New e-payment norms likely to block auto-subscriber route: Experts

Avoid exposing your data; use a virtual card instead

When doing an online transaction, we are often asked if we would like to store our card data with the seller. The purpose is to avoid the hassle of entering our card details each time, thus making shopping faster and more convenient. But beginning July this year, things won’t be as simple.

The Reserve Bank of India (RBI) has made it harder for online merchants, payment aggregators and e-commerce websites to store customers’ debit and credit card details.

Manoj Chopra, vice-president and head-products and innovation, Infrasoft Technologies, says, “The circular doesn’t specifically say that entities should not store card data. What it says is that to store data they need to meet the Payment Card Industry Data Security Standard (PCI DSS).”

The issue herein is that complying with these standards is costly, so many players may not be able to do so.

Enhancing security    

The new norms are aimed at making online transactions safer for customers. Every few months, we hear news of websites being hacked and data being stolen. There are also reports of card data of Indian customers being available for sale on the dark web.

An online transaction involves many players — online merchant, payment gateway, card-issuing bank, and card service provider.

Ritesh Bhatia, cybercrime investigator, cybersecurity and data privacy consultant, says, “Data could get leaked from any of the parties involved.”

The RBI raising the bar on security by not allowing players to store data unless they are PCI DSS-compliant will go a long way towards enhancing security.

This step could also reduce the propensity for impulse purchases.

M Barve, founder, MB Wealth Financial Services, says, “If you have to get the card out of your wallet and enter all the details again, it delays the process by a few minutes. In that period, you may rethink your decision to make that purchase.”

Customers will also be able to avoid becoming automatic subscribers to a service. On many websites, the ‘save my data’ permission box comes pre-ticked. If you use the site once, your data gets stored on it. Bhatia says, “They start charging your card unless you cancel.”  

Prioritise safety over convenience

Security experts say it is much safer, if less convenient, to not store card data on a site. Memorise your card data or pull the card out of your wallet and enter the figures each time you shop.

Bhatia says, “When it comes to choosing between security and convenience, give precedence to security.”

Payment information could be captured at any of these sites: the online retailer’s site, the payment gateway provider’s page, or the bank’s page.

Chopra says, “Wherever you are entering payment information, that entity should be PCI DSS-compliant. Check for the PCI DSS logo at the bottom of the page.”

Avoid shopping on smaller websites. Their safety protocols are weaker and they are more susceptible to hacking.  

You can also avoid exposing your card data while doing online transactions. Instead, use a virtual card. Alternatively, use a dedicated card with a lower credit limit, or a dedicated bank account for online transactions in which you keep a limited amount. 
 

Bhatia says, “You can also load the required amount on the site’s wallet, like Amazon Pay for Amazon.” 

Finally, use the switch on/off facility on your cards, set a limit for domestic online transitions, and activate international transactions only when required.