On February 7, the Reserve Bank of India (RBI) announced the implementation of Additional Factor Authentication (AFA) for cross-border “Card Not Present” (CNP) transactions. With the volume of international shopping and subscriptions to services rising, this measure aims to strengthen security for cardholders.
“AFA has already proved its effectiveness in reducing fraud in the domestic digital payment ecosystem. Until now, AFA was not mandated for international transactions. But with the growing numbers and adoption of digital payments, it was only a matter of time,” says Venkat Narayanan, associate vice-president-products, Worldline.
Likely modus operandi
Many people subscribe to international services requiring monthly payments. “An AFA will be a must at the time of mandate registration, modification, or deletion,” says Narayanan.
Currently, users receive notifications before auto-debits. Under the new system, the process may change slightly. “Customers will need to approve the payment via an OTP or another authentication method, as mandated by their bank. If users do not authenticate within a stipulated time, the transaction will not be processed,” says Prashant Mali, cyber law expert and advocate, Bombay High Court.
Some experts believe authentication may not be required monthly but at specific intervals. “Payment processors will need to come up with end-to-end encryption-based solutions that require frequent renewal of payment authorisation for subscriptions, that is, once every three or six months, using AFA,” says Dip Mehta, partner, EY forensic and integrity services.
Larger transactions may require extra verification. “There will also be a threshold transaction value beyond which the customer will have to go through extra verification by means of an OTP that the issuing bank will trigger to the registered mobile number,” says Narayanan.
Enhanced security
AFA provides an extra layer of security. “This verification is conducted through an alternative channel, different from the one where the purchase is being made,” says Narayanan. For example, when making an online purchase, users may receive an OTP on their registered mobile number or be prompted for biometric authentication using a certified programme.
The system makes unauthorised transactions more difficult. “With AFA, even if a fraudster obtains a user’s card details, they cannot complete a transaction without additional verification, such as an OTP sent to a registered mobile number. They would require access to your phone or email for OTP authentication, making it significantly harder to misuse the card,” says Mali.
Phishing will also become harder to pull off. In a typical phishing attempt, links direct online shoppers to fraudulent websites that capture their payment details. “With AFA, customers will have an alternative channel to track payments initiated on their cards. They will also have control over whether to allow the payment to go ahead, after validating the merchant establishment and the amount,” says Narayanan.
Stay vigilant, nonetheless
If a hacker attempts an unauthorised transaction using stolen card details, the cardholder will receive an AFA notification. “They should deny the transaction and report it to their bank. They should also cancel the card and replace it,” says Narayanan.
Mehta suggests relying on advanced AFA solutions such as biometrics and facial recognition.
Even with AFA in place, users must remain cautious. “They should avoid storing card details on websites and instead consider using virtual cards or one-time payment modes,” says Mali.
Users must also remain on alert for phishing scams. “Avoid clicking on suspicious links or sharing information on untrusted websites,” says Mali.
Additional security measures you must adopt
- When shopping internationally, use only well-known and trusted websites or apps
- Ensure the website where you shop is secure (https) and is the merchant’s official site
- Enable SMS and email notifications for all transactions to detect unauthorised activity quickly
- Do not click on links in unsolicited emails
- Watch for spelling or logo errors, as phishing websites often mimic legitimate brands but may have slight differences in spelling, logos, or domain names