The ministry of electronics and information technology (MeitY) has issued a consultation paper (pdf) which calls for developing a framework for security of digital wallets operating in the country. Right now, wallets have no prescribed security standards to adhere to. Section 43 A of the Information Technology Act which deals with data protection is applicable to wallets but it allows corporations to determine what security practices and procedures are adequate.
“With the Government promoting cashless economy and boost being given to various digital payment systems, a need is felt to develop a framework for security of various Prepaid Payment Instruments (PPIs) operating in the country,” the government said.
Comments for the draft rules are open till March 20. Here is a look at what the draft rules entail:
1. Information security policy: Every wallet will have to develop an information security policy covering all the payment systems operated by it. They will have to abide by the rules set by the government and any other standards it sets.
- the information collected directly from the customer and information collected otherwise
- uses of the information
- period of retention of information
- purposes for which information can be disclosed and the recipients
- sharing of information with law enforcement agencies
- security practices and procedures
- name and contact details of the Grievance Redressal officer along with mechanism for grievance redressal
- any other details specified by the government
3. Risk assessment and risk control: All wallets will have to review their security measures at least once a year and will have to conduct a review after a major security breach.
4. Customer identification and authentication: The Reserve Bank of India will set guidelines to make sure that customers are identified through adequate due diligence. Two points need to be noted on authentication:
- Wallets will have to adopt multiple factor authentication when a customer initiates a payment.
- Although the government may exempt wallet players from multiple factors of authentication “in specified cases depending on the amount, nature of transactions, risk involved and like factors.”
Authentication procedures should include mechanisms to:
- Protect the confidentiality of authentication data.
- Limit the maximum time allowed to the customer to access his payment account online.
- Specify the maximum number of failed authentication attempts that can take place consecutively within a given period of time and after which the access to an online payment account or the initiation of a payment is temporarily blocked.
- Protect communication sessions against capture of data transmitted during the authentication procedure. The government has also asked wallets to ensure that end-to-end encryption is applied to safeguard the data exchanged.
- Prevent, detect and block fraudulent payments before final authorisation.
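As an added illustration (not from the draft rules or any wallet's code), a minimal authentication guard that enforces two of the controls listed above: a cap on consecutive failed attempts within a time period followed by a temporary block, and a maximum online session time. The thresholds and the PIN-hashing salt are assumptions made for the example, since the draft leaves the numbers to each wallet.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import hashlib
import hmac

# Assumed policy values; the draft only says the wallet must specify them.
MAX_FAILED = 5          # consecutive failures allowed within FAIL_WINDOW
FAIL_WINDOW = 300       # seconds over which consecutive failures are counted
BLOCK_SECONDS = 900     # length of the temporary block once the cap is hit
MAX_SESSION = 600       # maximum time a customer may stay signed in (seconds)


@dataclass
class Account:
    pin_hash: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    blocked_until: float = 0.0
    session_started: Optional[float] = None


def hash_pin(pin: str) -> bytes:
    # Authentication data is kept only as a slow salted hash, never in clear.
    # A fixed salt is used here for brevity (assumption); use a per-account salt in practice.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"example-salt", 50_000)


def authenticate(acct: Account, pin: str, now: float) -> str:
    """Return 'ok', 'denied' or 'blocked'. `now` is injected so the logic is testable."""
    if now < acct.blocked_until:
        return "blocked"                      # temporary block still in force
    # Drop failures older than the window so only consecutive, recent ones count.
    acct.failures = [t for t in acct.failures if now - t <= FAIL_WINDOW]
    if hmac.compare_digest(hash_pin(pin), acct.pin_hash):
        acct.failures.clear()                 # a success resets the consecutive count
        acct.session_started = now
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= MAX_FAILED:
        acct.blocked_until = now + BLOCK_SECONDS
        acct.failures.clear()
        return "blocked"
    return "denied"


def session_valid(acct: Account, now: float) -> bool:
    """Enforce the maximum online time; an expired session must re-authenticate."""
    if acct.session_started is None:
        return False
    if now - acct.session_started > MAX_SESSION:
        acct.session_started = None
        return False
    return True
```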
5. Personal information that can be collected by wallet:
a) Name, address, telephone number of customer
b) financial data of the customer, including bank account details, debit card or credit card or other payment instrument details, transaction history
c) authentication data: passwords, patterns, PINs, biometric data etc.
Wallets will contractually require merchants handling any authentication data to have security measures in place to protect such data. Access to confidential information by the employees of the wallet company shall be on a “need-to-know” and “need-to-use” basis.
6. Grievance redressal: Companies will have to publish on their website and mobile application the name and contact details of the Grievance Officer, along with procedures through which customers can report violations of privacy and security. The Grievance Officer shall act within 36 hours and shall resolve the complaint within one month from the date of receipt of such complaint.
7. Reporting of cyber incidents: There should be a mechanism for monitoring, handling, and follow-up of cyber incidents, cyber security incidents and cyber security breaches. CERT-In shall notify the categories of incidents and breaches that are required to be reported to it mandatorily. CERT-In may require wallets to notify customers of cyber security incidents or breaches if the incident or breach is likely to result in harm to the customers.
What we liked about the draft rules
First, it is a great step that the government is spelling out what security and privacy measures should be employed by wallets rather than leaving it up to the companies to decide what is an adequate measure. All wallets must participate in this consultation in the interest of customer safety.
Second, the customer identification and authentication rules seem adequate at the moment. It is great to see that the government is specifying time-outs and the number of times a customer can attempt a transaction. However, it remains to be seen how wallets will prevent, detect and block fraudulent payments before final authorisation. Note that State Bank of India (SBI) has removed the option of loading money on all major wallets through net banking due to rising online frauds. One of the conditions the bank put in was that there needs to be a buffer when a wallet transfers money to a bank account. It will be interesting to see how wallets will enforce this.
Third, CERT-In will have to categorise the types of security incidents that wallets will have to report, though consumer groups and citizens will have to make sure that all bases are covered.
What is missing
The government hasn’t clarified procedures required for a user to create multiple wallets or what kind of data is required to create them. It also hasn’t prescribed procedures on what kind of financial data can be put in the case of multiple wallets. Can a user use a debit card in multiple wallets or link the same bank account to multiple wallets?
The government has brought up security measures for merchants handling a customer’s data, although one needs to see how it is implemented.