While RBI’s regulations on cyber security have received a thumbs up from several companies, a few others say those could drive businesses away from India.
The issue at heart is the collection of ‘recurring payments’. This is music to a consumer’s ear, as RBI mandates that every time an online transaction happens, a One Time Password needs to be sent to a phone or to an email.
Protection from hackingThis, industry watchers believe, gives consumers better protection from cyber criminals hacking into their card-related information in the event of a website having weak security protection systems. On August 22, RBI issued a directive and made it mandatory for all banks to put in place additional authentication or validation on the cards for all online electronic commerce transactions and does not allow India-based companies to store credit card numbers on the website (unless RBI grants permissions).
However, for companies selling software online, this directive is turning out to be a nightmare.
“We have to send repeated emails and a lot of it goes unnoticed. Then we have to follow up with repeated phone calls and sometimes multiple visits to the client sites to collect payments,” said a senior executive from Practo, a Bangalore-based start-up, which schedules doctor's appointments for a fee. The executive, who declined to be named, added RBI's regulations of enforcing strict cyber security norms are at the heart of the problem.
The company declined to comment on the matter. The official, however, did not quantify the financial burden, but said the delays are somewhere in the region of two-three months depending on the size of payment. Practo is not alone in this. A founder of another start-up, which provides customer help-desk support for computer-related issues, says his firm faces problems constantly with regard to accounts having insufficient balance, leading to high payment failure rates. This problem acquires another dimension as start-ups are tied to a particular payment gateway. “Some payment gateways merely check the card number, but do not validate if the account is genuine or not,” he said. If the credit card account information was available, companies will not be tied to a particular payment gateway, he added.
However, payment gateways believe the directive from RBI is a good one. “The issue is being blown out of proportion and actually the directive creates a level playing field between foreign-based and India-based companies,” said Upasana Taku, founder of Zaakpay, an online payments company.
Agreed Jitendra Gupta, Founder of Citrus Pay: “The issue of jurisdiction was being advantageous to multinational firms and RBI's mandate is a step in the right direction.” The jurisdiction issue that Gupta and Taku talk about refers to companies not headquartered in India, which do not necessarily need to follow some of RBI's mandates.
They point to the increase in cyber frauds in developed markets as a result of facilities like auto debit, something that RBI has addressed to a large extent with its mandates.