top of page

How Single-Click Checkout Feature Exposes Online Shoppers to Fraud and Hacking

Updated: Nov 26, 2023

Recent changes in security standards for digital transactions in India have raised concerns among customers and merchants. The Reserve Bank of India (RBI) now mandates that all transactions above Rs. 2000 require an additional factor of authentication (AFA), such as an OTP or CVV. However, some online platforms allow customers to check out without AFA for transactions below Rs. 2000 using a feature called 'single-click checkout' or 'Visa Safe Click.'

Introduced by Visa in 2019, the single-click checkout feature was designed to offer a smoother and faster checkout experience for transactions worth up to Rs. 2000. Visa has voluntarily paused this service in the Indian market since March 2021, following the RBI's push to tighten security standards for digital payments. Visa is currently working on an evolved form of network authentication product under RBI guidelines.

The single-click checkout feature has been criticized for being vulnerable to fraud and hacking since it does not require any AFA. Hackers can use stolen card details to make multiple mini fraudulent transactions below Rs. 2000 without raising suspicion.

Additionally, some online platforms, such as Zomato, Swiggy, Blinkit, and Dunzo, have been asking for CVV for transactions below Rs. 2000 and also accepting the wrong CVV. This raises questions about whether the CVV is being provided to banks or not being sent by the online platforms to the bank or whether the bank does not accept CVV at all for cards saved with new guidelines.

It appears that CVV is not being sent to banks for transactions under 2000 with Visa cards secured using new RBI guidelines. This is because Visa had introduced a feature called 'Visa Safe Click' that allowed customers to check out without requiring CVV and OTP for repeated online transactions under 2000. However, in March 2021, Visa paused this feature in compliance with the RBI's directive to enforce additional factor authentication (AFA) for all online transactions. As a result, online platforms that ask for CVV for transactions under 2000 and accept incorrect CVV may not be sending the CVV to the bank, or the bank may not be accepting CVV at all for cards saved with new guidelines. This poses a significant security risk for customers and merchants, as hackers could exploit stolen card details to conduct multiple fraudulent transactions without AFA.

Some online platforms, such as Amazon, have not implemented the single-click checkout feature and require AFA for all online transactions, regardless of the amount. This shows that they follow the RBI's guidelines strictly and ensure the security of their customers' card details.

While the single-click checkout feature offered convenience and speed to online shoppers, it also compromised their security and privacy. The RBI's move to enforce AFA for all digital transactions is a welcome step to prevent fraud and hacking and protect the interests and safety of both customers and merchants.

Thank you for reading about the recent changes in security standards for online transactions in India. As the situation continues to evolve, it is important to stay informed about any further developments or updates. Stay tuned for more information on this topic.

bottom of page