Quick Summary
What This Is About
Since March 2020, the RBI requires every new or reissued Indian card to ship with international transactions switched off. You have to deliberately turn them on. So why is this still a risk worth your attention?
Because most people switch international usage on once, for a trip, a foreign hotel booking, or a subscription like Netflix or Spotify, and never switch it back off. It quietly stays enabled for months or years. Older cards issued before the 2020 rule may also still have it on. Either way, leaving the channel open when you don’t need it is a real risk you can close with a 30-second toggle in your banking app.
TL;DR
- International card payments often have no OTP; a card number, expiry date, and CVV can be enough to transact
- RBI mandates 3D Secure (OTP) for domestic online card payments; it does not apply to a foreign merchant’s checkout
- International usage is off by default on cards issued since March 2020, but it stays on once you enable it, so disable it when you’re not actively using it abroad or on foreign sites
Understanding the Problem
Why International Payments Often Skip the OTP
When you shop on an Indian website, say Amazon.in or Zomato, you enter your card details and then wait for an OTP on your registered mobile. Without that OTP, the payment doesn’t go through. Full stop. That friction is the core fraud safeguard for domestic transactions.
International payments often work on completely different rules. When a merchant is based outside India, whether it’s a foreign e-commerce site, a streaming service, or a hotel booking portal with servers abroad, the OTP step frequently doesn’t apply. In many cases the payment clears with just:
| Card number + Expiry date + CVV. That’s it. No OTP. No 2FA. No confirmation push. |
If someone gets hold of those three details through a data breach, a phishing form, a skimmer, or even a screenshot you forgot you shared, they can attempt purchases on foreign websites with little or no additional verification.
RBI’s 3D Secure Mandate: What It Covers and What It Doesn’t
The OTP protection you see on domestic payments exists because the RBI mandates it. The framework is called 3D Secure (3DS), and its scope is very specific:
| RBI requires an Additional Factor of Authentication (AFA), typically an OTP sent to your registered mobile, for online card-not-present transactions processed through Indian payment gateways. |
The key phrase is “processed through Indian payment gateways.” The moment a merchant is foreign and the transaction routes through an international processor, Indian AFA rules don’t govern their checkout.
| Transaction Type | OTP Required? | Who Controls This |
| Indian website (Amazon.in, Swiggy, Myntra) | Yes, mandatory | RBI AFA circular |
| International website (Amazon US, Spotify, Netflix US) | Usually not | Foreign merchant’s gateway |
| Card swipe at overseas POS terminal | No | Local payment network rules |
| Indian site routed through a foreign gateway | May vary | Depends on gateway setup |
3D Secure is a Visa/Mastercard protocol that adds an authentication layer at checkout. India adopted it early and made it mandatory domestically, which is why Indian cardholders are unusually well protected for domestic online payments compared to most countries. The gap is that this protection doesn’t reliably travel internationally.
How Fraud Actually Happens with Leaked Card Details
Card data leaks constantly. Databases get breached, phishing pages harvest card numbers, skimmers get installed at fuel stations. This isn’t hypothetical, and the card data is actively bought and sold.
What stops a fraudster from using your leaked Indian card for domestic purchases? The OTP. They have your card number, expiry, and CVV, but not your phone. Transaction blocked.
What stops them on a foreign site? Often very little, if international usage is enabled on your card.
The typical fraud pattern goes like this: card details get leaked, the fraudster runs a small test charge on a foreign site, if it clears they go bigger, and you notice days later when you check your statement. By then chargeback timelines have already started running.
Foreign merchants don’t verify whether the person typing in the card details actually owns the card. They rely on the card network’s fraud detection, which is probabilistic. It catches patterns. It’s not a guarantee.
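The test-then-escalate pattern described above can be checked for in your own transaction alerts. This is an added example, not code from the original article; the alert fields, the sample alerts, and the three thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (tune to your own spending): what counts as a "test"
# charge, how much bigger the follow-up must be, and how soon it must follow.
TEST_MAX_INR = 200.0
ESCALATION_FACTOR = 10.0
WINDOW = timedelta(hours=72)

# Constructed sample alerts: (card, ISO time, amount in INR, merchant country, status)
SAMPLE_ALERTS = [
    ("card-A", "2024-05-01T09:10", 1499.0, "IN", "cleared"),
    ("card-A", "2024-05-03T02:14", 85.0, "US", "cleared"),     # small foreign charge
    ("card-A", "2024-05-03T02:41", 42000.0, "US", "cleared"),  # much larger follow-up
    ("card-B", "2024-05-02T11:00", 120.0, "GB", "declined"),   # international usage off
    ("card-B", "2024-05-02T11:05", 30000.0, "GB", "declined"),
    ("card-C", "2024-05-04T08:00", 149.0, "US", "cleared"),    # small charge, no follow-up
]

def find_test_then_escalate(alerts, home_country="IN"):
    """Return (card, (time, small), (time, big, country)) for each cleared small
    foreign charge followed within WINDOW by a much larger cleared foreign charge."""
    by_card = defaultdict(list)
    for card, ts, amount, country, status in alerts:
        # Domestic charges sit behind the OTP; declined ones never went through.
        if country != home_country and status == "cleared":
            by_card[card].append((datetime.fromisoformat(ts), amount, country))
    findings = []
    for card, txns in by_card.items():
        txns.sort()
        for i, (t0, small, _) in enumerate(txns):
            if small > TEST_MAX_INR:
                continue
            for t1, big, country in txns[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                if big >= small * ESCALATION_FACTOR:
                    findings.append((card, (t0, small), (t1, big, country)))
                    break
    return findings

if __name__ == "__main__":
    for card, (t0, small), (t1, big, country) in find_test_then_escalate(SAMPLE_ALERTS):
        print(f"{card}: INR {small:.0f} at {t0}, then INR {big:.0f} ({country}) at {t1}")
```

Only card-A is flagged in the sample: card-B's charges were declined because international usage was off, and card-C has a small foreign charge with no larger follow-up.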
The Risk Explained
Domestic vs International: The Risk Picture
| Scenario | Fraud Protection | Risk if Card Details Leak |
| Domestic online, international disabled | OTP mandatory (RBI AFA) | Very low |
| Domestic online, international enabled | OTP mandatory (RBI AFA) | Low – domestic protection still applies |
| International online, international disabled | Issuer blocks the transaction | Minimal – won’t go through |
| International online, international enabled | No OTP; network fraud model only | High – card details can be enough |
The last row is the problem. International enabled means the OTP safety net disappears for those transactions.
Protecting Yourself
How to Toggle International Usage on Your Card
Almost every major Indian bank lets you do this from their app, and changes are usually instant.
- Open your bank’s mobile app and go to the credit card section
- Look for “Card controls”, “Manage card”, or “Card settings”
- Find “International transactions” or “International usage”
- Turn it off if you’re not actively using it abroad or on foreign sites
- When you need it, say for booking a foreign hotel or an international subscription, you can turn it on, transact, then turn it off again
Where to look, bank by bank (menus change, so treat these as a starting point):
- HDFC: NetBanking or app → Cards → Card settings → International usage
- SBI Card: SBI Card app → Manage card → Card controls
- Axis: Mobile banking → Cards → Card controls
- ICICI: iMobile Pay → Cards → Manage card controls
One thing worth knowing: some issuers, including HDFC and Axis, let you set “Online only” separately from “Swipe + Online.” If you occasionally buy from foreign sites but don’t travel, “Online only” is a sensible middle ground. You’re still blocking physical international swipes while keeping online purchases open.
The One Habit That Fixes This
Treat international usage like your car’s ignition. Off when not in use.
It costs nothing, takes seconds, and closes a real attack surface that many cardholders don’t think about. The OTP system protecting your domestic purchases works because the RBI forced it to. International payments run on different rules that India’s regulators don’t control, and the most reliable safeguard on your end is disabling the channel when you don’t need it.
Quick checklist before you move on:
- Check whether international usage is currently on for all your cards
- Disable it on any card you haven’t used internationally in the past six months
- When you do need it, enable it, use it, then disable it again
- Set up transaction alerts (SMS and app notifications both) so any charge shows up on your phone immediately
What to Do If Fraud Happens
Immediate Steps
If you spot an unauthorised charge, the most important thing to know is that the RBI gives you zero liability if you report it within 3 working days of receiving the transaction alert. The clock starts the moment your bank sends you that SMS or email, not when the transaction actually happened.
Block your card immediately through the app, then file a formal dispute with your bank in writing. For fraud cases you’ll also want to file on cybercrime.gov.in and register a police FIR — both strengthen your chargeback case significantly.
We’ve put together a complete guide on exactly how to do all of this: How to Dispute a Credit Card Transaction in India covers the full process, bank-wise steps, the documents you need, and how to escalate to the RBI Ombudsman if your bank doesn’t cooperate.
Frequently Asked Questions
Will Disabling International Transactions Affect My Existing Subscriptions?
Yes, it can. Recurring international payments like Netflix, Spotify, or Adobe will fail if international usage is disabled when the next billing cycle hits. Before disabling, check which foreign subscriptions are charged to that card. Either switch them to a different card or UPI autopay, or keep one specific card with international enabled just for those.
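The six-month check from the earlier checklist and the subscription check in this answer can both be run over a statement export before you flip the toggle. This is an added example, not part of the original article; the row layout, the sample rows, and the 183-day cutoff are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

SIX_MONTHS = timedelta(days=183)  # assumption: "six months" taken as 183 days

# Constructed statement rows: (card, date, merchant, merchant country, amount INR)
SAMPLE_ROWS = [
    ("credit-1", "2024-01-05", "NETFLIX.COM", "US", 649.0),
    ("credit-1", "2024-02-05", "NETFLIX.COM", "US", 649.0),
    ("credit-1", "2024-03-05", "NETFLIX.COM", "US", 649.0),
    ("credit-1", "2024-03-09", "SWIGGY", "IN", 412.0),
    ("credit-2", "2023-06-18", "HOTEL LISBOA", "PT", 18250.0),
    ("credit-2", "2024-03-01", "MYNTRA", "IN", 2199.0),
    ("debit-1", "2024-02-20", "ZOMATO", "IN", 350.0),
]

def audit_international_usage(rows, today, home_country="IN"):
    """Per card: date of the last foreign charge, foreign merchants billed in
    two or more distinct months (likely subscriptions), and a suggested action."""
    last_foreign = {}
    months_seen = defaultdict(lambda: defaultdict(set))
    cards = set()
    for card, day, merchant, country, _amount in rows:
        cards.add(card)
        if country == home_country:
            continue
        d = date.fromisoformat(day)
        last_foreign[card] = max(d, last_foreign.get(card, d))
        months_seen[card][merchant].add((d.year, d.month))
    report = {}
    for card in sorted(cards):
        last = last_foreign.get(card)
        recurring = sorted(m for m, months in months_seen[card].items() if len(months) >= 2)
        stale = last is None or today - last > SIX_MONTHS
        report[card] = {
            "last_foreign": last,
            "recurring_foreign": recurring,
            "action": "disable" if stale else
                      "keep on or move subscriptions first" if recurring else
                      "disable until next use",
        }
    return report

if __name__ == "__main__":
    for card, row in audit_international_usage(SAMPLE_ROWS, date(2024, 3, 15)).items():
        print(card, row)
```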
Does Disabling International Transactions Protect Me from All Fraud?
No, but it closes a major gap. Domestic fraud is much harder to pull off because of the mandatory OTP. Disabling international usage removes the risk of your card being used on foreign sites or terminals without your knowledge. It doesn’t protect against SIM-swap attacks or cases where a fraudster also has access to your mobile number.
Does This Setting Apply to Debit Cards Too?
Yes. The same toggle exists for debit cards on most banking apps, and the same risk applies. Debit cards are arguably more dangerous because a fraudulent charge hits your bank account directly; there’s no credit card buffer. The habit of disabling international usage when not needed applies to debit cards equally.
What’s the Difference Between “Online Only” and “Swipe + Online” for International Usage?
“Online only” allows international card-not-present transactions (foreign websites, subscriptions, app purchases) but blocks physical card swipes at overseas POS terminals and ATMs. “Swipe + Online” enables both. If you’re not travelling, “Online only” is the right choice: it keeps your card usable for foreign digital purchases while blocking physical misuse if your card is lost or stolen abroad.
My Card Was Used Fraudulently Internationally. What Do I Do First?
Block the card immediately through your banking app; don’t wait to call customer care. Then report the fraud to your bank in writing within 3 working days to keep zero liability under RBI guidelines. File a complaint at cybercrime.gov.in and get a police FIR if the amount is significant. Our detailed guide on disputing fraudulent transactions covers the full step-by-step process.
Will International Usage Get Re-Enabled Automatically?
No. Once you disable it, it stays off until you manually turn it back on. Don’t assume the setting carries over to a brand-new or replacement card, though. Under RBI’s rules a freshly issued or reissued card defaults to domestic use only, so check the settings on any new card and switch on only what you actually need.
Small control. Real protection. The fraud that hurts most is the kind you don’t see coming.
Beat My Card helps you get more from your credit cards: comparisons, rewards math, and no-BS takes on the Indian credit card market.