
RBI makes it compulsory for Uber to follow two-step authentication for payments in India


The Reserve Bank of India has made it mandatory for companies to follow the two-step authentication for payments when the credit card is not presented physically. While the mandate doesn’t mention any company per se, premium cab service Uber will be one of the affected companies.

Currently, most online credit card transactions require two-stage authentication: in the first step customers submit their credit card details, and in the second step they enter their PIN. However, this applies only to transactions happening in India where both the user and the receiver are in India.

Uber, however, worked around this by maintaining an international payment gateway and being an international entity. The invoice was raised in the name of the driver, but the payment was made to an international bank account. Uber then took its cut and remitted the balance to the driver in India.

This gave Uber an unfair advantage over local taxi services that have to strictly follow the two-stage authentication process. The Association of Radio Taxis in India as well as its local rivals have been quite vocal about this issue and have alleged that the company’s payment system is in violation of FEMA laws as well.

RBI’s new mandate is pretty clear about the fact that Uber is flouting Indian laws.

It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.

It has come to our notice that despite the above clarifications there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.

Uber offered users unparalleled convenience: they did not have to do anything to make a payment. The service stores the user’s credit card details on its system and debits the amount due as soon as the user gets out of the car. Local cab players, on the other hand, had to take users through the two-factor authentication process, which involves entering a second password after the CVV code for additional security, as mandated by the RBI.

The RBI has made it clear that the clarification is effective immediately, but has given existing services like Uber time up to October 31 to comply. “This directive shall come into effect immediately from the date of this circular. However, existing arrangements if any, will be accorded time up to October 31, 2014 to comply with our instructions, to avoid any business disruption, without prejudice to further action, if any, for violation of extant provisions under PSS Act/FEMA,” the federal bank mentioned in the circular.

BGR India has reached out to Uber for a statement but had not heard from the company at the time of filing the story. Uber has been hinting for a few months now that it was looking at alternative payment mechanisms, without giving any details about those alternatives.

The RBI mandate follows below.

The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /
District Central Co-operative Banks/Authorised Card Payment Networks

Madam / Dear Sir

Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions

Please refer to our circulars RBI/DPSS No. 1501 / 02.14.003 / 2008-2009 dated February 18, 2009, RBI/DPSS No.1503 / 02.14.003 /2010-2011 dated December 31, 2010 and RBI/DPSS No.223/02.14.003/2011-2012 dated August 04, 2011 wherein directives were issued making it mandatory for banks to put in place additional authentication / validation based on information not visible on the cards for all on-line card not present (CNP) transactions (e-commerce / IVR / MOTO / recurring based on standing instructions).

2. A reference is also invited to our circular RBI / DPSS No.914/02.14.003/2010-2011 dated October 25, 2010 on the subject, clarifying the applicability of the above directives on the nature of card not present transactions. It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.

3. It has come to our notice that despite the above clarifications there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.

4. In view of the above, it is advised that entities adopting such practices leading to willful non-adherence and violation of extant instructions should immediately put a stop to such arrangements.

5. It is further advised that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.

6. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).

7. This directive shall come into effect immediately from the date of this circular. However, existing arrangements if any, will be accorded time up to October 31, 2014 to comply with our instructions, to avoid any business disruption, without prejudice to further action, if any, for violation of extant provisions under PSS Act/FEMA.

8. Please acknowledge receipt.

Yours faithfully

(Vijay Chugh)
Principal Chief General Manager

  • Published Date: August 23, 2014 12:59 PM IST