Convenience is important. However, many a time, we take it too far. Recently, I read you can use RuPay cards (debit/credit/prepaid) to make online payments without having to enter the CVV. And if you have the auto-read OTP feature enabled on your phone, the purchase becomes a breeze. So, you are on the Amazon/Flipkart app, you add to the cart, select the RuPay card as the payment option, and then it takes 2 clicks to make the purchase: the first click on Pay and the second to confirm the OTP.
Where Can You Do CVV-less Transactions?
- Only on RuPay cards.
- Domestic e-commerce (online) transactions.
- Your RuPay credit card details must have been tokenized with the online merchant.
- The merchant must accept CVV-less payments.
What is Tokenization?
Tokenization is used to secure credit card transactions. With tokenization, the merchant does not store your credit card details for repeat transactions but only a token which is unique for a combination of credit card, merchant, and the card issuer/card network.
While you may think that the online retailer holds the credit card details, the website stores just the token, which can only be resolved at the card issuer/card network’s end. Thus, with tokenization, you do not have to enter credit card details for each payment and, at the same time, your card details can’t be compromised even in case of a data breach on a merchant’s website.
You do not have to do anything special to tokenize your credit card on a website or a merchant. If an app/website asks you to SAVE a credit card, it is essentially requesting you to tokenize your credit card. RBI regulations don’t permit merchants/app/websites to save credit card details in any other way. Saving (tokenizing) card details is a one-time activity per app/website and you will need to enter card number, CVV, expiry date, and OTP to tokenize your credit card.
While tokenization does not rule out the possibility of fraud, it does provide protection if there is a data breach. The fraudster can only steal the token but can’t do much with it. They can’t reverse engineer credit card details from the token.
The token can’t be used with any other merchant since a particular token can only be used with a specific merchant. The token can’t be used for payment on the same merchant either, because the perpetrator would need the CVV and OTP as part of two-factor authentication.
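A toy model of the tokenization and two-factor checks described above, added here as an example; it is not code from RuPay, RBI or any merchant. The class `CardNetworkVault`, the merchant ids and the card number are constructed for illustration, and the `cvv_less` flag stands in for the CVV-less flow this post discusses.

```python
import secrets


class CardNetworkVault:
    """Toy card-network side (hypothetical, not a real network's design)."""

    def __init__(self):
        # token -> (card_number, merchant_id); held only by the network
        self._tokens = {}

    def tokenize(self, card_number, merchant_id):
        # The token is random, so it carries no information about the card.
        token = secrets.token_hex(8)
        self._tokens[token] = (card_number, merchant_id)
        return token

    def authorize(self, token, merchant_id, otp_ok, cvv_ok=False, cvv_less=False):
        entry = self._tokens.get(token)
        if entry is None or entry[1] != merchant_id:
            return "declined: token not valid for this merchant"
        if not otp_ok:
            return "declined: OTP missing"
        if not (cvv_ok or cvv_less):
            return "declined: CVV missing"
        return "approved"


def demo():
    vault = CardNetworkVault()
    card = "6521000000000000"  # constructed sample number, not a real card
    token = vault.tokenize(card, "merchant-A")
    merchant_db = {"user42": token}  # all that merchant A stores
    stolen = merchant_db["user42"]   # what a breach of merchant A exposes
    return {
        "card_in_merchant_db": card in str(merchant_db),
        "other_merchant": vault.authorize(stolen, "merchant-B", otp_ok=True, cvv_ok=True),
        "token_only": vault.authorize(stolen, "merchant-A", otp_ok=False),
        "otp_no_cvv": vault.authorize(stolen, "merchant-A", otp_ok=True),
        "otp_cvv_less": vault.authorize(stolen, "merchant-A", otp_ok=True, cvv_less=True),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

The last two results differ only in the `cvv_less` flag: once the CVV check is skipped, the OTP is the single remaining factor on a tokenized card.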
What Is the Convenience of CVV-less Transactions?
With this CVV-less payment flow, you don’t have to search for your credit card CVV while making the payment. A couple of clicks and it’s done.
All this sounds good but how difficult is it to remember CVV? Or how inconvenient is it to reach out for your wallet and quickly check the CVV there?
What Are the Issues I Foresee?
If someone has unauthorised access to your mobile phone or if your mobile phone is stolen, the trickster already has access to the OTP. It is just the CVV he/she does not have access to. You may argue that the CVV is not such a strong safety feature anyway. The CVV does not change and can easily be seen and remembered by anyone who has physical access to your credit card, including any merchant/retailer where you have swiped your credit card.
You may also argue that CVV-less transactions are only possible for tokenized cards for online transactions. You don’t have to enter the CVV for physical/offline transactions anyway. And for online transactions, the trickster can fleece you only on the app where you have tokenized your credit card and only from your app account. Plus, with online transactions, the fraudster leaves a trail which can be used to track him/her.
Valid points, but always remember that these fraudsters are always a step ahead and can/will figure out innovative ways to trick people. With CVV-less transactions, that’s one less headache for them to manage.
Another practical issue. Sometimes, children access your mobile phones and browse retailer apps. If the entire purchase process is so seamless (CVV-less and OTP auto-read), nothing stops them from ordering their favourite toy from Flipkart/Amazon or ordering their favourite ice cream from Zomato/Swiggy. Many times, these orders may not be cancellable/returnable. Don’t forget in-game purchases.
These days, most apps seek SMS access and from what I have observed, even those apps where you have denied SMS access somehow auto-read OTP SMS. This could be an Android feature. In that case, the CVV is the only piece of information that prevents children from making innocent yet costly transactions.
CVV-less online transactions are clearly convenient. RuPay credit cards have become very attractive these days because they can be used for UPI payments. However, it is not something I would sign up for. Sometimes, it is good to have checks.
What do you think? Good? Unnecessary?