
Major flaw HDFC credit cards (DCB)

birususama

TF Buzz
VIP Lounge
Hello everyone,
I was trying to pay through DCB on an international website which asked for my card details, expiry and CVV, and the transaction went through instantly without the second level of authorization, which is PIN/OTP.
Called HDFC phone banking immediately and the answer was "Some merchants do not have the PIN/OTP requirement, hence the transaction went through". How can this be allowed by the bank?
Do you really think this flaw has to be rectified immediately by HDFC? What is your opinion, guys?
 

bonheur

TF Premier
VIP Lounge
My policy is to use card limit settings judiciously for all kinds of spend matrices - (online/pos/contactless) x (domestic/intl) and totally disable ATM except when needing to change PIN offline - and set low enough limits that I expect to meet on a regular basis. If I have a high value expense to make, I increase my limits on the spot and then immediately revert to the low value once it's done.
 

Gaurav555

TF Buzz
I have ordered from Apple Thailand to my friend's address, billing is in his name.
I used my Credit card (Axis Magnus).
The amount will be deducted at shipping i.e. not deducted yet.
Hopefully Apple Th will process without OTP.
Is there any chance of the transaction getting declined coz billing is in my friend's name, but the card has my name? And the transaction is in Thai Baht, not INR.
Is there any way to ensure the bank/Apple doesn't flag/hold the payment?
 

SmartSave

TF Premier
7 years ago, I had bought a conference ticket in the US (online portal) and guess what? Forget OTP, the payment went through without even the CVV, and that shocked me at the time. Literally, it was just the card number and expiry; that's all it took to charge the card. I even asked the bank and they said some gateways work that way and it's normal -- I even sent a mail to the organizers stating the payment page never asked me for the CVV, and they said it's fine. Perhaps it wasn't as strict as it may be now, but regardless, it worked and the money had been deducted too. Maybe the payment processor had a limit to a certain extent, in which case CVV would become mandatory, just like our tap and pay that won't require any PIN, but it's the online version, and the ticket itself was under $200 at the time.

That is when I learnt it's not just the card number / CVV that needs to be kept a secret, but everything needs to be protected. I've seen people at times don't redact the card number properly, or never, and just share both number and expiry thinking they didn't share the CVV so it shouldn't be a problem, but if some malicious person gets hold of this and if these kinda payment gateways still exist, then they can easily charge the card.

It's best to set a per-transaction limit or completely disable international on cards that are not being used for international transactions. Sure, you can chargeback and liability coverage will take care of it, but it's far better to do this than going through reporting and dealing with the hassle of recovery.

Edit:
Found their response from the archive, here you go. It appears CVV is merely an added protection for the merchant to confirm the payment came from you only but this payment gateway must've had some really sophisticated fraud protection system to not want the CVV at all. Some crazy level of system.


[Attached image: non-cvv-payment.png]


Is there any chance of the transaction getting declined coz billing is in my friend's name, but the card has my name? And the transaction is in Thai Baht, not INR.
Is there any way to ensure the bank/Apple doesn't flag/hold the payment?

You may get a call to confirm the payment from the risk/fraud monitoring department. So just confirm it was you only who did the transaction and they'll process it. Should be just fine.
 