Date and Time: Wednesday 9 March 2022 4:01:00 PM IST

Job Number: 166139085

Documents (5)

1. 6.3 Earlier E-Payment Systems

Client/Matter: -None-

2. 6.4 The Current E-Payment Systems

Client/Matter: -None-

3. 6.5 Credit Cards

Client/Matter: -None-

4. 6.6 Use of SET in Online Payment System

Client/Matter: -None-

5. 6.7 Conclusion
Client/Matter: -None-

| About LexisNexis | Privacy Policy | Terms & Conditions | Copyright © 2022 LexisNexis
 6.3 Earlier E-Payment Systems
Computers, Internet and New Technology Laws, 3rd Edn

Dr Karnika Seth

Computers, Internet and New Technology Laws, 3rd Edn > Dr Karnika Seth: Computers, Internet and
New Technology Laws, 3rd Edn > CHAPTER 6 ELECTRONIC MONEY

CHAPTER 6 ELECTRONIC MONEY

6.3 Earlier E-Payment Systems

6.3.1 First Virtual

The First Virtual was introduced as a payment system as early as 1994 but is not used anymore.
In this system security parameters were embedded to ensure that credit card numbers are
replaced with other numbers termed First Virtual Personal Identification Number. This eliminated
the fear of interception or misuse. A person’s account was not charged till e-mail verification was
obtained from the person confirming the purchase. The seller could use the e-mail, known as
the Simple MIME Exchange Protocol to verify accounts and make payment online. The
customer would submit his First Virtual Pin Number and the e-merchant would inform this
number to the First Virtual together with the seller’s pin and purchase money involved. The First
Virtual would confirm the transaction by requesting via an e-mail to the buyer and on receiving
his confirmation process the transaction. The merchant in this model is liable for all risks which
made it unpopular.
6.3.2 Cyber Cash

Cyber cash is a payment method that makes use of encryption technology in transferring credit
card information. It uses unique programmes called as a “Cyber Cash Wallet Software
Programme”. A customer would register with cyber cash and be allotted a wallet ID and a
password connected with one credit card. E-merchant sets up an account with the bank that
accepts a payment transaction using cyber cash and the bank approves or denies a transaction
in an encrypted form to the merchant. The merchant’s account gets credited fairly quickly. This
model has its own advantages and disadvantages. Its success depends on the bank’s
 Page 2 of 3

6.3 Earlier E-Payment Systems

acceptability of the cyber cash system and installation of the required software and its security
parameters.
6.3.3 Digi Cash

The Digi Cash system is generally used for micro payments.55 Digi Cash provides for safe
account system to avoid misuse of sensitive data of customer when they make payments online.
This system is no more being used. However, we will briefly discuss its key features. Each user
was required to have a bank account with an electronic cash issuing bank and the required
software for its transaction. The case was generated by the buyer’s computer using the special
software that allotted the random numbers through which “coins” can be identified. Coins were
nothing but encrypted messages relating to specific currency in which transaction was being
made. The software acted as an interface without revealing the individual number, the issuing
bank would validate the coins. When a customer purchases the goods on a website then the
trader who has the same software and the issuing bank account, the required coins for a
transaction were credited into the merchant’s account. The buyer decodes the random number
through his private key and the buyer’s software sends coins to the bank for verification. The
bank checks unique identification number on the coins and if they are not earlier spent, on
verification, they are stored and the merchant is accordingly informed so that he can deliver the
goods purchased to the buyer. Money laundering is one of the most important flaws of Digi Cash
system. Buyers often used fake names in online transactions and the bank could not identify the
coins have been spent by which buyer.56
6.3.4 Mondex

Mondex initially applied to the offline world and slowly shifted its base to online transactions. It is
a chip card based system that applies to card transfers of money and invalidates spoofing
requests to transfer money. This system is similar to the E-Cash system wherein funds are
stored on the chip. However, it did not require central clearing or verification by a bank. But this
system required a chip card reader to operate which made it unpopular. This system is also no
more operational.
6.3.5 Auripay

This system uses a unique number which is deactivated on single use. Consumer often uses
this payment method for online shopping. The advantage of this system is that the number can
be customised based on the number of times it can be used, dollar limit of a specific transaction,
 Page 3 of 3

6.3 Earlier E-Payment Systems

the value stored on a card, card holder’s name and address and the validity period. There are
rare chances of misuse, because this system shall deny authorisation to impostors. A consumer
who receives the numbers may charge the proceeds to their credit cards or checking accounts.
The Auripay numbers are acceptable at any website that allows credit card payments. It
synchronises with the traditional banking systems. For issuing the Auripay number the value of
money for a transaction is transferred from the consumer’s bank account to the Auripay account
in the same bank. On closing for the day, the money is transferred from the local account to the
Auripay account through Visa or other networks. On transfer of money the network operators
settle their amounts with the merchants. This maintains secrecy of confidential information,
offers the flexibility to use any credit card and this system can be used at any website which
accepts payment by credit card without the need for traders to register with Auripay.

55 E-Cash was developed by Digi Cash and this facility is being rendered by Market Twain Bank, St. Louis since the
beginning of 1995. Also the Deutsche Bank AG Frankfurt renders this facility to its customers since the year 1997. The
Net Cash is a decentralised method which was prepared at the University of South California. It uses the existing
infrastructure for accounting and procedures in financial institutions. The Millicent method is developed by Digital
Equipment Corporation (DEC) to manage small amounts of payments. See Juergen Seitz and Eberhard Stickel,
“Internet Banking – An Overview” Available at : http://www.arraydev.com/commerce/jibc/9801-8.htm (last accessed in
September 2021).

56 Stephen York, Ken Chia, Hammond Suddards (Firm), E-Commerce: A Guide to the Law of Electronic Business,
LexisNexis Butterworths, 1999, p74.

End of Document
 6.4 The Current E-Payment Systems
Computers, Internet and New Technology Laws, 3rd Edn

Dr Karnika Seth

Computers, Internet and New Technology Laws, 3rd Edn > Dr Karnika Seth: Computers, Internet and
New Technology Laws, 3rd Edn > CHAPTER 6 ELECTRONIC MONEY

CHAPTER 6 ELECTRONIC MONEY

6.4 The Current E-Payment Systems

6.4.1 Online Payment Gateways

One of the currently popular e-payment systems is the PayPal. PayPal was introduced around
1990 and undertakes its business activity of online payment services in more than 30 countries.
PayPal offers certain services free to its consumers whereas certain services are fee based. A
registered user who is the seller in a transaction receives the money through PayPal if the buyer
is also a registered user who inputs payment information and the seller’s e-mail address and the
amount which is then deducted from the buyer’s account with PayPal or the buyer can charge
the payment to a credit card or authorise Automated Clearing House (ACH) transfer from a
“checking account”. In case the buyer is not a registered user of PayPal, the seller is able to ask
the buyer to log on to PayPal for one-time payment. This payment gets credited to the seller’s
account with PayPal charging the applicable service fees. The money received by the seller in
his PayPal account can be maintained or he can ask PayPal to transfer the same into his bank
account. In this manner the seller and the buyer does not need to disclose the sensitive
information about their credit cards or their identity. Another example similar to PayPal is that of
Bill Point which operates in almost 37 countries. It was introduced in 1998 and is currently
owned by eBay. In Bill Point, the buyers pay through credit cards or ACH transfer, and
payments after deduction of the service fees are credited to the seller’s bank account. In case of
credit card payments this is instantaneous. But in case of ACH transfer, it takes more than three
business days. A seller requires registration with Bill point to receive the payments. In case the
buyer is not registered user, he provides credit card or bank account information when he
 Page 2 of 3

6.4 The Current E-Payment Systems

intends to make the payment. Another payment system is that of ProPay. ProPay does not act
as intermediary to a payment transaction and enables sellers to establish its individual credit
card account so that when buyer pays through credit card it gets credited to the seller’s account.
ProPay does not charge registration or maintenance fees, but charges a higher fee for every
transaction processed. CC Avenue now is also an online payment system which acts as a
retailer in auction sales. Its role is to purchase the products from the original seller and re-sell
them to the buyer. It collects the payment from the buyer made through a credit card and pays
to the seller after charging its commission. CC Avenue.com also provides quick and cost
effective payment delivery in the online world. The ICICI e-payments limited has incorporated
Visa International Global Authentication Payment System which is a 3D secure protocol that
uses a unique PIN number of credit card and a unique login ID and password for authentication.
This company is also providing payment gateway services to CC Avenue. Verisign offers
payment security services and allows the users to make payments through credit cards online in
a secure manner.57
6.4.2 Latest Smart Card Systems

Smart Cards which are quite commonly used offer added security as compared to magnetic strip
technology and electronic wallet is an apt example. It is like a smart card that stores in a
purchasing power of the consumer which he can make use of. The deposit is debited whenever
there is a purchase made irrespective of the bank used for a transaction. As described earlier,
this e-payment method is acceptable mainly for micro payments. This system is user friendly for
internet payments and is akin to the France Telecom Tele-carte. This facility can also be used
with mobile phones. In Belgium, Proton introduced in February 1995, has been a successful
model. In Germany, the GeldKarte is a popular e-Wallet system. It uses the DES cryptography
and is technically compatible for operations within France, Germany and Luxembourg. In France
the Moneo, another form of e-wallet was created in 1999. This is used either with a credit card
or can be used separately. Due to its instant payment process, low charges and/or seamless
interoperability electronic wallets such as Proton from Belgium and Octopus from Hong Kong
have flourished in the e-commerce market. Moneo in France has almost diminished due to
security concerns and high costs of usage. However, it has been found through some studies
that card holders are fairly satisfied with its performance and it is likely to be adopted as a
successful model with greater marketing efforts.58
6.4.3 Mobile payment modes
 Page 3 of 3

6.4 The Current E-Payment Systems

In India, few mobile wallet applications are quite popular such as Paytm, Mobikwik, Google Pay,
Payumoney, etc. These are used by customers for online shopping payments, utility bill
payments, mobile recharge, DTH recharge online, online events/movie ticket booking. These
are semi closed and do not allow for money withdrawal or cash redemption. Open wallets allow
this facility. For example, Vodafone powered M-pesa wallet. Example of closed wallet is Jabong
or MakeMyTrip which returns money if order is cancelled as money gets credited to their
account directly when payment is made by a customer.59

57 See Sorkin, David E, “Payment Methods for Consumer to Consumer Online Transactions”, Akron Law Review, vol 35,
No.1, pp 1-30, 2001, Available at : http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1057521 (last accessed in
September 2021).

58 In Belgium, the Proton Cards are used for using public pay phone and for vending machines. The Proton does not
charge any fees from the card holder and provides a quick payment facility. Octopus has the advantage of good
interoperability. As the system is RFID based, it provides a quick and convenient means of making payments. Added
attractions are that Octopus operates and facility to re-allot the E-Wallet automatically. The merchants also pay low
transaction fees as compared to credit cards. See the M’Chirgui, Zouhaïer, “Market Difficulty for Use of the Moneo
Electronic Purse” in Journal of Internet Banking and Commerce, August 2006, vol 11, No. 3, Available at :
http://www.arraydev.com/commerce/JIBC/2006-12/mchirgui.htm (last accessed in September 2021); Jean Michel
Sahut, “Electronic Wallets in Danger” in Journal of Internet Banking and Commerce, August 2006, vol 11, No. 2,
Available at : http://www.icommercecentral.com/open-access/electronic-wallets-in-danger-1-5.pdf (last accessed in
September 2021). Stewart, David C, “The Future of Digital Cash on the Internet”, Available at :
http://www.icommercecentral.com/open-access/the-future-of-digital-cash-on-the-internet.pdf (last accessed in
September 2021).

59 Best 5 mobile wallets for online payments in India, Available at : http://www.ampercent.com/best-5-mobile-wallets-for-

online-payments-in-india/16425/ (last accessed in September 2021)

End of Document
 6.5 Credit Cards
Computers, Internet and New Technology Laws, 3rd Edn

Dr Karnika Seth

Computers, Internet and New Technology Laws, 3rd Edn > Dr Karnika Seth: Computers, Internet and
New Technology Laws, 3rd Edn > CHAPTER 6 ELECTRONIC MONEY

CHAPTER 6 ELECTRONIC MONEY

6.5 Credit Cards

6.5.1 Plastic Money for E-Payments

The use of credit cards or debit cards or plastic money is quite popular means of effecting
payment both in the conventional and online world.60 On the internet, usually the credit card
number is required and the three-digit number (CVV) at the back of the credit card is also
required to make an online payment. The websites that use the credit cards as a means to
accept payment use SSL (Secured Socket Layer technology) which automatically encrypts the
data which is being transmitted for security reasons.61 Certain websites request credit cards
details over the telephone also. Credit cards are being used to purchase software, make
payments to utility service providers, to do shopping online or even to play games as
entertainment. In United Kingdom, the consumers pay using a credit card as they are protected
under Consumer Credit Act, 1974.62 The e-merchant is required to sign up an account with the
issuer of the card to accept payment through credit cards. This entails heavy costs and opens
risk of charge backs. At the same time, there are many advantages of using credit card for e-
transactions. One of the prime advantages is the stipulated time window of credit without
charging interest. Encryption platforms for use of credit cards offer varied combinations to use a
credit card to make payments at point of sales or at ATMs, net-banking or through CC Avenue.
A number of acceptable credit issuers operate this business including Visa Card, Master Card,
American Express, amongst other service providers. In a nutshell, a “credit card” is a payment
card wherein the holder enters into a contract that provides that the issuer can “discharge less
 Page 2 of 14

6.5 Credit Cards

than whole of any outstanding balance on his payment card account on or before the expiry of
specified period subject to any contractual requirement with respect to minimum of fixed amount
of payments”.63 The card holder may avail credit to the highest amount stated on the card and
pays against statements with or without interest. Interest is payable on the outstanding amount
as per bank’s policy. Although credit cards can be used with much ease, there are growing
concerns about security threats. Cybercriminals may adopt skimming, install hidden cameras
near ATM machines, clone the stolen credit card or introduce virus to steal secret pin and pass
words to create unauthorised and fraudulent transactions. Due to these technical vulnerabilities
credit card frauds are on the rise. There are new solutions being devised to counter such
cybercrime attacks. One of the common methods is to segregate the purchase transaction from
the payment process. For example, when a user shops a product online, through a telephone
call, the credit card number may be disclosed.64 However, this system may have flaws and
additional burdens such as more man power requirement and chances of misuse of the
information. Another method suggested is use of Secure Socket Layer Server which uses
cryptography to transmit any sensitive data. Two factor authentication system is used as apart
from CVV number of card, a unique One Time password is generated to complete an online
payment transaction. This is one way of buying goods on Amazon. The aspect of credit card
frauds is dealt with in greater detail in the chapter on cybercrime in this book.
6.5.2 Card Holder, Card Issuer and Electronic Merchant

Generally established banks take a franchise from reputed payment system provider in order to
undertake the business of credit cards. Most phone banking services, ATM withdrawals, internet
purchases are based on the credit card number submitted by the card holder. In UK, once
payment is made through a credit card it discharges the debt. However, in case the payment
process is not completed and the payment is lost mid-way it does not discharge the debt. This
position of law is applicable in the Indian context as well.65 In a credit card transaction, there
are three separate contracts and three parties and each party is party to two contracts. But none
of them is a party to the third contract. This means the card holder who pays using a credit card
enters into a contract with the supplier and the supplier will contact the card issuer for receiving
its payment. In this case once the payment has been made the payment cannot be withdrawn
and in case the card issuer does not pay to the e-merchant, the e-merchant cannot ask the card
holder for payment.66
 Page 3 of 14

6.5 Credit Cards

6.5.3 Charge Backs

Chargebacks offer protection to a cardholder against fraudulent or fake transactions carried out
unauthorised by another person by misusing his card. In UK, according to the UK Consumer
Credit Act, 1974, in case of misuse of credit card by a third party, section 83 provides that a
consumer is not held liable. However, a card holder may be held liable when the card has been
previously accepted by him or it is first used by him or any person authorized by him to use it as
per section 66 of the Act) when the card is not in the card holder’s possession and in case any
loss is suffered due to a third party who possesses the card with the card holder’s permission,
the card holder is liable until he informs the card issuer of the loss of the card (section 84 of the
Consumer Credit Act, 1974). A card holder can within a prescribed time object to a transaction
which is caused owing to theft, fraud or mistake and if the card issuer accepts its default, a
charge back occurs and the e-merchant is liable to repay the said amount along with processing
fee. The same position applies in India as most international banks offer charge back facility in
their contractual terms with customers. On the internet, it is not possible for an e-merchant to
verify the card holder’s identity easily. In the conventional setting, the signature of a card holder
is matched with the signature of the card holder on the back of the card. If the signature on the
back of the card matches with the purchase slip, the identity of the card holder is verified. On the
internet the e-merchant may need to pay higher fees to the bank as the risk of chargeback is
higher in e-goods and services. Also, special procedures need to be put in place to verify the
identity of the card holder through use of Secure Socket Layer or digital signatures. Secure
Electronic Transaction (SET) is a system which verifies the identity of the card holder and aims
to reduce the risk of chargeback, misuse of credit cards or related information and also reduce
the cost of processing and e-purchase transaction.67
6.5.4 Credit Cards and Indian Legal System

The credit and debit cards were introduced in United States as early as in 1960s and in United
Kingdom this form of plastic money was launched by Barclays Bank in 1966. In India, credit
cards were introduced around early 1980s. This form of plastic money is commonly used to buy
food, book hotels or air lines tickets, buy consumer goods and to pay services providers, for
example, telephone department, recharge mobile talk time amongst other services. In India,
2010 statistics of RBI reported that approximately 191.21 million credit cards and debit cards
 Page 4 of 14

6.5 Credit Cards

had been issued.68 According to the Reserve Bank of India, use of paper-based instruments
(like cheques, drafts, and the like) is approximately 60% of the volume of total non-cash
transactions and in terms of total value it amounts to around 11%.69 The Indian Negotiable
Instruments Act is not applicable to credit cards as it is different from cheques. Therefore, the
principles under the Negotiable Instruments Act particularly payment in due course, forged
endorsement are not applicable to credit cards.

The Banks that issue credit cards apply different regulations to the use of credit cards. In a
nutshell, a customer is generally liable where a transaction is undertaken using the card which is
duly authorised by the customer and in case of a fake transaction using the credit card, the
customer is liable up to a prescribed limit. This limited liability ends at the time when the
customer notifies the Bank the fact that the card was either lost or stolen.70 This attribution of
liability is analogous to the loss of electronic signatures under IT Act, 2000 and consequent
liability illustrated in section 42 of the IT Act, 2000 discussed in chapter on electronic signatures.

Check other notif

Any legal framework provides a limit to exposure for an issuer of a credit card and prescribes
the rules on eligibility of persons that can avail the credit card facility. A customer is also
informed at the time of issue of card about the possible liability that a customer may be exposed
in order to satisfy consumer protection concerns. Generally, the issue of liability is clarified
through contractual arrangement.71 In case of SET, a contract aims to safeguard the interest of
the merchant but the principles enshrined under common law continue to hold good to protect a
consumer, particularly in cases involving insolvency of a card issuer,72 unfair trade practice,
deficiency in rendering any service73 (under Consumer Protection Act), use of counterfeiting
techniques amongst other matters.74

In India, the Consumer Protection Act, 2019 offers protection to consumers against unfair trade
practice and deficiency in services. RBI’s recent notification has laid down rules of zero liability
to a consumer for unauthorised debits made to his account. As per RBI, circular 4 January 2019,
registration of customers of prepaid instruments must register for SMS alerts, email alerts.
Customer has zero liability in case contributory fraud / negligence / deficiency on the part of the
 Page 5 of 14

6.5 Credit Cards

PPI issuer, including PPI-MTS issuer (irrespective of whether or not the transaction is reported
by the customer). In case of third party breach where the deficiency lies neither with the PPI
issuer nor with the customer but lies elsewhere in the system, and the customer notifies the PPI
issuer regarding the unauthorised payment transaction. If customer informs in three days, there
is zero liability of a customer, if in 10 days, transaction value or # 10,000/- per transaction,
whichever is lower, beyond seven days as per the Board approved policy of the PPI issuer.

In cases where the loss is due to negligence by a customer, such as where he / she has shared
the financial details, such as net banking, the customer will bear the entire loss until he / she
reports the unauthorised transaction to the PPI issuer. PPI issuer shall bear any loss occurring
after the reporting of the unauthorised transaction.75

It will be interesting to analyse if a consumer has protection against a foreign trader, particularly
when goods are sold through online market place by global giants like Amazon. The new
Consumer Protection Act, 2019 provides E-commerce will be governed by all the laws that apply
to direct selling. The Consumer Protection (E Commerce ) Rules, 2020 provide that platforms
like Amazon, Flipkart, Snapdeal will be required to disclose sellers’ details, such as their
address, website, email, and other conditions related to secure payment, refund, exchange,
terms of contract and warranty on their website to increase transparency and also appoint public
grievance officers in India to address consumer complaints. 76

Also, in case it can be proved that the foreign merchant has an office in India or actively solicits
Indian clients, such disputes could be adjudicated in India based on jurisdictional principles
discussed in chapter 2. However, the IT Act, 2000 and Indian Penal Code, 1860 (IPC) applies to
Indian citizens and also to foreign nationals in matters that involve fraudulent credit card
transactions. According to the IPC (section 3) any person liable under Indian law to be tried for
an offence committed beyond India shall be dealt with according to the IPC for any acts
committed beyond India in the same manner as if such act has been committed within India.
Further, section 4 of the IPC states that the provisions of the Code also apply to any offence
committed by any Indian citizen in any place beyond India and to any person of any ship or air
craft registered in India wherever it may be. Moreover, section 1(2) of the IT Act, 2000 provides
that the Act applies to any offence or contravention committed outside by any person. Section
 Page 6 of 14

6.5 Credit Cards

75 of the IT Act, 2000 states that the provisions of the Act also apply to any offence or
contravention committed outside India by any person irrespective of his nationality if it involves a
computer, computer system or computer network located in India. Important provisions of IPC
which are applicable to online credit card frauds include sections 463, 470, 471 for forgery of
electronic records; section 420 for cheating and fraud and under IT Act, 2000, section 66 for
hacking or section 66C, punishment for identity theft, section 66D of the IT Act, 2000 that
prescribes punishment for cheating by personation by use of a computer. These provisions will
be discussed in greater detail in the chapter on cybercrimes.

Recently, the Reserve Bank of India Act, 1934 was amended by the IT Act, 2000.77 In case of
section 58(2), after clause (p), the amendments inserted provisions to regulate electronic fund
transfer and prescribe rights and obligations of parties and conditions to be complied with for
effecting fund transfers.

Through such amendments Reserve Bank of India was empowered to prescribe norms for
electronic funds transfer and real time gross settlements. It becomes important at this stage to
discuss the regulatory regime that Reserve Bank of India has in place to govern electronic
payment systems in India.
6.5.5 Reserve Bank of India’s (RBI’s) Notification on Credit Card Business

On 21 November 2005, the Reserve Bank of India issued a notification regarding credit card
operations by non-banking financial companies and banks.78 The RBI recommended regulatory
mechanisms to encourage the use of credit cards with adequate security measures in place.
These regulations govern the card issuing banks and contain best customer practices relating to
credit card operations by bank and Non Banking Financial Companies (NBFC).79 This is based
on the IBA’s Fair Practices Code for credit card operations issued in March 2005. According to
this Notification, every bank/NBFC is required to form a Fair Practices Code for its credit card
operations. This Fair Practice Code should incorporate the requirements established by this
notification.

On the issue of credit cards, the banks are required to independently analyse the risk of giving
credit and add-on cards may be issued on the basis that the basic liability will be that of the main
 Page 7 of 14

6.5 Credit Cards

card holder. The banks ought to also assess credit limit which the customer avails from other
banks before deciding the credit limit for a customer. All KYC norms are required to be complied
with. This applies where DSAs/DMAs or other agents are soliciting business on behalf of the
NBFC/Bank. This was a positive provision as it is important to curtail credit card frauds and
misuse of stolen credit cards. For all the cards issued, the terms and conditions for using a
credit card and the issue of a credit card need to be clearly declared to an applicant. This is an
important provision that ensures transparency and prior information requirements as regards
contracting for credit card services. The terms which are extremely important should be
highlighted so that the customer reads them carefully at every stage, including while advertising,
at the time of making the application, when the card is issued and in every other important
notice from the bank.

As a pro-consumer approach, on charging of interest rates or other miscellaneous charges, the

notification provides that the banks/NBFC must dispatch bills timely so that a customer has at
least one fortnight to make the payment and the interest is not unnecessarily charged. This also
curtails chances of unfair trade practices by banks that may intentionally delay bills and
unreasonably charge interest for delayed payments. NBFC/Banks are required to mention
Annualised Percentage Rates (APR) on the card products and in case the retail purchase and
cash advance is different; the rate should be separately mentioned. Both the Annual Fee and
the APR therefore should be mentioned clearly and a customer should clearly be explained with
examples the method of calculating the APR. In case of late payment charges, the formula for
this calculation and number of days for which it is charged must be clearly given. Also the
outstanding unpaid amount when included for calculating interest must be shown clearly in all
monthly statements. In case there is a minimum threshold requirement to keep the card valid, it
should be shown in bold letters that the bank shall charge an interest on the said amount after
its due date of payment. All this information must be given in the welcome kit apart from the
monthly statements.

Notification further directs that no bank/NBFC can levy any charge not explained to the credit
card holder without his express consent, excluding the service tax or other charges levied by
any government authority. In every credit card the minimum payment due and other essential
terms should be clearly specified and any changes or revisions in charges (apart from interest)
 Page 8 of 14

6.5 Credit Cards

can be made only with prospective effect by giving prior notice of one month. Here it is important
to point out that in case of a dispute generally consumers prefer to approach the banking
ombudsman for speedy settlement of their grievances. In case a card holder intends to
surrender the credit card, his request should be accepted without levy of any extra charges. On
the aspect of wrong billing, the card issuers are required to assure that wrong bills are not
issued to customers. In case a customer challenges or objects to any billing, a card issuer must
produce sufficient documentary evidence and explanation within the maximum period of 60 days
to settle the matter. The Reserve Bank of India also recommended that in order to avoid delays
in making payments, the credit card statement should be available online with adequate security
measures. According to the Notification, when banks outsource credit card operations they must
ensure that the quality of customer service is maintained and confidentiality is not compromised.
Also, while collecting the debts fair practices are required to be ensured. The Reserve Bank of
India endorsed the Code of Conduct for direct sales agents drafted by the Indian Banks
Association for use as a guideline to form their own codes. The credit card issuers must
establish surprise checks to monitor the activities of their agents including the manner of
soliciting customers, privacy of customer information, and correct description of the terms and
conditions relating to product being offered. This has certainly benefitted in protecting personal
information of customers and preventing abuse of position by credit card agents during money
collection process.

The Reserve Bank of India recommended that the customer’s rights with respect to credit card
operations must be clearly maintained including right to privacy, clear description of rights and
duties, safeguarding customer records and using fair practices to collect any debts. The card
issuer is responsible in the capacity of the principal for acts or omissions of their agents
including DSA, DMA and recovery agents. The Reserve Bank of India strictly provides that in
case the customer had not requested for issuance of credit card, it should not be activated or
issued without the consent of the customer and in case there is a bill raised for the same, apart
from reversing the charges, penalty shall be payable by the Bank for duties, equating to twice
the value of charges reversed. This provision assists in cybercrime investigations where banks
are involved in credit card frauds as in certain cases a customer may not have requested a
credit card but an employee of the bank fraudulently issues it and misuses it to make illegal
gains. Further, unsolicited loans must not be offered to credit card holders without their express
 Page 9 of 14

6.5 Credit Cards

consent. In case the bank issues credit facility without consent of the customer, it is liable to pay
a penalty. Similarly, upgrading of credit cards without request of a customer should not be
made. Specific provisions have been prescribed to maintain privacy of customers, particularly as
regards information regarding credit history of a customer and unsolicited calls or messages for
advertising credit cards. Card issuers are allowed to make calls to a number only if a number is
not registered with the “Do Not Call Registry”. Pertinent issues of maintaining a customer’s
privacy are discussed in greater detail in the chapter on Privacy in this book.

In collection of debts, the guidelines on Fair Practice Code for Lenders (Circular DBOD Leg No
BC104/09.07.007/2002-03 dated 5 May 2003) and of International Business Association (IBA)
Code for collection of dues and repossession of security are prevalent. In case the card issuers
adopt their own code for collection of dues, it ought to embody all the required terms of the IBAs
Code. In collecting debts, the agents of the bank should not disparage the reputation of the bank
and any notice to be sent to the defaulters must bear the address and name of a responsible
senior officer of a card issuer who can be contacted by the customer. The banks, NBFCs or their
agents are required to abstain from adopting any practice which harasses or intimidates any
person for collection of debts or interferes with the privacy of an individual or makes unsolicited
calls, or use of false and misleading statements.

In case of customer complaints, it was directed that within 30 days from the date of complaint, it
should be resolved as every card issuer is required to form a Grievance Redressal Mechanism
within its organisation and declare the facility on its website and through print media. The
contact details of the Designated Redressal Officer of the bank ought to be clearly shown on the
credit card bills. The time for responding to the complaint and the procedure should be
mentioned on the website of the card issuer and a complaint number must be allotted to every
customer who submits a complaint. In case a customer does not receive a response from the
bank within 30 days when the complaint was submitted, he may contact the concerned Banking
Ombudsman who decides the liability and compensates the complainant as appropriate in the
case. In most cases the consumer complaints have been found to be settled before customer
reaches a banking ombudsman. This mechanism has led to speedy settlement of consumer
complaints. The notification provides that the Standing Committee on Customer Services in
each bank may review on a monthly basis the operations of credit card, reporting of defaulters to
 Page 10 of 14

6.5 Credit Cards

CIBIL, credit card complaints and recommend steps to make the system more efficient. To
maintain adequate control through supervision, the Reserve Bank of India also reserves its right
to impose penalty on a card issuer for violating any of the aforesaid guidelines, as per the
Banking Regulation Act, 1949.80 These provisions have facilitated sound functioning of credit
card system in India. Recently a notification on enhancing security of card transactions dated 15
January 2020 was passed. Another circular was earlier passed by RBI to monitor credit card
operations by banks. We will briefly discuss the key provisions of the circular and how it is
beneficial to strengthen current controls on credit card business.
6.5.6 RBI notification on Enhancing Security of Card Transactions dated 15 January 2020

As per the notification, at the time of issue / re-issue, all cards (physical and virtual) shall be
enabled for use only at contact based points of usage (viz. ATMs and Point of Sale (PoS)
devices) within India. Cardholders have been provided a facility for enabling card not present
(domestic and international) transactions, card present (international) transactions and
contactless transactions as per procedure described therein.

Cards which have never been used for online (card not present) / international / contactless
transactions are required to be mandatorily disabled. Issuer is under an obligation to send alerts
through SMS / e-mail, as and when there is any change in status of the card or card is used.81

As per RBI’s new direction, all the new debit and credit cards issued by banks will only be
enabled for domestic transactions at ATMs and point of sale (PoS) terminals from 16 March
2020. For existing cards, issuers can take a decision based on their risk perception whether to
disable the card not present (domestic and international) for transactions.

• If the cardholder is interested to use the Debit/Credit card outside India, then the card
holder is required to request the bank to enable international transactions.

• Cardholders can switch on and switch off their card or any particular facility like ATM
transaction, online transactions available in the Debit or Credit Card.

• Customers can get the facility to set their transaction limits. RBI’s new rule for debit and
credit cards will come into effect from 16 March 2020. It is pertinent to note that, it will not
be applicable for prepaid gift cards and those cards used at the mass transit system.82
 Page 11 of 14

6.5 Credit Cards

In a new development RBI has directed all e-tailers not to store credit card information of
customers on its servers to avert cybersecurity risks.83

6.5.7 Master Circular on Credit Card Operations of Banks

RBI had issued a Master circular on Credit card operations way back in in July 2010, which
provided regulatory framework for the credit card issuing banks/NBFCs for their credit card
business and incorporates the best customer practices. The Circular recommended that the
Banking Codes and Standards of India (BCSBI) has released a “Code of Bank’s Commitment to
Customers” (Code) in July 2006, and a Guidance Note in December 2006, which may be
adopted by banks along with Fair Practice Code for lenders84 for framing Fair Practices Code
for credit card operations, instead of IBA Fair Practices Code. According to the instructions
contained in the Circular,85 banks are required to provide written reasons for rejection of
request for issuance of credit card applications. Also, banks ought to assess request of issuance
of credit card keeping in view credit cards issued to the customer by other banks. Banks have
been instructed vide circular86 dated 9 April 2010 that Base Rate system will apply instead of
the BPLR system with effect from 1 July 2010 to determine interest rate on credit card dues.

The Circular advised banks to set up do not call registry mechanisms. It may be noted herein
that the Telecom Regulatory Authority of India (TRAI) has framed the Telecom Unsolicited
Commercial Communications (UCC) Regulations, 2007 for controlling unsolicited marketing
calls by maintaining a Private Do Not Call List. TRAI has mandated that the telemarketers are
required to register with the DoT, Ministry of Communication and Information Technology,
Government of India otherwise their telecom services may be terminated. This was essential to
protect privacy of customers as excessive calls were being made by banks and their agents to
solicit business. The banks are also required to comply with the guidelines in respect of
engagement of recovery agents provided in circular87 dated 24 April 2008 issued by RBI. Banks
were required to implement security parameters pertaining to online credit/debit card
transactions from 1 August 2009 and follow operational framework set out in the Circular88
dated 18 February 2009 issued by Department of Payment and Settlement Systems, Reserve
Bank of India. As per Circular89 dated 23 April 2010 the requirement of additional
 Page 12 of 14

6.5 Credit Cards

authentication/validation to all on-line card not (CNP) transactions has been made applicable to
IVR transactions as well which has been brought into effect from 1 January 2011.90

60 Chip based cards are more secure than magnetic strip based cards. Chip based cards are really hard to clone as data
on chip based card is dynamic as opposed to magnetic strip based card which holds static data. Also, chip based card
have more advanced encryption technologies.

61 Secured Socket Layer is a protocol that transmits private information over the internet and uses asymmetric
cryptography. The URLs that use a SSL connection begin with “https’.

62 Section 75 of the Consumer Credit Act, 1974 is applicable whenever there is a pre-existing agreement between a card
issuer and a supplier. In case of misrepresentation or breach of contract a consumer may pursue either the supplier or
the card issuer.

63 Ahmad, Nehaluddin, “Credit Card Fraud and the Law: A Critical Study of Malaysian Perspective”, Available at :
http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_2/ahmad/ahmad.pdf (last accessed in September 2021). Also see
Article 29(1) of the UK’s Credit Card (Merchant Acquisition) Order, 1990, SI 1990/2158, H M Ogilvie, Canadian Banking
Law, Carswell, Scarborough, 1991, pp 647–648.

64 In 2007, the Association for Financial Professionals conducted a survey on payment frauds in 2006, Available at :
www.afponline.org/pub/pdf/2007PaymentsFraudSurvey.pdf (last accessed in September 2021), Keith Lamond,
Deborah Whitman (ed), “Credit Card Transactions-Real World and Online” Available at :
http://www.virtualschool.edu/mon/ElectronicProperty/klamond/credit_card.htm (last accessed in September 2021).

65 Shah, Vinod K., “All About Plastic Cards”, 2003, PL WebJour 3.

66 This position was elucidated in UK by Millett J in “Re Charge Card Services”, (1987) Ch 150 (QB) on appeal (1989) Ch
497 (CA).

67 Stephen York, Ken Chia, Hammond Suddards (Firm), E-Commerce: A Guide to the Law of Electronic Business,
LexisNexis Butterworths, 1999, p 69.

68 Card Bhai, “India-Top issuers of credit cards”, Available at : http://credit.cardbhai.com/2011/02/india-top-issuers-of-

credit-cards.html (last accessed in September 2021).

69 RBI, “Overview of Payment Systems in India”, Available at : http://www.rbi.org.in/scripts/PaymentSystems_ UM.aspx

(last accessed in September 2021).

70 Bohm, Nicholas, Brown, Ian and Gladman, Brian, “Maintaining Consumer Confidence in Electronic Payment
Mechanisms”, Available at : http://discovery.ucl.ac.uk/3883/ (last accessed in September 2021).
 Page 13 of 14

6.5 Credit Cards

71 During covid lockdown a three month moratorium for loan repayment and credit card dues was declared by RBI. “RBI
extends moratorium on credit card dues by 3 months: Here’s how it will impact you”, Available at :
https://economictimes.indiatimes.com/wealth/borrow/rbi-extends-moratorium-on-credit-card-dues-by-3-months-heres-
what-it-means-for-
you/articleshow/75886389.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst (last accessed
in September 2021).

72 In Re Charge Cards Services Ltd, (1988) 3 All ER 702 (C.A.), court ruled that a transaction using a credit card amounts
to an absolute payment by the customer. The court stated that in case of insolvency of a card company the card holder
shall not be liable to a supplier.

73 For Consumer Protection Act, 1986, see section 2(1)(g) for definition of deficiency in services. Deficiency in service
means “any fault, imperfection, short coming or inadequacy in the quality, nature and manner of performance” required
under law to be performed by a person under a contract to deliver any goods or services. “Unfair Trade Practice” is
defined in section 2(1)(r) Consumer Protection Act as a trade practice that adopts any unfair method to promote the
“sale, use or supply of any goods or provisions of any services”. See in Central Bank of India v Mohinder Singh, (2000)
3 CPJ 56 (Punj), the complainant had booked for an insurance of lost or stolen credit card with a protection to the
extent of Rs 50, 000/-. The credit card was lost and due intimation was sent to the Bank. It was ruled the Bank was not
liable to charge upto Rs 50, 000/-. In Mercantile Credit v Dinesh, (1998) 1 CPR 719 (Del), the Card Issuing Company
was held liable for its deficiency in services if any entity which was a party to the credit card arrangement refused to
accept the credit card. In American Express Bank Ltd v Girdhari Jewellers Pvt Ltd, (2006) 8 AD (Del) 338, the case
involved the issue of unfair trade practice under section 12B of MRTP Act, 1969. The customer used credit card to pay
for jewellery and the card was fake. The court held that since the shop keeper could not have known that the card was
fake, the petitioner cannot avail the full recourse clause in the agreement. In Anupama Purohit v Make My Trip.com,
case (decided by a Delhi District Consumer Forum on 9 March 2007) the court awarded damages of Rs 10,000/- to the
complainant whose credit card was fraudulently charged twice by the respondent and amounted to unfair trade practice
and deficiency in service.

74 In Society National Bank v Kenzie, 11 Ohio App 3d 178, the court stated that the onus of proof for the authorized use of
a card lies with the issuer. In case the use was not authorized the onus is on the card issuer to prove that the conditions
to attract liability for unauthorized use are satisfied.

75 Available at : https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11446 (last accessed in September 2021).

76 Available at : https://economictimes.indiatimes.com/wealth/spend/heres-how-consumers-will-benefit-under-the-new-
consumer-protection-
act/articleshow/70711304.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst (last accessed
in September 2021).

77 Section 94 of the IT Act, 2000 brought about amendments in the Reserve Bank of India Act, 1934 specifying the
provisions in the fourth schedule to the Act.

78 Notification of RBI – RBI/2005-06/211 dated 21 November 2005. DBOD.FSD.BC.49/24.01.011/ 2005–06.

 Page 14 of 14

6.5 Credit Cards

79 Banknet India, “Credit Card Operations of banks-RBI Guidelines”, 21 November 2005, Available at : (last accessed in
September 2021).

80 Bank net India, “Credit Card Operations of banks—RBI Guidelines”, 21 November 2005, Available at :
http://www.banknetindia.com/banking/creditcardnov05.htm (last accessed in September 2021).

81 Available at : https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11788&Mode=0 (last accessed in September

2021).

82 RBI New Debit Card, Credit Card Rules: Here’re Some Key Points Cardholders Must Know, Available at :
https://www.indiatvnews.com/business/news-rbi-new-debit-card-credit-card-rules-online-transaction-atms-rbi-
guidelines-581325 (last accessed in September 2021).

83 E-tailers cant store your card, The Times of India, 24 September 2021, Available at :
https://timesofindia.indiatimes.com/business/india-business/e-tailers-cant-store-your-card-data-says-
rbi/articleshow/85581684.cms#:&:text=According%20to%20sources%2C%20the%20central,kicks%20in%20from%20S
eptember%202021. (last accessed in September 2021)

84 Circular DBOD.Leg.No.BC.104/09.07.007/2002-03 dated 5 May 2003.

85 DBOD.No.Leg.BC.65/09.07.005/2006-07 dated 6 March 2007.

86 DBOD.No.Dir.BC.88/13.03.00/2009-10.

87 Circular No. DBOD.No.Leg.BC.75 /09.07.005/2007-08.

88 RBI/DPSS.No.1501/02.14.003/2008-09.

89 RBI/DPSS No.2303/02.14.003/2009-2010dated 23 April 2010.

90 RBI, “Master Circular on Credit Card Operations of Banks”, 1 July 2010, Available at :
https://www.rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=7338 (last accessed in September 2021).

End of Document
 6.6 Use of SET in Online Payment System
Computers, Internet and New Technology Laws, 3rd Edn

Dr Karnika Seth

Computers, Internet and New Technology Laws, 3rd Edn > Dr Karnika Seth: Computers, Internet and
New Technology Laws, 3rd Edn > CHAPTER 6 ELECTRONIC MONEY

CHAPTER 6 ELECTRONIC MONEY

6.6 Use of SET in Online Payment System

6.6.1 Role of Secure Electronic Transaction (SET)

Encryption techniques have been used to create secure payment systems on the internet. In
earlier times, symmetric cryptography was extensively used for this purpose. However, the
major disadvantage of using symmetric cryptography was the same key was required to be used
by the sender and the receiver and any third party could also intercept if the key was
compromised. The RSA data security introduced the public key cryptography commonly known
as “Asymmetric Key Encryption”. Master Card and other credit card companies also accepted
the SET protocol as a security technique to effect online payments. Although there was
widespread publicity of the protocol but it did not receive expected acceptance, perhaps due to
need to install e-wallet, SSL was cheaper and easier to use, and difficulty in distributing client
side certificates. The SET protocol aimed to ensure the privacy of a transaction and verify the
identity of the payer before processing payment in an online transaction. The SET was created
by credit card companies’ Visa and Master card in conjunction with other companies including
Netscape, IBM, and Verisign. Similar to the Cyber Cash system is the SET software system and
the payment processing is akin to processing of a credit card transaction.

When a buyer wants to shop online and he intends to use a credit card, the merchant will issue
an invoice. The buyer is required to have the software in his browsers that establishes
communications with the merchant’s system. When the buyer decides to use a payment card,
the software of the buyer calls for the merchant’s public key and that of the merchant’s bank.
The merchant produces that information issuing identification details which are verified by the
 Page 2 of 14

6.6 Use of SET in Online Payment System

buyer’s software. The Certifying Authority that has issued the certificate verifies that the public
key belongs to the merchant. The buyer then sends his purchase order and this instruction is
encrypted with the merchant’s key. This ensures the integrity and confidentiality of a transaction
is maintained. On receipt of the purchase order that bears the credit card details, date of
transaction and the transaction identifier, the instruction is transmitted to the payment gateway
and merchant’s bank system. The payment gateway also conducts verification to ensure the
integrity of the information transmitted. The gateway transmits the information to card issuing
bank for authorisation. The payment system sends back an authorisation request to the
merchant and when the merchant decrypts it and authorises, the payment system informs the
buyer that his purchase is approved. The merchant then sends a “capture request message” to
the payment gateway that bears the confirmed authorisation.91
6.6.2 Functioning of SET

The functioning of SET is based on an asymmetric cryptography discussed in chapter on

electronic signatures. The private key is used to encrypt a message and its corresponding public
key is used for its decryption. The public key is accessed by any party as it is published on the
certifying authority’s website or directory. However, a private key is necessary to encrypt a
message and is not shared or publicly known. The digital signatures verify the identity of the
sender of a message and ensure that the integrity of a message is not tampered. The digital
certificate is issued by the certifying authority who is the trusted third party in a transaction. The
cryptographic algorithm used to encrypt a message is known a “hash function” created by use of
sender’s private key. On receipt of the message, the receiver uses public key of the sender to
match the hash produced at his end for checking authenticity. A minor change to the original
message will not lead to the same hash result at the recipient’s end. The SET protocol ensures
non-repudiation. Generally, an express clause is incorporated in the terms and conditions that
state that the payment instructions are irrevocable except when proved that the message is not
authentic or tampered.
6.6.3 Benefits of SET

SET system has many benefits, inter alia, it establishes a connection between a credit card
issuer and buyer and seller in a transaction. A seller is able to check the digital signature
certificates of the buyers and the buyer can use the credit card to pay. The buyer is at ease as
the privacy of the transaction is maintained when the credit card company authorises the
 Page 3 of 14

6.6 Use of SET in Online Payment System

payment and indicates to the seller that the transaction has been completed without disclosing
sensitive information relating to the buyer’s credit card. An e-merchant also finds the charge
back protection quite useful. The e-merchants are not liable for chargebacks when a fake
purchaser conducts a transaction using SET that contains card holder’s digital certificates.
However, the SET was unsuccessful because of its cost and complexity and logistical problems,
and currently VISA uses 3-D secure in place of SET.
6.6.4 3-D Secure

It is an XML based protocol that provides additional security for online payments made by use of
debit or credit cards.

It was developed by Visa but the services are also used by Mastercard. It got its name from
architecture it uses at three levels, acquirer level (merchant and the bank that receives money),
issuer level (the bank that issued credit card) and interoperability level (Infrastructure of card
scheme to interface with 3D secure protocol). The protocol sends XML messages using the
Secure Socket Layer technology for authentication. Today, One Time Password (OTP) method
by SMS is generally used for authentication purposes. It reduces risk of unauthorised
transaction chargebacks. Its disadvantage is the costs of purchasing merchant plugins to
connect to Visa server. Also, cardholders may get induced and entrapped by phishing attacks as
there is possibility of fake popup window emerging for authentication and not by genuine service
provider.
6.6.5 Technical Tools to Track Investments

Today we use internet to make online reservations, pay for air tickets and make other
purchases. Of late there are certain high tech tools and applications developed by Industry to
securely make online investments and manage one’s investment portfolio.

People rely on these tools to make calculations, and arrive at critical decisions on portfolios and
then sell or buy securities online. This assists not only investors but has made it easier for
companies selling investment products to market their products. It has minimised risk of errors
through security online payment transactions. Cellphones are used to manage calendars for
premium payments. Stock exchange recently set up Bombay Stock Exchange, BSE (Star MF)
and National Stock Exchange of India Ltd., NSE (NSEMFSS) and electronic platform for sale of
mutual fund schemes. The Association of Mutual Funds in India (AMFI), mutual fund trade body
 Page 4 of 14

6.6 Use of SET in Online Payment System

has launched its own portal to help investors. Most online trading portals have instruction
manuals, Systematic investment plan(SIP) schemes based calculators, portfolio tracker
software, currency calculators, mathematical formulae applications, news and alert based
systems. With SIP calculators one can put in a denomination of money and calculate the figure
arrived at after few years of continuous SIP payment. Financial advisors could assist through
online chat or SMS in case you need financial advice. Portfolio trackers on various websites
update one on current value of portfolio, cost to strengthen it and determine profit or loss. Some
broking houses use SMS system to report on stock name and current value. This also requires
registration on their website for SMS alerts. Some companies enable buying and selling of fund
schemes through use of cellphones which is software based system. It is also possible to
receive Consolidated Accounts Statement for all mutual fund investments of all fund houses. On
the website of Employees Provident fund organization, a tool assists in calculation of Employees
provident funds. It displays records of latest payment transactions of settlement, details of loans
and transfers made from EPF account. Account balance in provident fund account can be sent
via SMS on the PF account holder’s mobile. For easy dividend payments into a person’s
account, people register with (National Electronic Funds Transfer) NEFT which is supervised by
RBI. For Apple, Blackberry or other smart phone users provide different free or paid software to
enable investors to make investments including special software directed at commodities
markets.92
6.6.6 Latest Position of India’s Payment Systems

At present, in India, different payment systems are functioning including paper based system
and Electronic Fund Transfer System which are secure and settle payment transactions on a
gross and real time basis. These payment systems are used for low value payments and high
value payments and involves settlement of Inter Bank Money Market, Government Securities
and Foreign Exchange transactions. In India, there are approximately 1000 Cheque Clearing
Houses to clear and settle payment transactions involving cheque, drafts, payment orders,
interest/dividends. In many of the clearing houses the cheque processing centers use MICR
Technology. The Clearing Houses, particularly, in metropolitan cities are maintained by the
Reserve Bank which also acts as a settlement bank. In other places, the Clearing Houses may
be managed by public sector banks. The Clearing Houses are in the nature of voluntary entities
constituted by the participating banks and post offices to function in an independent mode.
These Clearing Houses are governed by the uniform regulations and rules for bankers’ Clearing
 Page 5 of 14

6.6 Use of SET in Online Payment System

Houses that prescribes the rules for membership, withdrawal and suspension and prescribes the
procedures to conduct clearing and settlement actions.93

Electronic clearing system functions as a payment system for credit and debit transactions
wherein most of these systems are under the supervision of Reserve Bank and the others are
managed by the State Bank of India. The ECS performs same functions as that of the ACH in
other countries. Around September 2008, the RBI introduced a new service known as National
Electronic Clearing Service (NECS), at National Clearing Cell (NCC), Mumbai94 and in 2009,
the Regional ECS (RECS)95 was launched. The ECS (Debit) scheme enabled debits from an
account of the subscriber of a utility service as a result of a mandate on routine basis. National
Automated Clearing House (NACH) have the same features as ECS with a centralised mandate
management system.

The EFT, electronic funds transfer system is managed by the Reserve Bank at approximately 15
places. These payment systems have set all rules to govern their operations. In NEFT system
batch settlements occur at hourly intervals. The Special Electronic Funds Transfer (SEFT) is
supervised by the Reserve Bank. These electronic funds transfer system use the method of
deferred net settlement to settle a transaction. As regards high value payment transactions, the
interbank cheque clearing systems, high value cheque clearing systems, the government
securities clearing systems, the foreign exchange clearing systems, and the real time gross
settlement system are used. All these systems process the transactions electronically excluding
the high value cheque clearing systems. In these systems interbank/another financial
institution’s payments are processed leaving aside the high value clearing transactions wherein
the cheque deposited by customers are processed for clearing. Whereas the high value clearing
is processed at 15 places managed by the Reserve Bank, the interbank clearing takes place at
around seven places. The Government securities clearing system and the foreign exchange are
supervised by the Clearing Corporation of India Limited. The Real Time Gross Settlement
System is also supervised by the Reserve Bank. Most of these clearing systems excluding
interbank clearing and high value clearing have been shifted to high security systems or the
RTGS system.96 The Reserve Bank also established National Payments Corporation of India
(NPCI) to oversee Retail Payment Systems (RPS) in India which began operating from 2009.97

Unified Payments Interface (BHIM UPI Platform) was launched in August 2016. The BHIM UPI
 Page 6 of 14

6.6 Use of SET in Online Payment System

Platform, is application-based and is usable on smartphones with internet access. The

customers can provide just a registered virtual address for making or receiving payments.

Currently 144 banks participate in the scheme. The system enables two factor authentication,
and instant money transfer through a simple payment address. The payment transaction is
facilitated through a mobile phone application, which could be from a service provider and not
required to be only the user’s bank.

The system has grown rapidly with 800 million transactions per month in March 2019.

Aadhaar Payment Bridge System (APBS) – APBS uses Aadhaar number as the unique key for
electronically availing the Government subsidies and benefits under Direct Benefit Transfer
(DBT) schemes in the Aadhaar-linked bank accounts of the intended beneficiaries. APBS is a
part of National Automated Clearing House(NACH).

Aadhaar Enabled Payment System (AEPS) – With the Aadhaar authentication, AEPS allows
“online interoperable financial inclusion transactions at Micro-ATM through the Business
Correspondent (BC) of any bank”. The beneficiary is identified and authenticated based on
Aadhaar biometric authentication for the purpose of carrying out payment electronically from her
/ his account. Withdrawing money or depositing it.

BHIM Aadhaar Pay – BHIM Aadhaar Pay enables the traders to accept payments from
customers using their Aadhaar number and authentication.
6.6.6.1 Electronic Toll Collections

National Electronic Toll Collection (NETC) System – NETC system facilitates an automated and
interoperable electronic toll collection across the country’s network of highways. An estimated
15% of the toll collection is through this system.

Bharat Bill Payment System (BBPS) – BBPS is an integrated bill payment system which offers
“anytime anywhere” bill payment service to customers using online payments as well as through
a network of physical agent locations.

BharatQR (BQR) code – BQR is an interoperable QR code which does away with the need to
have different QR codes at a merchant location for each of the card payment network. The QR
 Page 7 of 14

6.6 Use of SET in Online Payment System

code-based payment is initiated by the card holder using his / her mobile phone. Bharat QR
includes common specifications for not just card transactions but also for BHIM UPI.

National Unified USSD Platform (NUUP) or *99# - With growing mobile usage, banks
commenced delivery of mobile banking services to their customers using the USSD channel of
the telecom providers.98 A common platform offering USSD-based mobile payments services
was set up. NPCI has introduces the USSD 2.0 version, which integrates BHIM UPI-based
transactions for USSD users through any type of handset.
6.6.7 From Conventional Banking to Internet Banking

In the last few decades banking has undergone a revolution in the manner in which the banks
and payments systems function. With easy accessibility of internet, popularity of computers,
ipads, convenience of phone banking, use of ATM machines, internet banking has captured a
major proportion of banking activity. In earlier times, the internet banking was only popular in the
US and Europe which gradually gained acceptance even in the developing countries including
India. An account holder can easily access his bank account statements online by entering his
personal account number and personal identification number, commonly known as the I-PIN.
The banks verify users’ identity allowing access to the services available online such as
recharge of mobile phone, payment to utility service providers such as electricity department,
telephone department, online trade mark search, online renewal of licenses and registrations.99

Most banks offer special e-services and in certain countries even virtual banks exist. The
websites of banks not only provide static information about the services it provides to its
customers, it also receives complaints or feed backs from its customers through e-mails, blogs,
twitter, chat rooms or other means. Banks also accept online requests of its customers to
transfer money to make payments for sale and purchase of securities, book air tickets, theatre
shows or purchase other products and services online. Most conventional nationalized banks
have also transformed their functioning by adding internet banking facility to the range of
services they offer.100 At present, most banks such as ICICI, Citibank, HDFC, Axis Bank and
PNB offer internet banking services. ICICI allowed users to make online purchases through
shopping websites and even HDFC bank provides B2C services. The shift from paper based
transactions to e-transactions in banking is due to the fact that a large number of operations are
now more or less automated. This means a large part of its activities is performed electronically,
 Page 8 of 14

6.6 Use of SET in Online Payment System

inter alia, Real Time Gross Settlement (RTGS), National Electronic Fund Transfer (NEFT) and
Electronic Fund Transfer. After the introduction of the RTGS system in 2004, money can be
transferred instantaneously across several branches. Its connectivity has grown remarkably.
The NEFT, National Electronic Fund Transfer is meant for low value transactions and was set
up on 1 November 2005. The Check Truncation System (CTS) was launched by RBI to further
support the electronic payment systems.101 Since 2006, the e-payment systems have doubled
and more than 26 banks operating in India offer internet banking facilities. Later, RBI allowed
sharing of ATM by banks by introducing an ATM switch operated by IDRBT, Hyderabad.102 The
banks are constantly improving their business process and security parameters such as
installing PKI system to enhance security protection. On the legislative front, the Negotiable
Instruments Act, 1881 was amended to facilitate check truncation and making e-checks legally
valid and admissible in India.103 The Negotiable Instruments Act, 1881 which is the main
legislation governing cheque based payment mechanism in India includes “electronic image of a
truncated cheque” and a cheque in the electronic form104 within the definition of cheque. There
were amendments in the Information Technology Act, 2000 introducing amendments in the
Reserve Bank of India Act, 1934 that conferred legal recognition and validity to use of electronic
payment systems in India. For electronic payment system such as ECS and EFT a contract is
signed between the participants and the manager of a system. The netting of payables and
receivables is used in all payment systems excluding the RTGS where settlement is effected on
gross basis. The Payment and Settlement Systems Act, 2007, was recently passed to explain
the terms “netting and finality of settlement”. The Payment and Settlement Systems Act, 2007
defines “payment obligation”, “payment instruction”, “payment system” and “gross settlement
system”, “netting”, “settlement” in section 2(1) of the Payment Settlement System Act, 2007.
“Settlement” is defined as

settlement of payment instructions received and this includes settlement of securities, foreign exchange or derivatives or
other transactions.

The settlement can be effected either on net basis or on a gross basis.

The Reserve Bank of India’s Report of the High Level Committee on the Deepening of Digital
payments, provides recommendations to increase the digitisation of online payments. According
to the Committee Report, in order to strengthen consumer confidence in online payments, real
time fraud detection systems could be deployed to rate the risk of fraud for users and relevant
 Page 9 of 14

6.6 Use of SET in Online Payment System

volume, velocity limits be placed on high risk users. To increase customer protection, all users
and accounts are ought to be evaluated for vulnerability to fraud.

The Committee recommended payment schemes may be allowed to reject high risk
transactions, or to use additional factors of authentication before processing the payment
instructions. The Committee also recommended legal framework of dispute resolution and
grievance redressal system should be made more customer friendly. As per RBI records,
1,74,805 complaints were handled by ombudsman in 2017–18.105 The Committee
recommended that in case of an unauthorised transaction such as fraudulent debit, the victim
must be compensated in a timely manner, while investigating the complaint.

The RBI needs to ensure that once fraud is traced to the source — the legal recourse and
prosecution must follow. These cases must be publicised through media to deter criminals from
committing these crimes.

All intermediaries in the transaction must cooperate with law enforcement to provide logs
relevant to the reported fraud immediately, and through an automated system to act with
efficiency.

The Committee also recommended the use of insurance by payment service providers to protect
customers and service providers from loss.

The Committee recommended:

that the RBI and the Government plan for digital transactions volume to grow by a factor of 10 in three years. This would
result in per capita digital transactions to reach 220 in three years from current level of 22. The corresponding increase in
value relative to GDP would be 2 times. This growth may be accompanied by a corresponding increase in the number of
users of digital transactions by a factor of three, from approximately 100M to 300M.106

6.6.8 Rise in Popularity of Cyber Insurance

Many internet service providers and IT based companies are opting for cyber insurance policies
to protect their data and businesses from hacking and intrusion attacks. Risks of this nature are
either not covered by general insurance policies or in some cases specially excluded. At least
one of the earliest, cyber liability policies was developed for the Lloyd’s of London market in
2000. Such policies cover first party coverage against losses due to hacking, data theft, phishing
 Page 10 of 14

6.6 Use of SET in Online Payment System

attacks, man in the middle attacks and denial of service attacks. It covers losses caused by acts
or omissions of negligence caused by an employee of a company and insures even directors
against exposure to vicarious or other kinds of liability, in contract, tort, in equity or otherwise. It
could cover costs of litigation, security audit. Insurance policies are being bought along with
other IT security services. The underwriting criteria is fairly nascent and is under developing
stages. Insurance coverage from cyber-attacks helps mitigate losses, build resilience in
companies that suffer from large scale attacks. With cost of premiums proportionate with the
size of expected loss from such risks, many companies have begun taking cyber insurances.
With an 86% increase in cyber-attacks during covid lockdown itself, cyber insurance holds an
attractive future in India and across the world. This is particularly because in spite of encryption
and other technologies cyber security remains vulnerable to attacks and new ways of breaking
the seemingly fool proof systems with robust security. As an additional measure cyber insurance
helps protect the security infrastructure and framework of any organisation. Cyber insurance
premiums are expected to grow from around $2 billion in 2015 to an estimated $20 billion or
more by 2025, insurers are continuing to develop underwriting requirements.107 A DSCI report
showed that 350 cyber insurance policies were bought by Indian corporates in 2018 as against
250 in 2017 with a 40% increase in the sale of these products. The average cost of data breach
in India has risen by 7.9% to Rs12 crore in 2017–18.108

With more crimes shifting from offline to online media, insurance companies are carefully
tweaking their policies to cover cyber defamation, cyber-attack and cyber war from malware
attacks to denial of service attacks to ransom ware. The insurance companies leave lacunae to
minimise their risk too, and that is where a policy holder must be careful to understand what is
covered and what is excluded in a cyber-insurance policy.
6.6.9 International Electronic Fund Transfers

The banking systems have undergone a sea change since the inception of the banking industry
and developed new services and network for transferring funds across different jurisdictions
such as EFT that can be used to transfer funds between financial institutions. An apt example in
this category is the SWIFT that stands for Societies for World Wide Inter Bank Financial
Telecommunications. Its headquarters are situated at Brussels and it provides communication
facilities between banks across borders. It is used for transmitting payments, settlement of
securities and transferring business messages. With the establishment of real time systems in
 Page 11 of 14

6.6 Use of SET in Online Payment System

fund transfer mechanism such as retail EFT there has been a revolution in internet banking. This
technique employs a cash management system whereby customers give payment instructions
to their bank through dedicated point of sale terminals or personal computers on internet. In U K,
SWITCH is a popular payment mechanism. In the last decade the EFT POS system was used in
conjunction with Visa and Mastercard and gained phenomenal acceptance across different
countries. A seamless standardisation has been achieved as regards the content of the
messages in fund transfer. Simplification of EDI and electronic payment processes has been the
output of constant efforts being made by American National Standard Institute, the UNCITRAL
for the Model Law of e-commerce,109 1996, ICC and its role in forming General Uses For
International Digitally Ensured Commerce Guidelines110 and European Union and its role in
drafting Electronic Signature Directive,111 Directive On E-Money112 and the Money Laundering
Directive and efforts of OECD in framing the Cryptography Policy, 1997113 which led to a
seamless standardisation to facilitate e-payment systems and promote e-commerce.114

The World Wide Web Consortium (W3C) has also contributed to the growth of e-commerce. It
pays emphasis on installing the right infrastructure to propagate e-payment systems for
transacting online business and sale and purchase of products and services online. It created
the W3C XML signature, a method to sign documents and for authentication purpose. The W3C
XML encryption allows information to be transmitted without tampering of its contents and the
W3C XML protocol is used to create techniques where P2P sharing is possible. It also creates
systems for automation and use or reuse of data in software applications. Its P3P i.e. the
Platform for Privacy Preference Project ensures data protection in B2C transactions. The W3C’s
micro payment initiative (which is now reported to be closed on their website) described
methods to transmit relevant data to facilitate micro payment transfers.115

Currently, instant payments are far more popular. The Euro Retail Payments Board (ERPB) has
provided a widely accepted definition of instant payments that are:

Electronic retail payment solutions available 24/7/365 and resulting in the immediate or close-to-immediate interbank
clearing of the transaction and crediting of the payee’s account with confirmation to the payer (within seconds of payment
initiation).116
 Page 12 of 14

6.6 Use of SET in Online Payment System

91 Stephen York, Ken Chia, Hammond Suddards (Firm), E-Commerce: A Guide to the Law of Electronic Business, Lexis
Nexis Butterworths, 1999, p 70. Keith Lamond, “Credit card Transactions Real World and Online” Available at :
http://www.virtualschool.edu/mon/ElectronicProperty/klamond/credit_card.htm (last accessed in September 2021), see
SET: “Steps in Making a Credit Card Purchase using SET Protocol” at (SET verifies the party’s identity through
certificates issued by a Certifying Authority. These certificates are verified by a buyer, merchant and seller’s payment
gateway software to verify their identities.

92 “Tech Tools to Track your Investments” in The Times of India, 29 November 2011.

93 See RBI website Available at : http://www.rbi.org.in/scripts/bs_viewcontent.aspx?id=2180 (last accessed in September

2021).

94 RBI, “Overview of Payment System in India”, Available at : http://www.rbi.org.in/scripts/PaymentSystems_ UM.aspx

(RBI reports “NECS (Credit) facilitates multiple credits to beneficiary accounts with destination branches across the
country against a single debit of the account of the sponsor bank”) (last accessed in September 2021).

95 RBI, “Overview of Payment System in India”, Available at : http://www.rbi.org.in/scripts/PaymentSystems_UM. aspx

(RBI reports “RECS has been launched during the year 2009. RECS, a miniature of the NECS is confined to the bank
branches within the jurisdiction of a Regional office of RBI. Under the system, the sponsor bank will upload the
validated data through the Secured Web Server of RBI containing credit/debit instructions to the customers of CBS
enabled bank branches spread across the Jurisdiction of the Regional office of RBI. The RECS centre will process the
data, arrive at the settlement, generate destination bank wise data/reports and make available the data/reports through
secured web-server to facilitate the destination bank branches to afford credit/debit to the accounts of beneficiaries by
leveraging the CBS technology put in place by the bank. Presently RECS is available in Ahmedabad, Bengaluru,
Chennai and Kolkata”) (last accessed in September 2021).

96 See “Payment Systems-Current Status”, RBI website Available at : http://www.rbi.org.in/scripts/bs_viewcontent.

aspx?id=2180 (last accessed in September 2021).

97 RBI, “Overview of Payment Systems in India”, Available at : http://www.rbi.org.in/scripts/PaymentSystems_ UM.aspx

(last accessed in September 2021). RBI states that “NPCI has taken over National Financial Switch (NFS) from Institute
for Development and Research in Banking Technology (IDRBT)”.

98 Available at :
https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/CDDP03062019634B0EEF3F7144C3B65_360B280E420AC.PD
F (last accessed in September 2021).

99 Abdullah S AL – Mudimigh, “E-Business Strategy in an Online Banking Services: A Case Study”, Journal of Internet
Banking and Commerce, April 2007, No. 1 Available at : www.arraydev.com/commerce/jibc/2007-
04/abdullahfinal_pdfversion.pdf (last accessed in September 2021). (This paper discusses the e-business model
adopted by Citibank in UAE offering retail banking services to its customer base, see “The Indian Internet Banking
Journey”, Available at : http://www.scribd.com/doc/18643180/ (last accessed in September 2021).

100 In 2001, the Reserve Bank of India conducted a survey that declared around 50% of the banks in India offered
net banking services. Around 2001, internet users were approximately 9 lacs and by 2003, it was estimated to be
around 90 lacs. By the year 2000, the internet users which were 1% in 1998 escalated to 16.7%. Reserve Bank of
India, Report on Internet Banking, Available at : http://www.rbi.org.in/scripts/publicationReport Details.aspx?ID=243
(last accessed in September 2021).
 Page 13 of 14

6.6 Use of SET in Online Payment System

101 Available at : RBI website www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=2179 (last accessed in September

2021).

102 Ibid.

103 See section 6 of the Negotiable Instruments Act, 1881 (substituted by Act 55 of 2002, section 2 for section 6
(w.e.f. 6-2-2003). According to section 6, a cheque is defined as a Bill of Exchange drawn on a specified banker and
not expressed to be payable except on demand. It includes an electronic image of a truncated and cheque in electronic
form. “A cheque in electronic form” means a cheque containing mirror image of a paper cheque which is digitally signed
(with or without biometric signatures) and asymmetric crypto system. “A truncated cheque” is defined as a cheque
which is truncated during clearing cycle by the clearing house or the bank which pays or repays the payment when the
electronic image is transmitted in place of the physical delivery of a cheque in writing.

104 See section 6 (a) and 6(b) of the Negotiable Instruments Act, 1881.

105 Annual Report of the RBI Banking Ombudsman 2017-18, Available at : https://m.rbi.org.in/Scripts/Publication
sView.aspx?id=18948.

106 Available at : https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/CDDP03062019634B0EEF3F7144C3B

65360B280E420AC.PDF (last accessed in September 2021).

107 Big Companies Thought Insurance Covered A Cyber-attack. They May Be Wrong, Available at :
https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html (last accessed in September
2021).

108 Read more Available at : https://economictimes.indiatimes.com/industry/banking/finance/insure/indian-cyber-

insurance-market-grows-
40/articleshow/69099850.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst (last accessed
in September 2021).

109 “UNCITRAL Model Law on E-commerce” Available at : https://www.uncitral.org/pdf/english/texts/electcom/05-

89450_Ebook.pdf (last accessed in September 2021).

110 ICC, GUIDEC, Available at : http://www.iccwbo.org/policy/ebitt/id2340/index.html (last accessed in September

2021) and Available at : http://cryptome.org/jya/guidec2.htm (last accessed in September 2021).

111 E-signature Directive, Available at : http://europa.eu/legislation_summaries/information_society/l24118_en.htm

(last accessed in September 2021).

112 See E-Money Directive 2009/110/EC, Available at : http://eur-lex.europa.eu/legal-content/EN/TXT/ ?uri=celex:

32009L0110 (last accessed in September 2021).

113 OECD Guidelines Cryptography Policy, 1997, Available at : http://www.oecd.org/document/34/0,

3746,en_2649_34255_1814690_1_1_1_1, 00.html (last accessed in September 2021).

114 Chissick, Michael, Kelman, Alistair “Electronic Commerce Law and Practice”, Sweet & Maxell, 1999, pp 124–
127.

115 Available at : www.w3.org/ecommerce/ (last accessed in September 2021).

116 Available at : https://www.ecb.europa.eu/paym/integration/retail/instant_payments/html/index.en.html (last

accessed in September 2021).
 Page 14 of 14

6.6 Use of SET in Online Payment System

End of Document
 6.7 Conclusion
Computers, Internet and New Technology Laws, 3rd Edn

Dr Karnika Seth

Computers, Internet and New Technology Laws, 3rd Edn > Dr Karnika Seth: Computers, Internet and
New Technology Laws, 3rd Edn > CHAPTER 6 ELECTRONIC MONEY

CHAPTER 6 ELECTRONIC MONEY

6.7 Conclusion

The popularity of net banking and e-payment systems have revolutionised the banking industry
and made the world small as a fist! It is so easy to store, rotate and transfer money across far
jurisdictions on the click of a mouse. In the micropayments segment, “electronic money” has
substituted the “paper money” to a large extent. Adequate legislative measures and
technological tools are being developed to create seamless electronic payment systems to
further the interests of e-commerce, build safety and trust in electronic payment mechanisms
India has developed a sound regulatory framework to promote internet banking, regulate
payment gateways and prepaid electronic money instruments that are supervised by the
Reserve Bank of India that issues appropriate guidelines from time to time. Most micro
payments are being processed through secure electronic payment gateways. With increasing
deployment of technological tools to ensure security, even macro e-money transactions may be
carried out using electronic money methods in the near future.

End of Document