It is no news that online payment solutions in Nigeria remain in the dark ages. I have seen numerous calls for Paypal, Google and more recently Stripe to save Nigeria from the likes of Interswitch (ISW). Interswitch’s OTP (One Time Password) is one of such concerns featured in many conversations lately.
OTP or SAFETOKEN according to ISW is “a system that generates a 6-8 digit One-Time-Password (OTP) whenever a transaction is initiated via the Interswitch Web Payment Platform”.
Notice the emphasis on “…via the Interswitch Web Payment Platform”.
It goes on — “…this is needed to permit your transaction that is above the bank set limit go through provided the merchant site is integrated to the Interswitch payment gateway”.
So I had this rather fascinating conversation on Twitter about OTP and how Interswitch ought to follow international best practices with regards to card not present transactions and not create additional loops in managing inherent risks with such transactions.
Celestine who as far as I know works for ISW attempted to educate the audience on OTP but failed to articulate why ISW’s introduction of OTP is the way forward towards a safer environment for promoting card not present transactions.
In his words…
@niyoma I‘m quite sure that d folks runnin ISW knw more abt intnl best practices than u do @dikachim @editieffiong @iaboyeji @seyitaylor
— Celestine Ezeokoye (@celestocalculus) January 25, 2014
To be fair to Celestine, he would not be privy to the fact that my background is banking amongst other things I try to dabble into hence his rather dismissive chatter.
So why introduce OTP?
OTP is about an attitude towards risk management and mitigation. Let’s put aside the technical rigmarole of implementing OTP for a bit. Card not present transactions by their very nature carry a much higher fraud risk compared to face-to-face transactions hence the need for additional security checks to validate that a cardholder has indeed authorised a transaction.
I don’t have any issues with OTP per se, what I have an issue with is a convoluted and ill-thought-out process introduced by ISW. Risk management is about risk reduction in addition to identifying and accepting some level of risk. It is clearly not about shut-the-door-we-are-too-scared-of-fraud. It is also not meant to introduce unnecessary inconveniences and additional costs to the cardholder. However, I imagine a key driver for OTP is a wider CBN initiative to introduce second level authentication for card not present transactions. But surely this should be the role of the banks and not ISW?
There are a number of things worth considering.
- A risk management strategy must be balanced against the nature and probability of such risk. Nigeria isn’t even ranked in the top 10 percentile for card fraud according to this Forbes article. I mean why would you use bazooka to kill a mosquito?
- There should be no reason to reinvent the wheel. Rather, ISW and banks need to adopt international best practice where available. VISA and MasterCard already have 3D Secure under the umbrella of Verified by VISA and MasterCard SecureCode. Reinventing the wheel introduces new risks to the whole payment process.
- A risk management process must be seamless to the end-user and should ideally not create additional loops and costs to the cardholder
- The onus on risk mitigation must go beyond the cardholder. Merchants (store owners etc.) and banks have a huge role to play in risk mitigation. I mean why as an end-user should I have to pay (SMS costs etc.) to validate that I am indeed Mr. Sule? This is rather ridiculous to say the least.
So why the fuss?
I reckon part of the problem is that there isn’t a clear definition of what role ISW plays or should play in the Nigerian payment industry. As far as I am aware ISW is a payment processor and not a bank. They should have no business introducing any new layers of authentication to the payment process. However taking a closer look, it would appear Nigerian banks have outsourced a shed load of responsibilities and infrastructure to ISW hence the mess we find with payments and OTP.
Is OTP’s introduction purposeful or obtrusive?
Banks worldwide rely on rather complex risk algorithms to whittle out potentially fraudulent card transactions. The rather strange thing though is that Interswitch’s OTP appears to be local and does not protect a Nigerian MasterCard from fraudulent use abroad. For example, if a Nigerian MasterCard is fraudulently used to buy Skype credits online, OTP won’t be triggered as OTP is specific to the ISW payment gateway. Ridiculous if you ask me.
Put in another way, OTP punishes a user with a Nigerian debit/credit card on a Nigerian store yet allows a fraudster in another country free access to the same card without OTP.
My recommendations
It would be unfair to whine about ISW’s OTP without proffering any solutions.
So here they are…
- Interswitch should stick to what they do best – payment processing. They have no business creating additional authentication loops
- Scrap OTP and work with banks/card issuers to introduce internationally recognised card and user authentication standards such as 3D secure by MasterCard and VISA
- Greater onus needs to be placed on store merchants with regards to risk profiling payments they receive
- Introduce better risk management metrics (CVV match, AVS, IP, risk scoring etc.) to help store merchants make informed decisions
- Work with banks on robust policies on chargebacks and fraud
This post first appeared on Peter’s blog.
