
Govt has put out a consultation on security and privacy measures for wallets

The ministry of electronics and information technology (MeitY) has issued a consultation paper (pdf) which calls for developing a framework for security of digital wallets operating in the country. Right now, wallets have no prescribed security standards to adhere to. Section 43 A of the Information Technology Act which deals with data protection is applicable to wallets but it allows corporations to determine what security practices and procedures are adequate. 

“With the Government promoting cashless economy and boost being given to various digital payment systems, a need is felt to develop a framework for security of various Prepaid Payment Instruments (PPIs) operating in the country,” the government said.

Comments for the draft rules are open till March 20. Here is a look at what the draft rules entail:

1. Information security policy: Every wallet will have to develop an information security policy covering all the payment systems operated by it. They will have to abide by the rules set by the government and any other standards it sets.

2. Privacy policy: All wallets will have to publish their privacy policy on their website and mobile app, but the crucial part is that the government wants it to be “in simple language, capable of being understood by a reasonable person.” The privacy policy will include the following details:

  • the information collected directly from the customer and information collected otherwise
  • uses of the information
  • period of retention of information
  • purposes for which information can be disclosed and the recipients
  • sharing of information with law enforcement agencies
  • security practices and procedures
  • name and contact details of the Grievance Redressal officer along with mechanism for grievance redressal
  • any other details specified by the government

3. Risk assessment and risk control: All wallets will have to review their security measures at least once a year and will have to conduct a review after a major security breach.

4. Customer identification and authentication: The Reserve Bank of India will set guidelines to make sure that customers are identified through adequate due diligence. Two points need to be noted on authentication:

  • Wallets will have to adopt multiple factor authentication when a customer initiates a payment.
  • The government may, however, exempt wallet players from multiple factors of authentication “in specified cases depending on the amount, nature of transactions, risk involved and like factors.”

Authentication procedures should include mechanisms to:

  • Protect the confidentiality of authentication data.
  • Limit the maximum time allowed to the customer to access his payment account online.
  • Specify the maximum number of failed authentication attempts that can take place consecutively within a given period of time and after which the access to an online payment account or the initiation of a payment is temporarily blocked.
  • Protect communication sessions against capture of data transmitted during the authentication procedure. The government has also asked wallets to ensure that end-to-end encryption is applied to safeguard the data exchanged.
  • Prevent, detect and block fraudulent payments before final authorisation.
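The list above names mechanisms but not how they fit together. The following is an added example, not code from the article or the MeitY draft, showing how three of those requirements (confidentiality of authentication data, a cap on consecutive failed attempts within a period followed by a temporary block, and a maximum online session time) can be enforced in one small authentication guard. The thresholds, the `PinStore`/`AuthGuard` names and the constructed user "alice" are assumptions made for illustration; the draft leaves the actual numbers to each wallet's security policy.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds for illustration only; the draft does not prescribe numbers.
MAX_FAILED = 5        # consecutive failed attempts allowed within WINDOW
WINDOW = 600          # seconds over which failures are counted
LOCKOUT = 900         # seconds the account stays temporarily blocked
SESSION_MAX = 300     # maximum seconds an online session may stay open
ITERATIONS = 50_000   # PBKDF2 work factor, kept low for the demo; raise in production


class PinStore:
    """Keeps only a salted PBKDF2 hash of each PIN, never the PIN itself."""

    def __init__(self):
        self._records = {}

    def enrol(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
        self._records[user] = (salt, digest)

    def verify(self, user: str, pin: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0
    session_started: Optional[float] = None


class AuthGuard:
    """Failed-attempt limiting, temporary blocking and session time-outs."""

    def __init__(self, store: PinStore, clock=time.time):
        self.store = store
        self.clock = clock  # injectable so the behaviour can be exercised offline
        self.accounts: dict = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user: str, pin: str) -> str:
        """Returns 'blocked', 'locked', 'failed' or 'ok'."""
        st = self._state(user)
        now = self.clock()
        if now < st.locked_until:
            return "blocked"  # temporary block still in force, even for a correct PIN
        if self.store.verify(user, pin):
            st.failures.clear()
            st.session_started = now
            return "ok"
        st.failures.append(now)
        while st.failures and now - st.failures[0] > WINDOW:
            st.failures.popleft()  # only failures inside the window count
        if len(st.failures) >= MAX_FAILED:
            st.locked_until = now + LOCKOUT
            st.failures.clear()
            return "locked"
        return "failed"

    def session_active(self, user: str) -> bool:
        st = self._state(user)
        if st.session_started is None:
            return False
        if self.clock() - st.session_started > SESSION_MAX:
            st.session_started = None  # session exceeded its maximum lifetime
            return False
        return True


def simulate() -> dict:
    """Drive the guard with a constructed clock: five wrong PINs lock the
    account, the lock expires after LOCKOUT seconds, and a session times out."""
    t = [1_000_000.0]
    store = PinStore()
    store.enrol("alice", "4821")  # constructed sample user and PIN
    guard = AuthGuard(store, clock=lambda: t[0])
    results = {}
    results["first_failures"] = [guard.attempt("alice", "0000") for _ in range(4)]
    results["fifth"] = guard.attempt("alice", "0000")        # triggers the block
    results["while_locked"] = guard.attempt("alice", "4821")  # correct PIN, still blocked
    t[0] += LOCKOUT + 1
    results["after_lock"] = guard.attempt("alice", "4821")
    results["session_live"] = guard.session_active("alice")
    t[0] += SESSION_MAX + 1
    results["session_expired"] = guard.session_active("alice")
    return results


if __name__ == "__main__":
    print(simulate())
```

The clock is injected so the lockout and session expiry can be checked without waiting; in a real deployment the state would live in a shared store rather than a process-local dict, and the counters should be keyed per account so that a block on one customer cannot be used to lock out others.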

5. Personal information that can be collected by wallet: 

a) Name, address, telephone number of customer
b) financial data of the customer, including bank account details, debit card or credit card or other payment instrument details, transaction history
c) authentication data: passwords, patterns, PINs, biometric data etc.

Wallets will contractually require merchants handling any authentication data to have security measures in place to protect such data. Access to confidential information by the employees of the wallet company shall be on a “need-to-know” and “need-to-use” basis.

6. Grievance redressal: Companies will have to publish on their website and mobile application the name and contact details of the Grievance Officer, along with procedures through which customers can report violations of privacy and security. The Grievance Officer shall act within 36 hours and shall resolve the complaint within one month from the date of receipt of such complaint.

7. Reporting of cyber incidents: There should be a mechanism for monitoring, handling, and follow-up of cyber incidents, cyber security incidents and cyber security breaches. CERT-In shall notify the categories of incidents and breaches that are required to be reported to it mandatorily. CERT-In may require wallets to notify customers of cyber security incidents or breaches if the incident or breach is likely to result in harm to the customers.



What we liked about the draft rules

First, it is a great step that the government is spelling out what security and privacy measures should be employed by wallets rather than leaving it up to the companies to decide what is an adequate measure. All wallets must participate in this consultation in the interest of customer safety.

Second, the customer identification and authentication rules seem adequate at the moment. It is great to see that the government is specifying time-outs and the number of times a customer can attempt a transaction. Although, it remains to be seen how wallets will prevent, detect and block fraudulent payments before final authorisation. Note that State Bank of India (SBI) has removed the option of loading money on all major wallets through net banking due to rising online frauds. One of the conditions the bank put in was that there needs to be a buffer when a wallet transfers money to a bank account. It will be interesting to see how wallets will enforce this.

Third, CERT-In will have to categorize the types of security incidents that wallets will have to report, though consumer groups and citizens will have to make sure that all bases are covered.

What is missing

The government hasn’t clarified procedures required for a user to create multiple wallets or what kind of data is required to create them. It also hasn’t prescribed procedures on what kind of financial data can be put in the case of multiple wallets. Can a user use a debit card in multiple wallets or link the same bank account to multiple wallets?


The government has brought up security measures for merchants handling a customer’s data, although one needs to see how it is implemented.

Also read: On Indian Mobile wallet apps and the sensitive user data they collect – Part 1

On Indian mobile banking apps and the sensitive user data they collect – Part 2

On UPI apps and the sensitive user data they collect – Part 3

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
