The Reserve Bank of India moved to close a loophole on Friday, saying that the rules need to be followed with respect to e-commerce credit card transactions "essentially taking place between two residents in India". This means that companies such as Uber will need to follow the two-step authentication process that it was able to circumvent by virtue of having an overseas payment gateway. Its rivals welcomed the move.

The central bank told banks to ensure that payments should be in rupees in instances when the credit card is not presented physically. "It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated," RBI said in a note to banks on Friday.

The RBI clarification will have an immediate impact on the hotly contested taxi business, especially Uber, which has rapidly gained users in India. The San Francisco company has so far been able to charge credit cards of users without authentication. Uber users are automatically charged at the end of their ride based on card details stored at the time of enrollment. That's because authentication doesn't apply when making purchases from websites overseas. The central bank has now closed that loophole.

This raised the hackles of radio taxi operators who complained to the central bank that Uber, by using a payment gateway overseas and skipping two-factor authentication, had an unfair advantage over those employing domestic gateways. Friday's development will mean Uber will need to adapt to the new rules.

"It has come to our notice that... there are instances of card-not-present transactions being effected without mandated additional authentication/validation even where underlying transactions are essentially taking place between two residents in India," noted RBI.

Aprameya Radhakrishnan, cofounder and director of Taxi for Sure, a Bangalore-based online taxi aggregator and Uber rival, said, "It will impact only foreign companies who are operating in India through an international payment gateway or by storing credit card details." Uber declined to comment.

RBI said the linkage to an overseas website or payment gateway cannot be the basis for permitting relaxations. RBI observed some are evading the mandate of additional authentication by following business and payment models that resulting in foreign exchange outflow.

"Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of transactions, is not acceptable as this is in violation of directives issued under the Payment & Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999," RBI said.

RBI had made it mandatory for banks to put in place additional authentication based on information not visible on the cards for all online transactions to prevent fraud.

Satyen Kothari, founder and CEO of payment site Citrus Pay, said, "We are not at all surprised with this development. The RBI always wanted to protect the Indian customer and it's shown that it will continue to do so. This is an obvious flaw and had to be corrected. Now all Indian and foreign companies have a level-playing field." (Economic Times)