Wednesday, 10 August 2016

Your credit card may be used without your knowledge

(Part of Devendra Narain's Memoirs)

Do you know that if someone has knowledge of (a) the type of your credit card, (b) your name as printed on the credit card, (c) your credit card number and (d) the CVV (printed on the back of the card), he/she can use your credit card to make online purchases from several sites without your knowledge? You will come to know only after the damage has been done. Since technology exists for cloning credit/debit cards, the PIN/OTP is supposed to be an additional safeguard, but it is not always demanded. Even without cloning, a smart person can note down the card number and CVV when the card is handed over for payment at, say, a petrol pump.

I learnt about this risk recently when I placed an online order for software. I entered (a), (b), (c) and (d) and clicked, hoping that I would be asked to enter the PIN or the OTP the bank intimates on mobile. To my utter shock, the ICICI Bank paid the amount immediately without mandatory verification. I received an email confirmation from the merchant and an SMS on my mobile about confirmation of payment by ICICI Bank.

Luckily, the merchant with which I had placed the order turned out to be genuine but the chances of misuse are plenty.

I was in for more shock when I brought this experience to the notice of the ICICI Bank.

Soon after the payment I sent an email to the ICICI Bank about payment without PIN/OTP.
The reply received from the bank on July 11, 2016 is reproduced below.

"Dear Mr. Narain,

Greetings from ICICI Bank!

We inform you that to make online shopping safer, Reserve Bank of India (RBI) has mandated that all online transactions need to have an extra level of authentication from August 1, 2009.

At ICICI Bank, this extra level of authentication is your 6-digit numeric PIN/OTP which you can create while shopping online.

The merchant WWW.SAFECART.COM, with whom your transaction of July 10, 2016 for Rs. 1405.68 was attempted, and/or the merchant's bank has not complied with the above RBI regulation.

Hence the PIN was not asked and your card transaction went through without the mandatory requirement of entering the 6-digit numeric PIN.

We recommend that you always transact on websites/with merchants that are 3D-Secure authenticated.

There is an unbilled transaction of Rs. 1405.68 done on July 10, 2016 at WWW.SAFECART.COM.

Hence, the available limit has been blocked due to the unbilled transaction.

We confirm that we will be unable to stop the transaction processed from your credit card account.

Further, the merchant may settle the transaction in 15 to 21 days from the date of transaction and claim the amount. However, if the merchant fails to claim the amount within 15 to 21 days, the transaction gets purged and will not be billed to you in your credit card statement and the limit that has been blocked due to these unsettled transactions will also get released.

Moreover, if the merchant settles the transaction later, it will be billed to you in your credit card statement and you can make the payment before the due date of the respective statement.

We look forward to your co-operation to serve you better.
Rajyasree K"

Immediately, I wrote back that "I am not satisfied with your answer. It is your responsibility to ensure that no transaction is completed without PIN/OTP. A credit cardholder, due to lack of awareness or otherwise, may not know that the website/merchant is not 3D-secure authenticated. The cardholder relies on you to protect his interest. I request you to please bring such cases of violation of RBI regulation to the notice of the RBI."

The bank's reply received on July 12, 2016 is also reproduced below.

Dear Mr. Narain,

Greetings from ICICI Bank!

We appreciate the efforts you have taken in order to improve our service standards.

Any suggestions from discerning customers like you will be most welcome to help us serve all our customers better. Your feedback enables us to work towards improving our services.

We have initiated an internal discussion on your suggestions and are checking the feasibility for implementation.

Please continue to share your feedback and suggestions by writing to us.

We look forward to your co-operation and patience in helping us serve you better.


L Kavitha
Wealth Management Officer
ICICI Bank Limited

In my reply to the bank, I expressed hope that the bank "will take up the matter with the RBI. In fact, all credit card providers should unite to protect the interest of their customers by blocking any transaction without PIN or OTP."

I do not know what action will be taken by the bank or by the Reserve Bank of India. It is surprising that online merchants are able to defy the RBI mandate with impunity and a highly reputed bank issuing the credit card expresses helplessness.

I am sharing this experience with the readers to caution them and to advise them to be careful while using credit cards in the market.

Devendra Narain
July 13, 2016


I have not received any further information from the ICICI Bank till today. I have found many more sellers violating the RBI mandate.

January 12, 2017


I have not received any further information from the ICICI Bank till today. I have found many more sellers violating the RBI mandate.

May 21, 2017