As RBI Directive Deadline Looms, E-Commerce Retailers Need to Step Up Card Security Standards

Following last year’s data breach affecting some 1.3 million credit and debit cards issued by Indian banks, the Reserve Bank of India (RBI) will soon officially launch a new bank directive intended to enhance the security of card transactions, largely due to the growth in transaction volume and value.

The breach illustrates the necessity for Indian banks to enhance card security, particularly as more consumers transact online.

As of March 16, 2020, banks must implement features that limit debit and credit card usage for customers traveling abroad. This will include deciding whether or not to disable existing credit cards for online-local and online-international purchases. RBI also has provided direction for all cards issued after this date that could have an impact on online transactions.

In order to be compliant with RBI security-enhancing measures for existing cards, banks will likely limit cross-border online transactions, as these are not 3DS protected. On the other hand, local transactions through credit cards are indeed protected through mandatory 3DS, so such transactions will likely remain enabled through this directive.

But the RBI showed less flexibility on its standards for newly-issued cards. Such cards will only be enabled for transactions through “contact-based points,” which translates to ATMs and point-of-sale devices within India. For card-not-present transactions, such as online purchases, issuers will need to provide cardholders a facility for enablement, such as switching on/off and setting/modifying transaction limits.

As this new directive could complicate the checkout process, many e-commerce merchants in India may wonder how they can keep their card-paying customers. The key is going local.

RBI’s security enhancements are mainly focused on non-protected payments. However, both local card and UPI (Unified Payments Interface) transactions already have stronger security mechanisms in place, making it an easier place to start. UPI is India’s real-time payments system. 

Here’s how you can adapt to RBI’s new directive:

• Switch to local processing: By routing payments through local acquirers, and considering that existing cards will probably remain enabled for local transactions, merchants will be able to keep selling their products or services to hundreds of millions cardholders in India.
• Start accepting UPI: Key payment methods such as UPI enable international merchants to claim their part of the 53% share of online spending that is not being completed with a credit card. In addition, UPI is the fastest-growing payment method in India, which makes it the safest bet for merchants looking to boost their sales in this important market.

The importance of accepting UPI cannot be overstated. Between November 2018 and November 2019, the number of transactions on UPI increased 132% percent during that period. The value of those transactions during that period increased 130%.

The momentum of e-commerce in India isn’t showing signs of slowing, likely due to the healthy spending of today’s consumer. Some 62% of consumers there are buying new products just to keep up with appearances, according to a recent analysis from the Boston Consulting Group. The majority of those consumers are buying electronics such as personal computers and tablets to stay trendy.

The increasing importantance of UPI in India, along with changing consumer behavior, are reasons enough to ensure you’re able to do business in India before the RBI’s card security directive goes into effect.