In 2009, RBI had mandated additional security for online credit/debit card transactions in India.
This was achieved through the introduction of 3D Secure password that was required to be registered for every credit/debit card to enable its use for online payments on ecommerce websites.
This meant that in addition to the 16-digit card number, 4 digit expiry date and 3-digit CVV number, the card holders were required to enter the additional 3d Secure password to authorize their online transactions.
Users could easily register for this 3D Secure password on the website of their card issuing bank or on the websites of MasterCard and VISA.
While this additional password went a long way in ensuring safe & secure e-commerce transactions, mobile transactions continued to be susceptible to credit card frauds and identity thefts.
This is because, for authorizing any mobile transaction, all you required was to enter the 16-digit card number, the expiry date and the cvv number. Since all three details are printed on the card itself, any person who gets physical access to your card could note down these details and use it later to make a payment through IVR, WAP or On-Device application. Fortunately, all this is set to change from 1 January 2011.
In 2010, RBI gave the mandate to all banks to provide 3D Security for mobile transactions by 1 Jan 2011. This was a big challenge for multiple reasons:
*The additional password for mobile transactions had to be numeric because mobile channels like IVR do not support alpha-numeric inputs
*For online transactions, the users are redirected from the merchant’s website to a secure webpage of the card issuing bank for entering the 3D Secure password. This kind of redirection from the merchant’s IVR to a bank-managed IVR was not practical for mobile transactions. This meant that the merchant’s IVR will need to capture the complete card details of the customer, including the 3D Secure password.
*Since all mobile subscribers cannot be assumed to have ready access to internet, so the process of generating the 3D Secure password for mobile transactions would be independent of the internet.
All the above requirements led to the emergence of the One Time Password (OTP). Compiled below, are answers to some of the most frequently asked questions about the OTP.
What is OTP?
One Time Password (OTP) is a 6-digit numeric password that will be used to authenticate every credit/debit card transaction on mobile. An OTP can be used only once. So for every mobile transaction you will be required to generate and use a new OTP.
How to get the OTP?
You can get your OTP by sending an SMS from your registered mobile number to a short/long code number of your card issuing bank. The bank will then send an OTP to your mobile by SMS.
It usually takes only a few seconds to receive the OTP. If you are attempting a mobile transaction and if you have not requested for your OTP already, then you might also be able to receive the OTP automatically on your registered mobile number after you have entered your 16-digit credit card number.
However, it might not be very convenient to switch between your voice call and sms inbox and if accidentally any key gets pressed during this act then the IVR might construe it as an input for your OTP.
What short/long code number do I need to send the SMS to?
The number will vary from bank to bank. For example, if you have an HDFC Bank credit/debit card, then you can send the SMS ‘PWD XXXX’ to 9717465555, where XXXX stand for the last 4 digits of your credit/debit card. In case of Citibank, you can send the SMS ‘OTP XXXX’ to 52484 or 9880752484 to receive your OTP.
For how many transactions is the OTP valid?
An OTP is valid for only one transaction, irrespective of whether your transaction failed or succeeded. So, you will be required to generate a new OTP for every attempt that you make for your mobile transaction. Hence the name One-Time Password.
For how many hours will my OTP be valid?
The validity varies from bank to bank. For some banks like HDFC Bank, the OTP remains valid for 2 hours from the time of its generation, while for other banks like Citibank, the OTP is valid for only half an hour. If the OTP is not used within this period then it will automatically expire and a new OTP will be required to be generated.
I have multiple credit/debit cards linked to my mobile number. When I send an OTP request to the bank, how will I distinguish which OTP is for which card of mine?
When you send the SMS to the bank, you would also be mentioning the last 4 digits of your card. So the OTP that you may receive by SMS will be applicable for only that card whose last 4 digits you had submitted. If by chance you have more than one cards whose last 4 digits are common then upon sending the OTP request you might receive a message from the bank asking for submitting more details to help them distinguish between your cards.
So what’s the good thing about OTP?
* Mobile transactions will become extremely secure
* Unlike the web 3D Secure password, you will not be required to memorize the OTP as it is for single-use only.
* It will enable many banks to open up their Debit cards on IVR. This means that even Debit card holders which are far too many as compared to Credit card holders, will now be able to transact on IVR.
I feel that these additional security measures will not only help increase the confidence level of existing users who regularly perform mobile transactions, but also encourage new users to adopt mobile as a trustworthy channel for making instant payments. The enablement of Debit cards on IVR will further increase the reach of mobile payments to the masses and result in a high adoption rate.
All in all, the introduction of OTP is expected to provide a major boost to mobile commerce in this country of over 700 million mobile subscribers.
Keep checking www.paytm.com/enterprise for latest updates on OTP and secure mobile payments.
About the Author
Abhishek Rajan is a graduate from IIM Ahmedabad and heads the Mobile commerce business at One97 Communications – a leading provider of mobile payment solutions in India.
One97 has developed a secure mobile payment platform – PayTM (“Pay Through Mobile”) which enables enterprises & mobile operators to accept payments from their customers in a secure & convenient manner through multiple mobile channels including IVR, SMS, WAP and On-Device Applications.
