Securing Prepaid Payment Instruments under the IT Act
MeitY Issues Draft Rules to Develop a Security Framework for PPI
Following India's cashless drive, the Ministry of Electronics and Information Technology, or MeitY, is emphasizing the need to develop a framework for the security of prepaid payment instruments, or PPIs.
The rules, formulated under the Information Technology Act 2000, would ensure adequate integrity, security and confidentiality of electronic payments made through PPIs by way of various authentication standards. Once implemented, they're likely to be known as the Information Technology (Security of Prepaid Payment Instruments) Rules, 2017.
MeitY defines a PPI as a payment instrument that facilitates the purchase of goods and services, including funds transfer, against the value stored on the instrument. The stored value represents the amount paid for by the holder in cash, by debit to a bank account or by credit card. Prepaid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers or other instruments used to access the prepaid amount.
While MeitY has prescribed guidelines, security practitioners have offered other ideas. "The current authentication methods are highly OTP-dependent - whether passwords, Aadhaar or e-sign - and don't ensure completely secured transactions, as they are vulnerable," says cyber law expert Naavi Vijayashankar of Cyber Law College and Ujvala Consultants. "New authentication systems must be built that circumvent risks with the current form of Aadhaar-based authentication."
Information Security, Privacy Policies
MeitY urges PPI issuers, such as banks and payment firms, to develop an information security policy for the security of the payment systems they operate, in accordance with these rules and any standards specified by the central government.
MeitY says the policy should include:
- Information collected directly from the customer;
- Period of retention of information;
- Purposes for which information can be disclosed and the recipients;
- Sharing of information with law enforcement agencies; and
- Security practices and procedures.
Security practitioners say MeitY's draft touches only the tip of the iceberg; banks and other institutions should also comply with the data protection rules under the IT Act and pick up nuances of the European Union's General Data Protection Regulation.
Naavi says that while common security measures include passwords and multifactor authentication, issuers must remember that the focus of any business, and therefore of its information security policy, is protecting the user from the consequences of unauthorized access or denial of access.
MeitY's draft framework emphasizes that customers are to be identified through due diligence procedures when a prepaid payment instrument is issued, following Reserve Bank of India guidelines.
It says e-PPI issuers must apply appropriate authentication procedures where customers access their payment account online, and adopt multifactor authentication when customers initiate a payment against the value stored on the prepaid payment instrument.
However, the central government may, by notification, exempt issuers from multifactor authentication in specified cases considering the amount, nature of transaction and risk involved.
The draft says the authentication procedure shall include mechanisms to:
- Protect the confidentiality of authentication data;
- Limit the maximum time allowed to the customer to access his payment account online;
- Specify the maximum number of failed authentication attempts that can take place consecutively within a given period of time and after which the access or initiation of a payment is temporarily blocked;
- Protect communication sessions against capture of data transmitted during the authentication procedure or manipulation by unauthorised parties; and
- Prevent, detect and block fraudulent payments before the issuer's final authorisation.
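As an added illustration, not part of the draft rules or any issuer's code, the following Python sketch implements two of the mechanisms listed above: the cap on consecutive failed authentication attempts within a time window, after which access is temporarily blocked, and the maximum time an online session may stay open. The thresholds, the caller-supplied clock, the PBKDF2 parameters and the in-memory account store are assumptions chosen for the example; a real issuer would persist state and tune the numbers to its risk assessment.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    # All thresholds are example values (assumptions), not figures from the draft.
    max_failures: int = 5            # consecutive failures tolerated ...
    failure_window_s: float = 300.0  # ... within this many seconds
    block_duration_s: float = 900.0  # temporary block once the threshold is reached
    max_session_s: float = 600.0     # maximum time an online session may stay open


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)   # timestamps of recent failed attempts
    blocked_until: float = 0.0                      # epoch seconds; 0 means not blocked
    session_started: Optional[float] = None


class Authenticator:
    """Toy online-account authenticator with lockout and session expiry (example code)."""

    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self.accounts: dict = {}
        # Fixed dummy salt so unknown users cost the same hashing time as known ones.
        self._dummy_salt = os.urandom(16)

    @staticmethod
    def _derive(password: bytes, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(salt, self._derive(password.encode(), salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'blocked'. `now` is supplied by the caller in seconds."""
        acct = self.accounts.get(user)
        if acct is None:
            # Same cost and same answer as a wrong password: no user enumeration.
            self._derive(password.encode(), self._dummy_salt)
            return "denied"
        if now < acct.blocked_until:
            # While blocked the password is not even evaluated, so the block cannot
            # be used as an oracle, and a correct password does not lift it early.
            return "blocked"
        # Forget failures that have aged out of the window; only consecutive failures
        # inside the window count toward the threshold.
        acct.failures = [t for t in acct.failures if now - t < self.policy.failure_window_s]
        if hmac.compare_digest(self._derive(password.encode(), acct.salt), acct.pw_hash):
            acct.failures.clear()          # a success resets the consecutive count
            acct.session_started = now
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.max_failures:
            acct.blocked_until = now + self.policy.block_duration_s
            acct.failures.clear()
            return "blocked"
        return "denied"

    def session_active(self, user: str, now: float) -> bool:
        """True while the session is within the maximum allowed online time."""
        acct = self.accounts.get(user)
        if acct is None or acct.session_started is None:
            return False
        if now - acct.session_started >= self.policy.max_session_s:
            acct.session_started = None    # expired: the customer must re-authenticate
            return False
        return True


if __name__ == "__main__":
    auth = Authenticator(LockoutPolicy(max_failures=3, failure_window_s=60,
                                       block_duration_s=120, max_session_s=30))
    auth.register("alice", "correct horse")
    for t, pw in [(0, "wrong"), (10, "wrong"), (20, "wrong"), (30, "correct horse"),
                  (141, "correct horse")]:
        print(t, auth.login("alice", pw, t))
    print("session at t=150:", auth.session_active("alice", 150))
    print("session at t=171:", auth.session_active("alice", 171))
```

Two design points worth noting: the block is checked before the password is verified, so an attacker cannot use the lockout response to confirm a guess, and the time source is passed in rather than read from the system clock, which makes the window and block boundaries testable and keeps the policy independent of the host's clock.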
Experts agree with MeitY's recommendations but expect organizations to evolve new authentication methods that are not dependent on one-time passwords. Naavi says one-time password authentication depends on the SIM issued, based on Know Your Customer (KYC) checks by the mobile service provider, which in turn depends on the security of the mobile device against Trojans that automatically read one-time passwords, or other malicious code that may act as a "man in the middle."
Narayan Neelakantan, chief executive of next-generation technology solutions provider Block Armour, says authentication standards should include, besides passwords, at least one more factor of authentication, such as SMS-based two-factor authentication or biometric authentication. "The institution can take a call on additional factors based on transaction value," he says.
Nadkarni says the mechanisms MeitY outlined are good recommendations, but they should be considered a floor, as organizations must build in the extras for their specific context.
Risk Assessment and Control
MeitY suggests every issuer assess the risks associated with the security of the payment systems it operates.
The draft notes that every e-PPI issuer should review its security measures at least once a year, as well as after any major security incident or breach and before any major change to its infrastructure or procedures.
Nadkarni recommends that issuers build specific security and privacy risks into their risk registers. "Ensure that existing risk assessment and control processes incorporate each of these identified risks to manage risks better," she says.
Neelakantan says while organizations must adopt risk frameworks like ISO 31000, ISACA's Risk IT and risk assessment guidelines from the U.S. National Institute of Standards and Technology, "it's essential to adopt a risk management process allowing institutions to identify and mitigate risks continuously, not periodically."
Naavi recommends that practitioners consider risk assessment from multiple perspectives, including securing information against unauthorized access, loss of data integrity and denial of access; protecting organizations from liabilities due to a security breach that could result in corporate executives facing civil and criminal charges; and protecting users from the adverse consequences of a breach via cyber insurance.
Data Breach Notification
The rules emphasize that organizations establish mechanisms for monitoring, handling and following up on cyber incidents and breaches. CERT-In is to specify in its compliance guidelines and advisories the categories of incidents and breaches that must be reported to it, and issuers should report such incidents to CERT-In along with a report on the measures taken to mitigate their impact. CERT-In also may require e-PPI issuers to notify customers of cybersecurity incidents or breaches if these may harm them.
Naavi says breach reporting is important and the central monitoring authority should possess such information to understand industry-wide risks.
Nadkarni says such a law establishes discipline, but Indian organizations must make classifying the nature and severity of breaches, and the action to be taken, a priority.
MeitY argues that breach reporting confers three major benefits:
- Organizations start considering cybersecurity seriously, resulting in management support, allocation of budgets, etc.
- Customer awareness levels improve, and there's more visibility into the institution's level of cyber preparedness; and
- Agencies gain a more holistic view of cyberattacks, can identify trends and targeted attacks, leading to a better coordinated response, and in some cases can issue alerts to institutions that may be targeted.