Early this month, users in India with subscriptions to online services and recurring billing were bombarded with emails and notifications informing them that their payments had failed. This was triggered by the new Reserve Bank of India (RBI) rules mandating an additional factor of authentication (AFA) for all recurring credit or debit card payments. The new rule was expected to be enforced from March 31 this year, but was extended till September 30.
Users across India couldn’t access services like Apple services, Netflix and more until they re-authenticated the payment credentials. According to social media posts, many are still facing these issues. For recurring payments above Rs 5,000, banks are also required to send a one-time password to users for re-authentication.
Who has been impacted most?
Users who were billed every month for utility payments and subscription services were more likely to be affected than those who were billed annually. Most users rely on credit or debit cards for subscription payments, as many online services, especially those domiciled in other countries, do not support other modes of payment, like the Unified Payments Interface (UPI) or payment wallets.
According to industry experts, many of the online service companies had anticipated disruption of this sort and had added an annual billing payment option to avoid it. They even offered heavy discounts on annual plans to entice users to switch to them. Though the RBI had warned about the new rules in advance, many of the companies didn’t take proper measures to apprise users of it. The sudden disruption of services and having to update card credentials on each of them manually can be frustrating.
How did it impact businesses?
Despite prior warnings from the RBI, many service providers were unprepared for the new rules and subsequent re-authentication process. As a result, many users trying to enter their card credentials to re-authenticate payments struggled due to technical issues. They were asked to do it later or pick a different mechanism, like PayPal, especially if the service provider was global.
Experts believe the failure to re-authenticate on the part of users will impact the revenue streams for many for a month or two. This will have a major impact on the bottom line of smaller apps and service providers as compared to their larger or global counterparts. According to the Internet Freedom Foundation (IFF), a privacy watchdog, following the RBI regulations, 70% of their membership base was wiped out, leading to a shortage of funds required for their operations including salary payments.
How does it impact India’s image globally?
The recent disruption reinforces the fact that recurring payments have never been smooth in India. Both Indian and foreign developers have struggled time and again because of the regulatory complexities. While experts feel that the move to re-authenticate payments in India is a positive one and will enhance their security, they said that the manner of the rollout shows the indifference of regulators towards startups and the challenges they face. Many believe regulatory inconsistencies like this would force many Indian startups to domicile in other markets.
How can disruption of this sort increase the risk of exploitation by attackers?
Though there have been no reports of phishing emails trying to take advantage of the disruption of services, cybercriminals are known to exploit any large-scale events impacting millions of users. For instance, right after the pandemic began, cybercriminals launched phishing email campaigns in the name of the World Health Organization (WHO) and the US Centers for Disease Control (CDC), offering tips on avoiding infection. Likewise, during the premiere of the final season of the popular HBO series Game of Thrones, attackers launched a massive campaign with malicious websites offering merchandise and tickets to events to fans. So, it’s important to ensure that an email about subscription payments is coming from a legitimate email address and website.