Your credit card can be used for payment without PIN or OTP: a must-read informative blog
Neeraj, 18 Jan 2019
If you own a credit card and believe that money cannot be paid or deducted from it without a PIN or OTP being asked for, then this blog is an eye-opener for you.
One incident that happened to my friend forced me to write this blog. He was out for lunch with his family, and after lunch he offered his credit card for payment. The waiter took the card, just touched it to the swipe machine, and gave it back to my friend. Since the credit card was secured with a 4-digit PIN, he was waiting to enter the PIN, so when the waiter handed the card back he asked the waiter, “What happened? My card did not work?” The waiter replied, “No Sir, it’s perfectly alright. Payment has been made, please keep the payment receipt”.
He was stunned and shocked. How is it possible that money was deducted from the credit card without the PIN being asked for?
As I work in the banking sector, it was not surprising to me, but a majority of people think the same way my friend did. Here I will explain the reality of the credit card payment process, which you must know to keep your money secure.
Is it true that payment can be made from a credit card without PIN or OTP?
Yes. No PIN/OTP or any other type of password is needed to make a payment from any credit card. To know the reason, we need to understand how payments through credit cards are processed. I am not going into much technical detail, but I will explain and provide sufficient information that you must know.
What happens when you hand over your credit card to the seller to pay for your purchase?
The seller swipes your credit card on the card reader device, and your card details go to the payment gateway. The payment gateway sends the details on to the card association or payment network (Visa, Mastercard or another company, depending on your card). After the card is verified, the information is passed to the customer's bank (the bank which issued the card), which either approves or declines the transaction. The approval or rejection then travels back to the seller in the reverse direction through the same channel.
As you can see, the following four parties are involved in processing your credit card payment:
- Seller (called the merchant), who swipes your card on the card reader device
- Payment Gateway
- Card association or payment network
- Customer bank or credit card issuing bank
Let’s look at these four parties one by one.
Merchant or Seller
This is the owner of the product or service you are purchasing and paying for. It can be a restaurant, an online shopping portal or any other website which accepts credit cards for bill payment. The merchant decides which payment gateway to use. Since payment gateway services are not free, the merchant or seller can take the services of whichever payment gateway suits their business needs. The seller has to register with the payment gateway so that the gateway recognises the merchant and keeps a reference to this merchant in the transactions the merchant makes. There is one more step the seller or merchant needs to complete before the payment gateway, and that is to get a merchant ID from an acquiring bank. An acquiring bank is the facility provider that releases the payments to the merchant when a successful transaction takes place. When a seller applies to open a merchant account with an acquiring bank, the bank reviews the application carefully to determine the risk associated with the seller. If everything is found to be fine, the bank opens the account and shares the unique merchant ID with the seller.
So after getting a merchant ID from an acquiring bank and purchasing the service of a payment gateway, the seller or merchant is ready to receive payments through credit cards.
The payment gateway is responsible for processing and authenticating the credit card. When the merchant swipes the credit card on the card reader machine or device, the card details (16-digit credit card number, expiry date, CVV etc.) go to the payment gateway along with the merchant ID. The payment gateway identifies the card network (Visa, Mastercard etc.) by reading the credit card number and sends the card details to the card network. At this point, the payment gateway gets to know which type of security is applied to the credit card.
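How a card network can be read off the card number, as an added example (not code from this blog or from any payment gateway): the leading digits select the network and the last digit is a Luhn check digit. It goes slightly beyond the 16-digit case by accepting other standard lengths; the prefix table covers only three networks, the function names are hypothetical, and the sample numbers are the publicly documented test numbers, not real cards.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Verify the Luhn check digit carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def identify_network(card_number: str) -> str:
    """Return the network implied by the leading digits of the card number."""
    pan = re.sub(r"[ -]", "", card_number)  # tolerate "4111 1111 ..." input
    if not re.fullmatch(r"[0-9]{12,19}", pan) or not luhn_valid(pan):
        return "invalid"                    # malformed or mistyped number
    if pan[0] == "4" and len(pan) in (13, 16, 19):
        return "visa"
    if len(pan) == 16 and (51 <= int(pan[:2]) <= 55
                           or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if len(pan) == 15 and pan[:2] in ("34", "37"):
        return "amex"
    return "unknown"                        # valid, but not in this small table

def mask(card_number: str) -> str:
    """Keep only the first 6 and last 4 digits, e.g. for logs and receipts."""
    pan = re.sub(r"[ -]", "", card_number)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

if __name__ == "__main__":
    # Publicly documented test numbers (constructed sample input).
    for sample in ("4111 1111 1111 1111", "5555555555554444",
                   "378282246310005", "4111111111111112"):
        print(mask(sample), identify_network(sample))
```
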
What is 2D and 3D Security?
A 2D secure credit card means only the information present on the credit card is asked for authentication. 3D secure means that, besides the information present on the card, some more information that is not written on the card is required for authentication. Asking for the PIN or OTP is a type of 3D secure authentication. So in 2D secure authentication you are asked for the CVV, expiry date etc. to authenticate the credit card, and in the 3D case the PIN or OTP is asked for.
Now here is the main point. The card association or payment network (the brand of the credit card: Visa, Mastercard etc.) keeps the information about what type of security is applied to the credit card and exchanges this information with the payment gateway, but implementing this security is the responsibility of the payment gateway alone. So when you receive an OTP on your mobile or are asked for a PIN, this work is done by the payment gateway. The payment gateway has to verify that the payment is being made by the credit card owner, so it is up to the payment gateway whether to verify or not. Please note that the customer's bank or credit card issuer bank does not send the OTP, ask for the PIN or verify through any other type of authentication method. The credit card issuer bank approves the payment request when it gets the credit card number and expiry date. So the bank which issued your credit card and approves the payment requests does not require anything other than the credit card number and expiry date.
There are thousands of payment gateways running across the world, and no common rules and guidelines are set which can assure that the real owner of the credit card is using it. The RBI (Reserve Bank of India) has forced all payment gateways working in India to follow the 3D secure guidelines, so if you are making a payment in India, an OTP or PIN (or any other authentication method) is required for a credit card payment. But in India too, there are many places where money can be deducted without the PIN or OTP. I will explain the reason in an upcoming section.
Card association or payment network
This is the network or association of all the credit or debit card brands active across the world; it facilitates transactions or payments between different banks and merchants. The card network keeps the complete information about the credit or debit card, and this information is exchanged with the payment gateway. For example, if you have a VISA credit card with 3D secure enabled, then VISA knows about it and exchanges this information with the payment gateway.
Once the payment gateway completes the authentication process (the payment gateway can skip authentication, but assuming it does not), it sends the details to the card association for further action. The card association then performs its validation and sends the payment request to the issuing bank.
Customer bank or credit card issuing bank
The card association or payment network sends the payment request to the customer's bank. The customer's or card issuing bank needs only the credit card number and expiry date, and based on these two pieces of information it approves or declines the transaction. The issuing bank performs some basic checks, such as that the credit limit is not exceeded and that the customer is paying the dues, and if these are found okay, it approves the transaction.
Once the customer's bank approves or declines the payment, this information travels back to the merchant and acquiring bank in the reverse order. One point to know here: when the customer's bank approves the transaction, it is not transferring the money. The merchant and its acquiring bank get the approval message, and based on this message it is assumed that they will get the money. The settlement of money takes place on the next day. The acquiring bank collects the reference numbers of all the approved transactions and sends them to the customer's bank. The whole process takes 2-3 days.
Why do payment gateways not ask for the PIN or OTP for credit card payment when the credit card is 3D secure?
Now it is clear that only the payment gateway is responsible for asking for the PIN or OTP, and that the payment gateway is chosen by the seller or merchant. We also know that the customer's or card issuing bank needs only the credit card number and expiry date to approve the payment. Since the RBI has forced 3D secure authentication in India, almost all payment gateways follow this rule strictly, but there are still cases where payment can be made without PIN or OTP. In the cases below you may not be asked to enter the PIN or OTP:
- If the credit card is Wi-Fi enabled and the amount is below a certain limit (in most cases Rs. 2000), then PIN or OTP is not required.
- If you earlier entered your credit card details on an online shopping portal or any other website, and a payment is due or you are making the current payment, then the payment gateway can deduct the money without PIN or OTP.
- If you are making a payment to a non-Indian service provider, then PIN or OTP authentication may not be asked for.
The above are the known reasons for the payment gateway skipping 3D secure authentication, but there may be other reasons or cases as well.
Do not panic! Your money will be refunded by the bank if an unwanted payment was made or a fraudulent transaction was done.
In today’s world there is a possibility of fraud or misuse of credit cards, so the government or Reserve Bank of India has set some guidelines for banks to safeguard customers. If you file a complaint within 24 hours of the misuse of your credit card, the bank will refund you the full amount. If you come to know of the misuse after 24 hours, or for any reason could not file a complaint within 24 hours, you will still get a refund, but chances are that only a partial amount will be refunded by the bank.
Does this happen in India only, or do other countries follow the same rule for processing credit cards?
The credit card authentication process is almost the same in all countries, but it differs in some ways. The payment gateway's role is the same, and it is mandatory to keep the payment gateway in between the seller and the customer's bank in the transaction. In the United Kingdom (England), the 3D secure system is in use as in India, but in the USA AVS is in use. AVS stands for address verification system, and payment gateways use this method to verify the valid use of credit cards.
In the address verification system, a part of the address, mainly the zip or postal code, is asked for verification. If the address or zip code matches the billing address, the payment is assumed to be valid. However, the address verification system is not limited to verifying the address; there are other methods, and a proper review system exists so that no fraudulent transaction takes place.
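A simplified model of the address comparison described above, as an added example (not code from this blog or from any gateway): it compares the house number and the 5-digit ZIP and returns the commonly used single-letter AVS result (Y, A, Z or N). The function names, the accept/review/decline policy and the sample addresses are assumptions made for illustration.

```python
import re

def street_number(address: str) -> str:
    """Leading house number of a street address ("" if there is none)."""
    m = re.match(r"\s*(\d+)", address or "")
    return m.group(1) if m else ""

def zip5(postal_code: str) -> str:
    """First five digits of a ZIP or ZIP+4 ("" if fewer than five digits)."""
    digits = re.sub(r"\D", "", postal_code or "")
    return digits[:5] if len(digits) >= 5 else ""

def avs_code(entered_address, entered_zip, billing_address, billing_zip) -> str:
    """Y = address and ZIP match, A = address only, Z = ZIP only, N = neither."""
    # An empty value never counts as a match, so missing data cannot pass.
    addr_ok = (street_number(entered_address) != ""
               and street_number(entered_address) == street_number(billing_address))
    zip_ok = (zip5(entered_zip) != ""
              and zip5(entered_zip) == zip5(billing_zip))
    if addr_ok and zip_ok:
        return "Y"
    if addr_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"

# Assumed merchant-side policy: partial matches go to manual review.
ACTIONS = {"Y": "accept", "A": "review", "Z": "review", "N": "decline"}

def decide(entered_address, entered_zip, billing_address, billing_zip) -> str:
    return ACTIONS[avs_code(entered_address, entered_zip,
                            billing_address, billing_zip)]

if __name__ == "__main__":
    # Constructed billing record and checkout entries.
    on_file = ("123 Main Street Apt 4", "94105")
    for entered in (("123 Main St", "94105-1234"), ("999 Other Rd", "94105"),
                    ("123 Main St", "10001"), ("", "")):
        print(entered, avs_code(*entered, *on_file), decide(*entered, *on_file))
```
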
What to do to protect your credit card from unwanted or unauthorised payments?
Take care of the points below to prevent unwanted or unauthorised payments.
- If you have a Wi-Fi enabled credit card, convert it to a non-Wi-Fi credit card. You can call your bank to convert it to a non-Wi-Fi card, and within 1 week you will get a new card. This resolves the problem of auto deduction of amounts less than Rs. 2000.
- Do not select the option "Save your credit card details for fast payments in future" while making a payment on any shopping website. Never make this mistake. Once you select this option, if you make any future purchase from that website, you will not get any PIN or OTP prompt. At first glance this seems to be a very handy facility, but it can cause a lot of problems.
- Be extremely careful while making payments to foreign websites or shopping portals. Since they are not bound by RBI guidelines, foreign payment gateways deduct money without any PIN or OTP.
- There are websites which claim to provide you a service for free but ask you to enter your credit card details to check your seriousness. They claim that they will never charge any amount. Never submit your credit card details to these websites. These types of websites are found when you search for free content like free movie downloads, free song downloads, or free software or eBook downloads.
- Never share your credit card number with anyone or enter it on any website thinking that the credit card number is useless without the CVV, PIN or OTP.
Your 16-digit credit card number is itself sufficient to make any payment. Even the CVV number has no value and is not required for payment. Since the credit card issuing bank approves payments on the basis of the credit card number and expiry date only, and does not ask for CVV, PIN, OTP or any other type of authentication, give up the idea that your bank will verify every payment that is made.
Let us share this information and spread awareness.