commands is really dangerous and while NPCI claims to be very open to suggestion and ideas, I have personally seen on many occasions that best idea didn’t win due to various factors.

With introduction of NUE there is a possibility of many more innovative payment solutions to be envisioned and implemented, which are more suitable for Indian audience. This will also make NPCI work even harder to continue doing the good work they have been doing and not become complacent. Few key areas I can clearly see new NUEs to focus on would be building specialized and low cost solutions for business correspondent network, which is the back bone of entire Financial Inclusion story in India and still does not command the attention that it deserves from various larger players in the ecosystem. Another very important area that has been demanding attention and has clearly been mentioned in RBIs paper is remittances. There are so many migrant workers, who earn in Cash and need to send money to their families in their native places. Cash is still the biggest mode of transaction today in India and there is clearly scope to do more.

I will be looking at organizations like Euronet, FSS, AGS, TATA PSL, NSDL on one hand and PineLabs, Innoviti, mSwipe etc to be eager to go for this. One organization that has been at the center of many innovations happening in India iSPIRT to play a key role in all this. My only advice to anyone considering becoming NUE would be to let go of the traditional card protocols (think beyond iso 8583) and go back to drawing board before designing their solutions. In the end payment is all about debiting one account and crediting another, sounds like simple stuff. The key to any solution would be how simple the final offering remains.

This could also be a move in the direction of having specialized entities enabling interoperability for different modes of payments or use cases. For example Billdesk can attempt to become the go to entity for all things bill-payment. Another NUE can appear specializing the interoperability of mobile wallets. As I have mentioned above, there is a clear scope of specialized offering the business correspondent and self help group area, which has been the key to Financial inclusion in India so far. Hell, why cannot even bank branches be interoperable? Can a Kotak customer walk into and SBI branch and get his passbook updated, earning additional revenue for SBI in the process? The possibilities are endless, if we decide to think outside the box.

Few questions, will NUE as private entities be allowed to user Aadhaar authentication? What will be the exact role of NPCI in all this? Will NUEs be allowed to perform other business activities, for example can NSDL continue to offer e-Sign services as part of same business or have to set-up a separate entity, if they decide to go for it? More clarity should emerge after RBI releases final framework after reviewing everyone’s feedback post 25th Feb, 2020.

Why do I think Zero MDR is a good move?

Imagine a scenario without banks, everyone earns and spends in cash. There are no charges to be paid to anyone. If you are supposed to earn 100 Rs for a service offered, you would earn 100 Rs and when you purchase an item or service worth 100 Rs, you would pay 100 Rs for the same. Merchant earns the exact amount paid by the customer without any deductions in the process. Now this merchant collects bundles of cash everyday so he needs to spend money in handling that much cash. Maybe he will have to buy a secure vault to store it or even hire a security guard to protect it all the time. When he is transporting all that cash, he needs to spend on secure transit. All that would cost merchant some money, which has been the justification for charging MDR. Acquirer told the merchants, by accepting payments digitally we will manage the cash worries for you hence saving you huge cost in the process thus you should compensate us by way of paying us in the form of MDR.

Image Source: ETTech

However the problem is, in India only banks are allowed to be the acquirers, who are the custodians of all the money. That means customers as well as merchants keep their money in the books of the banks, meaning cost of transferring the money digitally is much cheaper compared when compared to cash for banks. Since the banks are custodians of all the money and they have the option to reinvest that money primarily by way of lending it to borrowers and charge interest on that money. Typically banks charge anywhere between 8% (home loan) to 36% (credit card roll-over) on the money they lend and a small portion of that around 3% (Savings A/C) -7% (Term Deposits) is passed on to the customer. Rest of the money is supposed to be spend on various expenditures of running the bank. These expenditures should also include building, managing and maintaining the entire payment infrastructure. A fee for allowing customers to access their own funds (on these very funds the entire bank is existing) in any form is unfair.

Specially in case of UPI, cost of merchant acquiring is almost zero. Instead of a PoS machine, which costs somewhere between 1500 Rs (mPoS) to 20,000 Rs (fancy PoS devices with multiple other supporting features) a UPI merchant needs a QR code, which can be printed and attached to a fancy plastic display in less than 100 Rs. In case of PoS, transactions are settled in two steps, authorization and settlements thus requiring an operations team to manage the reconciliation and payments processing, while in case of UPI the transaction is settled real time directly in merchant’s account hence the need for large operations teams and systems is eliminated. I do not have any numbers to compare on disputes/chargebacks but the going by the fundamental design of UPI, the possibility of disputes in UPI are much lesser compared to card world hence requiring even lesser operational expenditure.

When a bank outsources their ATM management business to a third party partner, they pay that third party. The third party is not expected to make fee income from customers. Similarly CC Avenue, Razorpay, Pinelabs of the world should be treated as third parties whom banks have outsourced the job of setting up merchant infrastructure and banks should pay these players for the services rendered at fair price, like they would for any other technology or operations outsourcing partner. Banks are making enough money to pay for this service. Based on some figure being floated around in various media sources I have learned that this zero MDR for RuPay and UPI will put burden of around 1800 Cr on the industry. Can someone remind me the profit made by HDFC Bank in last quarter?

In fact I am saying why should it be applicable for selective merchant base, this should be the case across all merchants. Our banking system is capable enough for paying for their service in order to get the balances from these merchant in their current accounts so that they can make float income on that money.

Another logic given to merchants for demanding MDR is that a card in the hand of customer increases his/her purchasing capacity hence increase in sales for the merchant. That logic primarily applies for Credit Cards and the current mandate leaves them untouched. Maybe a better way to go for banks would be to push Credit Cards. India is still super under penetrated when it comes to credit product and the scope is enormous. The business Bajaj Finance has built on EMI product is proof enough that banks have been failing miserably in exploiting this opportunity. My suggestion would be that banks get their act together, get off their high horse and start optimizing their processes and utilizing their resources better to find efficient ways to increase their revenue by serving their customers better rather than trying to build a fee income. In fact I would rather worry about a bank that is earning a significant portion of their revenue from various fees.

Having stated above, the way most of the players in the market are approaching this entire thing is flowed in my opinion. Banks are refusing to compensate the third party payments processors creating a huge dent in their revenue thus leaving them no choice but to compromise on their core business by creating other parallel businesses in order to generate sustainable revenue streams, which in the long run will be disastrous for the overall payments business. Ideally since banks are the only parties making money from the circulation of money during transaction should own up to their responsibility and compensate the payment providers fairly for their contribution in creating the ecosystem for bank’s customers to use the funds he/she has parked in the bank seamlessly; the way they would compensate any other service provider of theirs.

Above proposed arrangement is a significant shift from common practice prevalent for years, hence expecting such shift overnight would be a folly. Keeping that in mind I propose as an interim arrangement government bears part of the burden with a clear roadmap and visibility towards banks owning the entire cost in due course. Banks are clearly at the seat of power here and instead of exploiting their position to gain more profits and fee income they should instead invest and work for overall growth of digital economy. This move, even if forced should force banks to become more efficient in their processes and start using customers’ data optimally in order to maximize their gains.

Payments Explained: UPI Part 1 (Terminology)

UPI stands for Unified Payments Interface. It’s a system created by NPCI (National Payments Corporation of India) to enable various forms of payments like peer to peer (p2p), merchant payments (p2m) using bank accounts through mobile phone. With increasing adoption of mobile phone there was a need to enable a mobile native payments method that offers superiors user experience and interoperability between banks. While other interchanges were still trying to find a work-around through their traditional card protocols, NPCI decided to go back to basic and conceptualized UPI, which was a system built for mobile users using some inherent capabilities offered by smartphones, like using the mobile device as one factor of authentication (by doing device binding).

They also built it with the thought process of democratizing the innovation by offering open APIs to build up on. The idea behind offering these open APIs was to enable innovators to build their applications/payment experiences suitable for their environment and target customer base the way they deem fit. This thought process gave birth to start-ups like PhonePe, BharatPe and later even larger technology players like Google, Amazon, Truecaller, Whatsapp (they did a pilot but their progress was halted because they were not storing their data locally in India, as per my information they are still working on the same). Recently India’s biggest corporate Reliance also announced their entry in this space by enabling UPI through myJio family of applications. In this series I will try to explain the UPI transactions in detail starting with common terminology followed by transaction flow and various variations of payments built on top of UPI rail and then conclude it with some thoughts on common fraud trends and how to protect oneself from same. Let’s start with common terminology.

Terminology

PSP (Payment Service Provider): A PSP is an entity authorized by NPCI to process UPI based payment transaction. PSPs take care of following functions in a UPI life cycle:

  • Front-end the transaction flow for the customer
  • Issue and manage the access credential to the customer to access the mobile app
  • Register customer on the UPI platform and issue them VPA (Virtual Payment Address)
  • Maintain the mapping of VPA and Mobile device at their end

VPA (Virtual Payment Address): A VPA is issued by your PSP, that is used to uniquely identify the payer and payee in any transaction. Usually your VPA is username@psp for example abc@okhdfcbank in case of Google Pay, username is abc, selected by user, okhdfcbank is the PSP id issued by NPCI to HDFC Bank, which HDFC Bank has extended to Google Pay as third party processor.

Third Party App: These are typically apps launched by non-bank technology companies like Google, Amazon, Uber etc in partnership with one or more banks as PSP. A list of these apps and their PSP and handle name can be found by visiting this link on NPCI website.

BHIM: BHIM, short for Bharat Interface for Money is an app created by NPCI that lets a user make payments using UPI.

BHIM QR: BHIM QR is a branding used by UPI merchant acquiring PSPs to demonstrate that the particular QR code can be scanned by any app supporting UPI payments i.e. is inter-operable among all PSPs.

BHIM QR Code is nothing but a way to store the VPA of the merchant that is read by your UPI app at the time of scanning. One can use other form factors like NFC or sound wave etc to communicate the merchant VPA to customer’s UPI app to offer differentiated experience, if it is more appropriate for that environment for example maybe a NFC based interaction will be more appropriate for transit use cases like bus, metro etc.

UPI PIN: UPI PIN is the PIN that you input on your UPI app to authenticate yourself with your issuing bank, i.e. the bank that holds your account. You set it up at the time of registration when you link your account with your VPA by verifying the combination of your mobile number and OTP or M-PIN with your issuing bank. This PIN is different that the PIN you use to access your UPI app.

Push Payment: When you scan the QR code of the merchant or use someone’s VPA to send money through your UPI app by debiting your account, such transactions are commonly referred as Push transaction.

Pull Payment: UPI also supports pull payment i.e. you can use someone’s VPA to request money from their account. In this case a request is sent to the concerned person’s UPI app through his PSP and once authorized their account is debited and your account is credited.

Payments Explained: Card Transactions Part 4 (Fraud Prevention)

This is the last part of my series on card payments and in this post I will try to cover some common frauds targeting card users and how one can best protect herself/himself against those.

Skimming: Skimming is the process of stealing your card information at the time of interaction and then misusing that information to fraudulently post transactions on your card. Whenever card is swiped at a PoS or ATM device a fraudster attaches an external card reader to steal the card information at the time of swipe.

Skimmers like these are easily available and can be attached to PoS devices.

One most effective measure taken to prevent this kind of fraud is implementation of CHIP (EMV) cards. RBI has made it mandatory to all the card issuers to ensure all the Debit and Credit Cards issued are CHIP cards. ATM machines are designing their card readers to make installation of any additional external component difficult. However few precautions one can take to safeguard oneself from this are as follows:

A card skimmer places on an ATM machine
  1. Ensure you have sight of your card all the time and the device where the card is being swiped is clearly visible to you and does not have any external component that does not belong is attached to the device.
  2. While using an ATM please ensure there is no external component attached to the card reader of the ATM (many ATMs that still use a magnetic stripe reader use jitter to interrupt the card entry into the card reader that ensures card data is not captured by external device). One way to identify if any external component is attached on the card reader is to look for the light blinking from the card reader. If you cannot clearly see the light at the card reader avoid using that ATM.

These types of frauds are specially prevalent in popular tourism destinations. The logic is that most of the time the card being skimmed is of a tourist and once you are back from your vacation and it becomes very difficult for your to follow through on the crimes committed on your cards in a place you are not native to specially if that place happens to be in a foreign country. Only thing you can do when you are traveling to be extra cautious using your card. I visited Australia recently and noticed that merchants encourage you to swipe/dip or tap your card yourself instead of taking it away from your hands. It is a very good practice.

Phishing: Phishing is exactly what it sounds like (Fishing) fraudster targets a bunch of people in the hopes of getting them to reveal their sensitive information. There is another more entertaining way to learn about Phishing, is watch the very entertaining web-series on Netflix Jamtara, which is based on a tele-calling Phishing racket run by a bunch of young kids from a remote town.

According to Wikipedia definition, “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.”

If you receive a call, SMS or e-mail pretending to be from your issuer or any other entity requesting you to share sensitive information like card number, PIN, CVV, OTP, net banking ID and password etc. Only way to protect yourself from this kind of fraud is to never share sensitive details to anyone over any medium. Your bank will never ask for these details over call, sms or e-mail.

Website Spoofing: Fraudsters will create a website that looks like the website of another trusted entity and even have similar url (a very neat trick used by fraudster is to replace of of the characters in the url with another special similar looking special character). One simple way to avoid falling prey to this is avoid clicking on links received on e-mail or sms that asks for sensitive information to be shared, instead type the url yourself.

A typical example of spoofing

There are checks and controls implemented by websites to make sure customer recognizes the right page. For example, some websites have a shared image or message that is displayed on the page seeking you to input sensitive information. Like HDFC Bank Netbanking displays a picture and a message selected by you on its log-in page to ensure you are inputting your credentials on an authentic bank page and not some other spoofed website.

Social Engineering: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing explained above is a type of social engineering. Some other ways of social engineering relevant in this context are Vishing, where fraudsters will mimic the IVR (Interactive Voice Response) of the target organization to convince that organization’s customers into revealing sensitive information and Baiting, where fraudster will send you a link over e-mail or SMS prompting you to click on an infected link with promise of certain reward or threat of some loss.

Social engineering life cycle

There are no prince in Nigeria or warlords in Sudan dying to share their wealth with you, neither you have won any Coca-Cola or Reader’s Digest lottery. RBI or Income Tax departments are never going to call you to credit your account neither is Modi government giving you fifteen lac rupees in your account provided you share your account or net banking credentials with them. To receive LPG subsidy you just need to link your Aadhaar to your bank account and nothing else.

Money Mule: A money mule, sometimes also called as “smurfer” is a person who helps fraudsters transfer money acquired illegally. If someone approaches you with a story that he needs to transfer a fortune and want to use your account to park some funds and they will offer huge reward just for allowing the money to pass through your account or once the money is deposited in your account you need to withdraw cash and hand deliver it to someone in person, you are being recruited as a money mule in an elaborate fraud scheme.

When money is moved digitally, it leaves a trail and that can be used to identify and arrest the fraudster. To avoid this fraudsters create an elaborate trail of movement by passing the money through various money mule accounts and convincing these unsuspecting people into handing over the money in the form of cash at an unsupervised location. If you act as a money mule then you become a co-conspirator in the fraud and will be liable for any criminal proceedings that attracts. So avoid falling into becoming a criminal for some monetary reward.

Protect your Mobile Phone: These days your mobile phone has become very important when processing digital transactions. In many cases your mobile device is used as a mode of authentication, most of the time an OTP received on your mobile phone is used as 2nd factor authentication and many times websites and mobile apps store your card details (called card on file in payments world) in order to provide you a convenient user experience.

Now imagine a scenario where you have lost your smart phone and some fraudster has gotten hold of the device. Your phone is unlocked because you never set-up any access control like face, fingerprint, pattern or password to lock your phone when not in use. Fraudster notices that you have installed your telecom operator’s app on your phone and have your card credentials stored there. He sets up a shop offering cheap recharge to prepaid customers of that telco. He collects cash from the customers to recharge their prepaid mobile number and used your card stored in the app and OTP delivered on the device to make the payment. By the time you would report this and authorities catch up to him he would have shut the shop and run away. The only thing protecting you at this moment is your three digit cvv2/cvc2, if somehow he manages to find out that or guess that number you have no protection.

My only advice to you in this case is a. store your mobile number only at the apps/website you frequently use, b. set up an access control on your smartphone be it PIN, Pattern, Fingerprint or Face ID have some protection, c. don’t lose your phone and if you do immediately call your telco to block the number and also your bank to block your cards.

Physical Interaction: At last one very important thing, whenever you are providing photocopy of any KYC documents to anyone please make sure you sign it with date and purpose. The logic is to avoid misuse of your document from giving any instruction to your bank through their branch for example change of address, reissue of card, reissue of PIN, new cheque book etc. Bank branches typically ask for an identity proof to be attached with any written instructions to ensure the instruction has been received from authorized party.

Payments Explained: Card Transactions Part 3 (Protection)

Card payments ecosystem has been designed with safeguards at various stages to ensure protection of various parties involved in the value chain. I would like to dedicate this post to list down these safeguards to make users familiar with them. Every entity, system and process handling card information needs to adhere to Data Security Standards established by Payment Card Industry (in short PCI-DSS) which ensures all sensitive information is protected at any point in time.

Card Issuer Controls

Card Printing: At the time of card issuance card printing file is created and transported to print shop in encrypted format and is destroyed after the card printing is complete. I have been to one such print shop and experienced their security standards first hand. On top of data security they also have strict controls for physical security. Personals visiting there are taken through multiple locked doors and are not allowed to even wear cloths that has pockets in them.

Chip (EMV): Earlier card transactions used to be performed using magnetic stripe. The problem with magnetic stripe was that card information stored in the magnetic stripe is stored in clear form and can be stolen by fraudsters by swiping the card on a card reader. This process of stealing card information is referred as skimming. In order to protect users against this, RBI has now made it mandatory to use EMV cards. The benefit of EMV card is that all the card information is stored in the Chip is encrypted form.

PIN Printing: PIN of your card is not stored in any system anywhere. At the time of PIN issuance, a PIN block is generated using a complex logic and encryption and sent directed to the PIN printer. PIN is printed in sealed form and can be seen only by tearing the PIN mailer.

The level of caution at this stage is to the level that card plastic and PIN are both printed at different locations (in HDFC Bank cards are printed at Chennai, while PIN printing usually happens in Mumbai), this is done to ensure that your card and PIN are never together unless they are delivered to the customer. In addition to this cards are delivered with addressee specific delivery. The delivery guy usually asks for ID proof before handing over the card kit to you.

PIN Validation: At the time of transaction PIN is encrypted at the key pad itself and an encrypted PIN block is generated. PIN travels to issuer system for authentication in encrypted format. PIN block is generated in the issuer system using the information available at the back end. Both the PIN blocks are compared and if matched PIN authentication is successful.

CVV or CVC: This is a three digit code linked to your card and a variation of same CVV2/CVC2 is printed at the back of your card. This three digit code is available only on the card plastic and presence of CVV/CVC or CVV2/CVC2 (for CNP transactions) means that the person providing the detail is in possession of the card plastic.

It is very important that one does not share PIN and CVV details with any person except for on the card details capture page at the time of transaction.

2 Factor Authentication: According to RBI mandate all the card transactions in India are processed with 2 factors of authentication. Typically these two factors are combination of any two from below three:

  1. What you have? In case of card world it is usually your card plastic or if you are transacting through your registered mobile device, it can be your mobile device.
  2. What you know? Your PIN or Passwords fall in this category. It is a shared secret that only you and your issuer knows and can validate.
  3. Who you are? All biometric forms of authentication would fall under this category. Most common biometric is your finger print. In future we might even see iris, voice, behavior, face etc also being used for authentication.

In case of card present transaction these two factors are your card plastic and PIN, while in case of card not present transactions it is your card details (card number, expiry and cvv2/cvc2) and OTP or password.

Merchant Acquiring Controls

POS Terminal: PoS device consists of following components, a. card reader, b. key pad, c. network connectivity, d. memory storage and e. receipt printer. Card reader and key pad are programmed to encrypt the data at the time of entry itself. Memory stored this information in encrypted form and deletes as soon as the merchant processes the settlement. Communication on this network happens in encrypted format through a protected line. Receipt is programmed to mask sensitive information like your card number while printing the receipt.

The encryption logic used for card transaction is called TripleDES or 3DES; which is one of the most advanced data encryption standard in practice today and encryption is used for each terminal is unique and dynamically updated in order to ensure protection from any possible compromise at key level itself.

Void and Refund

Void and refund are transactions used to undo a transaction by the merchant himself. For example if merchant has swiped your card for a wrong amount or you have changed your mind about transaction immediately after making the payment, merchant and recall that transaction from terminals memory and cancel the transaction. This process is called void and in this case when merchant processes the settlement this transaction is omitted from the same and not claimed further. In lack of any claim against the transaction issuer automatically reverses the transaction in customer’s account after designated settlement time is over.

In case merchant has processed the settlement on the machine and transaction has already been deleted from the device, it cannot be canceled/voided. In this case merchant performs refund transaction, i.e. send instructions to credit the customer account by debiting merchant account. When merchant settles this transaction appropriate credit instruction is passed on to the issuer by acquirer via interchange. These days interchanges have come up with ways to process instant refunds.

Chargeback

As you are now aware that there are many controls in place to ensure safe transaction at the time of card issuance and transaction processing. Chargeback is a process to protect customer’s interests after the transaction. As part of chargeback process if there is any issue with with transaction like duplicate billing, services not rendered, goods not delivered etc, a customer can reach out to his/her issuer to raise a dispute with all the evidence supporting his/her claim. In such cases issuers approach the merchant through acquirer via interchange and asks the merchant to provide necessary evidence or accept the dispute and reverse the transaction. Merchant either provides the evidence either in the form or delivery confirmation, payment receipt etc. If the merchant is unable to prove that it was a genuine charge the case is closed in customer’s favour and transaction is reversed. If the merchant is able to prove is necessary evidence that the charge was genuine, dispute is closed in merchant’s favour.

Zero Liability

If you read all the study material sent along with your card, in many cases you will find a section labeled as zero liability. Zero Liability applies to your purchases made in the store, over the telephone, online, or via a mobile device and ATM transactions. As a cardholder, you will not be held responsible for unauthorized transactions if:

  1. You have used reasonable care in protecting your card from loss or theft; and
  2. You promptly reported loss or theft to your financial institution.

If you believe there has been unauthorized use of your account and you meet the conditions above, rest easy knowing you have the protection of Zero Liability promise. Please read this clause carefully in your card kit and ensure you understand the same.

Hotlisting

Please ensure contacting your bank with the fastest mode available to report the loss of your card or any suspicious activity on your card. Every card issuer ensures that there are methods to report this through telephone call (at a dedicated number, please keep this number handy with you), mobile banking, internet banking etc.

What can mean a suspicious activity? Some examples are as follows:

  1. You receiving an SMS/e-mail regarding an activity in your account that you are not aware of
  2. Receiving an SMS/e-mail informing you about an OTP generated for a transaction that you did not initiate
  3. Someone calling you and inquiring about sensitive information about your card like card number, cvv, PIN, OTP etc. No bank ever asks for this information to be shared over a phone call to any person.

Hope this information has been helpful and make you more confident about using your card for payment next time you go shopping. In next part I will be covering various types of frauds happening in the card world and how to protect yourself from them. Most of the banks actually send mailers/SMS regarding this kind of information, you might be aware of same if you have been paying attention to those mailers.

Payments Explained: Card Transactions Part 2 (Transaction Flow)

Continuing from my last post dedicated towards explaining the common terminology used in payments world in terms of the participants and instruments, in this post I will focus on how a card transaction works. Back in 2005, after completing my B.Tech. in Mechanical Engineering, during my job interview with HDFC Bank, my super boss (then head of BSG retail) asked me, if I know how an ATM transaction works. I answered in negative and yet attempted to guess how it might work using logical reasoning coupled with my experience of using my ICICI Bank card at Canara Bank ATM installed in IIT campus. My answer was somewhat close to the reality. I will try to use similar language in this post in order for it to make sense to wider audience with no background in payments business.

Fundamental Principle

In simple terms any payment involves debiting one account and crediting another. When you purchase any goods or services from a merchant and make a payment in lieu of same, it’s your account that needs to be debited and merchants account that needs to be credited. It can be a much simpler process when both the accounts are in the same bank, however when both the accounts happen to be in different banks, it becomes slightly more complex. In payments lingo, if the issuer and acquirer are same bank it is referred as OnUs transaction and is settled with-in the bank without involving the services of Interchanges. However when issuer and acquirer are different banks the transaction is referred as remote OnUs and OffUs by issuer and acquirer respectively. Such transaction are processed through Interchanges utilizing their connectivity with both banks and are settled via the same Interchange.

The primary function of the instruments both the parties hold, (in case of customer it’s the card plastic and in case of merchant it is typically the PoS device), is to identify the source and destination financial address i.e. account number and the bank. Most of you would be aware of something called IFSC code, well this code is nothing but a way to identify your bank-branch combination, when you are performing an NEFT or RTGS transaction (even IMPS Person to Account commonly referred as P2A, where you use account number instead of MMID as destination address uses the same). Similarly in card world there is something commonly called as BIN, short for Bank Identification Number. This BIN is a six digit number issued by Interchanges (Visa/MasterCard/RuPay) to participating issuing and acquiring banks. On your card it is the first 6 digits of your card number, while in case of merchants it is mapped to the PoS device. It is this BIN that helps interchanges identify source and destination banks in any payment transaction using cards.

Sample Transaction

When you present your card issued by Bank A at a merchant on-boarded by Bank B, the transaction follows following steps:

  1. PoS Machine reads the card information from the card
    • In case of chip card the information is read from the chip when it is dipped inside the machine
    • In case of magnetic stripe card the information is read from the magnetic stripe at the back of the card during swipe
    • In case of NFC information is exchanged over the air during tap
    • If you have heard of a company called Tone Tag, they use sound waves to communicate between your phone (which stores the card number) and PoS device.
  2. The information read by the PoS device typically contains Customer Name, Card Number, Expiry of the plastic, CVV (a three digit secure code) and PIN Block (wherever applicable)
  3. PoS device connects to the acquirer and sends the information to their central system
  4. Acquirer system identifies from the BIN, which interchange the card belongs to and sends it to respective interchange
  5. The interchange from the BIN identifies the issuing bank and send the transaction to the issuer
  6. The issuer authenticates the card using the information captured by the PoS device
  7. Upon successful authentication issuer authorizes the transaction based on the status and availability of balance in the account
    • At this stage issuer debits the customer’s account and parks the credit in a designated account marked for interchange settlement
  8. The result of authentication and authorization is communicated back to the interchange in the form of response code
  9. Interchange passes on the response to the acquirer
  10. Acquirer communicates the same forward to the PoS device
  11. PoS device displays the message on the machine display and merchant concludes the transaction accordingly
  12. Merchant uses the PoS device to claim the money from the acquirer
    • At this stage acquirer credits the merchant by debiting the designated account marked for interchange settlement
  13. Acquirer send the claim file to interchange with details of all the transactions across all issuers
  14. Interchange splits the file as per issuers and sends the files to respective issuers to receive the funds for transaction performed on interchange’s network by customers of the issuer
    • Each interchange has a designated settlement banker. Every issuer and acquirer has to open account in this bank, which is used to settle transactions between participating banks
  15. Issuer debits the designated settlement account, to fund the interchange account in the designated settlement bank
  16. Interchange debits the issuer account in settlement bank and credits acquirer account in that bank
  17. Acquirer uses the fund received in the account in settlement bank to round off the settlement account in their book

Step 1 to 12 are called authorization and 12 to 17 are called settlement. Authorization steps are performed online real time while settlement is completed through file exchange. When you hear someone say it’s DMS, short for dual message settlement, this is what they are referring to.

When you are using the card at a website or mobile app, there is one additional step you all perform that is 2nd Factor Authentication with most common form being used in India being a one time password (OTP) delivered to your registered mobile phone. This is done because in online world there is no encrypted key pad, as available on a PoS device. Since PIN needs to be protected with certain encryption standards, which are difficult to implement on a website, as an alternate when the transaction hits the Interchange, they refer to a mapper maintained at their end to find the authentication url of the issuing bank and make a call to that url. At this point the issuing bank takes control of the transaction and triggers an OTP to cardholder’s mobile number, which is then validated on the web-page of the issuing bank. On successful authentication like this other authorization steps are performed. Such transactions where card plastic is not used at the time of transaction are called CNP (card not present) transactions.

I hope this gives most of you a fair idea about how card transactions are performed and the role multiple entities play in the process along with the flow of money. In next part I will cover the various security and safe-guards that are in-built at various steps in entire process to protect the customers and merchants from various frauds.