This is actually a good thing. Think of it like Apple's email masking service - Merchants can only store a tokenized version of your credit card instead of the real card details. I say this is a good thing after having worked with many E-Commerce shops in India as a consultant. Most of them barely know a thing about security, let alone about PCI DSS compliance.
I have worked with shops that stored the entire credit card number in PLAIN TEXT!. Not just credit cards, even their users' passwords. This also explains why many of them got and still get hacked from time to time. Even credit card processors got hacked due to this. Lot of shitty ones in the Indian market actually.
The root cause of this, not to cause language flame wars here, but is most of the shops use script kiddos with just basic PHP knowledge. Bare minimum, they're recent fresh college grads who just know how to consume data from a form using PHP using GET and POST, that's it. Most of the code I've worked with just consumes this directly instead of stripping/processing it and end up introducing SQL injection attacks. Atleast, if they used a framework, this would be provided by default for free, but many of the developers hardly know about even MVC.
(As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.
Well folks, that's it for today's note on why this was a good move. Have a nice day!
Edit: Some of the recent hacks that were not made public widescale like they should've been:
1. Domino's Pizza India (Yes, the international pizza chain)
RBI(Central bank) has been filling-up for a long time for the total lack of security practices by merchants & data-privacy laws.
e.g. One can control how much money can be withdrawn from the credit/debit card per-day according to domestic/International merchants/online/physical/ATM/ etc. through net-banking with the minimum in the multiples of INR 1000. So even if the card data gets stolen, Criminals can utmost withdraw only the minimum amount in the other part of the world.
But unfortunately due to the digital-divide, Not many have access or awareness of such facilities and hence control over card data is required.
IMO the single point of failure for India's financial security is its extraordinary dependence on mobile number for 2FA, Even security conscious customers can do little against SIM jacking attacks, But for those who are not security conscious; all it requires is a social engineered SMS with ngrok URL[1] or Phone call asking for that OTP.
Please write to RBI and demand your bank to support hardware tokens (or) at least TOTP.
> 3. PayTm (One of the largest, if not the largest digital payments app in India)
Did you mean that largest digital payments company which integrated the PoS facility on the merchant's app and the customers were asked to enter their credit/debit card details manually?[2]
Although charge back mechanisms exists for merchant transactions, I don't know of anyone who had got back their money lost through the theft of their card data. I wouldn't be surprised if VISA/MASTER/AMEX don't have such liabilities in India as they do in US/Europe.
I had a conversation with cyber-crime police reg the aforementioned SMS scam using ngrok, They mentioned that many in my city have lost huge sums of money through it and the scam is not just for stealing bank credentials, the attacker's application tries to exploit victim's system and had successfully installed RAT.
Successive Indian Govt. have been at loggerheads with VISA/MASTER duopoly and have successfully derailed it for domestic payments, Now Unified Payments Interface(UPI)[1] which works with payment apps has more transactions than debit/CC. So the domestic criminals have largely switched to UPI/Bank account based scams.
Occasionally some of these criminals get caught and some get their money back.
Chargeback rights and liability of fraud for creditcards are significantly different in different regions even for seemingly identical visa/mastercard cards.
I have spent a long time in eComm in the west, and you see that kind of stuff there as well. The most erroneous was the company that would take credit cards in plain text, print them onto an order sheet for reception staff to put through their POS at the front desk, and then the order sheets just went into the bin near the entrance. Thousands of credit card numbers were just sitting there for the taking, in plain text, in plain sight.
> The most erroneous was the company that would take credit cards in plain text, print them onto an order sheet for reception staff to put through their POS at the front desk, and then the order sheets just went into the bin near the entrance
Back in my younger days, I've implemented exactly such a system. Looking back, it seems like a "WTF where you thinking" but somehow it made sense back then. What is obvious practice now took 20+ years of internet evolution to reach.
I've also worked for companies that:
- Stored user passwords in plaintext so you can email the customer their password if they forgot
- Stored the CVV so "we could issue refunds"
- Accidentally created anonymous email relays using copy & paste code from some "how do I create a webform in PHP" site.
- Test data was simply a mirror of production
- Test servers would send real emails to real customers (because the test data was a prod mirror)
There are probably some other atrocities I've been exposed to but those are the highlights.
Oh yeah, forgot one:
- To "save money" on hard drives for "the server" we did a RAID0 array. Works great until one of the disks die and you loose everything. (This was my own dumb fault though).
Not just ecomm. I remember the days when customers would read their credit card numbers over the phone for small businesses (e.g. pizza joints). You'd write it down for processing later. The paper then gets disposed of at some point with the full credit card info and name written on them.
Not quite as egregious, but when I worked in QA for an internally accessible, hospital record keeping web app, most of the "test" data was real customer data, and OBVIOUSLY I had complete access to prod with no particular oversight (although I'm certain logging was enabled) for HIPPA. Still, glad it was available, as going through approval processes would've been a nightmare for our implementations.
The healthcare place I worked (mid 00's) kept all the prod passwords in a text file accessible to half the company. No auditing of logins into those servers either, so who knows what was leaked.
Indeed, astonishing retail-level security shenanigans will happen anywhere relying on simple credit card numbers. That said, the attack surface of a piece of paper is vastly smaller than a web-app-connected database.
That's a weird generalization. Yes there are terrible, insecure e-commerce sites in India, the same as there are in the USA and everywhere else on the planet. India is also the top 7-8 e-commerce market in the world. Large local apps in the space have valuations in the tens of billions of dollars, and all major global players like Amazon and Walmart are involved in the country as well. These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.
> That's a weird generalization. Yes there are terrible, insecure e-commerce sites in India, the same as there are in the USA and everywhere else on the planet.
I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.
> These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.
Those are less connected than you think; loads of companies run obscenely large monetary transactions and essential business processes with horrifying hacked-up systems (50k LoC files, 20-year-old Perl scripts that nobody understands, Solaris 2.x desktop in the maintenance closet...); utility and good code are less correlated than we wish.
> I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.
Or maybe even different companies forcing users to accept credit cards in different ways.
A handful providers I had to integrate with in my career (in LatAm and Germany) had this rule where you couldn't have the numbers going trough your system unless you got PCI certification. You had to use an iFrame, or redirecting to their website where the form was served.
Sometimes the APIs were there, in public, but even if you used a valid credit card number it would deny verification unless your merchant account was pre-authorised.
Yeah, seems plausible - after all, as I recently learned from another HN post, it is customary for trucks not to have side mirrors in India, whereas this is much rarer in the US and virtually unheard of in (western) Europe...
"such that US companies have to care about PCI more than Indian companies."
If you think about the social security number system, paper checks or credit cards with magnet strips I think you'll notice that other countries sometimes have stricter and more advanced security regulations.
Yes, of course. I would expect the US to be ahead of some countries in some places, and behind some countries in some places. My point is that it's perfectly plausible that in this very particular area India could be worse than the US just as, say, the EU is generally ahead of the US. And, in different areas India could be way better than the US; this isn't "good countries" and "bad countries", it's "different countries place differently on whatever metric you pick".
Yes, but large valuations don't correlate with better security practices.. Obviously the person above isn't talking about Amazon or Walmart when referring to "script kiddies".
Of the nearly 45-50 contract jobs I've seen, a lot of them use pirated WP or Magento plugins, and plain text storage of sensitive content.
Again, generalization.
What you're talking about mostly refers to small time sites with maybe not more than few dozen orders a day.
Typical ecommerce businesses (usually the kind with at least 100s or 1000s of orders a day) write their own code rather than using WP plugins.
As far as PCI DSS goes, there are multiple levels. Even at the tier 2 Indian ecom company I used to work at, we did not store any card info, it was just submitted in an iframe rendered by the payment gateway. And even then we were subjected to annual/semi-annual security audits (this was in addition to quarterly external security audits we ordered ourselves apart from typical OWASP top 10 checks performed by QAs in weekly sprints).
It doesn't seem like a generalization at all. It's someone relaying their actual experience:
"having worked with many E-Commerce shops in India as a consultant"
It very often happens on HN that if someone talks about something they had personal experience with, that people try to characterize it as a generalization, as if that somehow magically makes the statements a fantasy. It does not.
> (As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.
Kudos for doing God's work! As someone who studied in India, I think youtube videos might have a better reach with Indian student audience. There is so many mediocre content out there on YouTube and high-SEO sites like GFG (they are kinda fine for algorithm / Leetcode stuff but I can't stand their student-contributed code for anything else). A higher quality de-facto tutorial series might make a better impact. But of course promoting is important.
Agree. There is really no way of knowing which website has my credit information now (I choose not to save credit details anyway). I wish all websites can ask permission every year to hold my information.
How do I get these firms to hire me instead? I know enough about the basics of security to not make these mistakes. Why would they choose college grads who know nothing about it instead?
1. The vendor is not aware that this is a problem
2. As a result of point 1, the vendor does not have budget planned for this.
3. The reward for the investment does not make sense for most of the vendors.
About point 3: For the vendor, there is no tangible improvement in sales (in fact, some security measures raise the barrier for their customers to place an order). So why should they do it? In their experience, the budget is better spent on improving the customer experience, marketing, increasing stock, lowering prices, etc.
Point 3 is really tricky, especially in some cultures and countries. If there is no legal consequence for leaking customer data, why should they be spending money on preventing something that may or may not happen in the future?
What is this Apple email masking service? I keep reading about it but every time I pick "Apple Pay" to pay some service it tells me it's going to give them my icloud address and it gives me no option to choose "mask my email" or anything remotely related or giving some alternate email
I agree as long as merchant banks let you transfer tokenized cards to a new provider. Otherwise businesses will get locked into one provider for recurring billing.
(No, this doesn’t make tokenized cards as dangerous as card numbers. Transferring a merchant account is a whole process. Not to mention that when a breach happens, you can cancel one merchant’s tokens without forcing every customer to get new cards)
I disagree with this premise, I have worked across many countries and I can tell you bad script kiddies and programmers exist universally, everywhere. It just so happens the population of India and China are quite large compared to the rest of the world, so they're more easily visible.
I have worked with some of the best talent from these nations as well, so I would be very hesitant to attach a particular country to it.
The real story is far less sensationalist than the title on HN, "Indian online merchants cannot store credit card information from 2022".
Reading through the actual notification titled "Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services", it is clear that the directive is a well deserved push away from Card on File (CoF) where the actual card details are stored by merchants, towards CoFT which is a lot less vulnerable. In fact this is exactly what Apple Pay, Google Pay, and several others are already doing worldwide.
Kudos to Indian govt, this should be the default for any e-commerce websites. I have to resort to PayPal to avoid my credit card being stored in the e-commerce merchant sites but some of sites do not support PayPal. It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.
Be careful if you pay with PayPal in foreign currency, they have super-bad conversion rates that they try to trick you into accepting. You can turn this off if you can see through their dark patterns.
But as a rule of thumb, PayPal is a scammy company that I now try to avoid where I can.
I have been burned couple of times by them. I thought it's a genuine and useful feature.
First, they offered a poor conversion rate.
Second, they said they will charge in INR and hence no further markup by banks which was an outright lie as they charged in INR from PayPal Singapore which applied foreign markup anyway by the bank. So I paid double markup.
Indian merchants have to support UPI - another payment mechanism which is secure. I tend to use that in most places so that I dont have to store my card details.
Just to clear things up since some of the other comments seem unsure or have partial information, UPI requires a cell phone, a cell phone number and the bank account linked with the cell phone number. It cannot be used from a computer (IMPS, which is like UPI’s cousin with a slightly more cumbersome interface, can be used from a computer).
The primary form of UPI usage is from smartphone apps (provided by banks or by the operator of UPI, which is the NPCI BHIM app).
See the UPI overview page [1] by NPCI (a private consortium operating UPI, IMPS and a few other services).
GP here. No, you don’t necessarily have to share your cell phone number as the sender or as the receiver. But take note of the details below.
UPI assigns/allows one or more Virtual Payment Address (VPAs) for each account, which looks kinda like an email address.
The default VPA is usually phone-number@bankname, but you can (and should) disable that default VPA (mainly because UPI also has a payment request mode where anyone can request anyone else for money and there are plenty of scams with that and enumerable phone numbers). Instead, create the VPA as some-random-name@bankname (assuming nobody else has taken that). The sender and the receiver would know the VPA of the counter-party as well as the full name of the person (the name gets displayed before confirming a payment, and is helpful to know that it’s going to the right person).
Also note that while some banks allow only one VPA for an account, some banks allow several VPAs for the same account (think of them as similar to what email aliases are for the same email account). So you could have mybusiness@bankname for your clients to send business payments, mybigdinnerparty@bankname for your friends to send their share of the dinner party bill, and so on — all linked to your name and the same bank account.
I have created UPI ID directly with bank and there is no need of any third party app. It can be used to transfer money directly without sharing bank and card details.
What no?
My business, and my family business both run off the ability to make upi payments by just giving a UPI Id, amount and everything your pin.
Quite often, i settle accounts with my friends over UPI. One of them pays for coffee, and i just upi him his share.
And we work with our own personal savings accounts.
paypal is worse than credit card for me. For one the paypal always shares your paypal email address where as when I pay with credit card I always give a different email address to every merchant.
Why I needed to change the email address I use for paypal repeatedly. Now I have mostly stopped to use paypal. It's full of dark patterns like making authorization recurring without giving me an option. Need to cancel authorization for future payments manually afterwards. I guess in the wost case this could be racy, another payment before I cancel.
Does PayPal still share email addresses? I accept donations on PayPal for my open source projects, and starting from a few months ago I can no longer see people’s email addresses, which have been replaced by links to an internal chat system.
I agree. I had to do the PayPal thing with my Visible phone service because I couldn't delete an old card. Luckily PayPal doesn't require me to have anything linked just to have an account.
>It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.
If you are in the EU, in my experience with the GDPR, this is not allowed. The e-commerce merchant must allow users to have the option to remove this information.
PS: I had to file a formal complaint against a telecom company to have this resolved.
Unless they have to store those details for N years because of local laws. Obviously they could hide old cards in the UI and/or implement a soft delete.
Is the RBI deliberately trying to handicap credit cards in India? The decision to make recurring payments impossible, followed by having to enter card information every time I do an online transaction is making for a very frustrating experience.
The justification for these decisions is always "consumer interest" but how is making consumers jump through hoops to do transact online in consumer interest? I wish the industry was more co-ordinated in lobbying against these crazy policies
Edit: A couple of replies below that say they don't mind authorizing subscriptions/recurring charges every time. I respect that view but I think people underestimate how much friction it adds if a business needs to ask your for permission every time to renew. Consumers are forgetful. They may not be available to authorize a payment when it's time to renew. Subscriptions reduce transaction costs, give businesses a predictable stream of income and allow consumers continued access to services without having to remember to renew it.
If you don't believe me, just look at the data and anecdotes posted by tech journalists and software devs on twitter - it's a shitshow.
If a businesses make cancellation hard, the right policy would have been to allow consumers to "stop" charge from the card issuer's website or app - not ask consumers to approve a charge everytime it happens.
So the order doesn’t prohibit tokenizing or saving cards, it specifies who can save them.
Earlier, merchants could save the details, and this ability leads to massive amounts of fraud and theft (see US right now).
Then only regulated payment aggregators could save them, and issue a token to the merchants. Stealing the token wasn’t too helpful because you couldn’t grab the money, the token was tied to the merchant. But this still means my card number is stored on a bunch of companies that can suddenly take whatever funds they want, and I can’t cancel these tokens.
Fast forward to 2022, where only the issuer I got my card from can give out tokens - so I can now see a list of every single merchant who has access to my card tokens, and I can cancel them whenever I want.
So the functionality is not going away, it’s moving to another part of the regulated system that’s more in the control of the consumer.
As a person I welcome the move (no more struggling to understand card charges or pleading with companies to cancel my subscriptions). As a developer it’s more work to implement the new system, but it’s not much more work than the old one. Projects using Stripe or Razorpay will get the new system with no changes.
Yep, this is how most of the companies I worked for handled recurring payments.
The only time the customer needs to input their credit card again is when the credit card number changes.
Some providers even had integration with banks, so when a credit card was auto-renewed and the expiration changed (the CC number was still the same), we didn't even have to ask the customer for an update. Only when the customer specifically asked for a new card.
So there's even the possibility of even more convenience to customers.
As a consumer in India I’m so happy at least some part of this government is doing what it’s supposed to do.
A century of unchecked lobbying is pretty much the reason why the US is at the state it is. The difference I’ve seen between how things run in india and the states is that in India what’s illegal and called corruption is called legal and lobbying here.
What exactly are you worried about ? Clicking authorize on nytimes subscription every month?
One of the first pieces of advice for anyone sorting out personal finances is "figure out what subscriptions you aren't using." Cancelling in many cases is an anti-pattern (looking at you, NYT)
Because for NYTimes e.g. they don't allow online cancelation and need to through the phone retention loop.
RBI mandate thing could have been implemented better but I absolutely support the idea that recurring payment control should be with the consumer and not the merchant.
As an entrepreneur, I empathise with fellow startups losing customers due to mandatory check for recurring payments. However as a customer, this has been a godsend as I had almost 15 subscriptions totalling $300 monthly, quite a large amount in India.
The constant reminder of how many of those subscriptions are useless has allowed me to cut my expenses. Case in point, was subscribed to linkedin premium for last 2 years, while I make use of it only once in 3-4 months. Now I simply dont recharge my credit card and only do so once its required.
Not sure if its the ideal solution but definitely am thankful to it!
I would love to be able to have to proactively authorize every single recurring purchase via a tap on my phone. If I have enough that I’m being overwhelmed there’s a good chance I’m not tracking my purchases very well and there could even be fraud I’m missing.
There’s some use-cases maybe where automatic billing is required but the vast majority would do better to need to prompt the user.
There’s a Danish company that provides a service which will integrate into online banking platforms, that will allow you to cancel recurring payments directly from your banking app. How they make it work I don’t know, but I hope that my own bank will signup shortly.
Yes this is stupid and it has caused me a lot of trouble since this all started. I am now seriously thinking of leaving this country and going to NZ or Canada (something which I did not want to do because of my parents).
Doing business in India is so frickin hard, especially after GST. I have to spend so much time on accounting nowadays and it's getting harder and harder every day (even though all the ads say otherwise).
I almost got my Digitalocean account suspended few months back because the credit cards won't bill anymore. Now i have to constantly monitor GCP, Porkbun, AWS, etc since nobody can bill me like before.
Also for some reason Indians aren't allowed to keep balance in Paypal but a lot of my customers prefer to pay via it, which means in the end I cannot process any refunds on time and makes customers angry (Paypal wants me to snail mail checks to them to add the USD balance since govt has banned adding the same from Bank account).
For recurring charges now you have to create an account with https://www.sihub.in which doesn't accept small businesses kinda making it an exclusive club for big companies. It's really a shit-show here.
If it were not for Stripe Atlas I would have been out of business a long time ago. So thank god for that.
Please understand the context behind the rules before ranting.
PayPal restrictions exist because india doesn't have free capital account convertibility and forex providers need to implement regulatory mechanisms to comply with forex regulations. The regulations on forex haven't changed in many years. It's paypal who isn't bothered to comply with mechanisms implemented and hence removed those features as they felt customers like you aren't worth it to them.
Most developing countries have capital controls like India for financial stability reasons and removing it for the sake of small segment of entrepreneurs feeling difficulty to process some payments or can't manage the accounting is not in the interest of the state or it's people.
Stripe thinks you are worth it to them and are providing that service. Find better service providers. Talk to a bank.
As far as GST is concerned, every country has tax accounting. Some other countries like in Europe have it way worse on the paperwork. Have you ever dealt with pre-GST service tax or VAT paperwork? Accounting is a universal thing and it's the reality of doing business.If you think just by jumping one country to the other you can avoid taxes or paperwork you need to rethink your approach to business. Most countries who don't have taxes or tax paperwork are just tax havens living off someone else's money. Will you go to NZ/Canada and not do their tax paperwork?
If it's getting harder, maybe your size is large enough to hire an accountant to do that work for you.
If you have so many customers overseas maybe you better incorporate a foreign subsidiary or an IFSC subsidiary to manage USD transactions.
These rules won't be changed for you - there are larger socio economic reasons for the rules.
> Doing business in India is so frickin hard, especially after GST.
How has GST made things worse? I had paid Service Tax for 10 years prior to GST, and that was a far worse experience.
a) Prior to GST these was an enormous amount of tax fraud. GST makes that way harder, on account of people being able to track and claim input credits. Many (not all) people who were complaining did so because they were suddenly unable to dodge taxes. This forced them to disclose all sales, which affected income tax as well.
b) Everything is now visible on the portal. Who you paid, what they deposited etc.
c) Initially, there were many more compliance requirements. Now it's simpler, with quarterly filing if you qualify.
> Doing business in India is so frickin hard, especially after GST. I have to spend so much time on accounting nowadays and it's getting harder and harder every day (even though all the ads say otherwise).
Why are you having to spend so much time? I mean all the popular accounting suites already support GST and automate most of the compliance. The rules haven't materially changed so, why is it getting progressively harder?
> I almost got my Digitalocean account suspended few months back because the credit cards won't bill anymore.
Why won't they bill anymore? After I enabled international transactions on my card, I haven't faced any problems with DO or AWS.
> If it were not for Stripe Atlas
If you have a Delaware C Corp, why are you even bothered by RBI rules? None of the limitations of the Credit cards or PayPal apply to you anymore.
This is primarily because those companies haven't updated their payments systems to be compliant.
The e-mandate system seems to be pretty good. Netflix is compliant and it worked seamlessly from day one of the switch. It could be because they have incorporated locally, which can be difficult for many other companies.
> This is primarily because those companies haven't updated their payments systems to be compliant.
For big companies with decades or more of legacy cruft, it's a hell of a lift to make their universe compliant. Especially if your large company tends to fall onto the "decentralized org structure" part of the spectrum where a billion teams run around doing their own thing with very little top-down oversight.
It's the same kind of story as it was for GDPR (and CCPA to some extent). Some companies can pull it off easy because their org structure is way more top down. Others that are bottoms up have a much harder time because you have to heard a million different teams towards something new that doesn't really deliver much immediate business value.
I assure you though, these companies are all no doubt hard at work making life better for their india customers... it is just a much harder lift for their organizations to handle. Which is not to say their org structure is a bad one. It just isn't optimized for top-down mandates like these.
This “authorize charge” change is really giving headache both to customers and companies. If person owning CC is not available, emails are misses, etc. so scheduled e-mail campaigns are not sent, backups are not done, scheduled data loads were not performed, etc.
Basically running business is getting harder and harder in India.
So this one thing why USA is still leader: not because it is “great” but because it is still “Wild West” (sure somebody will say “free country” - let’s be honest it is more of a “Wild West”)
If you'd bother to read the article (or heck the first two lines of the article) you'll see that this rule does not mean you'll have to re-enter your credit card info on every order.
> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."
Credit cards are from an era where magnetic stripes was a novelty. It is just a bunch of numbers and very lax in security.
Visa & Mastercard are just global duopolies, they have used their dominance to keep the cards easy to use but insecure. The cost of fraud is ultimately borne by the merchants, who try to pass on the hefty fee to the card holders.
India is trying to move to digital payments, a vast majority of the people are first time card holders or even account holders. Frauds do not make it easy, and we do not want to make digital payments more expensive than cash payments.
This is not a move against any card network. However, I personally think it is wrong for Visa/Mastercard to use their market dominance to charge 2-3% of every transaction. As we move more and more into a digital economy, this duopoly starts to sound like a New East India Company.
You should know that a small portion of the 2-3% transaction fees goes to the card networks. Most goes to the card issuing bank. Now in fairness, the banks also cover the cost of some fraud, and payout generous rewards to their best customers.
Something I learned in college - not all countries have the same laws as the US where it's easy to dispute a charge and the burden of proof is with the merchant.
If India is one of those places where the burden of proof is on the customer, and it's difficult to dispute charges, it makes sense to tokenize things.
The rules around chargebacks et al are dictated by the card scheme and remain the same regardless of country the merchant is operating in or car holder is transacting in. How this translates on the ground would be the primary point of difference to other countries.
I love it. The optimistic model forces me to be hyper aware of all my banking activities and know when fraud happens retroactively. All the Indian regulations mean I effectively don't have to worry as much unless something serious happens. CC stolen? I don't care they won't have the pin or the secure pin used for online transactions so it's useless and I can just close the card on the banking website. Mobile phone stolen? They won't have the pin to do UPI transactions so they can sell my phone but not have access to any of my banking activities. It's a total Erin. This new regulation helps prevent my card info from getting leaked by all these cheap sites with intern developers
yesterday saw a family member get an sms "your jio mobile e-kyc is pending. please call 6006xxxxxx number to get your e-kyc done so that there is no disruption to your service". this came after trai decided to https://telecom.economictimes.indiatimes.com/news/trai-pushe...
this means, anyone who read the news understood this was going to happen and scammers put their numbers and sent out sms. any unsuspecting user would just call them whereby they would ask their aadhar card, pan card, otp and you are fucked.
Great, I'd also like if the merchants were forced to not message via WhatsApp; From couriers to securities every business in India expects that you have WhatsApp and are willing to communicate with them through it.
I just tell all of them that I don’t have or use WhatsApp, and that’s true. They wouldn’t be able to send anything over WhatsApp since my number was never registered with that platform. Those who want my business will have to abide by my preferences.
I've had customer service personal change their tone towards me after I tell them that I don't use WhatsApp and requested them to send an email instead, They seem to take it as a personal insult (or) Couldn't believe that someone couldn't have WhatsApp.
So, in the early days of online retail, I built shopping carts that stored credit card numbers in the business's database and connected directly with a credit card gateway (not a provider like Stripe). By around 2006 it became clear that this was insanely dangerous to do. Every merchant could not be storing a database of their customers' credit card numbers. I don't know if it's actually illegal to do online card processing this way in the US now, but no card company would work with you if you did.
So my takeaway from this is that, the fact that card companies are still accepting "card not present" style transactions from online retailers in India means they have been willing up to this point to tolerate a large amount of fraud and hacking in order to tap the market. The logical next step for them is to limit the number of data sources storing the card numbers and customer data themselves. Whether this comes in the form of a government decree or the slow moving of the card companies away from accepting these kinds of transactions, the change is inevitable. Local hosting and locally managed databases are no place for credit card numbers to be stored.
The sooner we move everything to one-time tokens (apart from subscriptions) the better. It's absolutely a ridiculous security model we have in place at the moment. I pay absolutely everything I can with Apple Pay now. I also would like to be able to use one-time disposable cards (without an additional fee) in Europe (ala privacy.com) but I have yet to find such a service.
I'm interested to know what level of "cannot store" the info is implemented? Or is it mediated by a 3rd party company / algorithm that sanitizes the data but to a certain amount that some association can still be done?
For example, can the customer's credit card be anonymized but still tracked to know that the same credit card is used on 2 different transactions, for example?
E.g. if I wanted to give the customer only 1 special offer per credit card number, is that possible for the retailer to tell? Or is it even more sanitized such that every single transaction gets a different hashing?
How do refunds get issued if the number can't be stored and presumably you don't want the retailer to have the backwards decoding to be possible?
I always enter my card details (unless direct bank transfer is available, which is becoming pretty popular lyckily).
But I never found the idea that a saved credit card number (23 digits) would make a shopping experience so much convenient than having to enter it.
A typical checkout still has me entering my address, choosing between 5 different delivery options, agreeing to various terms and so on. The payment step is just a minor step along the way.
I wonder if this entering of payment info is feeling more inconvenient to people who have become used to not having to do it, for example because they have used Amazon (I still never ordered anything there because they don't have a functioning operation where I live).
You probably don't want to use bank transfers, depending on your jurisdiction. Using any sort of visa/masterdcard/amex gives you some protection via chargebacks. In the UK (and I think many other places), paying with a credit card over £100 gives you enormous additional protection (the credit card company is also liable for any problems). So if someone goes bankrupt, the credit card company has to make you whole. This is super helpful if eg you can't do a warranty claim on a product because the supplier went bankrupt. The credit card company has to resolve it (which generally means a full refund).
Paying with bank transfers completely negates all this protection. Merchants love it for this reason (and lower fees), but as a consumer it offers no benefits and a lot of drawbacks.
Disclosure: I work for a fintech in India, specialized in card payment.
It seems here people see this rule as "merchants can't store card numbers any more". This is actually a lot more than that, this is the new rule: you cannot store card numbers for recurring payment. Even if you are PCI-DSS compliant. Even if you are audited by the RBI. Even if you're sponsored by a bank. The only way to store a Visa number is to use the Visa tokenization service.
Now if you know a bit of the card payment industry, you will know that you need the card number just to process the payment, the refund, etc. So you still have to store the card number. And you can. You just can't use it for recurring payment any more.
My personal take: Giving full control to Visa and Mastercard over their card numbers for recurring payment seems to be a nice transfer of power to these two giants. But the time scale has been very short (a few months only). So practically, most recurring card payments will stop working or be illegal in two weeks. This is will more or less break existing subscriptions working with cards.
India (the RBI at least) has been in a campaign for independence in the payment infrastructure. American Express[0], Diners[1], Mastercard[2] have been banned in India. Diners' ban has been lifted now, but still. Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].
This change is not for the sake of security. You can have the best firewalls, cutting-edge HSM, security team and pass 12 audits a year. You will be allowed to save these card numbers but you won't be able to authorized to use it for recurring payments. This is just a move against cards, and to promote UPI instead. By making recurring card payment a hindrance, more people will transition to UPI.
I don't agree with your interpretation on this being a stealth tactic but even if this was one it's just the state institutions acting in the interest of their mandate. This might not be beneficial to you employer or Visa or MasterCard or few high flying credit card users of the super rich class but it is in the interest of the people.
If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt or other interests it's the right thing to discourage them directly or indirectly.
Think in the interest of the people. WTO commitments are not worth the paper they are written on. State should do the right thing to benefit the people as a whole not worry about inconvenience to a few people or few middle men or foreign companies.
Ah maybe my comment is not clear, I am not judging on whether this is a good/bad move for people. I wanted to explain that the card number will still be stored: it only applies to recurring payment (at least for now). So for anyone worried about entities storing the card number... this will continue.
I understand the confusion, but just to clarify I'm a big fan of UPI :).
Now, is it good move for the people? It's a complex topic, one could write a lot about it. This move will push people away from cards because card tokenization won't be supported for a while, making recurring payment harder. It's well known that very small amounts of friction can drastically reduce the conversion rate. Entering the card details every time is a hassle for sure.
So more UPI payments. But today there are no MDR for UPI transactions, meaning fintechs and banks are losing money when they process these transactions. For banks, it's supposed to be ok because a digital transaction is cheaper than a physical one. For fintechs, this is tough, you need to find money somewhere else. So less money = less incentives = less innovation. However there have been talks to put back some fees on UPI (banks are pushing a lot on this).
On the other hand, more card payments = higher MDRs. So merchants or customers, or both, will pay more to process the transactions. Banks and fintech get more money. But with a lack of competition, because of the current duopoly (Visa/Mastercard), and the difficulty to enter the market due to strict regulation, innovation is far from its peak. Just by looking at how long 3DS2 takes to roll out you can see that there is a lot inertia.
It's not black and white, as often. Personally I think UPI is a better direction. The only downside is that's it is only for domestic payment. I'd love to see an EU initiative as successful as UPI: instant payment could be the EU equivalent but the fees are crazily high in some countries.
MDR problem can be solved as you indicated. It also needs a solution pretty soon too.
EU and developed countries' banks live and finance their profits on fees as they don't make much or any money on loans and other traditional financial tools. Those fees aren't going to go away.
> If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt
Is there any evidence that the RBI actually thinks this? You seemingly criticise GP on their inference of an ulterior motive but then posit your own ulterior motive.
Yes, some basis exists for such assumptions. RuPay and UPI were originally conceptualised by RBI and Govt of India to solve the overdependence problem. Otherwise RBI and GoI had no reason to introduce RuPay and they could have let the market develop organically.
Recent RBI moves of data localisation and enforcement actions against Diners, American Express and Mastercard also indicate strong intent.
It's a potential situation India is always worried about from a strategic aspect. India is neither strategically aligned to the US nor against it. Historically US strongly supported India's enemies and actively worked against India's interests all the way from 1945 to mid-2000's. US under various administration even threatened attack or sanctions when things don't go their way.
Current day:
Right now in 2021, US is threatening sanctions under a US law called CAATSA just because India bought a few missiles from Russia which is a long standing defence supplier to India. I know that CAATSA is forced on Biden and Trump by US Congress but it doesn't matter to India whether the US executive is doing it intentionally or not, the US state is threatening sanctions over CAATSA. In this era, when India is actively fighting/hindering Chinese agression on it's borders and taking actual casualties where acting against China is also in US interests, US threatens economic sanctions against Indian institutions and companies just because they bought a few surface to air missiles which they think are the most economical option to deter Chinese attack.
US Treasury calls India a currency manipulator and threatens to cutoff India from the USD financial system (as per US appropriation acts enacted to target China) although economists call such a designation as stupid when used against low per capita income developing countries with a current account deficit just because India tries to prevent an exchange rate blowout that could lead to many millions of Indians falling below the poverty line or losing line of income.
Historical:
In 1999, Clinton threatened to summarily sanction India on all fronts including financial when India threatened to go beyond the de-facto border to restrain Pakistan forces after they occupied Indian territory in Kargil. This threat repeated in 2002 after they supported the Pakistani position after Pakistan sponsored terrorists attacked the Indian parliament and India threatened to retaliate against Pakistan.
Every time Pakistan does something stupid against India, US intervenes and threatens to sanction India under the vacuous argument that they want to prevent a "nuclear armageddon". It's not in india's interests to succumb to such threats when they aren't the source of the problem.
In 1998, when India tested it's nukes for the 2nd time, Clinton placed a breadth of sanctions on India because US doesn't like nuclear proliferation although India had nukes sinces 1974 and everyone knew pak had since the mid-1980's and US turned a blind eye although it knew that China, Pak and North Korea are working together on them. US wants so called strategic balance between India and Pakistan and actively supports Pakistan on many issues. This prevents India from deterring China as it has spend resources countering Pakistan which itself is propped up by US Military and economic aid.
In 1971, Nixon threatened to nuke India if India doesn't withdraw from current day Bangladesh when India intervened to stop a Pakistan Army led genocide and the resulting refugee crisis. Nixon didn't follow through because India convinced USSR to provide a similar counter threat.
What happens to an economy if 100% of retail electronic transactions stop overnight?
It is not in India's sovereign interest to let foreign companies control any significant chunk of the financial sector and it's especially not acceptable if they are US companies because US frequently uses this leverage of threat of sanctions to get it's way against Indian ineterests.
I believe merchants are not allowed to charge extra for visa or mastercard, but there is a hefty commission payed to them.
They then use this to attracts customers and/or banks to sign up. Rupay customers end up paying part of the hefty commissions (albeit indirectly) that Visa charges the merchants and the Visa customers get discounts, cash backs and offers.
A payment network is just a payment network, they shouldn't be using their market dominance to run marketing schemes.
> I believe merchants are not allowed to charge extra for visa or mastercard, but there is a hefty commission payed to them.
This is not the case in India but is the case in other markets, yes. The IRCTC (national railway company) is for instance displaying it and the customer has to pay fees depending on the selected payment option. Some actors even hide this amount until you reach the page asking you for an OTP! I don't think it's necessarily done with malicious intent, but it exists.
Sometime you won't see Visa or Mastercard but instead "Debit Card" and "Credit Card" vs "Rupay" for instance.
What you are saying does not align with the text of the directive. It clearly says that card numbers cannot be stored for any purpose. Quoting from the directive:
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
How would recurring transactions or metered billing work? Does this only apply to merchants or providers that are not PCI-DSS compliant and cannot safely store cardholder data?
The headline is kinda misleading.
They can store credit card information, but they can only do that in tokenized format instead of the current way of storing.
Tokenized format hides the number and other information making it more secure.
You can read more about it here https://www.thequint.com/explainers/rbi-allows-card-on-file-...
To be clear, I am commenting on the difference between:
"Recurring payments work by storing credit card info in tokenized form, which is still allowed".
vs.
"Recurring payments work by storing a token instead of credit card information."
Those both answer the question, but they say different things on whether "credit card information" is stored. And they say different things about whether the headline is misleading.
To use card tokens for any kind of payment, you need to integrate with some kind of card data vault, which this rule seems to also prohibit. It seems to be instructing the card brands to issue unique tokens for ever cardholder + merchant pair. No idea how that would work…
That number needs to be mapped to the PAN, and somebody has to have stored that PAN somewhere in order for it to be used to process payment. This rule says nobody other than the issuer and the card brands are allowed to store the PAN.
Sure, that's why you get the token from the issuer or card brand. That way there's only one entity that stores the PAN, and no third parties are storing it.
To quote the article linked above, "The central bank said the facility of tokenisation shall be offered by TSPs only for the cards issued by/affiliated to them."
There is no exception for recurring payments. Also unfortunately this applies to all online merchants and Payment aggregators regardless of size and certifications. So as it stands a separate auth is needed for each transaction which is completely regressive and precludes a lot of convenience use cases. My guess is that they are doing this to make Upi more convenient in comparison. But I won't be surprised if its just another short sighted we know it all mentality decision from the regulator who has a history of u-turns.
Edit: Looks like they do allow card tokenization (not part of original proposal) which should address a lot of use cases
Here is the commentary about the original proposal:
This change just says that only the card issuer or card network can store the card number (PAN). Everyone else in the processing chain can only store card tokens.
This isn’t a surprising change and was always going to be the future of PCI compliance.
Any card details that are being stored in the merchant's database need to be tokenised. It applies to all entities who are retrieving card details from customers, irrespective of PCI/DSS compliance.
I have already lost my online book store: "perlego" subscription because of this. This is has 100% directly stopped my access to learning. There is no other way to put it.
I found the approach of disposable virtual card numbers (Visa and Mastercard) that Revolut is giving to each app owner for free is amazing.
This number (always different) can be autopopulated from a browser plugin during checkout from the PC and has a very smooth user experience. I don't need to take a card out of my wallet or open the smartphone app to do this. I am happy and regulator is happy too, in this case.
Pardon me if I’m incorrect, but isn’t this like one of the best use cases of Stripe? Stripe usually takes care of CC/ACH information and tokenizes it, only passing the tokens to the merchant instead of the merchant having to store the CC information. Maybe this would be a good way to start a payments company boom in India?
There are already several (razorpay, paytm, payu) that do exactly that. They do charge 2% flat fee which is still high by Indian standards (comparing to cash and upi). So merchants do try custom solutions with bank gateways to reduce the fee.
I have worked with shops that stored the entire credit card number in PLAIN TEXT!. Not just credit cards, even their users' passwords. This also explains why many of them got and still get hacked from time to time. Even credit card processors got hacked due to this. Lot of shitty ones in the Indian market actually.
The root cause of this, not to cause language flame wars here, but is most of the shops use script kiddos with just basic PHP knowledge. Bare minimum, they're recent fresh college grads who just know how to consume data from a form using PHP using GET and POST, that's it. Most of the code I've worked with just consumes this directly instead of stripping/processing it and end up introducing SQL injection attacks. Atleast, if they used a framework, this would be provided by default for free, but many of the developers hardly know about even MVC.
(As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.
Well folks, that's it for today's note on why this was a good move. Have a nice day!
Edit: Some of the recent hacks that were not made public widescale like they should've been:
1. Domino's Pizza India (Yes, the international pizza chain)
2. BigBasket (Largest online grocery ordering App)
3. PayTm (One of the largest, if not the largest digital payments app in India)