I have worked with shops that stored the entire credit card number in PLAIN TEXT! Not just credit cards, even their users' passwords. This also explains why many of them got and still get hacked from time to time. Even credit card processors got hacked due to this. A lot of shitty ones in the Indian market, actually.
The root cause of this, not to cause language flame wars here, is that most of the shops use script kiddos with just basic PHP knowledge. Bare minimum, they're recent fresh college grads who just know how to consume data from a form using PHP via GET and POST, that's it. Most of the code I've worked with just consumes this directly instead of stripping/processing it and ends up introducing SQL injection attacks. At least if they used a framework this would be provided by default for free, but many of the developers hardly even know about MVC.
(As an aside) - As a personal mission, I started touring around the country teaching college kids for free about the basics of web development, security, etc. But still, I have a long way to go.
Well folks, that's it for today's note on why this was a good move. Have a nice day!
Edit: Some of the recent hacks that were not made public widescale like they should've been:
1. Domino's Pizza India (Yes, the international pizza chain)
2. BigBasket (Largest online grocery ordering App)
3. PayTm (One of the largest, if not the largest digital payments app in India)
e.g. One can control how much money can be withdrawn from the credit/debit card per day according to domestic/international merchants/online/physical/ATM etc. through net-banking, with the minimum in multiples of INR 1000. So even if the card data gets stolen, criminals can at most withdraw only the minimum amount in the other part of the world.
But unfortunately, due to the digital divide, not many have access to or awareness of such facilities, and hence control over card data is required.
IMO the single point of failure for India's financial security is its extraordinary dependence on mobile numbers for 2FA. Even security-conscious customers can do little against SIM-jacking attacks, but for those who are not security conscious, all it requires is a socially engineered SMS with an ngrok URL[1] or a phone call asking for that OTP.
Please write to RBI and demand your bank to support hardware tokens (or) at least TOTP.
> 3. PayTm (One of the largest, if not the largest digital payments app in India)
Did you mean that largest digital payments company which integrated the PoS facility on the merchant's app and the customers were asked to enter their credit/debit card details manually?[2]
[1] https://twitter.com/Abishek_Muthian/status/14069649600815718...
[2] https://abishekmuthian.com/paytm-says-to-me-that-its-pos-fea...
Back in my younger days, I've implemented exactly such a system. Looking back, it seems like a "WTF were you thinking" but somehow it made sense back then. What is obvious practice now took 20+ years of internet evolution to reach.
I've also worked for companies that:
- Stored user passwords in plaintext so you can email the customer their password if they forgot
- Stored the CVV so "we could issue refunds"
- Accidentally created anonymous email relays using copy & paste code from some "how do I create a webform in PHP" site
- Test data was simply a mirror of production
- Test servers would send real emails to real customers (because the test data was a prod mirror)
There are probably some other atrocities I've been exposed to but those are the highlights.
Oh yeah, forgot one:
- To "save money" on hard drives for "the server" we did a RAID0 array. Works great until one of the disks dies and you lose everything. (This was my own dumb fault though).
Live and learn I guess!
I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.
> These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.
Those are less connected than you think; loads of companies run obscenely large monetary transactions and essential business processes with horrifying hacked-up systems (50k LoC files, 20-year-old Perl scripts that nobody understands, Solaris 2.x desktop in the maintenance closet...); utility and good code are less correlated than we wish.
Of the nearly 45-50 contract jobs I've seen, a lot of them use pirated WP or Magento plugins, and plain text storage of sensitive content.
It doesn't seem like a generalization at all. It's someone relaying their actual experience:
"having worked with many E-Commerce shops in India as a consultant"
It very often happens on HN that if someone talks about something they had personal experience with, that people try to characterize it as a generalization, as if that somehow magically makes the statements a fantasy. It does not.
Kudos for doing God's work! As someone who studied in India, I think YouTube videos might have a better reach with the Indian student audience. There is so much mediocre content out there on YouTube and high-SEO sites like GFG (they are kinda fine for algorithm / Leetcode stuff but I can't stand their student-contributed code for anything else). A higher quality de-facto tutorial series might make a better impact. But of course promoting is important.
1. The vendor is not aware that this is a problem
2. As a result of point 1, the vendor does not have budget planned for this.
3. The reward for the investment does not make sense for most of the vendors.
About point 3: For the vendor, there is no tangible improvement in sales (in fact, some security measures raise the barrier for their customers to place an order). So why should they do it? In their experience, the budget is better spent on improving the customer experience, marketing, increasing stock, lowering prices, etc.
Point 3 is really tricky, especially in some cultures and countries. If there is no legal consequence for leaking customer data, why should they be spending money on preventing something that may or may not happen in the future?
(No, this doesn’t make tokenized cards as dangerous as card numbers. Transferring a merchant account is a whole process. Not to mention that when a breach happens, you can cancel one merchant’s tokens without forcing every customer to get new cards)
The fix for the problems you highlight is an audit and stringent rule of law.
The justification for these decisions is always "consumer interest", but how is making consumers jump through hoops to transact online in the consumer's interest? I wish the industry was more co-ordinated in lobbying against these crazy policies.
Edit: A couple of replies below say they don't mind authorizing subscriptions/recurring charges every time. I respect that view but I think people underestimate how much friction it adds if a business needs to ask you for permission every time to renew. Consumers are forgetful. They may not be available to authorize a payment when it's time to renew. Subscriptions reduce transaction costs, give businesses a predictable stream of income and allow consumers continued access to services without having to remember to renew it.
If you don't believe me, just look at the data and anecdotes posted by tech journalists and software devs on twitter - it's a shitshow.
If businesses make cancellation hard, the right policy would have been to allow consumers to "stop" charges from the card issuer's website or app - not ask consumers to approve a charge every time it happens.
Earlier, merchants could save the details, and this ability led to massive amounts of fraud and theft (see the US right now).
Then only regulated payment aggregators could save them, and issue a token to the merchants. Stealing the token wasn’t too helpful because you couldn’t grab the money, the token was tied to the merchant. But this still means my card number is stored on a bunch of companies that can suddenly take whatever funds they want, and I can’t cancel these tokens.
Fast forward to 2022, where only the issuer I got my card from can give out tokens - so I can now see a list of every single merchant who has access to my card tokens, and I can cancel them whenever I want.
So the functionality is not going away, it’s moving to another part of the regulated system that’s more in the control of the consumer.
As a person I welcome the move (no more struggling to understand card charges or pleading with companies to cancel my subscriptions). As a developer it’s more work to implement the new system, but it’s not much more work than the old one. Projects using Stripe or Razorpay will get the new system with no changes.
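As an added illustration (not code from this commenter or from any issuer, card network or payment aggregator), here is a constructed Python model of the merchant-bound token and issuer-side revocation this comment describes: the issuer alone holds the PAN, each merchant gets its own token, a token presented by a different merchant is refused, and the cardholder can list and cancel tokens per merchant. The class, method names and the test PAN are assumptions made for the example.

```python
import hmac
import hashlib
import secrets


class IssuerTokenVault:
    """Constructed model of issuer-side card-on-file tokenisation (CoFT).

    Only the issuer holds the PAN. Each merchant receives its own token,
    bound to that merchant, so a token leaked from one merchant cannot be
    charged by another. The cardholder can list and revoke tokens per merchant.
    """

    def __init__(self):
        self._pans = {}      # card_ref -> PAN; never leaves the issuer
        self._tokens = {}    # token -> {"card_ref", "merchant", "active"}
        # Key for deriving a per-card fingerprint; constructed at startup.
        self._fp_key = secrets.token_bytes(32)

    def register_card(self, card_ref: str, pan: str) -> None:
        self._pans[card_ref] = pan

    def issue_token(self, card_ref: str, merchant: str) -> str:
        """Merchant asks the issuer for a token instead of storing the PAN."""
        if card_ref not in self._pans:
            raise KeyError("unknown card")
        token = "tok_" + secrets.token_hex(8)
        self._tokens[token] = {"card_ref": card_ref, "merchant": merchant, "active": True}
        return token

    def list_tokens(self, card_ref: str) -> list:
        """What the cardholder sees: every merchant holding a token, and its status."""
        return sorted(
            (t["merchant"], t["active"]) for t in self._tokens.values() if t["card_ref"] == card_ref
        )

    def revoke(self, card_ref: str, merchant: str) -> int:
        """Cardholder cancels one merchant's tokens; other merchants are unaffected."""
        n = 0
        for t in self._tokens.values():
            if t["card_ref"] == card_ref and t["merchant"] == merchant and t["active"]:
                t["active"] = False
                n += 1
        return n

    def charge(self, token: str, merchant: str, amount: int) -> bool:
        """Authorise a recurring charge. Refused if the token is unknown, revoked,
        or presented by a merchant other than the one it was issued to."""
        t = self._tokens.get(token)
        if t is None or not t["active"] or t["merchant"] != merchant:
            return False
        return amount > 0  # stands in for the issuer's real authorisation checks

    def fingerprint(self, card_ref: str) -> str:
        """Keyed digest of the PAN: lets a merchant recognise the same card across
        transactions without ever holding the PAN (assumed, not a network feature)."""
        pan = self._pans[card_ref]
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def demo() -> dict:
    """Walk through token issue, cross-merchant misuse, and cardholder revocation."""
    vault = IssuerTokenVault()
    vault.register_card("card-1", "4111111111111111")  # constructed test PAN
    news = vault.issue_token("card-1", "newspaper")
    video = vault.issue_token("card-1", "streaming")
    results = {
        "merchant_ok": vault.charge(news, "newspaper", 499),
        "stolen_token_elsewhere": vault.charge(news, "streaming", 499),  # refused
        "before_revoke": vault.list_tokens("card-1"),
    }
    vault.revoke("card-1", "newspaper")  # cardholder cancels one subscription
    results["after_revoke_news"] = vault.charge(news, "newspaper", 499)
    results["after_revoke_video"] = vault.charge(video, "streaming", 199)
    results["same_card"] = vault.fingerprint("card-1") == vault.fingerprint("card-1")
    return results
```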
Some providers even had integration with banks, so when a credit card was auto-renewed and the expiration changed (the CC number was still the same), we didn't even have to ask the customer for an update. Only when the customer specifically asked for a new card.
So there's even the possibility of more convenience to customers.
A century of unchecked lobbying is pretty much the reason why the US is in the state it is. The difference I've seen between how things run in India and the States is that what's illegal and called corruption in India is called legal and lobbying here.
What exactly are you worried about? Clicking authorize on a nytimes subscription every month?
Why is that a good thing?
The constant reminder of how many of those subscriptions are useless has allowed me to cut my expenses. Case in point, I was subscribed to LinkedIn Premium for the last 2 years, while I make use of it only once in 3-4 months. Now I simply don't recharge my credit card and only do so once it's required.
Not sure if it's the ideal solution but I am definitely thankful for it!
There are some use cases where automatic billing may be required, but the vast majority would do better to need to prompt the user.
Doing business in India is so frickin hard, especially after GST. I have to spend so much time on accounting nowadays and it's getting harder and harder every day (even though all the ads say otherwise).
I almost got my DigitalOcean account suspended a few months back because the credit cards won't bill anymore. Now I have to constantly monitor GCP, Porkbun, AWS, etc. since nobody can bill me like before.
Also for some reason Indians aren't allowed to keep balance in Paypal but a lot of my customers prefer to pay via it, which means in the end I cannot process any refunds on time and makes customers angry (Paypal wants me to snail mail checks to them to add the USD balance since govt has banned adding the same from Bank account).
For recurring charges now you have to create an account with https://www.sihub.in which doesn't accept small businesses kinda making it an exclusive club for big companies. It's really a shit-show here.
If it were not for Stripe Atlas I would have been out of business a long time ago. So thank god for that.
PayPal restrictions exist because India doesn't have free capital account convertibility and forex providers need to implement regulatory mechanisms to comply with forex regulations. The regulations on forex haven't changed in many years. It's PayPal who isn't bothered to comply with the mechanisms implemented and hence removed those features, as they felt customers like you aren't worth it to them.
Most developing countries have capital controls like India for financial stability reasons, and removing them for the sake of a small segment of entrepreneurs who find it difficult to process some payments or can't manage the accounting is not in the interest of the state or its people.
Stripe thinks you are worth it to them and are providing that service. Find better service providers. Talk to a bank.
As far as GST is concerned, every country has tax accounting. Some other countries, like in Europe, have it way worse on the paperwork. Have you ever dealt with pre-GST service tax or VAT paperwork? Accounting is a universal thing and it's the reality of doing business. If you think just by jumping from one country to the other you can avoid taxes or paperwork, you need to rethink your approach to business. Most countries that don't have taxes or tax paperwork are just tax havens living off someone else's money. Will you go to NZ/Canada and not do their tax paperwork?
If it's getting harder, maybe your size is large enough to hire an accountant to do that work for you.
If you have so many customers overseas maybe you better incorporate a foreign subsidiary or an IFSC subsidiary to manage USD transactions.
These rules won't be changed for you - there are larger socio economic reasons for the rules.
How has GST made things worse? I had paid Service Tax for 10 years prior to GST, and that was a far worse experience.
a) Prior to GST there was an enormous amount of tax fraud. GST makes that way harder, on account of people being able to track and claim input credits. Many (not all) people who were complaining did so because they were suddenly unable to dodge taxes. This forced them to disclose all sales, which affected income tax as well.
b) Everything is now visible on the portal. Who you paid, what they deposited etc.
c) Initially, there were many more compliance requirements. Now it's simpler, with quarterly filing if you qualify.
Why are you having to spend so much time? I mean all the popular accounting suites already support GST and automate most of the compliance. The rules haven't materially changed so, why is it getting progressively harder?
> I almost got my Digitalocean account suspended few months back because the credit cards won't bill anymore.
Why won't they bill anymore? After I enabled international transactions on my card, I haven't faced any problems with DO or AWS.
> If it were not for Stripe Atlas
If you have a Delaware C Corp, why are you even bothered by RBI rules? None of the limitations of the Credit cards or PayPal apply to you anymore.
The e-mandate system seems to be pretty good. Netflix is compliant and it worked seamlessly from day one of the switch. It could be because they have incorporated locally, which can be difficult for many other companies.
Basically, running a business is getting harder and harder in India.
So this is one thing why the USA is still the leader: not because it is "great" but because it is still the "Wild West" (sure, somebody will say "free country" - let's be honest, it is more of a "Wild West").
It's going to be a short-term pain but I think it's going to be great in long term.
> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."
Visa & Mastercard are just global duopolies, they have used their dominance to keep the cards easy to use but insecure. The cost of fraud is ultimately borne by the merchants, who try to pass on the hefty fee to the card holders.
India is trying to move to digital payments, a vast majority of the people are first time card holders or even account holders. Frauds do not make it easy, and we do not want to make digital payments more expensive than cash payments.
This is not a move against any card network. However, I personally think it is wrong for Visa/Mastercard to use their market dominance to charge 2-3% of every transaction. As we move more and more into a digital economy, this duopoly starts to sound like a New East India Company.
But as a rule of thumb, PayPal is a scammy company that I now try to avoid where I can.
First, they offered a poor conversion rate.
Second, they said they will charge in INR and hence no further markup by banks which was an outright lie as they charged in INR from PayPal Singapore which applied foreign markup anyway by the bank. So I paid double markup.
It's basically a scam.
If that is the case, then it is not for me.
Strange. Amazon India allows deleting the stored card details.
Why do companies want to store this data any way?
Edit: Looks like they do allow card tokenization (not part of original proposal) which should address a lot of use cases
Here is the commentary about the original proposal:
https://www.businessinsider.in/finance/banks/news/rbi-wants-...
Here is the one after push back from industry (Which allows tokenization):
https://timesofindia.indiatimes.com/business/india-business/...
Recurring payments greater than Rs 5000 require a separate auth. (EMIs are not impacted by this.)
This isn’t a surprising change and was always going to be the future of PCI compliance.
It seems here people see this rule as "merchants can't store card numbers any more". This is actually a lot more than that, this is the new rule: you cannot store card numbers for recurring payment. Even if you are PCI-DSS compliant. Even if you are audited by the RBI. Even if you're sponsored by a bank. The only way to store a Visa number is to use the Visa tokenization service.
Now if you know a bit of the card payment industry, you will know that you need the card number just to process the payment, the refund, etc. So you still have to store the card number. And you can. You just can't use it for recurring payment any more.
My personal take: Giving full control to Visa and Mastercard over their card numbers for recurring payment seems to be a nice transfer of power to these two giants. But the time scale has been very short (a few months only). So practically, most recurring card payments will stop working or be illegal in two weeks. This will more or less break existing subscriptions working with cards.
India (the RBI at least) has been in a campaign for independence in the payment infrastructure. American Express[0], Diners[1], Mastercard[2] have been banned in India. Diners' ban has been lifted now, but still. Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].
This change is not for the sake of security. You can have the best firewalls, cutting-edge HSMs, a security team and pass 12 audits a year. You will be allowed to save these card numbers but you won't be authorized to use them for recurring payments. This is just a move against cards, and to promote UPI instead. By making recurring card payments a hindrance, more people will transition to UPI.
[0] https://www.americanexpress.com/en-in/company/notice/rbi-imp...
[1] https://www.reuters.com/article/india-banking-american-expre...
[2] https://westfaironline.com/138440/mastercard-banned-from-new...
[3] https://www.npci.org.in/PDF/npci/statics/RETAIL-PAYMENTS-STA...
[4] https://economictimes.indiatimes.com/opinion/et-editorial/st...
If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa, who can disrupt the Indian financial system at the behest of the US govt or other interests, it's the right thing to discourage them directly or indirectly.
Think in the interest of the people. WTO commitments are not worth the paper they are written on. State should do the right thing to benefit the people as a whole not worry about inconvenience to a few people or few middle men or foreign companies.
I understand the confusion, but just to clarify I'm a big fan of UPI :).
Now, is it good move for the people? It's a complex topic, one could write a lot about it. This move will push people away from cards because card tokenization won't be supported for a while, making recurring payment harder. It's well known that very small amounts of friction can drastically reduce the conversion rate. Entering the card details every time is a hassle for sure.
So more UPI payments. But today there are no MDR for UPI transactions, meaning fintechs and banks are losing money when they process these transactions. For banks, it's supposed to be ok because a digital transaction is cheaper than a physical one. For fintechs, this is tough, you need to find money somewhere else. So less money = less incentives = less innovation. However there have been talks to put back some fees on UPI (banks are pushing a lot on this).
On the other hand, more card payments = higher MDRs. So merchants or customers, or both, will pay more to process the transactions. Banks and fintechs get more money. But with a lack of competition, because of the current duopoly (Visa/Mastercard), and the difficulty of entering the market due to strict regulation, innovation is far from its peak. Just by looking at how long 3DS2 takes to roll out you can see that there is a lot of inertia.
It's not black and white, as often. Personally I think UPI is a better direction. The only downside is that it is only for domestic payments. I'd love to see an EU initiative as successful as UPI: instant payment could be the EU equivalent but the fees are crazily high in some countries.
Is there any evidence that the RBI actually thinks this? You seemingly criticise GP on their inference of an ulterior motive but then posit your own ulterior motive.
Rupay's failure is because of zero MDR, not in spite of it.
They then use this to attract customers and/or banks to sign up. Rupay customers end up paying part of the hefty commissions (albeit indirectly) that Visa charges the merchants, and the Visa customers get discounts, cash backs and offers.
A payment network is just a payment network, they shouldn't be using their market dominance to run marketing schemes.
Sometimes you won't see Visa or Mastercard but instead "Debit Card" and "Credit Card" vs "Rupay", for instance.
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
If India is one of those places where the burden of proof is on the customer, and it's difficult to dispute charges, it makes sense to tokenize things.
Whereas the Indian model is "pessimistic": put in as many checks as possible to reduce the rate of fraud before the transaction has even completed.
Thoughts?
This means anyone who read the news understood this was going to happen, and scammers put their numbers in and sent out SMSes. Any unsuspecting user would just call them, whereby they would ask for their Aadhaar card, PAN card, OTP and you are fucked.
For example, can the customer's credit card be anonymized but still tracked to know that the same credit card is used on 2 different transactions, for example?
E.g. if I wanted to give the customer only 1 special offer per credit card number, is that possible for the retailer to tell? Or is it even more sanitized such that every single transaction gets a different hashing?
How do refunds get issued if the number can't be stored and presumably you don't want the retailer to have the backwards decoding to be possible?
But I never found the idea that a saved credit card number (23 digits) would make a shopping experience so much more convenient than having to enter it. A typical checkout still has me entering my address, choosing between 5 different delivery options, agreeing to various terms and so on. The payment step is just a minor step along the way.
I wonder if this entering of payment info is feeling more inconvenient to people who have become used to not having to do it, for example because they have used Amazon (I still never ordered anything there because they don't have a functioning operation where I live).
Paying with bank transfers completely negates all this protection. Merchants love it for this reason (and lower fees), but as a consumer it offers no benefits and a lot of drawbacks.
Reading through the actual notification titled "Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services", it is clear that the directive is a well-deserved push away from Card on File (CoF), where the actual card details are stored by merchants, towards CoFT, which is a lot less vulnerable. In fact this is exactly what Apple Pay, Google Pay, and several others are already doing worldwide.
So my takeaway from this is that, the fact that card companies are still accepting "card not present" style transactions from online retailers in India means they have been willing up to this point to tolerate a large amount of fraud and hacking in order to tap the market. The logical next step for them is to limit the number of data sources storing the card numbers and customer data themselves. Whether this comes in the form of a government decree or the slow moving of the card companies away from accepting these kinds of transactions, the change is inevitable. Local hosting and locally managed databases are no place for credit card numbers to be stored.