[HN Gopher] Indian online merchants cannot store credit card inf...
___________________________________________________________________
Indian online merchants cannot store credit card information from
2022
Author : vivekv
Score : 255 points
Date : 2021-12-17 04:29 UTC (18 hours ago)
(HTM) web link (rbi.org.in)
(TXT) w3m dump (rbi.org.in)
| diebeforei485 wrote:
| Something I learned in college - not all countries have the same
| laws as the US where it's easy to dispute a charge and the burden
| of proof is with the merchant.
|
| If India is one of those places where the burden of proof is on
| the customer, and it's difficult to dispute charges, it makes
| sense to tokenize things.
| ratww wrote:
| Different banks/card issuers have different rules too.
| unmole wrote:
| Disputing transactions is very simple in India. The transaction
| notification email/sms itself usually contains a URL to dispute
| the transaction.
| mwnn wrote:
| Yes. On forums and online IM groups you'd find plenty of people
| suggesting "raise a chargeback" without realising it means
| nothing in India. It's just a gesture. The merchant can just
| deny the chargeback and that's it; your credit card provider
| is done and you are charged.
| vivekv wrote:
| The burden of proof in India is with the merchant. Proof of
| transaction has to be provided (invoice, etc.).
| flak48 wrote:
| I've filed a chargeback before in India, the burden of proof
| was on the merchant at that time. Maybe I got lucky with my
| card issuer.
| blueblisters wrote:
| Is the RBI deliberately trying to handicap credit cards in India?
| The decision to make recurring payments impossible, followed by
| having to enter card information every time I do an online
| transaction is making for a very frustrating experience.
|
| The justification for these decisions is always "consumer
| interest" but how is making consumers jump through hoops to
| transact online in consumer interest? I wish the industry was
| more co-ordinated in lobbying against these crazy policies.
|
| Edit: A couple of replies below say they don't mind
| authorizing subscriptions/recurring charges every time. I respect
| that view but I think people underestimate how much friction it
| adds if a business needs to ask you for permission every time to
| renew. Consumers are forgetful. They may not be available to
| authorize a payment when it's time to renew. Subscriptions reduce
| transaction costs, give businesses a predictable stream of income
| and allow consumers continued access to services without having
| to remember to renew it.
|
| If you don't believe me, just look at the data and anecdotes
| posted by tech journalists and software devs on twitter - it's a
| shitshow.
|
| If businesses make cancellation hard, the right policy would
| have been to allow consumers to "stop" charges from the card
| issuer's website or app - not ask consumers to approve a charge
| every time it happens.
| manojlds wrote:
| It just adds onus on the vendor. Google have implemented it
| very well and I love this a lot more as the end user gets more
| visibility and control.
|
| It's going to be a short-term pain but I think it's going to be
| great in long term.
| paxys wrote:
| If you'd bother to read the article (or heck the first two
| lines of the article) you'll see that this rule does not mean
| you'll have to re-enter your credit card info on every order.
| kranner wrote:
| From the HN guidelines:
|
| > Please don't comment on whether someone read an article.
| "Did you even read the article? It mentions that" can be
| shortened to "The article mentions that."
| naruvimama wrote:
| Credit cards are from an era where magnetic stripes was a
| novelty. It is just a bunch of numbers and very lax in
| security.
|
| Visa & Mastercard are just global duopolies, they have used
| their dominance to keep the cards easy to use but insecure. The
| cost of fraud is ultimately borne by the merchants, who try to
| pass on the hefty fee to the card holders.
|
| India is trying to move to digital payments, a vast majority of
| the people are first time card holders or even account holders.
| Frauds do not make it easy, and we do not want to make digital
| payments more expensive than cash payments.
|
| This is not a move against any card network. However, I
| personally think it is wrong for Visa/Mastercard to use their
| market dominance to charge 2-3% of every transaction. As we
| move more and more into a digital economy, this duopoly starts
| to sound like a New East India Company.
| rowls66 wrote:
| You should know that a small portion of the 2-3% transaction
| fees goes to the card networks. Most goes to the card issuing
| bank. Now in fairness, the banks also cover the cost of some
| fraud, and payout generous rewards to their best customers.
| tlogan wrote:
| This "authorize charge" change is really giving a headache both
| to customers and companies. If the person owning the CC is not
| available, emails are missed, etc., so scheduled e-mail
| campaigns are not sent, backups are not done, scheduled data
| loads are not performed, etc.
|
| Basically, running a business is getting harder and harder in
| India.
|
| So this is one thing why the USA is still the leader: not
| because it is "great" but because it is still the "Wild West"
| (sure somebody will say "free country" - let's be honest, it is
| more of a "Wild West").
| [deleted]
| naruvimama wrote:
| A lot of businesses around the world are built around these
| silent charges and people being forgetful or not active in
| checking their expenses.
| vlovich123 wrote:
| I would love to be able to have to proactively authorize every
| single recurring purchase via a tap on my phone. If I have
| enough that I'm being overwhelmed there's a good chance I'm not
| tracking my purchases very well and there could even be fraud
| I'm missing.
|
| There are some use cases, maybe, where automatic billing is
| required, but the vast majority would do better to need to
| prompt the user.
| mrweasel wrote:
| There's a Danish company that provides a service which will
| integrate into online banking platforms, that will allow you
| to cancel recurring payments directly from your banking app.
| How they make it work I don't know, but I hope that my own
| bank will sign up shortly.
| ghoomketu wrote:
| Yes this is stupid and it has caused me a lot of trouble since
| this all started. I am now seriously thinking of leaving this
| country and going to NZ or Canada (something which I did not
| want to do because of my parents).
|
| Doing business in India is so frickin hard, especially after
| GST. I have to spend so much time on accounting nowadays and
| it's getting harder and harder every day (even though all the
| ads say otherwise).
|
| I almost got my Digitalocean account suspended a few months
| back because the credit cards won't bill anymore. Now I have to
| constantly monitor GCP, Porkbun, AWS, etc. since nobody can bill
| me like before.
|
| Also for some reason Indians aren't allowed to keep balance in
| Paypal but a lot of my customers prefer to pay via it, which
| means in the end I cannot process any refunds on time and makes
| customers angry (Paypal wants me to snail mail checks to them
| to add the USD balance since govt has banned adding the same
| from Bank account).
|
| For recurring charges now you have to create an account with
| https://www.sihub.in which doesn't accept small businesses
| kinda making it an exclusive club for big companies. It's
| really a shit-show here.
|
| If it were not for Stripe Atlas I would have been out of
| business a long time ago. So thank god for that.
| spikengineer wrote:
| Please understand the context behind the rules before
| ranting.
|
| PayPal restrictions exist because India doesn't have free
| capital account convertibility and forex providers need to
| implement regulatory mechanisms to comply with forex
| regulations. The regulations on forex haven't changed in many
| years. It's PayPal who isn't bothered to comply with the
| mechanisms implemented and hence removed those features as
| they felt customers like you aren't worth it to them.
|
| Most developing countries have capital controls like India
| for financial stability reasons and removing them for the sake
| of a small segment of entrepreneurs feeling difficulty to
| process some payments or can't manage the accounting is not
| in the interest of the state or its people.
|
| Stripe thinks you are worth it to them and are providing that
| service. Find better service providers. Talk to a bank.
|
| As far as GST is concerned, every country has tax accounting.
| Some other countries like in Europe have it way worse on the
| paperwork. Have you ever dealt with pre-GST service tax or
| VAT paperwork? Accounting is a universal thing and it's the
| reality of doing business. If you think just by jumping from
| one country to the other you can avoid taxes or paperwork you
| need to rethink your approach to business. Most countries that
| don't have taxes or tax paperwork are just tax havens living
| off someone else's money. Will you go to NZ/Canada and not do
| their tax paperwork?
|
| If it's getting harder, maybe your size is large enough to
| hire an accountant to do that work for you.
|
| If you have so many customers overseas maybe you better
| incorporate a foreign subsidiary or an IFSC subsidiary to
| manage USD transactions.
|
| These rules won't be changed for you - there are larger
| socio-economic reasons for the rules.
| fareesh wrote:
| This is primarily because those companies haven't updated
| their payments systems to be compliant.
|
| The e-mandate system seems to be pretty good. Netflix is
| compliant and it worked seamlessly from day one of the
| switch. It could be because they have incorporated locally,
| which can be difficult for many other companies.
| spookthesunset wrote:
| > This is primarily because those companies haven't updated
| their payments systems to be compliant.
|
| For big companies with decades or more of legacy cruft,
| it's a hell of a lift to make their universe compliant.
| Especially if your large company tends to fall onto the
| "decentralized org structure" part of the spectrum where a
| billion teams run around doing their own thing with very
| little top-down oversight.
|
| It's the same kind of story as it was for GDPR (and CCPA to
| some extent). Some companies can pull it off easy because
| their org structure is way more top down. Others that are
| bottoms up have a much harder time because you have to
| herd a million different teams towards something new that
| doesn't really deliver much immediate business value.
|
| I assure you though, these companies are all no doubt hard
| at work making life better for their India customers... it
| is just a much harder lift for their organizations to
| handle. Which is not to say their org structure is a bad
| one. It just isn't optimized for top-down mandates like
| these.
| jeswin wrote:
| > Doing business in India is so frickin hard, especially
| after GST.
|
| How has GST made things worse? I had paid Service Tax for 10
| years prior to GST, and that was a far worse experience.
|
| a) Prior to GST there was an enormous amount of tax fraud.
| GST makes that way harder, on account of people being able to
| track and claim input credits. Many (not all) people who were
| complaining did so because they were suddenly unable to dodge
| taxes. This forced them to disclose all sales, which affected
| income tax as well.
|
| b) Everything is now visible on the portal. Who you paid,
| what they deposited etc.
|
| c) Initially, there were many more compliance requirements.
| Now it's simpler, with quarterly filing if you qualify.
| unmole wrote:
| > Doing business in India is so frickin hard, especially
| after GST. I have to spend so much time on accounting
| nowadays and it's getting harder and harder every day (even
| though all the ads say otherwise).
|
| Why are you having to spend so much time? I mean all the
| popular accounting suites already support GST and automate
| most of the compliance. The rules haven't materially changed
| so, why is it getting progressively harder?
|
| > I almost got my Digitalocean account suspended few months
| back because the credit cards won't bill anymore.
|
| Why won't they _bill_ anymore? After I enabled international
| transactions on my card, I haven't faced any problems with
| DO or AWS.
|
| > If it were not for Stripe Atlas
|
| If you have a Delaware C Corp, why are you even bothered by
| RBI rules? None of the limitations of the Credit cards or
| PayPal apply to you anymore.
| 2Gkashmiri wrote:
| I help businesses in setting up their GST, accounting
| integration and returns filing. If you need help, let's talk.
| sudhirj wrote:
| So the order doesn't prohibit tokenizing or saving cards, it
| specifies who can save them.
|
| Earlier, merchants could save the details, and this ability
| leads to massive amounts of fraud and theft (see US right now).
|
| Then only regulated payment aggregators could save them, and
| issue a token to the merchants. Stealing the token wasn't too
| helpful because you couldn't grab the money, the token was tied
| to the merchant. But this still means my card number is stored
| on a bunch of companies that can suddenly take whatever funds
| they want, and I can't cancel these tokens.
|
| Fast forward to 2022, where only the issuer I got my card from
| can give out tokens - so I can now see a list of every single
| merchant who has access to my card tokens, and I can cancel
| them whenever I want.
|
| So the functionality is not going away, it's moving to another
| part of the regulated system that's more in the control of the
| consumer.
|
| As a person I welcome the move (no more struggling to
| understand card charges or pleading with companies to cancel my
| subscriptions). As a developer it's more work to implement the
| new system, but it's not much more work than the old one.
| Projects using Stripe or Razorpay will get the new system with
| no changes.
| vishnugupta wrote:
| Thanks for the clear and jargon-free response. I wish this were
| top-level and top comment.
| sidm83 wrote:
| This is a great response throwing light on the actual new
| protocol which does seem to make sense.
| ratww wrote:
| Yep, this is how most of the companies I worked for handled
| recurring payments. The only time the customer needs to input
| their credit card again is when the credit card number
| changes.
|
| Some providers even had integration with banks, so when a
| credit card was auto-renewed and the expiration changed (the
| CC number was still the same), we didn't even have to ask the
| customer for an update. Only when the customer specifically
| asked for a new card.
|
| So there's even the possibility of more convenience to
| customers.
| ramraj07 wrote:
| As a consumer in India I'm so happy at least some part of this
| government is doing what it's supposed to do.
|
| A century of unchecked lobbying is pretty much the reason why
| the US is at the state it is. The difference I've seen between
| how things run in India and the States is that in India what's
| illegal and called corruption is called legal and lobbying
| here.
|
| What exactly are you worried about ? Clicking authorize on
| nytimes subscription every month?
| sumedh wrote:
| > Clicking authorize on nytimes subscription every month?
|
| Why is that a good thing?
| bobthepanda wrote:
| Why is it bad?
|
| One of the first pieces of advice for anyone sorting out
| personal finances is "figure out what subscriptions you
| aren't using." Cancelling in many cases is an anti-pattern
| (looking at you, NYT)
| adi2907 wrote:
| As an entrepreneur, I empathise with fellow startups losing
| customers due to mandatory check for recurring payments.
| However as a customer, this has been a godsend as I had almost
| 15 subscriptions totalling $300 monthly, quite a large amount
| in India.
|
| The constant reminder of how many of those subscriptions are
| useless has allowed me to cut my expenses. Case in point, I was
| subscribed to LinkedIn Premium for the last 2 years, while I make
| use of it only once in 3-4 months. Now I simply don't recharge
| my credit card and only do so once it's required.
|
| Not sure if it's the ideal solution but definitely am thankful
| for it!
| _hyn3 wrote:
| How would recurring transactions or metered billing work? Does
| this only apply to merchants or providers that are not PCI-DSS
| compliant and cannot safely store cardholder data?
| jetsetgo wrote:
| It won't. Like it should be. No one should be able to take your
| money without your consent.
| freakynit wrote:
| I have already lost my online book store "perlego"
| subscription because of this. This has 100% directly stopped
| my access to learning. There is no other way to put it.
| [deleted]
| LammyL wrote:
| This change just says that only the card issuer or card network
| can store the card number (PAN). Everyone else in the
| processing chain can only store card tokens.
|
| This isn't a surprising change and was always going to be the
| future of PCI compliance.
| option_greek wrote:
| There is no exception for recurring payments. Also
| unfortunately this applies to all online merchants and Payment
| aggregators regardless of size and certifications. So as it
| stands a separate auth is needed for each transaction which is
| completely regressive and precludes a lot of convenience use
| cases. My guess is that they are doing this to make UPI more
| convenient in comparison. But I won't be surprised if it's just
| another short-sighted, we-know-it-all mentality decision from
| the regulator, who has a history of U-turns.
|
| Edit: Looks like they do allow card tokenization (not part of the
| original proposal), which should address a lot of use cases.
|
| Here is the commentary about the original proposal:
|
| https://www.businessinsider.in/finance/banks/news/rbi-wants-...
|
| Here is the one after push back from industry (which allows
| tokenization):
|
| https://timesofindia.indiatimes.com/business/india-business/...
| mittalsuraj18 wrote:
| Recurring payments for less than 5000Rs do not require a
| separate auth. The bank has to notify the user by sending a
| message.
|
| Recurring payments greater than 5000Rs require a separate
| auth. (EMIs are not impacted by this.)
| mittalsuraj18 wrote:
| The headline is kinda misleading. They can store credit card
| information, but they can only do that in tokenized format
| instead of the current way of storing. Tokenized format hides
| the number and other information making it more secure. You can
| read more about it here
| https://www.thequint.com/explainers/rbi-allows-card-on-file-...
| Dylan16807 wrote:
| The token is a random number, so depending on context it's
| fair to say that the token is not credit card information.
| planet_1649c wrote:
| Yes. But the reply above was regarding how recurring
| payments would work
| Dylan16807 wrote:
| I'm not sure how that affects my reply.
|
| To be clear, I am commenting on the difference between:
|
| "Recurring payments work by storing credit card info in
| tokenized form, which is still allowed".
|
| vs.
|
| "Recurring payments work by storing a token instead of
| credit card information."
|
| Those both answer the question, but they say different
| things on whether "credit card information" is stored.
| And they say different things about whether the headline
| is misleading.
| AmericanChopper wrote:
| To use card tokens for any kind of payment, you need to
| integrate with some kind of card data vault, which this
| rule seems to also prohibit. It seems to be instructing
| the card brands to issue unique tokens for every
| cardholder + merchant pair. No idea how that would
| work...
| Dylan16807 wrote:
| > To use card tokens for any kind of payment, you need to
| integrate with some kind of card data vault, which this
| rule seems to also prohibit.
|
| Why would you need that?
|
| The rule says nobody can store "actual card data".
|
| If you're using the token for a new payment, you don't
| retrieve the card number, you use the token directly.
|
| > It seems to be instructing the card brands to issue
| unique tokens for every cardholder + merchant pair. No
| idea how that would work...
|
| Pick a random number and store it in a database with
| those two other fields...?
| AmericanChopper wrote:
| That number needs to be mapped to the PAN, and somebody
| has to have stored that PAN somewhere in order for it to
| be used to process payment. This rule says nobody other
| than the issuer and the card brands are allowed to store
| the PAN.
| Dylan16807 wrote:
| Sure, that's why you get the token from the issuer or
| card brand. That way there's only one entity that stores
| the PAN, and no third parties are storing it.
|
| To quote the article linked above, "The central bank said
| the facility of tokenisation shall be offered by TSPs
| only for the cards issued by/affiliated to them."
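The flow that sudhirj and Dylan16807 describe above (the PAN held only by the issuer, a random merchant-bound token handed to the merchant, the cardholder able to list and revoke tokens) as a runnable toy model. This is an added example, not code from the RBI notification, any issuer or the thread; the `Issuer`, `Merchant` and `TokenRecord` classes, the method names and the card number are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the issuer keeps per token. The PAN lives only here."""
    pan: str
    cardholder_id: str
    merchant_id: str
    active: bool = True


class Issuer:
    """Card issuer/network: the only party that holds the PAN. A token is a
    random value unrelated to the PAN, so a leaked token reveals no card number."""

    def __init__(self) -> None:
        self._cards: dict[str, str] = {}           # cardholder_id -> PAN
        self._tokens: dict[str, TokenRecord] = {}  # token -> record

    def register_card(self, cardholder_id: str, pan: str) -> None:
        self._cards[cardholder_id] = pan

    def issue_token(self, cardholder_id: str, merchant_id: str) -> str:
        """Mint a token bound to one (cardholder, merchant) pair; the merchant
        never receives the PAN, only this token."""
        token = secrets.token_hex(16)
        self._tokens[token] = TokenRecord(
            self._cards[cardholder_id], cardholder_id, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount: int) -> tuple[bool, str]:
        """Authorise a charge presented with a token instead of a PAN."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if not rec.active:
            return False, "token revoked by cardholder"
        if rec.merchant_id != merchant_id:
            # A token stolen from one merchant is useless to any other.
            return False, "token bound to a different merchant"
        # The PAN is dereferenced only here, inside the issuer.
        return True, f"charged {amount} to card ending {rec.pan[-4:]}"

    def list_tokens(self, cardholder_id: str) -> list[tuple[str, bool]]:
        """Cardholder's view: every merchant holding a token, and its state."""
        return sorted((r.merchant_id, r.active) for r in self._tokens.values()
                      if r.cardholder_id == cardholder_id)

    def revoke(self, cardholder_id: str, merchant_id: str) -> int:
        """Cardholder cancels one merchant's access; returns tokens revoked."""
        hits = [r for r in self._tokens.values() if r.active
                and r.cardholder_id == cardholder_id and r.merchant_id == merchant_id]
        for r in hits:
            r.active = False
        return len(hits)


class Merchant:
    """Online merchant under CoFT: stores tokens only, never the PAN."""

    def __init__(self, merchant_id: str) -> None:
        self.merchant_id = merchant_id
        self.vault: dict[str, str] = {}  # customer -> token

    def save_card(self, issuer: Issuer, customer: str, cardholder_id: str) -> None:
        self.vault[customer] = issuer.issue_token(cardholder_id, self.merchant_id)

    def bill(self, issuer: Issuer, customer: str, amount: int) -> tuple[bool, str]:
        return issuer.charge(self.vault[customer], self.merchant_id, amount)


def run_scenario() -> dict[str, object]:
    """Exercise the thread's three claims and return the outcomes."""
    issuer = Issuer()
    issuer.register_card("alice", "4111111111111111")  # constructed test PAN
    shop, rival = Merchant("shop"), Merchant("rival")
    shop.save_card(issuer, "alice@example", "alice")
    first = shop.bill(issuer, "alice@example", 499)
    # 1. The merchant's own storage contains no PAN.
    pan_in_vault = any("4111111111111111" in t for t in shop.vault.values())
    # 2. A token copied out of `shop` does not let `rival` charge the card.
    rival.vault["alice@example"] = shop.vault["alice@example"]
    misuse = rival.bill(issuer, "alice@example", 499)
    # 3. The cardholder can see who holds tokens and revoke them.
    holders = issuer.list_tokens("alice")
    revoked = issuer.revoke("alice", "shop")
    after = shop.bill(issuer, "alice@example", 499)
    return {
        "first_charge_ok": first[0],
        "pan_in_merchant_vault": pan_in_vault,
        "misuse_ok": misuse[0],
        "misuse_reason": misuse[1],
        "token_holders": holders,
        "revoked": revoked,
        "charge_after_revoke_ok": after[0],
    }
```

Calling `run_scenario()` returns the outcome of each step; the merchant-binding check is what makes a token leaked from one merchant worthless to another, and the revocation is the per-merchant cancellation the thread asks for.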
| rohithkp wrote:
| Any card details that are being stored in the merchant's
| database need to be tokenised. It applies to all entities who
| are retrieving card details from customers, irrespective of
| PCI/DSS compliance.
| charcircuit wrote:
| Couldn't credit card companies expose an API to let you do
| this?
| _chompsky wrote:
| Pardon me if I'm incorrect, but isn't this like one of the best
| use cases of Stripe? Stripe usually takes care of CC/ACH
| information and tokenizes it, only passing the tokens to the
| merchant instead of the merchant having to store the CC
| information. Maybe this would be a good way to start a payments
| company boom in India?
| option_greek wrote:
| There are already several (razorpay, paytm, payu) that do
| exactly that. They do charge 2% flat fee which is still high by
| Indian standards (compared to cash and UPI). So merchants do
| try custom solutions with bank gateways to reduce the fee.
| korginator wrote:
| The real story is far less sensationalist than the title on HN,
| "Indian online merchants cannot store credit card information
| from 2022".
|
| Reading through the actual notification titled "Tokenisation -
| Card Transactions: Permitting Card-on-File Tokenisation (CoFT)
| Services", it is clear that the directive is a well deserved push
| away from Card on File (CoF) where the actual card details are
| stored by merchants, towards CoFT which is a lot less vulnerable.
| In fact this is exactly what Apple Pay, Google Pay, and several
| others are already doing worldwide.
| neya wrote:
| This is actually a good thing. Think of it like Apple's email
| masking service - Merchants can only store a tokenized version of
| your credit card instead of the real card details. I say this is
| a good thing after having worked with many E-Commerce shops in
| India as a consultant. Most of them barely know a thing about
| security, let alone about PCI DSS compliance.
|
| I have worked with shops that stored the entire credit card
| number in PLAIN TEXT! Not just credit cards, even their users'
| passwords. This also explains why many of them got and still get
| hacked from time to time. Even credit card processors got hacked
| due to this. A lot of shitty ones in the Indian market actually.
|
| The root cause of this (not to cause language flame wars here)
| is that most of the shops use script kiddos with just basic PHP
| knowledge. Bare minimum, they're recent fresh college grads who
| just know how to consume data from a form using PHP using GET and
| POST, that's it. Most of the code I've worked with just consumes
| this directly instead of stripping/processing it and ends up
| introducing SQL injection attacks. At least, if they used a
| framework, this would be provided by default for free, but many
| of the developers hardly know about even MVC.
|
| (As an aside) - As a personal mission, I started touring around
| the country teaching college kids for free about basics of web
| development, security, etc. But, still, I have a long way to go.
|
| Well folks, that's it for today's note on why this was a good
| move. Have a nice day!
|
| Edit: Some of the recent hacks that were not made public
| widescale like they should've been:
|
| 1. Domino's Pizza India (Yes, the international pizza chain)
|
| 2. BigBasket (Largest online grocery ordering App)
|
| 3. PayTm (One of the largest, if not the largest digital payments
| app in India)
| paxys wrote:
| That's a weird generalization. Yes there are terrible, insecure
| e-commerce sites in India, the same as there are in the USA and
| everywhere else on the planet. India is also the top 7-8
| e-commerce market in the world. Large local apps in the space
| have valuations in the tens of billions of dollars, and all
| major global players like Amazon and Walmart are involved in
| the country as well. These $100B in annual sales aren't
| processed by script kiddies, it's a very large and mature
| industry.
| deathtrader666 wrote:
| Yes, but large valuations don't correlate with better
| security practices. Obviously the person above isn't talking
| about Amazon or Walmart when referring to "script kiddies".
|
| Of the nearly 45-50 contract jobs I've seen, a lot of them
| use pirated WP or Magento plugins, and plain text storage of
| sensitive content.
| sidm83 wrote:
| Again, generalization. What you're talking about mostly
| refers to small time sites with maybe not more than few
| dozen orders a day. Typical ecommerce businesses (usually
| the kind with at least 100s or 1000s of orders a day) write
| their own code rather than using WP plugins.
|
| As far as PCI DSS goes, there are multiple levels. Even at
| the tier 2 Indian ecom company I used to work at, we did
| not store any card info, it was just submitted in an iframe
| rendered by the payment gateway. And even then we were
| subjected to annual/semi-annual security audits (this was
| in addition to quarterly external security audits we
| ordered ourselves apart from typical OWASP top 10 checks
| performed by QAs in weekly sprints).
| yjftsjthsd-h wrote:
| > That's a weird generalization. Yes there are terrible,
| insecure e-commerce sites in India, the same as there are in
| the USA and everywhere else on the planet.
|
| I don't have the experience to know if this is actually the
| case, but it seems completely plausible that different
| countries have different regulations (or enforcement thereof)
| such that US companies have to care about PCI more than
| Indian companies.
|
| > These $100B in annual sales aren't processed by script
| kiddies, it's a very large and mature industry.
|
| Those are less connected than you think; loads of companies
| run obscenely large monetary transactions and essential
| business processes with horrifying hacked-up systems (50k LoC
| files, 20-year-old Perl scripts that nobody understands,
| Solaris 2.x desktop in the maintenance closet...); utility
| and good code are less correlated than we wish.
| rob74 wrote:
| Yeah, seems plausible - after all, as I recently learned
| from another HN post, it is customary for trucks not to
| have side mirrors in India, whereas this is much rarer in
| the US and virtually unheard of in (western) Europe...
| dewey wrote:
| "such that US companies have to care about PCI more than
| Indian companies."
|
| If you think about the social security number system, paper
| checks or credit cards with magnet strips I think you'll
| notice that other countries sometimes have stricter and
| more advanced security regulations.
| yjftsjthsd-h wrote:
| Yes, of course. I would expect the US to be ahead of some
| countries in some places, and behind some countries in
| some places. My point is that it's perfectly plausible
| that in this very particular area India could be worse
| than the US just as, say, the EU is generally ahead of
| the US. And, in different areas India could be way better
| than the US; this isn't "good countries" and "bad
| countries", it's "different countries place differently
| on whatever metric you pick".
| dewey wrote:
| I misunderstood your initial comment then, apologies!
| You have a good point.
| ratww wrote:
| _> I don't have the experience to know if this is actually
| the case, but it seems completely plausible that different
| countries have different regulations (or enforcement
| thereof) such that US companies have to care about PCI more
| than Indian companies._
|
| Or maybe even different companies forcing users to accept
| credit cards in different ways.
|
| A handful of providers I had to integrate with in my career
| (in LatAm and Germany) had this rule where you couldn't
| have the numbers going through your system unless you got
| PCI certification. You had to use an iFrame, or redirect
| to their website where the form was served.
|
| Sometimes the APIs were there, in public, but even if you
| used a valid credit card number it would deny verification
| unless your merchant account was pre-authorised.
| reaperducer wrote:
| _That's a weird generalization_
|
| It doesn't seem like a generalization at all. It's someone
| relaying their actual experience:
|
| "having worked with many E-Commerce shops in India as a
| consultant"
|
| It very often happens on HN that if someone talks about
| something they had personal experience with, that people try
| to characterize it as a generalization, as if that somehow
| magically makes the statements a fantasy. It does not.
| ehnto wrote:
| I have spent a long time in eComm in the west, and you see that
| kind of stuff there as well. The most erroneous was the company
| that would take credit cards in plain text, print them onto an
| order sheet for reception staff to put through their POS at the
| front desk, and then the order sheets just went into the bin
| near the entrance. Thousands of credit card numbers were just
| sitting there for the taking, in plain text, in plain sight.
| yibg wrote:
| Not just ecomm. I remember the days when customers would read
| their credit card numbers over the phone for small businesses
| (e.g. pizza joints). You'd write it down for processing
| later. The paper then gets disposed of at some point with the
| full credit card info and name written on them.
| spookthesunset wrote:
| > The most erroneous was the company that would take credit
| cards in plain text, print them onto an order sheet for
| reception staff to put through their POS at the front desk,
| and then the order sheets just went into the bin near the
| entrance
|
| Back in my younger days, I implemented exactly such a
| system. Looking back, it seems like a "WTF were you
| thinking" but somehow it made sense back then. What is
| obvious practice now took 20+ years of internet evolution to
| reach.
|
| I've also worked for companies that:
|
| - Stored user passwords in plaintext so you can email the
| customer their password if they forgot
| - Stored the CVV so "we could issue refunds"
| - Accidentally created anonymous email relays using copy &
| paste code from some "how do I create a webform in PHP" site.
| - Test data was simply a mirror of production
| - Test servers would send real emails to real customers
| (because the test data was a prod mirror)
|
| There are probably some other atrocities I've been exposed to
| but those are the highlights.
|
| Oh yeah, forgot one:
|
| - To "save money" on hard drives for "the server" we did a
| RAID0 array. Works great until one of the disks dies and you
| lose everything. (This was my own dumb fault though).
|
| Live and learn I guess!
| chefandy wrote:
| Indeed, astonishing retail-level security shenanigans will
| happen anywhere relying on simple credit card numbers. That
| said, the attack surface of a piece of paper is vastly
| smaller than a web-app-connected database.
| fishtacos wrote:
| Not quite as egregious, but when I worked in QA for an
| internally accessible, hospital record keeping web app, most
| of the "test" data was real customer data, and OBVIOUSLY I
| had complete access to prod with no particular oversight
| (although I'm certain logging was enabled) for HIPAA. Still,
| glad it was available, as going through approval processes
| would've been a nightmare for our implementations.
| coldcode wrote:
| The healthcare place I worked (mid 00's) kept all the prod
| passwords in a text file accessible to half the company. No
| auditing of logins into those servers either, so who knows
| what was leaked.
| Tempest1981 wrote:
| > going through approval processes would've been a
| nightmare
|
| So internal apps can skip the HIPAA approval process? Or
| everyone can?
| NavinF wrote:
| I agree as long as merchant banks let you transfer tokenized
| cards to a new provider. Otherwise businesses will get locked
| into one provider for recurring billing.
|
| (No, this doesn't make tokenized cards as dangerous as card
| numbers. Transferring a merchant account is a whole process.
| Not to mention that when a breach happens, you can cancel one
| merchant's tokens without forcing every customer to get new
| cards)
| Abishek_Muthian wrote:
| RBI(Central bank) has been filling-up for a long time for the
| total lack of security practices by merchants & data-privacy
| laws.
|
| e.g. One can control how much money can be withdrawn from the
| credit/debit card per day according to domestic/international
| merchants/online/physical/ATM/ etc. through net-banking, with
| the minimum in multiples of INR 1000. So even if the card
| data gets stolen, criminals can at most withdraw only the
| minimum amount in the other part of the world.
|
| But unfortunately, due to the digital divide, not many have
| access to or awareness of such facilities, and hence control over
| card data is required.
|
| IMO the single point of failure for India's financial security
| is its extraordinary dependence on mobile numbers for 2FA. Even
| security-conscious customers can do little against SIM jacking
| attacks, but for those who are not security conscious, all it
| requires is a social-engineered SMS with an ngrok URL[1] or a
| phone call asking for that OTP.
|
| Please write to RBI and demand your bank to support hardware
| tokens (or) at least TOTP.
|
| > 3. PayTm (One of the largest, if not the largest digital
| payments app in India)
|
| Did you mean that largest digital payments company which
| integrated the PoS facility on the merchant's app and the
| customers were asked to enter their credit/debit card details
| manually?[2]
|
| [1]
| https://twitter.com/Abishek_Muthian/status/14069649600815718...
|
| [2] https://abishekmuthian.com/paytm-says-to-me-that-its-pos-
| fea...
| andi999 wrote:
| So who has to pay up. What I mean, let's say your cc data
| gets stolen and somebody draws money from your card, can't
| you just initiate a charge back?
| Abishek_Muthian wrote:
| Although chargeback mechanisms exist for merchant
| transactions, I don't know of anyone who has got back their
| money lost through the theft of their card data. I wouldn't
| be surprised if VISA/MASTER/AMEX don't have such
| liabilities in India as they do in the US/Europe.
|
| I had a conversation with the cyber-crime police regarding the
| aforementioned SMS scam using ngrok. They mentioned that
| many in my city have lost huge sums of money through it and
| that the scam is not just for stealing bank credentials: the
| attacker's application tries to exploit the victim's system and
| has successfully installed a RAT.
|
| Successive Indian governments have been at loggerheads with the
| VISA/MASTER duopoly and have successfully derailed it for
| domestic payments. Now the Unified Payments Interface (UPI)[1],
| which works with payment apps, has more transactions than
| debit/CC. So the domestic criminals have largely switched
| to UPI/bank-account-based scams.
|
| Occasionally some of these criminals get caught and some
| get their money back.
|
| [1] https://timesofindia.indiatimes.com/business/india-
| business/...
| PeterisP wrote:
| Chargeback rights and liability for fraud for credit cards
| are significantly different in different regions even for
| seemingly identical Visa/Mastercard cards.
| andi999 wrote:
| Yes, it is interesting though how it is in India, which
| might put low incentives on the companies to ramp up
| security.
| unbanned wrote:
| And yet people still think hiring Indian software and IT
| engineers is a good idea.
|
| This is not a racist thing. So don't disagree because it hurts
| someone else's assumed feelings.
|
| There is a significant gap in that sort of knowledge there.
| neya wrote:
| I disagree with this premise, I have worked across many
| countries and I can tell you bad script kiddies and
| programmers exist universally, everywhere. It just so happens
| the population of India and China are quite large compared to
| the rest of the world, so they're more easily visible. I have
| worked with some of the best talent from these nations as
| well, so I would be very hesitant to attach a particular
| country to it.
| [deleted]
| aniforprez wrote:
| "assumed feelings"?
|
| Does that somehow magically excuse racist statements like
| this? Good engineers are everywhere. Bad engineers are
| everywhere
| [deleted]
| pronlover723 wrote:
| What is this Apple email masking service? I keep reading about
| it but every time I pick "Apple Pay" to pay some service it
| tells me it's going to give them my icloud address and it gives
| me no option to choose "mask my email" or anything remotely
| related or giving some alternate email
| dewey wrote:
| It's called "Hide My Email" and you can use it to sign up to
| services in apps:
|
| https://support.apple.com/en-us/HT210425
| powerapple wrote:
| Agree. There is really no way of knowing which website has my
| credit information now (I choose not to save credit details
| anyway). I wish all websites could ask permission every year to
| hold my information.
| chakkepolja wrote:
| > (As an aside) - As a personal mission, I started touring
| around the country teaching college kids for free about basics
| of web development, security, etc. But, still, I have a long
| way to go.
|
| Kudos for doing God's work! As someone who studied in India, I
| think YouTube videos might have a better reach with the Indian
| student audience. There is so much mediocre content out there
| on YouTube and high-SEO sites like GFG (they are kinda fine for
| algorithm / Leetcode stuff but I can't stand their student-
| contributed code for anything else). A higher quality de-facto
| tutorial series might make a better impact. But of course
| promoting is important.
| randombits0 wrote:
| I'm a PCI QSA and this is exactly correct. No one should store
| card data for recurring transactions. India just made it a law.
| Good for them.
| kashif wrote:
| This is not all that - this is a push to move people to digital
| wallets such as PayTM (more crony capitalism)
|
| The fix for the problems you highlight is an audit and stringent
| rule of law.
| [deleted]
| txtsd wrote:
| How do I get these firms to hire me instead? I know enough
| about the basics of security to not make these mistakes. Why
| would they choose college grads who know nothing about it
| instead?
| the_other wrote:
| Cost.
| nmstoker wrote:
| It's really cost plus a chance they'll get away with it (or
| the team/mgr hiring will have moved on by the time it's
| found out).
|
| If it were cost but they were guaranteed to get caught they
| wouldn't do it.
| LeonM wrote:
| The issue is often that:
|
| 1. The vendor is not aware that this is a problem
| 2. As a result of point 1, the vendor does not have budget planned
| for this.
| 3. The reward for the investment does not make sense for most of
| the vendors.
|
| About point 3: For the vendor, there is no tangible
| improvement in sales (in fact, some security measures raise
| the barrier for their customers to place an order). So why
| should they do it? In their experience, the budget is better
| spent on improving the customer experience, marketing,
| increasing stock, lowering prices, etc.
|
| Point 3 is really tricky, especially in some cultures and
| countries. If there is no legal consequence for leaking
| customer data, why should they be spending money on
| preventing something that may or may not happen in the
| future?
| supernova87a wrote:
| I'm interested to know what level of "cannot store" the info is
| implemented? Or is it mediated by a 3rd party company / algorithm
| that sanitizes the data but to a certain amount that some
| association can still be done?
|
| For example, can the customer's credit card be anonymized but
| still tracked to know that the same credit card is used on 2
| different transactions, for example?
|
| E.g. if I wanted to give the customer only 1 special offer per
| credit card number, is that possible for the retailer to tell? Or
| is it even more sanitized such that every single transaction gets
| a different hashing?
|
| How do refunds get issued if the number can't be stored and
| presumably you don't want the retailer to have the backwards
| decoding to be possible?
| vinay_ys wrote:
| For card-linked offer constructs you can infer the issuer based
| on first 4 digits (bin number) and actually store last 4 digits
| and name on card.
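A way to answer the two questions above (link repeat use of one card without keeping the number, and keep only BIN/last 4/name for offer logic), as an added example that is not from the thread or from any payment provider: the key, the test PANs and the names are constructed placeholders, and whether a record like this satisfies the RBI directive is for the regulator to say, not something this thread settles. The point it adds is that the linking token must be keyed, since an unkeyed hash of a PAN whose BIN and last 4 are stored beside it is trivially reversible.

```python
"""Keyed card pseudonymisation for a merchant that must not keep PANs.

Added example (not from the thread or any provider). Key, PANs and names
below are constructed placeholders; the real key belongs in a KMS/HSM.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo key: never store it beside the card records, and plan
# for rotation (re-tokenise) from day one.
DEMO_TOKEN_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant keeps: no full PAN, no CVV."""
    bin6: str          # issuer identification number, enough to infer the issuer
    last4: str
    masked: str        # e.g. 411111******1111 for receipts and account pages
    token: str         # HMAC-SHA256 hex; links repeat use of one card
    name_on_card: str


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: from the right, double every second digit."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


def pan_token(pan: str, key: bytes) -> str:
    """Keyed pseudonym. Plain SHA-256 would not do; see unkeyed_candidate_count."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_candidate_count(pan_length: int) -> int:
    """PANs consistent with a known BIN6 + last 4: the check digit is fixed
    by the rest, so only pan_length - 11 digits are free (100,000 for a
    16-digit card). An unkeyed hash can be matched against that set in
    well under a second, so the secret key is the only thing hiding the PAN."""
    return 10 ** (pan_length - 11)


def store_card(raw_pan: str, name_on_card: str, key: bytes = DEMO_TOKEN_KEY) -> StoredCard:
    """Build the record to persist; the full PAN never leaves this function."""
    pan = normalize_pan(raw_pan)
    return StoredCard(
        bin6=pan[:6],
        last4=pan[-4:],
        masked=pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        token=pan_token(pan, key),
        name_on_card=name_on_card,
    )


def redeem_once_per_card(cards):
    """One special offer per physical card, with the token as dedup key.
    Returns, per attempt, whether the offer was granted; the same PAN typed
    with different separators collapses to one token."""
    seen = set()
    outcomes = []
    for card in cards:
        granted = card.token not in seen
        seen.add(card.token)
        outcomes.append(granted)
    return outcomes


if __name__ == "__main__":
    # Constructed sample PANs: well-known test numbers, not real cards.
    a = store_card("4111 1111 1111 1111", "A. Customer")
    b = store_card("4111-1111-1111-1111", "A. Customer")
    c = store_card("378282246310005", "B. Customer")
    print(a.masked, c.masked)               # 411111******1111 378282*****0005
    print(redeem_once_per_card([a, b, c]))  # [True, False, True]
```

Refunds in this model are handled by the gateway or token service against its own transaction reference, not by the merchant re-deriving the PAN; the HMAC token is deliberately one-way.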
| Tempest1981 wrote:
| Sounds prudent, but can the government actually enforce this?
| How?
| vivekv wrote:
| Mastercard is banned in India because they violated local data
| storage rules https://www.livemint.com/news/world/us-trade-
| officials-calle...
| alkonaut wrote:
| I always enter my card details (unless direct bank transfer is
| available, which is becoming pretty popular luckily).
|
| But I never found the idea that a saved credit card number (23
| digits) would make a shopping experience so much more convenient
| than having to enter it. A typical checkout still has me entering my
| address, choosing between 5 different delivery options, agreeing
| to various terms and so on. The payment step is just a minor step
| along the way.
|
| I wonder if this entering of payment info is feeling more
| inconvenient to people who have become used to not having to do
| it, for example because they have used Amazon (I still never
| ordered anything there because they don't have a functioning
| operation where I live).
| martinald wrote:
| You probably don't want to use bank transfers, depending on
| your jurisdiction. Using any sort of Visa/Mastercard/Amex
| gives you some protection via chargebacks. In the UK (and I
| think many other places), paying with a credit card over £100
| gives you enormous additional protection (the credit card
| company is also liable for any problems). So if someone goes
| bankrupt, the credit card company has to make you whole. This
| is super helpful if eg you can't do a warranty claim on a
| product because the supplier went bankrupt. The credit card
| company has to resolve it (which generally means a full
| refund).
|
| Paying with bank transfers completely negates all this
| protection. Merchants love it for this reason (and lower fees),
| but as a consumer it offers no benefits and a lot of drawbacks.
| noduerme wrote:
| So, in the early days of online retail, I built shopping carts
| that stored credit card numbers in the business's database and
| connected directly with a credit card gateway (not a provider
| like Stripe). By around 2006 it became clear that this was
| insanely dangerous to do. Every merchant could not be storing a
| database of their customers' credit card numbers. I don't know if
| it's actually illegal to do online card processing this way in
| the US now, but no card company would work with you if you did.
|
| So my takeaway from this is that, the fact that card companies
| are still accepting "card not present" style transactions from
| online retailers in India means they have been willing up to this
| point to tolerate a large amount of fraud and hacking in order to
| tap the market. The logical next step for them is to limit the
| number of data sources storing the card numbers and customer data
| themselves. Whether this comes in the form of a government decree
| or the slow moving of the card companies away from accepting
| these kinds of transactions, the change is inevitable. Local
| hosting and locally managed databases are no place for credit
| card numbers to be stored.
| deanc wrote:
| The sooner we move everything to one-time tokens (apart from
| subscriptions) the better. It's absolutely a ridiculous security
| model we have in place at the moment. I pay absolutely everything
| I can with Apple Pay now. I also would like to be able to use
| one-time disposable cards (without an additional fee) in Europe
| (ala privacy.com) but I have yet to find such a service.
| criddell wrote:
| Doesn't the Apple credit card do this? I think they call them
| virtual numbers.
| niyaven wrote:
| Disclosure: I work for a fintech in India, specialized in card
| payment.
|
| It seems here people see this rule as "merchants can't store card
| numbers any more". This is actually a lot more than that, this is
| the new rule: you cannot store card numbers for recurring
| payment. Even if you are PCI-DSS compliant. Even if you are
| audited by the RBI. Even if you're sponsored by a bank. The only
| way to store a Visa number is to use the Visa tokenization
| service.
|
| Now if you know a bit of the card payment industry, you will know
| that you _need_ the card number just to process the payment, the
| refund, etc. So you still have to store the card number. And you
| can. You just can't use it for recurring payment any more.
|
| My personal take: Giving full control to Visa and Mastercard over
| their card numbers for recurring payment seems to be a nice
| transfer of power to these two giants. But the time scale has
| been very short (a few months only). So practically, most
| recurring card payments will stop working or be illegal in two
| weeks. This will more or less break existing subscriptions
| working with cards.
|
| India (the RBI at least) has been in a campaign for independence
| in the payment infrastructure. American Express[0], Diners[1],
| Mastercard[2] have been banned in India. Diners' ban has been
| lifted now, but still. Rupay is a failure with a market share of
| 0.34%[3] (in comparison UPI is at 37.73%), in spite of having
| _ZERO_ MDR on debit transactions[4].
|
| This change is not for the sake of security. You can have the
| best firewalls, cutting-edge HSM, security team and pass 12
| audits a year. You will be allowed to save these card numbers but
| you won't be authorized to use them for recurring payments.
| This is just a move against cards, and to promote UPI instead. By
| making recurring card payment a hindrance, more people will
| transition to UPI.
|
| [0] https://www.americanexpress.com/en-in/company/notice/rbi-imp...
| [1] https://www.reuters.com/article/india-banking-american-expre...
| [2] https://westfaironline.com/138440/mastercard-banned-from-new...
| [3] https://www.npci.org.in/PDF/npci/statics/RETAIL-PAYMENTS-STA...
| [4] https://economictimes.indiatimes.com/opinion/et-editorial/st...
| rowls66 wrote:
| What you are saying does not align with the text of the
| directive. It clearly says that card numbers cannot be stored
| for any purpose. Quoting from the directive:
|
| With effect from January 1, 2022, no entity in the card
| transaction / payment chain, other than the card issuers and /
| or card networks, shall store the actual card data. Any such
| data stored previously shall be purged.
| naruvimama wrote:
| I believe merchants are not allowed to charge extra for visa or
| mastercard, but there is a hefty commission paid to them.
|
| They then use this to attract customers and/or banks to sign
| up. Rupay customers end up paying part of the hefty commissions
| (albeit indirectly) that Visa charges the merchants and the
| Visa customers get discounts, cash backs and offers.
|
| A payment network is just a payment network, they shouldn't be
| using their market dominance to run marketing schemes.
| niyaven wrote:
| > I believe merchants are not allowed to charge extra for
| visa or mastercard, but there is a hefty commission paid to
| them.
|
| This is not the case in India but is the case in other
| markets, yes. The IRCTC (national railway company) is for
| instance displaying it and the customer has to pay fees
| depending on the selected payment option. Some actors even
| hide this amount until you reach the page asking you for an
| OTP! I don't think it's necessarily done with malicious
| intent, but it exists.
|
| Sometimes you won't see Visa or Mastercard but instead "Debit
| Card" and "Credit Card" vs "Rupay" for instance.
| naruvimama wrote:
| But IRCTC is a behemoth (though it is publicly listed).
|
| We are talking about smaller merchants, would they be able
| to get away with the same?
| unmole wrote:
| > Rupay is a failure with a market share of 0.34%[3] (in
| comparison UPI is at 37.73%), in spite of having ZERO MDR on
| debit transactions[4].
|
| Rupay's failure is _because_ of zero MDR, not _in spite_ of it.
| spikengineer wrote:
| I don't agree with your interpretation on this being a stealth
| tactic but even if this was one it's just the state
| institutions acting in the interest of their mandate. This
| might not be beneficial to your employer or Visa or MasterCard
| or few high flying credit card users of the super rich class
| but it is in the interest of the people.
|
| If they think it's time to move beyond cards due to the
| strategic overdependence on foreign service providers like Visa
| who can disrupt the Indian financial system at the behest of
| their US govt or other interests it's the right thing to
| discourage them directly or indirectly.
|
| Think in the interest of the people. WTO commitments are not
| worth the paper they are written on. State should do the right
| thing to benefit the people as a whole not worry about
| inconvenience to a few people or few middle men or foreign
| companies.
| niyaven wrote:
| Ah maybe my comment is not clear, I am not judging on whether
| this is a good/bad move for people. I wanted to explain that
| the card number will still be stored: it only applies to
| recurring payment (at least for now). So for anyone worried
| about entities storing the card number... this will continue.
|
| I understand the confusion, but just to clarify I'm a big fan
| of UPI :).
|
| Now, is it a good move for the people? It's a complex topic,
| one could write a lot about it. This move will push people
| away from cards because card tokenization won't be supported
| for a while, making recurring payment harder. It's well known
| that very small amounts of friction can drastically reduce
| the conversion rate. Entering the card details every time is
| a hassle for sure.
|
| So more UPI payments. But today there is no MDR for UPI
| transactions, meaning fintechs and banks are losing money
| when they process these transactions. For banks, it's
| supposed to be ok because a digital transaction is cheaper
| than a physical one. For fintechs, this is tough, you need to
| find money somewhere else. So less money = less incentives =
| less innovation. However there have been talks to put back
| some fees on UPI (banks are pushing a lot on this).
|
| On the other hand, more card payments = higher MDRs. So
| merchants or customers, or both, will pay more to process the
| transactions. Banks and fintech get more money. But with a
| lack of competition, because of the current duopoly
| (Visa/Mastercard), and the difficulty to enter the market due
| to strict regulation, innovation is far from its peak. Just
| by looking at how long 3DS2 takes to roll out you can see
| that there is a lot of inertia.
|
| It's not black and white, as often. _Personally_ I think UPI
| is a better direction. The only downside is that it is
| only for domestic payment. I'd love to see an EU initiative
| as successful as UPI: instant payment _could_ be the EU
| equivalent but the fees are crazily high in some countries.
| spikengineer wrote:
| MDR problem can be solved as you indicated. It also needs a
| solution pretty soon too.
|
| EU and developed countries' banks live and finance their
| profits on fees as they don't make much or any money on
| loans and other traditional financial tools. Those fees
| aren't going to go away.
| kranner wrote:
| > If they think it's time to move beyond cards due to the
| strategic overdependence on foreign service providers like
| Visa who can disrupt the Indian financial system at the
| behest of their US govt
|
| Is there any evidence that the RBI actually thinks this? You
| seemingly criticise GP on their inference of an ulterior
| motive but then posit your own ulterior motive.
| spikengineer wrote:
| Yes, some basis exists for such assumptions. RuPay and UPI
| were originally conceptualised by RBI and Govt of India to
| solve the overdependence problem. Otherwise RBI and GoI had
| no reason to introduce RuPay and they could have let the
| market develop organically.
|
| Recent RBI moves of data localisation and enforcement
| actions against Diners, American Express and Mastercard
| also indicate strong intent.
| kranner wrote:
| I'm talking about your statement of "disrupt[ing] the
| Indian financial system at the behest of their US govt".
|
| It's a pretty strong claim. If you have any evidence for
| this, please share it here.
| spikengineer wrote:
| It's a potential situation India is always worried about
| from a strategic aspect. India is neither strategically
| aligned to the US nor against it. Historically US
| strongly supported India's enemies and actively worked
| against India's interests all the way from 1945 to
| mid-2000's. US under various administration even
| threatened attack or sanctions when things don't go their
| way.
|
| Current day:
|
| Right now in 2021, US is threatening sanctions under a US
| law called CAATSA just because India bought a few
| missiles from Russia which is a long standing defence
| supplier to India. I know that CAATSA is forced on Biden
| and Trump by US Congress but it doesn't matter to India
| whether the US executive is doing it intentionally or
| not, the US state is threatening sanctions over CAATSA.
| In this era, when India is actively fighting/hindering
| Chinese aggression on its borders and taking actual
| casualties where acting against China is also in US
| interests, US threatens economic sanctions against Indian
| institutions and companies just because they bought a few
| surface to air missiles which they think are the most
| economical option to deter Chinese attack.
|
| US Treasury calls India a currency manipulator and
| threatens to cut off India from the USD financial system
| (as per US appropriation acts enacted to target China)
| although economists call such a designation as stupid
| when used against low per capita income developing
| countries with a current account deficit just because
| India tries to prevent an exchange rate blowout that
| could lead to many millions of Indians falling below the
| poverty line or losing line of income.
|
| Historical:
|
| In 1999, Clinton threatened to summarily sanction India
| on all fronts including financial when India threatened
| to go beyond the de-facto border to restrain Pakistan
| forces after they occupied Indian territory in Kargil.
| This threat repeated in 2002 after they supported the
| Pakistani position after Pakistan sponsored terrorists
| attacked the Indian parliament and India threatened to
| retaliate against Pakistan.
|
| Every time Pakistan does something stupid against India,
| US intervenes and threatens to sanction India under the
| vacuous argument that they want to prevent a "nuclear
| armageddon". It's not in India's interests to succumb to
| such threats when they aren't the source of the problem.
|
| In 1998, when India tested its nukes for the 2nd time,
| Clinton placed a breadth of sanctions on India because US
| doesn't like nuclear proliferation although India had
| nukes since 1974 and everyone knew Pak had since the
| mid-1980's and US turned a blind eye although it knew
| that China, Pak and North Korea are working together on
| them. US wants so called strategic balance between India
| and Pakistan and actively supports Pakistan on many
| issues. This prevents India from deterring China as it
| has to spend resources countering Pakistan which itself is
| propped up by US Military and economic aid.
|
| In 1971, Nixon threatened to nuke India if India didn't
| withdraw from current day Bangladesh when India
| intervened to stop a Pakistan Army led genocide and the
| resulting refugee crisis. Nixon didn't follow through
| because India convinced USSR to provide a similar counter
| threat.
|
| What happens to an economy if 100% of retail electronic
| transactions stop overnight?
|
| It is not in India's sovereign interest to let foreign
| companies control any significant chunk of the financial
| sector and it's especially not acceptable if they are US
| companies because US frequently uses this leverage of
| threat of sanctions to get its way against Indian
| interests.
| Abishek_Muthian wrote:
| Great, I'd also like if the merchants were forced to not message
| via WhatsApp; From couriers to securities every business in India
| expects that you have WhatsApp and are willing to communicate
| with them through it.
| wtmt wrote:
| I just tell all of them that I don't have or use WhatsApp, and
| that's true. They wouldn't be able to send anything over
| WhatsApp since my number was never registered with that
| platform. Those who want my business will have to abide by my
| preferences.
| Abishek_Muthian wrote:
| I've had customer service personnel change their tone towards
| me after I tell them that I don't use WhatsApp and request
| them to send an email instead. They seem to take it as a
| personal insult (or) couldn't believe that someone couldn't
| have WhatsApp.
| nicolinox wrote:
| I found the approach of disposable virtual card numbers (Visa and
| Mastercard) that Revolut is giving to each app owner for free is
| amazing. This number (always different) can be autopopulated from
| a browser plugin during checkout from the PC and has a very
| smooth user experience. I don't need to take a card out of my
| wallet or open the smartphone app to do this. I am happy and
| the regulator is happy too, in this case.
| teleforce wrote:
| Kudos to Indian govt, this should be the default for any
| e-commerce websites. I have to resort to PayPal to avoid my
| credit card being stored in the e-commerce merchant sites but
| some sites do not support PayPal. It seems that Amazon somehow
| would not even allow me to delete my old and expired credit card
| from my account.
| pronlover723 wrote:
| PayPal is worse than credit card for me. For one, PayPal
| always shares your PayPal email address, whereas when I pay
| with credit card I always give a different email address to
| every merchant.
| usr1106 wrote:
| That's why I needed to change the email address I use for
| PayPal repeatedly. Now I have mostly stopped using PayPal. It's
| full of dark patterns like making authorization recurring
| without giving me an option. Need to cancel authorization for
| future payments manually afterwards. I guess in the worst case
| this could be racy, another payment before I cancel.
| oefrha wrote:
| Does PayPal still share email addresses? I accept donations
| on PayPal for my open source projects, and starting from a
| few months ago I can no longer see people's email addresses,
| which have been replaced by links to an internal chat system.
| mkbkn wrote:
| > It seems that Amazon somehow would not even allow me to
| delete my old and expired credit card from my account.
|
| Strange. Amazon India allows deleting the stored card details.
| vivekv wrote:
| Indian merchants have to support UPI - another payment
| mechanism which is secure. I tend to use that in most places so
| that I dont have to store my card details.
| rg111 wrote:
| Do you have to use your cellphone number to avail UPI
| services?
|
| If that is the case, then it is not for me.
| echlipse wrote:
| You need to have a bank account to use UPI. Banks require a
| phone number afaik.
| rg111 wrote:
| Yes, I know that.
|
| But does one need to share one's phone number to barely
| send or receive money?
| echlipse wrote:
| nope. just your vpa.
| jetsetgo wrote:
| it is not for you and no one cares
| spikengineer wrote:
| UPI primarily uses a virtual private address in the form of
| an email address.
|
| You only need to disclose this vpa to the merchant.
|
| It looks like username@statebank
|
| You don't need to disclose your phone number or bank
| account number to the merchant if you don't want to as UPI
| has multiple address mechanisms.
|
| You can also use QR
| mkbkn wrote:
| Yes, UPI needs a phone number linked to your bank account.
| wtmt wrote:
| Just to clear things up since some of the other comments
| seem unsure or have partial information, UPI requires a
| cell phone, a cell phone number and the bank account linked
| with the cell phone number. It cannot be used from a
| computer (IMPS, which is like UPI's cousin with a slightly
| more cumbersome interface, can be used from a computer).
|
| The primary form of UPI usage is from smartphone apps
| (provided by banks or by the operator of UPI, which is the
| NPCI BHIM app).
|
| See the UPI overview page [1] by NPCI (a private consortium
| operating UPI, IMPS and a few other services).
|
| [1]: https://www.npci.org.in/what-we-do/upi/product-
| overview
| rg111 wrote:
| Thanks.
|
| But if one just needs to send or receive money does one
| need to share one's cell phone number to this 2nd party?
| scriptdevil wrote:
| You don't need to - you can also share your unique UPI ID
| which is text like username@bankcode
| wtmt wrote:
| GP here. No, you don't necessarily have to share your
| cell phone number as the sender or as the receiver. But
| take note of the details below.
|
| UPI assigns/allows one or more Virtual Payment Address
| (VPAs) for each account, which looks kinda like an email
| address. The default VPA is usually phone-
| number@bankname, but you can (and should) disable that
| default VPA (mainly because UPI also has a payment
| request mode where anyone can request anyone else for
| money and there are plenty of scams with that and
| enumerable phone numbers). Instead, create the VPA as
| some-random-name@bankname (assuming nobody else has taken
| that). The sender and the receiver would know the VPA of
| the counter-party as well as the full name of the person
| (the name gets displayed before confirming a payment, and
| is helpful to know that it's going to the right person).
|
| Also note that while some banks allow only one VPA for an
| account, some banks allow several VPAs for the same
| account (think of them as similar to what email aliases
| are for the same email account). So you could have
| mybusiness@bankname for your clients to send business
| payments, mybigdinnerparty@bankname for your friends to
| send their share of the dinner party bill, and so on --
| all linked to your name and the same bank account.
| illegalmemory wrote:
| I have created a UPI ID directly with the bank and there is no
| need of any third party app. It can be used to transfer
| money directly without sharing bank and card details.
| captn3m0 wrote:
| You can receive money over UPI without a smartphone.
|
| But sending money actively (as a customer) from a
| personal bank account is not possible afaik.
| samarthr1 wrote:
| What no? My business, and my family business both run off
| the ability to make upi payments by just giving a UPI Id,
| amount and everything your pin. Quite often, i settle
| accounts with my friends over UPI. One of them pays for
| coffee, and i just upi him his share. And we work with
| our own personal savings accounts.
| captn3m0 wrote:
| Needs a smartphone, that's what I was pointing out.
| seesawtron wrote:
| >It seems that Amazon somehow would not even allow me to delete
| my old and expired credit card from my account. If you are in
| the EU, in my experience with the GDPR, this is not allowed.
| The e-commerce merchant must allow users to have the option to
| remove this information. PS: I had to file a formal complaint
| against a telecom company to have this resolved.
| pmontra wrote:
| Unless they have to store those details for N years because
| of local laws. Obviously they could hide old cards in the UI
| and/or implement a soft delete.
| zerocount wrote:
| I agree. I had to do the PayPal thing with my Visible phone
| service because I couldn't delete an old card. Luckily PayPal
| doesn't require me to have anything linked just to have an
| account.
|
| Why do companies want to store this data anyway?
| konschubert wrote:
| Be careful if you pay with PayPal in foreign currency, they
| have super-bad conversion rates that they try to trick you into
| accepting. You can turn this off if you can see through their
| dark patterns.
|
| But as a rule of thumb, PayPal is a scammy company that I now
| try to avoid where I can.
| beebeepka wrote:
| Convenience vs security. All in all, looks like a good thing.
| kgdinesh wrote:
| I see the US Model as "Optimistic". Let the transactions through
| and fight back fraud with a strong chargeback mechanism.
|
| Whereas the Indian Model is "Pessimistic". Put in as many
| checks as possible to reduce the rate of fraud before the
| transaction has even completed.
|
| Thoughts?
| aniforprez wrote:
| I love it. The optimistic model forces me to be hyper-aware of
| all my banking activities and know when fraud happens
| retroactively. All the Indian regulations mean I effectively
| don't have to worry as much unless something serious happens.
| CC stolen? I don't care, they won't have the PIN or the secure
| PIN used for online transactions, so it's useless and I can just
| close the card on the banking website. Mobile phone stolen?
| They won't have the PIN to do UPI transactions, so they can sell
| my phone but not have access to any of my banking activities.
| It's a total win. This new regulation helps prevent my card
| info from getting leaked by all these cheap sites with intern
| developers.
| 2Gkashmiri wrote:
| Yesterday saw a family member get an SMS: "your jio mobile
| e-kyc is pending. please call 6006xxxxxx number to get your
| e-kyc done so that there is no disruption to your service".
| This came after TRAI decided to
| https://telecom.economictimes.indiatimes.com/news/trai-
| pushe...
|
| This means anyone who read the news understood this was
| going to happen, and scammers put their numbers in and sent
| out SMS. Any unsuspecting user would just call them, whereby
| they would ask for their Aadhaar card, PAN card, OTP and you
| are fucked.
___________________________________________________________________
(page generated 2021-12-17 23:02 UTC)