Airtel, ZoomCar leaking Credit Card Number during merchant refunds

Srikanth @logic
Published in CashlessConsumer
5 min read · Feb 26, 2021

How large merchants are making ‘UPI payment’ for credit card refunds, exposing credit card numbers — compromising customer security and privacy.

A few days back I tried loading money into my Airtel Payments Bank wallet using my credit card. The transaction failed, though the card was debited. I was reasonably sure the transaction would reverse itself in the coming days. And it did, but with a surprise. I got a message from ICICI saying

Thanks for your payment of Rs.X into your card XXXX via UPI.

I was initially surprised because I never use UPI to pay my credit card and wondered what the payment was about. It was only when I looked at the statement that I found something alarming: the refund for the failed Airtel Payments Bank wallet load, instead of showing up as a reversal, had been made as a UPI payment to the card.

In another case, a refund from ZoomCar, instead of coming as a partial amount reversal on the card, came as a UPI payment to the card. I have saved my credit card with both these merchants. Not only did they not tokenize the card on file, they used it to make a payment to my card.

Some banks auto-create rule-based Virtual Payment Addresses (VPAs) / UPI IDs, such as ccpay.<CardNumber>@icici, to give their customers an option to pay their credit card bills over UPI.

ICICI Poster advertising the ccpay via UPI feature.

Some payment apps use these VPAs to offer their users a way to pay credit card bills. That flow at least involves the user: the consumer actively hands their card number to an app that claims to do bill payments. When I saved my card details with these merchants (Airtel and Zoomcar), it was solely for a faster checkout experience, and the merchants were not supposed to use the 16 digits of my card for anything except card transactions that I authorize on their platform during checkout. Instead, Airtel and Zoomcar used my card number to construct a VPA under the ccpay.<CardNumber>@icici scheme and pushed a UPI payment to the account linked to the card, exposing my card number to the whole range of UPI intermediaries in the process.

A credit card number is "sensitive personal data or information" (SPDI) under the IT Rules 2011, which prohibit disclosing such information to a third party without the prior permission of the person who provided it.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Airtel and Zoomcar never obtained my permission to use my card number to make a payment via UPI when reversing / refunding a transaction I had made to them with the credit card saved on their website.

Why is this a big deal?

  1. When the payment was made via UPI, the merchants' banking partners and NPCI received the ccpay.<CardNumber> based VPA, and it is now etched into their systems. UPI has not classified the Virtual Payment Address as sensitive personal data, and by default a range of intermediaries keep a copy of the transaction data for every transaction they are involved in (for 5 to 7 long years!). A compromise of any one of these systems now also leaks my credit card number, deposited there through these merchants' non-consented transactions, so the exposure of my card number increases drastically.
  2. When I saved my card details with these sites, it was solely for a faster checkout experience. I did not consent to these merchants using my card number to create a UPI VPA and make a payment to me through it.
  3. Making a payment to the card for the same amount and reversing / refunding a failed transaction are two different things. The former signals to credit information companies that a transaction happened and a payment was made, when in reality it was a refund / reversal. This has implications for my personal credit score.

Is a UPI VPA sensitive personal data?

To make matters worse, in the UPI world Virtual Payment Addresses are a grey area when it comes to classifying them as sensitive personal data.

Definition of SPDI from the IT Rules 2011

UPI VPAs are formed from mobile numbers (BHIM, PayTM, PhonePe, WhatsApp Pay) or email IDs (G-Pay), all of which are "freely available / accessible in the public domain". Even credit card numbers can be sequentially enumerated, and a list of card-based VPAs can be generated programmatically. While the credit card number itself is specifically defined as SPDI in the IT Rules 2011, forming a VPA with it strips that classification off, and any entity can share a card-based VPA without violating the IT Rules 2011 in letter, though it violates them in spirit.

What needs to be done?

  • RBI must implement the Guidelines on Regulation of Payment Aggregators and Payment Gateways without any further delay. They take away merchants' and aggregators' right to store card data in raw form and mandate tokenisation, which removes their ability to build a VPA from a card number, since they will not hold the raw number in the first place.
  • Do a thorough review of the SPDI classification of UPI VPAs. No such classification is explicitly specified today, so payment ecosystem players and merchants are not mandated to protect consumers' sensitive financial information in this form. Amend the rules accordingly, particularly against the auto-creation of rule-based VPAs by UPI issuer payment system providers using debit / credit card numbers.
  • Do a comprehensive audit of the usage of card numbers outside the card payment rails when granting PCI DSS certification.
  • As an aggrieved person whose credit card details have been leaked, I demand that the entities that enabled this leak be charged and that I be issued a new credit card at no extra cost. Further, NPCI must publish statistics on all card-based VPAs used by merchants; all such cards must be replaced free of cost to the customer, and the violating entities must be penalised and charged for it. Not doing this exercise leaves all these card numbers deposited in multiple places, exposing customers to cyber attacks / threats.
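The audit of card numbers used outside the card rails (third point above) and the rule-based VPA formation described earlier both reduce to one check: does the local part of a VPA embed something that looks like a card number? Below is an added example of that check in Python, written for this page and not code from the article, NPCI, PCI SSC or any bank. It assumes a hypothetical log format (txn / payer / payee / amount fields), uses constructed records built from the standard Visa and Mastercard test PANs, and treats the Luhn check as a false-positive filter rather than proof that a digit run is a PAN. Findings carry only a masked VPA and the last four digits, so the audit tool itself does not become another place the full card number is deposited.

```python
import re
from typing import Dict, List

# Constructed sample UPI transaction records (hypothetical log format, not real
# data). The payee VPAs in the first two follow the rule-based
# ccpay.<CardNumber>@icici scheme described in the article. The 16-digit
# numbers are the standard Visa/Mastercard test PANs, which pass the Luhn check
# but belong to nobody; the last record carries a 16-digit run that fails Luhn.
SAMPLE_RECORDS = [
    "txn=1001 payer=merchantrefunds@axisbank payee=ccpay.4111111111111111@icici amount=499.00",
    "txn=1002 payer=zoomcarpay@hdfcbank payee=ccpay.5555555555554444@icici amount=1200.00",
    "txn=1003 payer=9876543210@ybl payee=grocer@okaxis amount=250.00",
    "txn=1004 payer=someone@oksbi payee=bill.1234567890123456@icici amount=99.00",
]

# A VPA is <local part>@<handle>; the local part may contain dots and dashes.
VPA_RE = re.compile(r"(?<![\w.\-])([\w.\-]+)@([A-Za-z]+)\b")
# Card numbers are 13 to 19 digits; the run must not be part of a longer digit run.
PAN_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check that
    every payment card number satisfies. Passing Luhn does not prove a run
    is a PAN (roughly one random number in ten passes), but failing it proves
    the run is not one, so it is a cheap false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_vpas(record: str) -> List[Dict[str, str]]:
    """Return one finding per VPA in the record whose local part embeds a
    Luhn-valid 13 to 19 digit run. A finding never carries the full PAN."""
    findings = []
    for local, handle in VPA_RE.findall(record):
        for run in PAN_RUN_RE.findall(local):
            if luhn_ok(run):
                findings.append({
                    "vpa_masked": local.replace(run, mask_pan(run)) + "@" + handle,
                    "handle": handle,
                    "pan_last4": run[-4:],
                })
    return findings


def audit(records: List[str]) -> Dict[str, object]:
    """Scan a batch of records and summarise card-based VPAs per bank handle,
    the kind of statistics the article asks NPCI to publish."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        findings.extend(find_card_vpas(rec))
    by_handle: Dict[str, int] = {}
    for f in findings:
        by_handle[f["handle"]] = by_handle.get(f["handle"], 0) + 1
    return {
        "records_scanned": len(records),
        "card_based_vpas": len(findings),
        "by_handle": by_handle,
        "findings": findings,
    }


if __name__ == "__main__":
    summary = audit(SAMPLE_RECORDS)
    print(f"scanned {summary['records_scanned']}, flagged {summary['card_based_vpas']}")
    for f in summary["findings"]:
        print(" ", f["vpa_masked"], "last4:", f["pan_last4"])
```

Matching on the fixed ccpay. prefix alone would catch only ICICI's scheme; looking for any Luhn-valid digit run in the local part also catches other rule-based card VPAs, while the 10-digit mobile-number VPAs that most UPI apps generate never reach the Luhn check. Against real switch or PSP logs the same logic would run over the stored transaction copies the article describes, and the masked output is what an auditor or NPCI could publish without repeating the leak.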

I have written about this to DPSS, RBI and PCI SSC India, hoping the problem gets fixed.
