In a development that would affect services of companies like taxi service aggregator Uber, Reserve Bank of India (RBI) has on Friday clarified that all transactions using cards issued in India for payments on merchant sites (where no outflow of foreign exchange is contemplated) need a second authentication.
The bank stated, through an order issued by Vijay Chugh, Principal Chief General Manager, that the link to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing this mandate for second authentication.
RBI had through various directives over the last five years mandated an additional authentication or validation for all on-line card not present (CNP) transactions (e-commerce/IVR, etc) and for recurring payments based on standing instructions.
RBI said in the order: "...it has come to our notice that despite the above clarifications, there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India)."
This order will directly hit Uber, a San Francisco-based taxi booking service which has operations in six Indian cities Mumbai, Bangalore, Delhi, Pune, Chennai and Hyderabad, which has been enabling payment transactions between the taxi operator and the user without a second authentication using an overseas payment gateway. In fact, Uber's USP has been the hassle free payment mechanism where the user when registering for the service enters the credit card details and pre-authorises the company to charge the user. So once the ride is over the customer can walk out without any need for a second authentication or swiping of the card, while Uber charges the customer using the already stored card information.
Central bank has now acted against this model as in India card not present transactions have been mandated to have a second authentication.
The bank said, "It is also observed that these entities are evading the mandate of additional authentication/validation by following business/payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods/services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999."
RBI said, "It is advised that entities adopting such practices leading to willful non-adherence and violation of extant instructions should immediately put a stop to such arrangements."
The central bank clarified that "where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.
The directive has come into effect immediately from the date of the circular. However, RBI has given time till October 31, 2014 to comply with its instructions, to avoid any business disruption.
After Uber service really caught on in India as it provided hassle free payment service for its users (payment via cards without second level authentication), many of its rivals including local taxi operators had complained to RBI that Uber's payment system had violated the central bank’s directives regarding additional authentication and also FEMA regulations.
RBI has acted quickly on the complaint.
(Edited by Joby Puthuparampil Johnson)