Additional Password for Online Credit Card Purchase

Ramgopal

8/1/2009


The Reserve Bank of India has mandated that, from 1 Aug 2009, an additional password over and above the CVV (the three-digit number on the signature panel at the back of your credit card) is required for making purchases online using your credit card in India. All banks, payment gateways and eCommerce providers are trying their best to comply with these requirements. The two major credit card brands in the Indian market, Visa (Verified by Visa) and MasterCard (SecureCode), have come up with their own solutions (or have tied up with technology providers) to address some of the security issues associated with online credit card usage.

Need for Online Password
Traditionally, the problem has been that stolen cards or stolen card information have been used to make purchases online. All the key pieces of data required for an online credit card purchase are printed on the credit card itself. So what has been needed to avoid such misuse is a key piece of information known only to the card-holder. This password is similar in purpose and use to a Debit/ATM card PIN or a Transaction Password for Internet Banking. For more information see ‘Identity Theft and its perils’.

Is this online password feature for credit cards a solution to all security issues? Well, the short answer is ‘No’. Listed below are some of the benefits and pitfalls of the proposed solution and some of the currently available implementations/manifestations of it.


Benefits
1. Without this additional password, an online credit card purchase cannot be completed. This could significantly reduce the misuse of stolen cards.
2. The sign-up process for the additional password is simple. The password is chosen by the user, so there is no need for the providers to generate and mail passwords.
3. It is an additional security layer and hence safer.

Pitfalls
1. The regulation is India-specific and hence does not apply to eCommerce sites hosted outside India. Websites in countries that don’t have similar regulations could allow purchases without the online password.
2. Sign-up for the online password isn’t mandatory. The bulk of the card-holding population doesn’t make purchases online (either because internet access is not available to them or because they are averse to online payment) and hence would not bother to sign up for this feature.
3. Sign-up is simple and can be misused. In the rush to meet the RBI deadline, the service providers have made it simple to sign up for the additional password feature. During an online purchase you can sign up for the online password by providing the basic information on the card and maybe your date of birth or something similar. Stolen card information could now be used to sign up without the knowledge of the card-holder and subsequently to make purchases.
4. Cards without a card-holder photo are issued even today. Stolen cards could be used for making purchases at brick-and-mortar stores. While merchants may have to bear the cost of fraudulent transactions, most of them still do not verify the signature.
5. The additional online password and other card details are still susceptible to key loggers and similar malware. However, the card companies do not consider this to be their problem and do not bother to address it in any way. The card holder isn't protected from such losses.

Had the RBI been serious about security, they would have researched enough and come up with superior guidelines/suggestions. While it’s an elaborate process for all the parties involved to comply with the requirements, their effort would in effect more or less go to waste. They will have to repeat their efforts in the near future with a superior solution. The technology providers and their employees are the only winners, as they have got work to do in these difficult times.