RBI diktat on Uber could affect Google and Apple too

Some of the top internet firms follow the same payment model as the Google-funded taxi service

In their fight against their San Francisco-based Google-funded rival, Uber, local taxi fleets seem to have kicked up dust about a wider industry issue. The debate has now shifted to large multinational technology companies like Google and Apple, which follow almost the same payment model as Uber.

The Reserve Bank of India (RBI) on Friday issued a letter alleging some foreign entities were flouting credit card transaction rules and violating the Foreign Exchange Management Act (Fema) requirements. The central bank asked these service providers to comply with the rules by October 31.

The diktat has ramification for a wide range of internet companies operating in India which will have to alter their payment models. At present, the mobile application stores of Apple and Google, for example, do not follow the two-stage authentication process mandated by RBI for credit card transactions. Every time a user buys an application from these stores, the transaction is completed using the customer's credit card details already saved in these firms' database. This might be a violation of RBI's credit card transaction guidelines, which require a second-stage check in the form of a one-time password or verification services like 'verified by Visa'.

After the central bank's strong note, most of these entities might have to upgrade their technology to operate in India.

A spokerperson for Google India says the company takes regulatory compliance seriously. "We will look into this and respond suitably." Uber and Apple did not immediately respond to the queries sent by Business Standard.

RBI had introduced the two-stage authentication process a few years ago, following instances of card cloning, said Akhilesh Tuteja, executive director of audit and consultancy firm KPMG India. "The 3D secure technology is well developed and easy to implement. The convenience factor is the only reason why companies are not adopting it," Tuteja said, adding it would not be "big deal" for companies to implement it, provided users were ready to prefer security to convenience.

In the past, there have been several instances of hackers breaking into the servers of companies like Amazon and Adobe. An additional authentication layer serves as a safeguard if a user's credit card details are stolen: A transaction cannot be completed without a password is punched in. However, Tuteja says this layer of security is restricted to India alone, as global payment gateways do not require two-stage authentication.

The Fema matter relates to dollar billing, which is perceived as a larger and more complex issue. Like Uber, most application stores, including those of Google and Apple, use an international payment gateway, where the actual billing takes place in dollars (even if it shows in rupees).

Some experts are of the view that the exemption for a two-stage verification process is valid only when there is a foreign exchange outgo. Merely the presence of an overseas payment gateway does not qualify for such an exemption, they say. However, Tuteja says a company transacting in a foreign currency and using an international payment gateway doesn't mean it is not recording revenues in India and violating Fema. "Let's not make any allegations till the time all facts are clear."

But, given RBI's mandate, all transactions in India might have to go through a local payment gateway. This would improve security of transactions, at least in India.

The central bank on Friday said there had been instances of 'card not present' transactions, without the mandated additional authentication/validation, even where the transaction was taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). "It is observed that these entities are evading the mandate of additional authentication/validation by following business/payment models which is resulting in foreign exchange outflow."

RBI further advised that where cards issued by banks in India were used for making 'card not present' payments towards purchase of goods and services provided within the country, the acquisition of such transactions had to be through a bank in India, and the transaction should necessarily be settled in the Indian currency, in adherence to extant instructions on security of card payments.

SECURITY THREAT

• RBI on Friday said several foreign entities were flouting rules governing credit card transactions and Fema
   
• Such service providers were given time until the end of October to follow the law of the land
   
• Large multinational technology companies like Google and Apple follow almost the same payment model as Uber
   
• The mobile application stores of Apple and Google do not follow the two-stage authentication process mandated for credit card transactions
   
• After RBI's strong note most of such foreign entities might have to upgrade their technology to operate in India