[GTO]

Nice move, I fully support it. Though it entails an additional security step, using your credit card for online payments just got that much safer. Some corporates impose a similar security layer when employees need to log into the VPN (as an example).

What do you think?

Receiving the following email from my CC company:

Quote:

ONE TIME PASSWORD (OTP)

Important Notice for online and merchant IVR transactions:

Effective Jan 1, 2011, online & merchant IVR transactions
(E.g. Tata Sky, Vodafone etc) will require a One Time Password (OTP) for executing the transaction. The OTP is a six digit number and you are requested to generate an OTP prior to every such transaction.

Getting an OTP
Please SMS OTP XXXX (Last 4 digits of the Credit Card number) to 52484 or 9880752484 to generate an OTP.

Using OTP
Please key in the OTP alongwith other card details required such as card number, expiry date and CVV number, for completing the transaction.

Validity of OTP
The OTP is a single use password valid for 30 minutes from the time of placing request.

Please note: Online transactions will continue to be authenticated by the Internet PIN (IPIN) and similarly CitiPhone banking will continue with Telephone PIN (TPIN).

[fuel_addict]

An extra hassle but goes an additional step in ensuring safer online transactions. What is not clear is whether you need to send an SMS every time you have to generate an OTP?

[msdivy]

SBI already has OTP for every online transaction. Is this new process same as that?

[dhanushs]

Definitely makes online transactions much safer.

Quote:

Getting an OTP
Please SMS OTP XXXX

I'm not sure about the reliability of various mobile service providers. For eg; Sometimes it takes ages for me to add a payee in ICICI Bank, which employs a similar method for adding payees.

Is there any other way to generate an OTP?

[patron]

Quote:

Originally Posted by GTO

Getting an OTP
Please SMS OTP XXXX (Last 4 digits of the Credit Card number) to 52484 or 9880752484 to generate an OTP.

Surely a nice move but isn't sending SMS to these number's Rs. 3/message? Another hassle, suppose you forget your mobile while doing a transaction, you are stuck. But it's all for security so still worth it I guess.

[ghodlur]

Uptil now the OTP's were mainly used during registering a biller or an third party payments or for inter bank transfers. Good to know that they are being introduced for Credit cards too.

One ques though how is this different from the one time secure password which is presently available with most CC's. This is very much there for VISA cards, dont know if there's for Mastercard too. Every Visa card needs to be registered for one time password. This is there in my HSBC and Stanchart cards.

If only the OTP could replace the CVV code which is normally reqd for online payments, then it would have been better.

[sgiitk]

I pain in the a$$. What happens when you go abroad and have to make a payment!

[Newpunter]

Am I missing something? I thought this applied only to IVR transactions, not online transactions. Online transactions already have an additional layer of security like the "Verified by Visa" but an OTP would definitely improve security. But seems like this OTP is only applicable to IVR transactions as of now. I have used IVR only a couple of times when booking accommodation through Yatra.com. I'm not sure if IVR is used that widely.

Quote:

Originally Posted by fuel_addict

What is not clear is whether you need to send an SMS every time you have to generate an OTP?

Each OTP is valid for only one transaction and expires 2 hours after it is generated. So you do need to send an SMS everytime you need to use this. Ofcourse, I think there would be an option in the IVR itself which would send the OTP directly without us sending an SMS ( otherwise , we might have to disconnect our phone and then send an SMS or use another phone to send the SMS during the IVR process.

[joslicx]

Quote:

Originally Posted by sgiitk

I pain in the a$$. What happens when you go abroad and have to make a payment!

Exactly my first thoughts!
I have a banking a/c with Axis bank and they have this stupid process every time you need to login. Recently when I was out of India I just couldnt use it for paying my bills! Its quite frustrating!

[Rocky_Balboa]

Nice move.

@ fuel_addict,
As I understand OTP is valid for only one transaction. And You have to send an SMS for every transaction.

[safari_lover]

Why do they want us to SMS? Will this sms be free?
I think providing an RSA key generator would be ideal for OTP.
I have one for my HSBC Savings A/c and am required to use it for all online transactions.

[Milestone]

Quote:

Originally Posted by fuel_addict

An extra hassle but goes an additional step in ensuring safer online transactions. What is not clear is whether you need to send an SMS every time you have to generate an OTP?

+1

I dont think its required to generate pin all the time. If thats the case one should always have the registered mobile along for the transaction.

Cheers !!!

[v-drive]

This is only for the IvR transactions and not the internet transactions. Internet transactions already have the security step built in. This is for where you dial a number and it asks you to enter your credit card, followed by the date of birth for authentication etc.

Also, I doubt that you would dial into an IvR which is based out of India to renew your Tata sky subscription while you are travelling abroad. The IvRs based abroad will possibly not have this step, just like if you do a transaction with a foreign vendor over internet, they do not ask for the extra authentication

[Newpunter]

Quote:

Originally Posted by Milestone

I dont think its required to generate pin all the time. If thats the case one should always have the registered mobile along for the transaction.
Cheers !!!

I think the RBI has made this mandatory , so all credit card companies will be implementing this from Jan 1st ( but i have read that this is only for IVR transactions and not sure if it applies to online transactions ) . Regarding the cases when we want to complete a transaction from a different country, I think the OTP will be sent to both the registered mobile as well as the registered E-mail id. So even if we do not receive the SMS, we have a backup option in the mail.

[bullinb]

The mail I got from HDFC says it is only for IVR transactions. Which makes sense because online transactions already have a third layer of security - PIN.

Quote:

We understand that when you purchase products or avail services with your HDFC Bank Credit Card through a telephone (IVR) you expect complete security and convenience. Starting
1st January, 2011 these (IVR) transactions need to be authenticated with an additional password. This is mandatory as per the RBI guideline.

OTP is also sent to the registered email id.

Quote:

Alternate Options:

• You can call customer service to request for your IVR OTP
• Receive automatic OTP on call -If you are performing a transaction and have not requested for an OTP already, an OTP will be triggered to your registered mobile number and email ID, while the transaction is in process