Mobile OTP: Cyanide Or Caffeine For Online Payments?

I recently received an SMS from one of my credit card issuing banks informing me about the following change in procedure for using its credit cards online:

With immediate effect, for each online transaction on your BANK1 Credit Card, an OTP (One Time Password) will be sent via SMS to your registered mobile number. In order to complete the transaction, this OTP will have to be entered by you instead of the erstwhile Verified by Visa password.

As though making online payments isn’t terribly painful as it is, this bank – the Indian subsidiary of a British high street bank that has a global presence – has just raised the friction in the process to the next level.

Successful completion of a transaction is no longer just a function of quality of Internet connectivity and the uptime of merchant, acquirer, issuer and epayment gateway websites. It now also depends on the mobile network coverage, message delivery times and availability of the mobile phone at the point of transaction.

Even before this new step, the end-to-end payment chain had so many moving parts that almost one in 12 payments failed, as I’d highlighted in my earlier post Skating Away With Online Payments.

With the new measure, I expect a manifold increase in failed payments when customers don’t receive the Mobile OTP for several reasons:

  1. Network coverage is spotty while indoors and in roaming mode
  2. Messages could be delayed by several hours during holiday peak volumes
  3. Shopper may not be carrying his mobile phone with its primary SIM while traveling abroad in order to avoid the exorbitant international roaming charges charged by his primary Mobile Network Operator.

All these will only reinforce my recent shift to Cash on Delivery for online shopping and avoidance of online bill payments (which don’t offer COD).

Going back a couple of years, BANK1 introduced two-factor authentication for all types of “card-not-present” payments – payments made via web, mobile and phone. The second factor of authentication was a static password like Verified by Visa (VbV) or MasterCard Secure Code (MSC). It had also started sending SMS Alerts for all card transactions (more on that here). In all these cases, the bank had ascribed the new security measures to the Reserve Bank of India, which is India’s central bank cum banking regulator.

BANK1 hasn’t (yet!) chanted the “As per RBI mandate” mantra to backstop its latest move.

I fervently hope that the regulator doesn’t mandate mobile OTP and instead focuses its attention on solving the huge problem of failed payments. Ideally, it should issue a mandate to all card issuers to reverse debits in the event of all incomplete payments, no questions asked. But it’s not going to happen. Regulators normally don’t caught trying to solve tough but important problems. And do get caught in “regulatory capture”.

If it’s not to comply with regulation, I wonder why BANK1 has chosen to implement mobile OTP. After all, the move risk alienating experienced users away from online card payments, which would lead to a drop in its interchange revenues.

I’m wondering if it is to persuade 70% of online shoppers, who currently use cash-on-delivery, to switch to credit cards? It’s quite possible that, when they hear about mobile OTP, many novices and fencesitters might feel comfortable about exposing their card information online. Until they actually experience online friction and are hit with failed payments, they may be misled by the false sense of security provided by OTP, and start using their credit cards to make online payments. If that happens, there will be a boost in the bank’s interchange revenues.

Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply