RBI Closes Authentication Loophole for CNP Merchants Using Foreign Gateways

Aug. 25, 2014

RBI Closes Authentication Loophole for CNP Merchants Using Foreign Gateways The Reserve Bank of India (RBI) on Friday informed companies that accept card-not-present transactions in India using a foreign gateway, they must still abide by regulations requiring two-factor authentication. The note to its banks was the result of popular taxi app Uber’s launch in India. Rivals claimed they could not compete with Uber’s payment experience which enables customers to exit cabs without paying the driver. An Uber payment is charged automatically to the consumer’s credit card upon leaving the cab without requiring any further validation of the consumer’s identity. Not requiring a password at payment is illegal in CNP transaction between two entities in India. Because they used a foreign gateway and the funds were leaving the country, Uber and others contended the two-factor rule did not apply to them. The RBI felt otherwise.

“Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of transactions, is not acceptable as this is in violation of directives issued under the Payment & Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999,” the agency clarified in its note.