78. Cards — Update

Aditya Kulkarni, published in Auth-n-Capture
8 min read · May 7, 2023

Cards have gone through quite a few upgrades since 2021. It started with Standing Instructions on Cards, then changes to prepaid card loading, a revision of the credit card issuance guidelines, card tokenization and linking credit cards to UPI. Amongst all this, the migration from 3DS 1 to 3DS 2.0 is happening silently.

In this article, we will cover the recent developments related to cards.

I. Card on File (COF) Tokenization

Card on File tokenization has been in effect since 1st Oct 2022 (read this article).

There are two flows:

  1. Token (Save Card) flow: the customer gives consent to tokenise the card and, after the 1st successful transaction, doesn’t need to enter the card number and expiry date for subsequent transactions.
  2. Guest Checkout — the customer opts not to tokenise the card and enters the card number and expiry date every time.

On 21st April 2023, RBI issued guidelines for ‘guest checkout’:

  • A merchant or Payment Aggregator (PA) involved in the settlement of a transaction can save COF data for T+2 days (revised from the earlier T+4 days) or until the settlement date, whichever is earlier, and must purge the data after that
  • Acquiring banks can save COF (Card on File) data up to T+90 days (revised from the earlier T+180 days). For transactions done before 21st April, compliance with the T+90 days timeline shall be ensured by 30th June
  • Entities have to come up with an alternative to handle guest checkout by 31st Oct 2023

Implications:

  • Refunds for transactions that are more than 90 days old need to be processed offline — when a merchant marks a refund, the PA has to send a file to the acquiring bank instead of calling refund APIs. This could add some delay to refund processing
  • To process guest checkout, PAs/acquiring banks have to implement a one-time-use token to process the transaction before 31st Oct.

Curious Q: If a PA offers instant settlement within 1 hour, does the PA have to purge the card data within that hour or on the same day?
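As an added illustration (not code from the article or from any PA), the retention and refund-routing rules above written as a small policy check; the role names, function names and dates are constructed for the example, and the merchant/PA rule applies the “whichever is earlier” clause exactly as stated:

```python
from datetime import date, timedelta
from typing import Optional

# Retention limits quoted above from the RBI guest-checkout guidelines:
# merchant/PA: T+2 days or the settlement date, whichever is earlier;
# acquiring bank: T+90 days. Refunds older than that go via an offline file.
MERCHANT_PA_MAX_DAYS = 2
ACQUIRER_MAX_DAYS = 90


def purge_deadline(role: str, txn_date: date,
                   settlement_date: Optional[date] = None) -> date:
    """Last day on which `role` may still hold guest-checkout card data."""
    if role in ("merchant", "pa"):
        limit = txn_date + timedelta(days=MERCHANT_PA_MAX_DAYS)
        if settlement_date is not None and settlement_date < limit:
            return settlement_date  # settled earlier: purge on settlement day
        return limit
    if role == "acquirer":
        return txn_date + timedelta(days=ACQUIRER_MAX_DAYS)
    raise ValueError(f"unknown role: {role}")


def must_purge(role: str, txn_date: date, today: date,
               settlement_date: Optional[date] = None) -> bool:
    """True once the retention window for this transaction has closed."""
    return today > purge_deadline(role, txn_date, settlement_date)


def refund_channel(txn_date: date, refund_date: date) -> str:
    """API refund while the acquirer can still look up the card; otherwise
    the PA has to send an offline file to the acquiring bank."""
    if refund_date <= purge_deadline("acquirer", txn_date):
        return "api"
    return "offline_file"
```

A nightly job over stored guest-checkout records would call must_purge for each one, and a refund handler would call refund_channel before choosing between the refund API and the file upload.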

II. CVV Less transactions:

CVV (Card Verification Value) is a 3-digit (Visa, MasterCard, RuPay) or 4-digit (Amex) number printed on the back of the card (some fancy cards print it on the front). The OTP is validated during the authentication stage, and the CVV (and expiry date) are validated during the authorisation leg.

That means, even if you enter the wrong CVV, you will still get the OTP, and only after the OTP is validated successfully is the CVV validated (read this article).

CVV is referred to by various names — CVC (Card Verification/Validation Code), CSC (Card Security Code), CVN (Card Verification Number), CID (Card Identification Number).

Last week, Visa announced that tokenised Visa debit and credit cards can be processed without CVV validation.

Nothing new… it was always the case.

Even before tokenization, a few PGs (e.g. CyberSource) supported CVV-less transactions for ‘saved’ Visa cards.

Now, apart from Visa, the other major card schemes (Amex, MasterCard etc.) also support CVV-less transactions.

Working: if a CVV is passed in the transaction then it is validated, but if no CVV is passed then there is no validation.

Importance: you can easily conclude that (1) CVV-less transactions will improve the Success Rate by a few basis points and (2) users can complete the transaction faster (and save the 3 seconds needed to type the CVV — time is money… isn’t it?)

There are two CVVs on a card — CVV1 is encoded in the EMV chip/magnetic stripe and CVV2 is the one you see printed on the card.

CVV-less transaction is a simple but tricky feature.

For years, users have been used to a flow where the CVV is validated, so any deviation will alarm them. And such ‘alarms’ will trigger confusion, and confusion will lead to more confusion… thanks to social media and LOLs (Leaders of LinkedIn).

So merchants/PAs who wish to implement this feature have to:

  • Educate customers
  • Provide uniform experience (as all card schemes and banks may not support this)

This is a fascinating problem to solve — think about it.

III. Visa Safe Click (VSC)

Haven’t heard about it?

Do not bother — It is ‘officially’ stopped now.

A few words in memory of VSC — it was a 1-click payment solution from Visa wherein credit card transactions up to Rs.2000 didn’t require 2nd Factor Authentication.

It was a promising solution to provide a frictionless payment experience, but VSC didn’t ‘make the cut’…. That’s it!

Remember, 2FA is mandatory for all types of transactions with a few exceptions — UPI Lite (up to Rs.200), subsequent payments on recurring payment solutions (SI on Cards, UPI AutoPay, NACH), NFC-based card transactions (up to Rs.5000) and MOTO transactions.

IV. Credit Card Bill Payment:

A 16-digit credit card number is similar to a bank account number, and each credit card issuing bank has a single IFSC for credit cards (e.g. HDFC CC — HDFC000128, ICICI CC — ICIC0000103) (for more, refer to this list).

That means a merchant (via the remitter bank) could use IMPS, NEFT (and even UPI) rails to push money to a credit card. This mechanism was used for credit card bill payment and instant refunds to credit cards.

But card tokenization guidelines changed it!

Except for the card issuer and the network, no other entity is allowed to access the card number (exception: guest checkout, and that too only until the end of Oct 2023). So pushing funds to tokenised cards became difficult, and merchants are using alternatives such as Visa Direct and MasterCard Money Send rails, or issuer tokenization (only a few banks are ready with this).

And now, NPCI has come up with an easier and more efficient way of doing credit card bill payment using IMPS rails.

Let’s see how it works:

Virtual Card Number: a simple and interesting concept — a 16-digit virtual card number is created that is in line with the tokenization guidelines (the actual card number is not shown or used).

The card issuing bank has to do a bunch of things:

  • Educate and inform the customer about the virtual card number
  • Map the virtual card number to the credit card number
  • Do a bunch of validations during CC bill payment, credit the card in real time and communicate the status in real time (as shown below)

Note: nothing changes for the remitter bank or NPCI (as it is a standard IMPS P2A transfer).

Transfer:

The credit to the card is done in real time and the issuing bank gives the status in real time.

Fund settlement between the remitter bank and the beneficiary/issuing bank happens as per the standard IMPS inter-bank fund settlement process, i.e. in batches (4 per day via RTGS).

Ideally the above solution should cover all issuing banks and card networks, and as per the guidelines, issuing banks should be ready to support this flow by 31st May 2023.

Instant Refund: The solution can be used for instant refund to credit cards.

During the credit card transaction leg, if the PA/merchant can capture the customer’s mobile number (and figure out the issuing bank), then at refund time the virtual card number can be created (based on the issuer bank, you will have the IFSC) and an instant refund can be made to the credit card.

Remember: IMPS has commercials — a flat fee that varies depending on the transfer amount. So the solution won’t be free.
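An added, simplified issuer-side model of the virtual card number flow described above (bill payment and instant refund share the same inbound credit leg). This is not NPCI’s or any bank’s code; the IFSC, the virtual-number prefix, the sample PAN and the outstanding amounts are constructed placeholders, and the mapping keeps only an HMAC of the real PAN so the virtual number never reveals it:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

ISSUER_CC_IFSC = "EXMP0000CC1"  # constructed placeholder, not a real IFSC
ISSUER_BIN = "999999"           # constructed placeholder prefix for virtual numbers


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every 2nd digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


@dataclass
class Issuer:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    cards: dict = field(default_factory=dict)    # pan_hash -> outstanding (paise)
    vcn_map: dict = field(default_factory=dict)  # virtual number -> pan_hash

    def register(self, pan: str, outstanding: int) -> str:
        """Issue a 16-digit virtual card number mapped to the real card;
        the PAN itself never appears in the virtual number or the mapping."""
        pan_hash = hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()
        self.cards[pan_hash] = outstanding
        while True:
            body = ISSUER_BIN + str(secrets.randbelow(10**9)).zfill(9)
            vcn = body + luhn_check_digit(body)
            if vcn not in self.vcn_map:  # retry on the (rare) collision
                self.vcn_map[vcn] = pan_hash
                return vcn

    def imps_credit(self, ifsc: str, beneficiary: str, amount: int) -> dict:
        """Inbound IMPS P2A credit whose beneficiary account is a virtual card
        number: validate, credit the card and answer in real time."""
        if ifsc != ISSUER_CC_IFSC:
            return {"status": "rejected", "reason": "wrong IFSC"}
        if (len(beneficiary) != 16 or not beneficiary.isdigit()
                or luhn_check_digit(beneficiary[:-1]) != beneficiary[-1]):
            return {"status": "rejected", "reason": "invalid virtual card number"}
        pan_hash = self.vcn_map.get(beneficiary)
        if pan_hash is None:
            return {"status": "rejected", "reason": "unknown virtual card number"}
        if amount <= 0:
            return {"status": "rejected", "reason": "invalid amount"}
        self.cards[pan_hash] -= amount  # bill payment and instant refund: same leg
        return {"status": "credited", "outstanding": self.cards[pan_hash]}
```

The real-time response is what the remitter bank relays back to the customer or the PA; every rejection path answers immediately rather than leaving the transfer pending.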

V. 3DS 2.0

We are all familiar with the OTP that we receive during card transactions… it is called 2nd Factor Authentication or Additional Factor Authentication.

Visa and MasterCard implemented 2FA on the 3DS protocol.

3DS stands for 3 Domain Secure: the issuer domain, the acquirer domain and the interoperability domain (the card network sitting in between).

In simple words, the 3DS protocol establishes authentication among these three domains.

Little bit of history:

  • 3DS was invented in 1999 (the year when we thought Y2K was the worst that could happen, but then 2020 happened!)
  • In 2001, Arcot Systems (later acquired by CA Technologies) implemented it for Visa (Verified by Visa, later renamed Visa Secure). Then MasterCard rolled out SecureCode.
  • The 3DS standard is managed by EMVCo (Europay, MasterCard, Visa).
  • On 1st May 2012, 2FA became mandatory for online payments in India.

3DS 1.0 did its job as well as any protocol was supposed to!

But things have evolved — we have moved from desktop browsers to mobiles, tablets and other IoT devices. Fraudsters have become much smarter, so the risks in payment systems are higher. Our focus is more on providing a seamless and yet highly secure payment experience to users.

So naturally, in 2016, EMVCo launched the next variant, i.e. 3DS 2.0.

Isn’t that a bit old? Why are we talking about it now?

3DS 1 is already phased out globally, except in India and Nepal. It will be phased out in India by the last quarter of this calendar year.

In Dec ’22, international card transactions (customers outside India using their home-country cards to buy things from Indian merchants) migrated to 3DS 2.0, and there is gradual movement in the migration of domestic card transactions.

What is special about 3DS 2.0?

  • 3DS 2.0 captures more data points (link) and passes them on to the issuing banks, which can make smarter decisions to reduce risk.
  • It allows banks to implement various methods for 2FA such as biometrics (Face ID, retina scan, voice, thumbprint etc.) (basically… James Bond style payments… hurray!)

Note: in many countries, 2FA is not mandatory and is used only as a step-up challenge for risky transactions. With 3DS 2.0, banks will be able to profile the risk better and impose step-up challenges more effectively.

Changes in the card transaction flow: an additional leg is added

  • 3DS 1.0: Authentication and Authorisation
  • 3DS 2.0: Data Collection, Authentication and Authorisation

Impact on participants:

  • Acquiring banks and issuing banks have to implement 3DS 2.0
  • Merchants — nothing much (but read the ‘note’)
  • Customers — no changes (you will continue to get the OTP that you are used to, and we are still far away from enjoying silent authentication methods)

Note: merchants who have Direct OTP (where the OTP is entered on the merchant’s or PA’s page) will be impacted a bit. The merchant has to either implement the APIs or integrate an EMVCo-certified SDK to enable direct OTP.

The onus of pushing banks to migrate to 3DS 2.0 is on Visa and MasterCard. They may talk about penalties if banks do not meet the deadline (but it is not clear whether they can impose them).

RBI is not involved in this — RBI doesn’t care whether it is 3DS 2.0 or 3DS 3.142 as long as the transactions follow 2nd Factor Authentication.

I am skipping UPI + credit card linking here as it is more about UPI and less about CC, so I will cover it in the UPI update…

So… that’s it for now!
