Mint Explainer: How additional factor authentication will secure online international payments


MUMBAI: In a significant move to strengthen the digital payment security framework, the Reserve Bank of India (RBI) has proposed to enable additional factor authentication (AFA) for international card-not-present (CNP) transactions.

The move aims to provide Indian consumers with an additional layer of security when dealing with foreign merchants, ensuring a safety net comparable to domestic transactions, where additional factor authentication is already mandatory.

The RBI will soon issue a draft circular to invite feedback from stakeholders.

What prompted the RBI move?

Instances of fraud in international card transactions typically involve unauthorized charges made on foreign websites where minimal authentication is required. This has exposed Indian cardholders to risks, particularly in scenarios where merchants do not verify key details such as CVV numbers or where recurring payments are set up without additional security checks. 

Experts believe that enabling AFA for such transactions will act as a critical safeguard for customers. “By introducing AFA for international card-not-present transactions, the RBI is adding an extra layer of security that can help prevent unauthorized transactions,” said Adhil Shetty, chief executive, BankBazaar.com. 

Currently, many banks disable international transactions by default for newly issued cards. Users must manually enable them if they wish to use their cards for cross-border payments. Despite this safeguard, fraudulent activities can still occur due to the lack of multi-factor authentication on foreign websites. Real-time transaction alerts and stringent security protocols help reduce the risk, but additional measures like AFA will significantly enhance protection.

Experts also highlight that the implementation of AFA will align international transactions with the robust security standards already in place for domestic payments. This will not only reduce the likelihood of fraud but also increase user confidence in engaging with foreign merchants.

What type of AFA will be used?

The exact nature of the AFA is yet to be finalized. It could be one-time password (OTP)-based authentication, similar to domestic transactions, or other methods such as biometric verification or app-based prompts. 

According to Shetty, the final form of AFA will be determined after consultations with stakeholders. “The RBI will release a draft circular soon, and the final shape of the AFA will be decided upon only after deliberations with stakeholders,” he said.

What are the current security measures for international CNP transactions?

At present, international transactions, including CNP transactions, are disabled by default for newly issued cards in India. Customers must explicitly enable international usage to transact on foreign websites. Banks are required to send real-time alerts for all transactions, allowing users to quickly detect and report any unauthorized activity. Regular security audits and compliance with standards such as PCI DSS (Payment Card Industry Data Security Standard) are also mandatory for banks and payment processors to identify and address vulnerabilities.

What could be the implementation challenges?

One key challenge in implementing AFA for cross-border transactions is the lack of uniform support for such mechanisms on international websites. Some foreign merchants may not have the capability to prompt for AFA, potentially leading to failed or declined transactions. This could pose a problem for users transacting on these websites.

“Care should be taken that the AFA does not become a bottleneck leading to failed or declined transactions while transacting on international websites that lack the capability to prompt AFA,” Shetty said.

Furthermore, questions remain on how recurring payments and subscription-based services will be handled. These types of transactions often bypass CVV and other authentication steps after the initial transaction, raising concerns about the impact of AFA on user convenience.

“For most international CNP transactions, entering the CVV is mandatory. This is part of global and RBI-mandated security protocols to minimize fraud risk. However, there are certain exceptions, especially for subscription-based services where the CVV may not be required after the first transaction,” Shetty noted.

Some merchants may skip CVV verification for low-risk transactions, but these are exceptions.

 

 


