Why We Still Trust Cards: The Habit Behind Digital Payment Safety

By: Rakesh Raghuvanshi, Founder & CEO, Sekel Tech

For years, card payments have been treated as the safest way to pay digitally. The reason behind this is more behavioural than anything else. Consumers learned to trust the familiar ritual of entering a card number, an expiry date, and a security code, now followed by a one-time password. There was also the general feeling of “my card is useless to a thief without my PIN”. 

That trust, however, was built in a very different era of the internet. As digital commerce expanded, so did the attack surface and the threat landscape around card payments. An ‘attack surface’ is any way or medium through which a hacker or cybercriminal can try to steal your money, your data, or both, while the ‘threat landscape’ simply means the sheer number of threats you encounter as you navigate the world of digital payments.

Today, many of the most common forms of online fraud are rooted in how card systems are designed.

This is where Pay by Bank, also known as account-to-account or A2A payments, becomes significant: it is quietly changing the security equation.

In a typical card transaction, sensitive payment details are either shared with the merchant or stored with intermediaries involved in processing the payment. Even when encryption and security standards are followed, these details remain reusable, meaning that the same PIN or card details can be used to steal the customer’s money in the event of a breach. Fraud of this kind, where the card itself is not needed to steal money from the account it is connected to, is known as “card-not-present” fraud.

A2A payments work differently. When a customer chooses the Pay by Bank option at checkout, they are redirected to their own bank’s application or website. As a result, the payment is authenticated using the same safeguards customers rely on for everyday banking, like one-time passwords, device IDs or biometrics.

The customer approves a specific transaction amount, and the bank transfers funds directly to the merchant’s account. At no point does the merchant receive the customer’s bank credentials or any reusable payment information. 

In other words, A2A payments remove the need to share sensitive payment data with multiple parties. The merchant receives confirmation that payment has been made, nothing more. From a security standpoint, this eliminates the entire phenomenon of card details being stored and all the threats that come with it. 
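The contrast described above, as an added toy model (not code from the original article or from any real payment system): static card details copied from a merchant can be presented again anywhere, while a bank approval bound to one payee and one amount cannot be replayed or altered. The function names, the `BANK_KEY` secret and the HMAC-tagged approval format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy model: every name and the approval format here are illustrative assumptions.
BANK_KEY = secrets.token_bytes(32)  # secret known only to the bank

def card_charge(card_on_file, presented, merchant, amount):
    """Card model: static details are the only check; merchant and amount are not bound."""
    return hmac.compare_digest(card_on_file, presented)

class Bank:
    def __init__(self):
        self.settled = set()  # approval references that have already paid out

    def _tag(self, ref, payee, amount):
        msg = f"{ref}|{payee}|{amount}".encode()
        return hmac.new(BANK_KEY, msg, hashlib.sha256).hexdigest()

    def approve(self, payee, amount):
        """Issued only after the customer authenticates inside the bank's own app."""
        ref = secrets.token_hex(8)
        return {"ref": ref, "payee": payee, "amount": amount,
                "tag": self._tag(ref, payee, amount)}

    def settle(self, approval):
        """Pay out once, and only for the exact payee and amount approved."""
        expected = self._tag(approval["ref"], approval["payee"], approval["amount"])
        if not hmac.compare_digest(expected, approval["tag"]):
            return False  # payee or amount changed after approval
        if approval["ref"] in self.settled:
            return False  # this approval was already used
        self.settled.add(approval["ref"])
        return True

def simulate_merchant_breach():
    """Compare what data copied from a merchant is worth in each model."""
    card = "4111111111111111|12/29|123"  # constructed test value, not a real card
    stolen_card = card                   # the merchant stored reusable details
    bank = Bank()
    approval = bank.approve("shop-a", 49900)
    first = bank.settle(approval)        # the legitimate payment
    stolen = dict(approval)              # everything the merchant ever held
    altered = {**stolen, "payee": "other-shop", "amount": 999900}
    return {
        "card_reuse": card_charge(card, stolen_card, "other-shop", 999900),
        "a2a_first": first,
        "a2a_replay": bank.settle(stolen),
        "a2a_altered": bank.settle(altered),
    }
```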

UPI payments, for instance, require two-factor authentication and are initiated by the user, which means money is actively pushed from the payer’s account. Because there are no card numbers involved, large-scale theft of reusable payment credentials is far more difficult. Despite handling enormous transaction volumes, UPI has demonstrated relatively low levels of systemic fraud compared to card-based systems, particularly in online environments.

This does not mean A2A payments are immune to fraud. Rather, the risk shifts from credential theft to social engineering. Put simply, this is when cybercriminals cheat the user and not the system, through means like impersonation, spoofed websites and elaborate made-up stories designed to lure or fool them into making payments.

Recognising this, many A2A systems are introducing additional safeguards. Some banks use recipient name verification, which checks whether the name entered by the payer matches the recipient account. Others apply behavioural analytics to flag unusual transactions. 

There is also a data protection dimension that is becoming increasingly important. Regulations such as India’s Digital Personal Data Protection Act emphasise collecting and processing only what is necessary. Card payments by definition involve the handling of sensitive financial identifiers. A2A payments are more closely aligned with data minimisation, which is a crucial requirement under the Act. 

For consumers, the shift requires a change in mindset. Paying by bank feels different from using a card because it involves conscious approval through a banking app. Users see the exact amount, the recipient, and the authorisation request, all within a trusted environment. 

What is emerging is a more balanced definition of payment security. Card payments remain useful and will continue to play a role, particularly where credit is involved. At the same time, A2A payments are proving that security can be improved by reducing complexity and data sharing rather than adding more layers on top of an already exposed system.
