Indian online merchants cannot store credit card information from 2022

266 points by vivekv 3 years ago | 147 comments
  • neya 3 years ago
    This is actually a good thing. Think of it like Apple's email masking service - Merchants can only store a tokenized version of your credit card instead of the real card details. I say this is a good thing after having worked with many E-Commerce shops in India as a consultant. Most of them barely know a thing about security, let alone about PCI DSS compliance.

    I have worked with shops that stored the entire credit card number in PLAIN TEXT! Not just credit cards, even their users' passwords. This also explains why many of them got and still get hacked from time to time. Even credit card processors got hacked due to this. Lots of shitty ones in the Indian market actually.

    The root cause of this, not to cause language flame wars here, is that most of the shops use script kiddos with just basic PHP knowledge. Bare minimum, they're recent fresh college grads who just know how to consume data from a form in PHP using GET and POST, that's it. Most of the code I've worked with just consumes this directly instead of stripping/processing it and ends up introducing SQL injection attacks. At least, if they used a framework, this would be provided by default for free, but many of the developers hardly know about even MVC.

    (As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.

    Well folks, that's it for today's note on why this was a good move. Have a nice day!

    Edit: Some of the recent hacks that were not made public widescale like they should've been:

    1. Domino's Pizza India (Yes, the international pizza chain)

    2. BigBasket (Largest online grocery ordering App)

    3. PayTm (One of the largest, if not the largest digital payments app in India)

    • Abishek_Muthian 3 years ago
      RBI (Central bank) has been filling in for a long time for the total lack of security practices by merchants & data-privacy laws.

      e.g. One can control how much money can be withdrawn from the credit/debit card per day according to domestic/international merchants/online/physical/ATM etc. through net-banking, with the minimum in multiples of INR 1000. So even if the card data gets stolen, criminals can at most withdraw only the minimum amount in the other part of the world.

      But unfortunately due to the digital divide, not many have access to or awareness of such facilities, and hence control over card data is required.

      IMO the single point of failure for India's financial security is its extraordinary dependence on mobile numbers for 2FA. Even security-conscious customers can do little against SIM jacking attacks, but for those who are not security conscious, all it requires is a social-engineered SMS with an ngrok URL[1] or a phone call asking for that OTP.

      Please write to RBI and demand your bank to support hardware tokens (or) at least TOTP.

      > 3. PayTm (One of the largest, if not the largest digital payments app in India)

      Did you mean that largest digital payments company which integrated the PoS facility on the merchant's app and the customers were asked to enter their credit/debit card details manually?[2]

      [1] https://twitter.com/Abishek_Muthian/status/14069649600815718...

      [2] https://abishekmuthian.com/paytm-says-to-me-that-its-pos-fea...

      • andi999 3 years ago
        So who has to pay up. What I mean, let's say your cc data gets stolen and somebody draws money from your card, can't you just initiate a charge back?
        • Abishek_Muthian 3 years ago
          Although charge back mechanisms exist for merchant transactions, I don't know of anyone who got back their money lost through the theft of their card data. I wouldn't be surprised if VISA/MASTER/AMEX don't have such liabilities in India as they do in the US/Europe.

          I had a conversation with the cyber-crime police regarding the aforementioned SMS scam using ngrok. They mentioned that many in my city have lost huge sums of money through it, and the scam is not just for stealing bank credentials: the attacker's application tries to exploit the victim's system and had successfully installed a RAT.

          Successive Indian Govts. have been at loggerheads with the VISA/MASTER duopoly and have successfully derailed it for domestic payments. Now Unified Payments Interface (UPI)[1], which works with payment apps, has more transactions than debit/CC. So the domestic criminals have largely switched to UPI/bank account based scams.

          Occasionally some of these criminals get caught and some get their money back.

          [1] https://timesofindia.indiatimes.com/business/india-business/...

          • PeterisP 3 years ago
            Chargeback rights and liability for fraud on credit cards are significantly different in different regions, even for seemingly identical visa/mastercard cards.
        • ehnto 3 years ago
          I have spent a long time in eComm in the west, and you see that kind of stuff there as well. The most erroneous was the company that would take credit cards in plain text, print them onto an order sheet for reception staff to put through their POS at the front desk, and then the order sheets just went into the bin near the entrance. Thousands of credit card numbers were just sitting there for the taking, in plain text, in plain sight.
          • spookthesunset 3 years ago
            > The most erroneous was the company that would take credit cards in plain text, print them onto an order sheet for reception staff to put through their POS at the front desk, and then the order sheets just went into the bin near the entrance

            Back in my younger days, I implemented exactly such a system. Looking back, it seems like a "WTF were you thinking" but somehow it made sense back then. What is obvious practice now took 20+ years of internet evolution to reach.

            I've also worked for companies that:

            - Stored user passwords in plaintext so you can email the customer their password if they forgot
            - Stored the CVV so "we could issue refunds"
            - Accidentally created anonymous email relays using copy & paste code from some "how do I create a webform in PHP" site.
            - Test data was simply a mirror of production
            - Test servers would send real emails to real customers (because the test data was a prod mirror)

            There are probably some other atrocities I've been exposed to but those are the highlights.

            Oh yeah, forgot one:

            - To "save money" on hard drives for "the server" we did a RAID0 array. Works great until one of the disks dies and you lose everything. (This was my own dumb fault though).

            Live and learn I guess!

            • yibg 3 years ago
              Not just ecomm. I remember the days when customers would read their credit card numbers over the phone for small businesses (e.g. pizza joints). You'd write it down for processing later. The paper then gets disposed of at some point with the full credit card info and name written on them.
              • fishtacos 3 years ago
                Not quite as egregious, but when I worked in QA for an internally accessible hospital record-keeping web app, most of the "test" data was real customer data, and OBVIOUSLY I had complete access to prod with no particular oversight (although I'm certain logging was enabled) for HIPAA. Still, glad it was available, as going through approval processes would've been a nightmare for our implementations.
                • coldcode 3 years ago
                  The healthcare place I worked (mid 00's) kept all the prod passwords in a text file accessible to half the company. No auditing of logins into those servers either, so who knows what was leaked.
                  • Tempest1981 3 years ago
                    > going through approval processes would've been a nightmare

                    So internal apps can skip the HIPAA approval process? Or everyone can?

                  • chefandy 3 years ago
                    Indeed, astonishing retail-level security shenanigans will happen anywhere relying on simple credit card numbers. That said, the attack surface of a piece of paper is vastly smaller than a web-app-connected database.
                    • dzhiurgis 3 years ago
                      Isn't that how booking.com still operates with like millions of hotels worldwide, but via fax machine?
                      • ehnto 3 years ago
                        I wouldn't be surprised. I wonder what is more secure, fax or plain text email?
                    • paxys 3 years ago
                      That's a weird generalization. Yes there are terrible, insecure e-commerce sites in India, the same as there are in the USA and everywhere else on the planet. India is also the top 7-8 e-commerce market in the world. Large local apps in the space have valuations in the tens of billions of dollars, and all major global players like Amazon and Walmart are involved in the country as well. These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.
                      • yjftsjthsd-h 3 years ago
                        > That's a weird generalization. Yes there are terrible, insecure e-commerce sites in India, the same as there are in the USA and everywhere else on the planet.

                        I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.

                        > These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.

                        Those are less connected than you think; loads of companies run obscenely large monetary transactions and essential business processes with horrifying hacked-up systems (50k LoC files, 20-year-old Perl scripts that nobody understands, Solaris 2.x desktop in the maintenance closet...); utility and good code are less correlated than we wish.

                        • ratww 3 years ago
                          > I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.

                          Or maybe even different companies forcing users to accept credit cards in different ways.

                          A handful of providers I had to integrate with in my career (in LatAm and Germany) had this rule where you couldn't have the numbers going through your system unless you got PCI certification. You had to use an iFrame, or redirect to their website where the form was served.

                          Sometimes the APIs were there, in public, but even if you used a valid credit card number it would deny verification unless your merchant account was pre-authorised.

                          • rob74 3 years ago
                            Yeah, seems plausible - after all, as I recently learned from another HN post, it is customary for trucks not to have side mirrors in India, whereas this is much rarer in the US and virtually unheard of in (western) Europe...
                            • dewey 3 years ago
                              "such that US companies have to care about PCI more than Indian companies."

                              If you think about the social security number system, paper checks or credit cards with magnet strips I think you'll notice that other countries sometimes have stricter and more advanced security regulations.

                            • deathtrader666 3 years ago
                              Yes, but large valuations don't correlate with better security practices. Obviously the person above isn't talking about Amazon or Walmart when referring to "script kiddies".

                              Of the nearly 45-50 contract jobs I've seen, a lot of them use pirated WP or Magento plugins, and plain text storage of sensitive content.

                              • sidm83 3 years ago
                                Again, generalization. What you're talking about mostly refers to small time sites with maybe not more than a few dozen orders a day. Typical ecommerce businesses (usually the kind with at least 100s or 1000s of orders a day) write their own code rather than using WP plugins.

                                As far as PCI DSS goes, there are multiple levels. Even at the tier 2 Indian ecom company I used to work at, we did not store any card info, it was just submitted in an iframe rendered by the payment gateway. And even then we were subjected to annual/semi-annual security audits (this was in addition to quarterly external security audits we ordered ourselves apart from typical OWASP top 10 checks performed by QAs in weekly sprints).

                              • reaperducer 3 years ago
                                > That's a weird generalization

                                It doesn't seem like a generalization at all. It's someone relaying their actual experience:

                                "having worked with many E-Commerce shops in India as a consultant"

                                It very often happens on HN that if someone talks about something they had personal experience with, that people try to characterize it as a generalization, as if that somehow magically makes the statements a fantasy. It does not.

                              • randombits0 3 years ago
                                I’m a PCI QSA and this is exactly correct. No one should store card data for recurring transactions. India just made it a law. Good for them.
                                • chakkepolja 3 years ago
                                  > (As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.

                                  Kudos for doing God's work! As someone who studied in India, I think YouTube videos might have a better reach with the Indian student audience. There is so much mediocre content out there on YouTube and high-SEO sites like GFG (they are kinda fine for algorithm / Leetcode stuff but I can't stand their student-contributed code for anything else). A higher quality de facto tutorial series might make a better impact. But of course promoting is important.

                                  • powerapple 3 years ago
                                    Agree. There is really no way of knowing which website has my credit information now (I choose not to save credit details anyway). I wish all websites would ask permission every year to hold my information.
                                    • txtsd 3 years ago
                                      How do I get these firms to hire me instead? I know enough about the basics of security to not make these mistakes. Why would they choose college grads who know nothing about it instead?
                                      • LeonM 3 years ago
                                        The issue is often that:

                                         1. The vendor is not aware that this is a problem
                                         2. As a result of point 1, the vendor does not have budget planned for this.
                                         3. The reward for the investment does not make sense for most of the vendors.

                                        About point 3: For the vendor, there is no tangible improvement in sales (in fact, some security measures raise the barrier for their customers to place an order). So why should they do it? In their experience, the budget is better spent on improving the customer experience, marketing, increasing stock, lowering prices, etc.

                                        Point 3 is really tricky, especially in some cultures and countries. If there is no legal consequence for leaking customer data, why should they be spending money on preventing something that may or may not happen in the future?

                                        • the_other 3 years ago
                                          Cost.
                                          • nmstoker 3 years ago
                                            It's really cost plus a chance they'll get away with it (or the team/mgr hiring will have moved on by the time it's found out).

                                            If it were cost but they were guaranteed to get caught they wouldn't do it.

                                        • pronlover723 3 years ago
                                          What is this Apple email masking service? I keep reading about it, but every time I pick "Apple Pay" to pay some service it tells me it's going to give them my iCloud address and it gives me no option to choose "mask my email" or anything remotely related, or to give some alternate email.
                                          • NavinF 3 years ago
                                            I agree as long as merchant banks let you transfer tokenized cards to a new provider. Otherwise businesses will get locked into one provider for recurring billing.

                                            (No, this doesn’t make tokenized cards as dangerous as card numbers. Transferring a merchant account is a whole process. Not to mention that when a breach happens, you can cancel one merchant’s tokens without forcing every customer to get new cards)

                                            • kashif 3 years ago
                                              This is not all that - this is a push to move people to digital wallets such as PayTM (more crony capitalism)

                                              The fix for the problems you highlight is an audit and stringent rule of law.

                                              • unbanned 3 years ago
                                                And yet people still think hiring Indian software and IT engineers is a good idea.

                                                This is not a racist thing. So don't disagree because it hurts someone else's assumed feelings.

                                                There is a significant gap in that sort of knowledge there.

                                                • neya 3 years ago
                                                  I disagree with this premise, I have worked across many countries and I can tell you bad script kiddies and programmers exist universally, everywhere. It just so happens the population of India and China are quite large compared to the rest of the world, so they're more easily visible. I have worked with some of the best talent from these nations as well, so I would be very hesitant to attach a particular country to it.
                                                  • aniforprez 3 years ago
                                                    "assumed feelings"?

                                                    Does that somehow magically excuse racist statements like this? Good engineers are everywhere. Bad engineers are everywhere.

                                                  • korginator 3 years ago
                                                    The real story is far less sensationalist than the title on HN, "Indian online merchants cannot store credit card information from 2022".

                                                    Reading through the actual notification titled "Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services", it is clear that the directive is a well deserved push away from Card on File (CoF) where the actual card details are stored by merchants, towards CoFT which is a lot less vulnerable. In fact this is exactly what Apple Pay, Google Pay, and several others are already doing worldwide.

                                                    • teleforce 3 years ago
                                                      Kudos to the Indian govt, this should be the default for any e-commerce website. I have to resort to PayPal to avoid my credit card being stored on the e-commerce merchant sites, but some of the sites do not support PayPal. It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.
                                                      • konschubert 3 years ago
                                                        Be careful if you pay with PayPal in foreign currency, they have super-bad conversion rates that they try to trick you into accepting. You can turn this off if you can see through their dark patterns.

                                                        But as a rule of thumb, PayPal is a scammy company that I now try to avoid where I can.

                                                        • blntechie 3 years ago
                                                          I have been burned a couple of times by them. I thought it was a genuine and useful feature.

                                                          First, they offered a poor conversion rate.

                                                          Second, they said they would charge in INR and hence no further markup by banks, which was an outright lie, as they charged in INR from PayPal Singapore, to which the bank applied a foreign markup anyway. So I paid a double markup.

                                                          It's basically a scam.

                                                        • vivekv 3 years ago
                                                          Indian merchants have to support UPI, another payment mechanism which is secure. I tend to use that in most places so that I don't have to store my card details.
                                                          • rg111 3 years ago
                                                            Do you have to use your cellphone number to avail UPI services?

                                                            If that is the case, then it is not for me.

                                                            • wtmt 3 years ago
                                                              Just to clear things up since some of the other comments seem unsure or have partial information, UPI requires a cell phone, a cell phone number and the bank account linked with the cell phone number. It cannot be used from a computer (IMPS, which is like UPI’s cousin with a slightly more cumbersome interface, can be used from a computer).

                                                              The primary form of UPI usage is from smartphone apps (provided by banks or by the operator of UPI, which is the NPCI BHIM app).

                                                              See the UPI overview page [1] by NPCI (a private consortium operating UPI, IMPS and a few other services).

                                                              [1]: https://www.npci.org.in/what-we-do/upi/product-overview

                                                              • illegalmemory 3 years ago
                                                                I have created a UPI ID directly with my bank and there is no need for any third-party app. It can be used to transfer money directly without sharing bank and card details.
                                                                • spikengineer 3 years ago
                                                                  UPI primarily uses a virtual private address in the form of an email address.

                                                                  You only need to disclose this vpa to the merchant.

                                                                  It looks like username@statebank

                                                                  You don't need to disclose your phone number or bank account number to the merchant if you don't want to as UPI has multiple address mechanisms.

                                                                  You can also use QR

                                                                  • echlipse 3 years ago
                                                                    You need to have a bank account to use UPI. Banks require a phone number afaik.
                                                                    • mkbkn 3 years ago
                                                                      Yes, UPI needs a phone number linked to your bank account.
                                                                      • jetsetgo 3 years ago
                                                                        it is not for you and no one cares
                                                                    • mkbkn 3 years ago
                                                                      > It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.

                                                                      Strange. Amazon India allows deleting the stored card details.

                                                                      • pronlover723 3 years ago
                                                                        PayPal is worse than a credit card for me. For one, PayPal always shares your PayPal email address, whereas when I pay with a credit card I always give a different email address to every merchant.
                                                                        • usr1106 3 years ago
                                                                          This is why I needed to change the email address I use for PayPal repeatedly. Now I have mostly stopped using PayPal. It's full of dark patterns like making authorization recurring without giving me an option. I need to cancel authorization for future payments manually afterwards. I guess in the worst case this could be racy, with another payment going through before I cancel.
                                                                          • oefrha 3 years ago
                                                                            Does PayPal still share email addresses? I accept donations on PayPal for my open source projects, and starting from a few months ago I can no longer see people’s email addresses, which have been replaced by links to an internal chat system.
                                                                          • zerocount 3 years ago
                                                                            I agree. I had to do the PayPal thing with my Visible phone service because I couldn't delete an old card. Luckily PayPal doesn't require me to have anything linked just to have an account.

                                                                            Why do companies want to store this data any way?

                                                                            • seesawtron 3 years ago
                                                                              > It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.

                                                                              If you are in the EU, in my experience with the GDPR, this is not allowed. The e-commerce merchant must allow users the option to remove this information. PS: I had to file a formal complaint against a telecom company to have this resolved.
                                                                              • pmontra 3 years ago
                                                                                Unless they have to store those details for N years because of local laws. Obviously they could hide old cards in the UI and/or implement a soft delete.
                                                                            • blueblisters 3 years ago
                                                                              Is the RBI deliberately trying to handicap credit cards in India? The decision to make recurring payments impossible, followed by having to enter card information every time I do an online transaction is making for a very frustrating experience.

                                                                              The justification for these decisions is always "consumer interest", but how is making consumers jump through hoops to transact online in the consumer's interest? I wish the industry was more co-ordinated in lobbying against these crazy policies.

                                                                              Edit: A couple of replies below say they don't mind authorizing subscriptions/recurring charges every time. I respect that view, but I think people underestimate how much friction it adds if a business needs to ask you for permission every time to renew. Consumers are forgetful. They may not be available to authorize a payment when it's time to renew. Subscriptions reduce transaction costs, give businesses a predictable stream of income and allow consumers continued access to services without having to remember to renew them.

                                                                              If you don't believe me, just look at the data and anecdotes posted by tech journalists and software devs on twitter - it's a shitshow.

                                                                              If businesses make cancellation hard, the right policy would have been to allow consumers to "stop" charges from the card issuer's website or app, not to ask consumers to approve a charge every time it happens.

                                                                              • sudhirj 3 years ago
                                                                                So the order doesn’t prohibit tokenizing or saving cards, it specifies who can save them.

                                                                                Earlier, merchants could save the details, and this ability leads to massive amounts of fraud and theft (see US right now).

                                                                                Then only regulated payment aggregators could save them, and issue a token to the merchants. Stealing the token wasn’t too helpful because you couldn’t grab the money, the token was tied to the merchant. But this still means my card number is stored on a bunch of companies that can suddenly take whatever funds they want, and I can’t cancel these tokens.

                                                                                Fast forward to 2022, where only the issuer I got my card from can give out tokens - so I can now see a list of every single merchant who has access to my card tokens, and I can cancel them whenever I want.

                                                                                So the functionality is not going away, it’s moving to another part of the regulated system that’s more in the control of the consumer.

                                                                                As a person I welcome the move (no more struggling to understand card charges or pleading with companies to cancel my subscriptions). As a developer it’s more work to implement the new system, but it’s not much more work than the old one. Projects using Stripe or Razorpay will get the new system with no changes.
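As an added illustration of the model sudhirj describes above (this is example code written for this page, not code from the thread, from Stripe, Razorpay or any real issuer), here is a toy Python vault in which only the issuer holds the PAN, every token is bound to exactly one merchant, and the cardholder can list and revoke merchant access. The merchant ids, customer id and test PAN are constructed sample values.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    card_ref: str      # opaque reference to the card inside the issuer vault
    merchant_id: str   # the single merchant allowed to present this token
    active: bool = True


class IssuerTokenVault:
    """Issuer side of CoFT: the only place the real PAN is stored."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}            # card_ref -> PAN
        self._tokens: dict[str, TokenRecord] = {}  # token -> binding

    def enrol_card(self, pan: str) -> str:
        card_ref = "card_" + secrets.token_hex(8)
        self._pans[card_ref] = pan
        return card_ref

    def issue_token(self, card_ref: str, merchant_id: str) -> str:
        """Issued with the cardholder's consent; the merchant never sees the PAN."""
        if card_ref not in self._pans:
            raise KeyError("unknown card")
        token = "tok_" + secrets.token_hex(16)  # random; carries no PAN information
        self._tokens[token] = TokenRecord(card_ref, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount: int) -> str:
        """Approve only if the token is live and bound to the presenting merchant."""
        rec = self._tokens.get(token)
        if rec is None:
            return "declined: unknown token"
        if not rec.active:
            return "declined: token revoked"
        if rec.merchant_id != merchant_id:
            return "declined: token not bound to this merchant"
        return f"approved {amount} on card ending {self._pans[rec.card_ref][-4:]}"

    def merchants_with_access(self, card_ref: str) -> list[str]:
        """What the cardholder sees in the issuer's app: who holds a live token."""
        return sorted({r.merchant_id for r in self._tokens.values()
                       if r.card_ref == card_ref and r.active})

    def revoke_merchant(self, card_ref: str, merchant_id: str) -> int:
        """Cardholder cancels one merchant's access without replacing the card."""
        revoked = 0
        for rec in self._tokens.values():
            if rec.card_ref == card_ref and rec.merchant_id == merchant_id and rec.active:
                rec.active = False
                revoked += 1
        return revoked


class Merchant:
    """Merchant side: stores nothing but the token it was handed."""

    def __init__(self, merchant_id: str, vault: IssuerTokenVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.cards_on_file: dict[str, str] = {}  # customer_id -> token

    def charge(self, customer_id: str, amount: int) -> str:
        token = self.cards_on_file[customer_id]
        return self.vault.authorize(token, self.merchant_id, amount)

    def breach_dump(self) -> list[str]:
        """Everything an attacker would get from this merchant's database."""
        return list(self.cards_on_file.values())


def demo() -> dict:
    # Constructed sample data: a well-known test PAN and hypothetical merchant ids.
    vault = IssuerTokenVault()
    card_ref = vault.enrol_card("4111111111111111")
    pizza = Merchant("pizza-shop", vault)
    grocer = Merchant("grocery-app", vault)
    pizza.cards_on_file["alice"] = vault.issue_token(card_ref, pizza.merchant_id)
    grocer.cards_on_file["alice"] = vault.issue_token(card_ref, grocer.merchant_id)

    out = {"first_charge": pizza.charge("alice", 499)}
    # A token taken from the pizza shop's database is useless at another merchant.
    stolen = pizza.breach_dump()[0]
    out["replay_elsewhere"] = vault.authorize(stolen, grocer.merchant_id, 499)
    out["pan_leaked"] = any("4111111111111111" in t for t in pizza.breach_dump())
    out["merchants_before"] = vault.merchants_with_access(card_ref)
    out["revoked"] = vault.revoke_merchant(card_ref, pizza.merchant_id)
    out["merchants_after"] = vault.merchants_with_access(card_ref)
    out["after_revoke"] = pizza.charge("alice", 499)
    out["grocer_unaffected"] = grocer.charge("alice", 1200)
    return out
```

Revoking the pizza shop's token leaves the grocer's token and the card itself untouched, which is the difference from cancelling a card after a merchant breach.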

                                                                                • vishnugupta 3 years ago
                                                                                  Thanks for the clear and jargon-free response. I wish this were top-level and the top comment.
                                                                                  • ratww 3 years ago
                                                                                    Yep, this is how most of the companies I worked for handled recurring payments. The only time the customer needs to input their credit card again is when the credit card number changes.

                                                                                    Some providers even had integration with banks, so when a credit card was auto-renewed and the expiration changed (the CC number was still the same), we didn't even have to ask the customer for an update. Only when the customer specifically asked for a new card.

                                                                                    So there's even the possibility of even more convenience to customers.

                                                                                    • sidm83 3 years ago
                                                                                      This is a great response throwing light on the actual new protocol which does seem to make sense.
                                                                                    • ramraj07 3 years ago
                                                                                      As a consumer in India I’m so happy at least some part of this government is doing what it’s supposed to do.

                                                                                      A century of unchecked lobbying is pretty much the reason why the US is at the state it is. The difference I’ve seen between how things run in India and the states is that in India what’s illegal and called corruption is called legal and lobbying here.

                                                                                      What exactly are you worried about? Clicking authorize on nytimes subscription every month?

                                                                                      • sumedh 3 years ago
                                                                                        > Clicking authorize on nytimes subscription every month?

                                                                                        Why is that a good thing?

                                                                                        • bobthepanda 3 years ago
                                                                                          Why is it bad?

                                                                                          One of the first pieces of advice for anyone sorting out personal finances is "figure out what subscriptions you aren't using." Cancelling in many cases is an anti-pattern (looking at you, NYT)

                                                                                          • blntechie 3 years ago
                                                                                            Because for NYTimes e.g. they don't allow online cancelation and you need to go through the phone retention loop.

                                                                                            RBI mandate thing could have been implemented better but I absolutely support the idea that recurring payment control should be with the consumer and not the merchant.

                                                                                        • adi2907 3 years ago
                                                                                          As an entrepreneur, I empathise with fellow startups losing customers due to mandatory check for recurring payments. However as a customer, this has been a godsend as I had almost 15 subscriptions totalling $300 monthly, quite a large amount in India.

                                                                                          The constant reminder of how many of those subscriptions are useless has allowed me to cut my expenses. Case in point, I was subscribed to LinkedIn Premium for the last 2 years, while I make use of it only once in 3-4 months. Now I simply don't recharge my credit card and only do so once it's required.

                                                                                          Not sure if it's the ideal solution but I am definitely thankful for it!

                                                                                          • vlovich123 3 years ago
                                                                                            I would love to be able to have to proactively authorize every single recurring purchase via a tap on my phone. If I have enough that I’m being overwhelmed there’s a good chance I’m not tracking my purchases very well and there could even be fraud I’m missing.

                                                                                            There are some use cases maybe where automatic billing is required but the vast majority would do better to need to prompt the user.

                                                                                            • mrweasel 3 years ago
                                                                                              There’s a Danish company that provides a service which will integrate into online banking platforms, that will allow you to cancel recurring payments directly from your banking app. How they make it work I don’t know, but I hope that my own bank will sign up shortly.
                                                                                            • ghoomketu 3 years ago
                                                                                              Yes this is stupid and it has caused me a lot of trouble since this all started. I am now seriously thinking of leaving this country and going to NZ or Canada (something which I did not want to do because of my parents).

                                                                                              Doing business in India is so frickin hard, especially after GST. I have to spend so much time on accounting nowadays and it's getting harder and harder every day (even though all the ads say otherwise).

                                                                                              I almost got my Digitalocean account suspended a few months back because the credit cards won't bill anymore. Now I have to constantly monitor GCP, Porkbun, AWS, etc. since nobody can bill me like before.

                                                                                              Also for some reason Indians aren't allowed to keep a balance in Paypal but a lot of my customers prefer to pay via it, which means in the end I cannot process any refunds on time and that makes customers angry (Paypal wants me to snail mail checks to them to add the USD balance since govt has banned adding the same from a bank account).

                                                                                              For recurring charges now you have to create an account with https://www.sihub.in which doesn't accept small businesses kinda making it an exclusive club for big companies. It's really a shit-show here.

                                                                                              If it were not for Stripe Atlas I would have been out of business a long time ago. So thank god for that.

                                                                                              • spikengineer 3 years ago
                                                                                                Please understand the context behind the rules before ranting.

                                                                                                PayPal restrictions exist because India doesn't have free capital account convertibility and forex providers need to implement regulatory mechanisms to comply with forex regulations. The regulations on forex haven't changed in many years. It's PayPal who isn't bothered to comply with the mechanisms implemented and hence removed those features as they felt customers like you aren't worth it to them.

                                                                                                Most developing countries have capital controls like India for financial stability reasons, and removing them for the sake of a small segment of entrepreneurs having difficulty processing some payments or managing the accounting is not in the interest of the state or its people.

                                                                                                Stripe thinks you are worth it to them and is providing that service. Find better service providers. Talk to a bank.

                                                                                                As far as GST is concerned, every country has tax accounting. Some other countries like in Europe have it way worse on the paperwork. Have you ever dealt with pre-GST service tax or VAT paperwork? Accounting is a universal thing and it's the reality of doing business. If you think just by jumping from one country to the other you can avoid taxes or paperwork, you need to rethink your approach to business. Most countries which don't have taxes or tax paperwork are just tax havens living off someone else's money. Will you go to NZ/Canada and not do their tax paperwork?

                                                                                                If it's getting harder, maybe your size is large enough to hire an accountant to do that work for you.

                                                                                                If you have so many customers overseas maybe you better incorporate a foreign subsidiary or an IFSC subsidiary to manage USD transactions.

                                                                                                These rules won't be changed for you - there are larger socio-economic reasons for the rules.

                                                                                                • jeswin 3 years ago
                                                                                                  > Doing business in India is so frickin hard, especially after GST.

                                                                                                  How has GST made things worse? I had paid Service Tax for 10 years prior to GST, and that was a far worse experience.

                                                                                                  a) Prior to GST there was an enormous amount of tax fraud. GST makes that way harder, on account of people being able to track and claim input credits. Many (not all) people who were complaining did so because they were suddenly unable to dodge taxes. This forced them to disclose all sales, which affected income tax as well.

                                                                                                  b) Everything is now visible on the portal. Who you paid, what they deposited etc.

                                                                                                  c) Initially, there were many more compliance requirements. Now it's simpler, with quarterly filing if you qualify.

                                                                                                  • unmole 3 years ago
                                                                                                    > Doing business in India is so frickin hard, especially after GST. I have to spend so much time on accounting nowadays and it's getting harder and harder every day (even though all the ads say otherwise).

                                                                                                    Why are you having to spend so much time? I mean all the popular accounting suites already support GST and automate most of the compliance. The rules haven't materially changed so, why is it getting progressively harder?

                                                                                                    > I almost got my Digitalocean account suspended few months back because the credit cards won't bill anymore.

                                                                                                    Why won't they bill anymore? After I enabled international transactions on my card, I haven't faced any problems with DO or AWS.

                                                                                                    > If it were not for Stripe Atlas

                                                                                                    If you have a Delaware C Corp, why are you even bothered by RBI rules? None of the limitations of the Credit cards or PayPal apply to you anymore.

                                                                                                    • fareesh 3 years ago
                                                                                                      This is primarily because those companies haven't updated their payments systems to be compliant.

                                                                                                      The e-mandate system seems to be pretty good. Netflix is compliant and it worked seamlessly from day one of the switch. It could be because they have incorporated locally, which can be difficult for many other companies.

                                                                                                      • spookthesunset 3 years ago
                                                                                                        > This is primarily because those companies haven't updated their payments systems to be compliant.

                                                                                                        For big companies with decades or more of legacy cruft, it's a hell of a lift to make their universe compliant. Especially if your large company tends to fall onto the "decentralized org structure" part of the spectrum where a billion teams run around doing their own thing with very little top-down oversight.

                                                                                                        It's the same kind of story as it was for GDPR (and CCPA to some extent). Some companies can pull it off easily because their org structure is way more top-down. Others that are bottom-up have a much harder time because you have to herd a million different teams towards something new that doesn't really deliver much immediate business value.

                                                                                                        I assure you though, these companies are all no doubt hard at work making life better for their India customers... it is just a much harder lift for their organizations to handle. Which is not to say their org structure is a bad one. It just isn't optimized for top-down mandates like these.

                                                                                                      • 2Gkashmiri 3 years ago
                                                                                                        I help businesses in setting up their GST, accounting integration and returns filing. If you need help, let's talk.
                                                                                                      • tlogan 3 years ago
                                                                                                        This “authorize charge” change is really giving a headache both to customers and companies. If the person owning the CC is not available, emails are missed, etc., so scheduled e-mail campaigns are not sent, backups are not done, scheduled data loads are not performed, etc.

                                                                                                        Basically running a business is getting harder and harder in India.

                                                                                                        So this is one reason why the USA is still the leader: not because it is “great” but because it is still the “Wild West” (sure somebody will say “free country” - let’s be honest, it is more of a “Wild West”).

                                                                                                        • 3 years ago
                                                                                                          • manojlds 3 years ago
                                                                                                            It just adds onus on the vendor. Google have implemented it very well and I love this a lot more as the end user gets more visibility and control.

                                                                                                            It's going to be a short-term pain but I think it's going to be great in long term.

                                                                                                            • paxys 3 years ago
                                                                                                              If you'd bother to read the article (or heck the first two lines of the article) you'll see that this rule does not mean you'll have to re-enter your credit card info on every order.
                                                                                                              • kranner 3 years ago
                                                                                                                From the HN guidelines:

                                                                                                                > Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."

                                                                                                              • naruvimama 3 years ago
                                                                                                                Credit cards are from an era where magnetic stripes were a novelty. It is just a bunch of numbers and very lax in security.

                                                                                                                Visa & Mastercard are just global duopolies, they have used their dominance to keep the cards easy to use but insecure. The cost of fraud is ultimately borne by the merchants, who try to pass on the hefty fee to the card holders.

                                                                                                                India is trying to move to digital payments, a vast majority of the people are first time card holders or even account holders. Frauds do not make it easy, and we do not want to make digital payments more expensive than cash payments.

                                                                                                                This is not a move against any card network. However, I personally think it is wrong for Visa/Mastercard to use their market dominance to charge 2-3% of every transaction. As we move more and more into a digital economy, this duopoly starts to sound like a New East India Company.

                                                                                                                • rowls66 3 years ago
                                                                                                                  You should know that only a small portion of the 2-3% transaction fees goes to the card networks. Most goes to the card issuing bank. Now in fairness, the banks also cover the cost of some fraud, and pay out generous rewards to their best customers.
                                                                                                                • naruvimama 3 years ago
                                                                                                                  A lot of businesses around the world are built around these silent charges and people being forgetful or not active in checking their expenses.
                                                                                                                • diebeforei485 3 years ago
                                                                                                                  Something I learned in college - not all countries have the same laws as the US where it's easy to dispute a charge and the burden of proof is with the merchant.

                                                                                                                  If India is one of those places where the burden of proof is on the customer, and it's difficult to dispute charges, it makes sense to tokenize things.

                                                                                                                  • unmole 3 years ago
                                                                                                                    Disputing transactions is very simple in India. The transaction notification email/sms itself usually contains a URL to dispute the transaction.
                                                                                                                    • vivekv 3 years ago
                                                                                                                      The burden of proof in India is with the merchant. Proof of transaction has to be provided (invoice, etc.)
                                                                                                                      • frupert52 3 years ago
                                                                                                                        The rules around chargebacks et al. are dictated by the card scheme and remain the same regardless of the country the merchant is operating in or the card holder is transacting in. How this translates on the ground would be the primary point of difference to other countries.
                                                                                                                        • flak48 3 years ago
                                                                                                                          I've filed a chargeback before in India, the burden of proof was on the merchant at that time. Maybe I got lucky with my card issuer.
                                                                                                                          • ratww 3 years ago
                                                                                                                            Different banks/card issuers have different rules too.
                                                                                                                            • mwnn 3 years ago
                                                                                                                              Yes. On forums and online IM groups you'd find plenty of people suggesting "raise a chargeback" without realising it means nothing in India. It's just a gesture. The merchant can just deny the chargeback and that's it; your credit card provider is done and you are charged.
                                                                                                                            • kgdinesh 3 years ago
                                                                                                                              I see the US Model as "Optimistic". Let the transactions through and fight back fraud with a strong chargeback mechanism.

                                                                                                                              Whereas the Indian Model is "Pessimistic". Put in as many checks as possible to reduce the rate of fraud before the transaction has even completed.

                                                                                                                              Thoughts?

                                                                                                                              • aniforprez 3 years ago
                                                                                                                                I love it. The optimistic model forces me to be hyper aware of all my banking activities and know when fraud happens retroactively. All the Indian regulations mean I effectively don't have to worry as much unless something serious happens. CC stolen? I don't care, they won't have the PIN or the secure PIN used for online transactions, so it's useless and I can just close the card on the banking website. Mobile phone stolen? They won't have the PIN to do UPI transactions, so they can sell my phone but not have access to any of my banking activities. It's a total Erin. This new regulation helps prevent my card info from getting leaked by all these cheap sites with intern developers.
                                                                                                                                • 2Gkashmiri 3 years ago
                                                                                                                                  Yesterday I saw a family member get an SMS: "your jio mobile e-kyc is pending. please call 6006xxxxxx number to get your e-kyc done so that there is no disruption to your service". This came after TRAI decided to https://telecom.economictimes.indiatimes.com/news/trai-pushe...

                                                                                                                                  This means anyone who read the news understood this was going to happen, and scammers put their numbers in and sent out SMS. Any unsuspecting user would just call them, whereby they would ask for their Aadhaar card, PAN card, OTP and you are fucked.

                                                                                                                              • Abishek_Muthian 3 years ago
                                                                                                                                Great, I'd also like it if the merchants were forced to not message via WhatsApp; from couriers to securities every business in India expects that you have WhatsApp and are willing to communicate with them through it.
                                                                                                                                • wtmt 3 years ago
                                                                                                                                  I just tell all of them that I don’t have or use WhatsApp, and that’s true. They wouldn’t be able to send anything over WhatsApp since my number was never registered with that platform. Those who want my business will have to abide by my preferences.
                                                                                                                                  • Abishek_Muthian 3 years ago
                                                                                                                                    I've had customer service personnel change their tone towards me after I tell them that I don't use WhatsApp and request them to send an email instead; they seem to take it as a personal insult, or couldn't believe that someone couldn't have WhatsApp.
                                                                                                                                • noduerme 3 years ago
                                                                                                                                  So, in the early days of online retail, I built shopping carts that stored credit card numbers in the business's database and connected directly with a credit card gateway (not a provider like Stripe). By around 2006 it became clear that this was insanely dangerous to do. Every merchant could not be storing a database of their customers' credit card numbers. I don't know if it's actually illegal to do online card processing this way in the US now, but no card company would work with you if you did.

                                                                                                                                  So my takeaway from this is that, the fact that card companies are still accepting "card not present" style transactions from online retailers in India means they have been willing up to this point to tolerate a large amount of fraud and hacking in order to tap the market. The logical next step for them is to limit the number of data sources storing the card numbers and customer data themselves. Whether this comes in the form of a government decree or the slow moving of the card companies away from accepting these kinds of transactions, the change is inevitable. Local hosting and locally managed databases are no place for credit card numbers to be stored.

                                                                                                                                  • deanc 3 years ago
                                                                                                                                    The sooner we move everything to one-time tokens (apart from subscriptions) the better. It's an absolutely ridiculous security model we have in place at the moment. I pay absolutely everything I can with Apple Pay now. I also would like to be able to use one-time disposable cards (without an additional fee) in Europe (à la privacy.com) but I have yet to find such a service.
                                                                                                                                    • criddell 3 years ago
                                                                                                                                      Doesn't the Apple credit card do this? I think they call them virtual numbers.
                                                                                                                                      • deanc 3 years ago
                                                                                                                                        Yes, this is why I mentioned I only use Apple Pay.
                                                                                                                                    • supernova87a 3 years ago
                                                                                                                                      I'm interested to know what level of "cannot store" the info is implemented? Or is it mediated by a 3rd party company / algorithm that sanitizes the data but to a certain amount that some association can still be done?

                                                                                                                                      For example, can the customer's credit card be anonymized but still tracked to know that the same credit card is used on 2 different transactions, for example?

                                                                                                                                      E.g. if I wanted to give the customer only 1 special offer per credit card number, is that possible for the retailer to tell? Or is it even more sanitized such that every single transaction gets a different hashing?

                                                                                                                                      How do refunds get issued if the number can't be stored and presumably you don't want the retailer to have the backwards decoding to be possible?

                                                                                                                                      • vinay_ys 3 years ago
                                                                                                                                        For card-linked offer constructs you can infer the issuer from the first 4 digits (BIN) and actually store the last 4 digits and the name on the card.
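The storage split vinay_ys describes (merchant keeps a token plus a truncated PAN, the network keeps the card number), and supernova87a's questions about one offer per card and refunds, as an added Python simulation that is not from this thread or from any payment provider. TokenVault, Merchant, the well-known test PAN and the stable-per-merchant token behaviour are assumptions of the simulation, not a description of Visa's or Mastercard's tokenization service.

```python
"""Constructed simulation of card-on-file storage under tokenization.

Two roles are modelled: a TokenVault standing in for the card network's
tokenization service (allowed to hold the PAN), and a Merchant that may
keep only the token, a truncated PAN (first six = BIN, last four) and the
name on card. Real network token services differ in detail; this shows the
storage split only and is not any provider's API.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check so obviously mistyped PANs never reach the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> tuple[str, str]:
    """PCI DSS truncation: at most the first six and last four digits are kept."""
    return pan[:6], pan[-4:]


@dataclass(frozen=True)
class CardOnFile:
    token: str          # opaque value issued by the vault
    bin6: str           # issuer identification (first six digits)
    last4: str
    name_on_card: str


class TokenVault:
    """Stands in for the network token service (assumed behaviour).
    Tokens are random and stable per (merchant, PAN), so a merchant can
    recognise a returning card without holding the PAN. Only the vault
    can map a token back, and only for the merchant it was issued to."""

    def __init__(self) -> None:
        self._token_for: dict[tuple[str, str], str] = {}
        self._pan_for: dict[tuple[str, str], str] = {}

    def tokenize(self, merchant_id: str, pan: str) -> str:
        key = (merchant_id, pan)
        if key not in self._token_for:
            token = secrets.token_hex(16)
            self._token_for[key] = token
            self._pan_for[(merchant_id, token)] = pan
        return self._token_for[key]

    def detokenize(self, merchant_id: str, token: str) -> str:
        return self._pan_for[(merchant_id, token)]


class Merchant:
    """Merchant-side store: never persists the PAN."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self._vault = vault
        self.cards: dict[str, CardOnFile] = {}        # customer -> card on file
        self.offers_redeemed: set[str] = set()        # tokens that used the offer
        self.ledger: list[tuple[str, str, int]] = []  # (kind, token, paise)

    def save_card(self, customer: str, pan: str, name: str) -> CardOnFile:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = self._vault.tokenize(self.merchant_id, pan)
        bin6, last4 = truncate_pan(pan)
        record = CardOnFile(token, bin6, last4, name)
        self.cards[customer] = record
        return record

    def redeem_offer(self, customer: str) -> bool:
        """One offer per card: keyed on the stable token, not the PAN."""
        token = self.cards[customer].token
        if token in self.offers_redeemed:
            return False
        self.offers_redeemed.add(token)
        return True

    def charge(self, customer: str, paise: int) -> str:
        token = self.cards[customer].token
        # The network side resolves the token; the merchant only sees the outcome.
        assert luhn_valid(self._vault.detokenize(self.merchant_id, token))
        self.ledger.append(("charge", token, paise))
        return token

    def refund(self, token: str, paise: int) -> None:
        """Refunds reference the original token, so no PAN is needed here."""
        self.ledger.append(("refund", token, -paise))

    def stores_pan(self, pan: str) -> bool:
        """Audit helper: does any persisted merchant value contain the full PAN?"""
        blobs = [repr(c) for c in self.cards.values()] + [repr(self.ledger)]
        return any(pan in b for b in blobs)
```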
                                                                                                                                      • alkonaut 3 years ago
                                                                                                                                        I always enter my card details (unless direct bank transfer is available, which is becoming pretty popular, luckily).

                                                                                                                                        But I never found the idea that a saved credit card number (23 digits) would make a shopping experience so much more convenient than having to enter it. A typical checkout still has me entering my address, choosing between 5 different delivery options, agreeing to various terms and so on. The payment step is just a minor step along the way.

                                                                                                                                        I wonder if this entering of payment info is feeling more inconvenient to people who have become used to not having to do it, for example because they have used Amazon (I still never ordered anything there because they don't have a functioning operation where I live).

                                                                                                                                        • martinald 3 years ago
                                                                                                                                          You probably don't want to use bank transfers, depending on your jurisdiction. Using any sort of Visa/Mastercard/Amex gives you some protection via chargebacks. In the UK (and I think many other places), paying with a credit card over £100 gives you enormous additional protection (the credit card company is also liable for any problems). So if someone goes bankrupt, the credit card company has to make you whole. This is super helpful if e.g. you can't do a warranty claim on a product because the supplier went bankrupt. The credit card company has to resolve it (which generally means a full refund).

                                                                                                                                          Paying with bank transfers completely negates all this protection. Merchants love it for this reason (and lower fees), but as a consumer it offers no benefits and a lot of drawbacks.

                                                                                                                                        • niyaven 3 years ago
                                                                                                                                          Disclosure: I work for a fintech in India, specialized in card payment.

                                                                                                                                          It seems here people see this rule as "merchants can't store card numbers any more". This is actually a lot more than that, this is the new rule: you cannot store card numbers for recurring payment. Even if you are PCI-DSS compliant. Even if you are audited by the RBI. Even if you're sponsored by a bank. The only way to store a Visa number is to use the Visa tokenization service.

                                                                                                                                          Now if you know a bit of the card payment industry, you will know that you need the card number just to process the payment, the refund, etc. So you still have to store the card number. And you can. You just can't use it for recurring payment any more.

                                                                                                                                          My personal take: Giving full control to Visa and Mastercard over their card numbers for recurring payment seems to be a nice transfer of power to these two giants. But the time scale has been very short (a few months only). So practically, most recurring card payments will stop working or be illegal in two weeks. This will more or less break existing subscriptions working with cards.

                                                                                                                                          India (the RBI at least) has been in a campaign for independence in the payment infrastructure. American Express[0], Diners[1], Mastercard[2] have been banned in India. Diners' ban has been lifted now, but still. Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].

                                                                                                                                          This change is not for the sake of security. You can have the best firewalls, cutting-edge HSMs, a security team and pass 12 audits a year. You will be allowed to save these card numbers but you won't be authorized to use them for recurring payments. This is just a move against cards, and to promote UPI instead. By making recurring card payment a hindrance, more people will transition to UPI.

                                                                                                                                          [0] https://www.americanexpress.com/en-in/company/notice/rbi-imp... [1] https://www.reuters.com/article/india-banking-american-expre... [2] https://westfaironline.com/138440/mastercard-banned-from-new... [3] https://www.npci.org.in/PDF/npci/statics/RETAIL-PAYMENTS-STA... [4] https://economictimes.indiatimes.com/opinion/et-editorial/st...

                                                                                                                                          • spikengineer 3 years ago
                                                                                                                                            I don't agree with your interpretation on this being a stealth tactic, but even if this was one it's just the state institutions acting in the interest of their mandate. This might not be beneficial to your employer or Visa or MasterCard or a few high-flying credit card users of the super rich class, but it is in the interest of the people.

                                                                                                                                            If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt or other interests it's the right thing to discourage them directly or indirectly.

                                                                                                                                            Think in the interest of the people. WTO commitments are not worth the paper they are written on. State should do the right thing to benefit the people as a whole not worry about inconvenience to a few people or few middle men or foreign companies.

                                                                                                                                            • niyaven 3 years ago
                                                                                                                                              Ah maybe my comment is not clear, I am not judging on whether this is a good/bad move for people. I wanted to explain that the card number will still be stored: it only applies to recurring payment (at least for now). So for anyone worried about entities storing the card number... this will continue.

                                                                                                                                              I understand the confusion, but just to clarify I'm a big fan of UPI :).

                                                                                                                                              Now, is it a good move for the people? It's a complex topic, one could write a lot about it. This move will push people away from cards because card tokenization won't be supported for a while, making recurring payment harder. It's well known that very small amounts of friction can drastically reduce the conversion rate. Entering the card details every time is a hassle for sure.

                                                                                                                                              So more UPI payments. But today there are no MDR for UPI transactions, meaning fintechs and banks are losing money when they process these transactions. For banks, it's supposed to be ok because a digital transaction is cheaper than a physical one. For fintechs, this is tough, you need to find money somewhere else. So less money = less incentives = less innovation. However there have been talks to put back some fees on UPI (banks are pushing a lot on this).

                                                                                                                                              On the other hand, more card payments = higher MDRs. So merchants or customers, or both, will pay more to process the transactions. Banks and fintechs get more money. But with a lack of competition, because of the current duopoly (Visa/Mastercard), and the difficulty of entering the market due to strict regulation, innovation is far from its peak. Just by looking at how long 3DS2 takes to roll out you can see that there is a lot of inertia.

                                                                                                                                              It's not black and white, as often. Personally I think UPI is a better direction. The only downside is that it is only for domestic payment. I'd love to see an EU initiative as successful as UPI: instant payment could be the EU equivalent but the fees are crazily high in some countries.

                                                                                                                                              • spikengineer 3 years ago
                                                                                                                                                MDR problem can be solved as you indicated. It also needs a solution pretty soon too.

                                                                                                                                                EU and developed countries' banks live and finance their profits on fees as they don't make much or any money on loans and other traditional financial tools. Those fees aren't going to go away.

                                                                                                                                              • kranner 3 years ago
                                                                                                                                                > If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt

                                                                                                                                                Is there any evidence that the RBI actually thinks this? You seemingly criticise GP on their inference of an ulterior motive but then posit your own ulterior motive.

                                                                                                                                                • spikengineer 3 years ago
                                                                                                                                                  Yes, some basis exists for such assumptions. RuPay and UPI were originally conceptualised by RBI and Govt of India to solve the overdependence problem. Otherwise RBI and GoI had no reason to introduce RuPay and they could have let the market develop organically.

                                                                                                                                                  Recent RBI moves of data localisation and enforcement actions against Diners, American Express and Mastercard also indicate strong intent.

                                                                                                                                              • unmole 3 years ago
                                                                                                                                                > Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].

                                                                                                                                                Rupay's failure is because of zero MDR, not in spite of it.

                                                                                                                                                • naruvimama 3 years ago
                                                                                                                                                  I believe merchants are not allowed to charge extra for Visa or Mastercard, but there is a hefty commission paid to them.

                                                                                                                                                  They then use this to attract customers and/or banks to sign up. Rupay customers end up paying part of the hefty commissions (albeit indirectly) that Visa charges the merchants, and the Visa customers get discounts, cash backs and offers.

                                                                                                                                                  A payment network is just a payment network, they shouldn't be using their market dominance to run marketing schemes.

                                                                                                                                                  • niyaven 3 years ago
                                                                                                                                                    > I believe merchants are not allowed to charge extra for visa or mastercard, but there is a hefty commission payed to them.

                                                                                                                                                    This is not the case in India but is the case in other markets, yes. The IRCTC (national railway company) is for instance displaying it and the customer has to pay fees depending on the selected payment option. Some actors even hide this amount until you reach the page asking you for an OTP! I don't think it's necessarily done with malicious intent, but it exists.

                                                                                                                                                    Sometimes you won't see Visa or Mastercard but instead "Debit Card" and "Credit Card" vs "Rupay", for instance.

                                                                                                                                                    • naruvimama 3 years ago
                                                                                                                                                      But IRCTC is a behemoth (though it is publicly listed).

                                                                                                                                                      We are talking about smaller merchants, would they be able to get away with the same?

                                                                                                                                                  • rowls66 3 years ago
                                                                                                                                                    What you are saying does not align with the text of the directive. It clearly says that card numbers cannot be stored for any purpose. Quoting from the directive:

                                                                                                                                                    With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.

                                                                                                                                                  • _hyn3 3 years ago
                                                                                                                                                    How would recurring transactions or metered billing work? Does this only apply to merchants or providers that are not PCI-DSS compliant and cannot safely store cardholder data?
                                                                                                                                                    • mittalsuraj18 3 years ago
                                                                                                                                                      The headline is kinda misleading. They can store credit card information, but they can only do that in tokenized format instead of the current way of storing. Tokenized format hides the number and other information making it more secure. You can read more about it here https://www.thequint.com/explainers/rbi-allows-card-on-file-...
                                                                                                                                                      • Dylan16807 3 years ago
                                                                                                                                                        The token is a random number, so depending on context it's fair to say that the token is not credit card information.
                                                                                                                                                        • planet_1649c 3 years ago
                                                                                                                                                          Yes. But the reply above was regarding how recurring payments would work
                                                                                                                                                      • option_greek 3 years ago
                                                                                                                                                        There is no exception for recurring payments. Also, unfortunately, this applies to all online merchants and payment aggregators regardless of size and certifications. So as it stands a separate auth is needed for each transaction, which is completely regressive and precludes a lot of convenience use cases. My guess is that they are doing this to make UPI more convenient in comparison. But I won't be surprised if it's just another short-sighted "we know it all" mentality decision from the regulator, who has a history of U-turns.

                                                                                                                                                        Edit: Looks like they do allow card tokenization (not part of original proposal) which should address a lot of use cases

                                                                                                                                                        Here is the commentary about the original proposal:

                                                                                                                                                        https://www.businessinsider.in/finance/banks/news/rbi-wants-...

                                                                                                                                                        Here is the one after push back from industry (Which allows tokenization):

                                                                                                                                                        https://timesofindia.indiatimes.com/business/india-business/...

                                                                                                                                                        • mittalsuraj18 3 years ago
                                                                                                                                                          Recurring payment for less than 5000Rs do not require a separate auth. The bank has to notify the user by sending a message.

                                                                                                                                                          Recurring payment greater than 5000Rs requires a separate auth. (EMIs are not impacted by this)

                                                                                                                                                        • LammyL 3 years ago
                                                                                                                                                          This change just says that only the card issuer or card network can store the card number (PAN). Everyone else in the processing chain can only store card tokens.

                                                                                                                                                          This isn’t a surprising change and was always going to be the future of PCI compliance.

                                                                                                                                                          • rohithkp 3 years ago
                                                                                                                                                            Any card details that are being stored in the merchant's database need to be tokenised. It applies to all entities who are retrieving card details from customers, irrespective of PCI/DSS compliance.
                                                                                                                                                            • freakynit 3 years ago
                                                                                                                                                              I have already lost my online book store "perlego" subscription because of this. This has 100% directly stopped my access to learning. There is no other way to put it.
                                                                                                                                                              • 3 years ago
                                                                                                                                                                • charcircuit 3 years ago
                                                                                                                                                                  Couldn't credit card companies expose an API to let you do this?
                                                                                                                                                                  • jetsetgo 3 years ago
                                                                                                                                                                    It won't. Like it should be. No one should be able to take your money without your consent.
                                                                                                                                                                  • nicolinox 3 years ago
                                                                                                                                                                    I find the approach of disposable virtual card numbers (Visa and Mastercard) that Revolut gives to each app owner for free amazing. This number (always different) can be autopopulated from a browser plugin during checkout from the PC and has a very smooth user experience. I don't need to take a card out of my wallet or open the smartphone app to do this. I am happy and the regulator is happy too, in this case.
                                                                                                                                                                    • _chompsky 3 years ago
                                                                                                                                                                      Pardon me if I’m incorrect, but isn’t this like one of the best use cases of Stripe? Stripe usually takes care of CC/ACH information and tokenizes it, only passing the tokens to the merchant instead of the merchant having to store the CC information. Maybe this would be a good way to start a payments company boom in India?
                                                                                                                                                                      • option_greek 3 years ago
                                                                                                                                                                        There are already several (razorpay, paytm, payu) that do exactly that. They do charge 2% flat fee which is still high by Indian standards (comparing to cash and upi). So merchants do try custom solutions with bank gateways to reduce the fee.
                                                                                                                                                                      • Tempest1981 3 years ago
                                                                                                                                                                        Sounds prudent, but can the government actually enforce this? How?
                                                                                                                                                                      • beebeepka 3 years ago
                                                                                                                                                                        Convenience vs security. All in all, looks like a good thing.