Securing NPCI's Unified Payment Service Against Online FraudBanking CISOs Have a Huge Task Ahead in Ensuring Seamless Secure Transactions
The National Payments Corporation of India, the umbrella organization for all retail payments systems, went live recently with its unified payments interface service for smartphone users (see: NPCI's UPI Service To Go Live April 8).
The new UPI service enables account holders of any bank to send and receive money from their smartphones with a single identifier. The options include the Aadhaar number, a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India, serving as proof of identity and address anywhere in India; a mobile number; or a virtual payments address.
Many CISOs consider the UPI a leap forward in driving cashless transactions and boosting financial inclusion, but they acknowledge that it also will increase challenges in ensuring seamless, secure transactions.
A CISO of a leading multinational bank, requesting anonymity, notes, "The channel is definitely a disruptive technology, but it's a big challenge to spot the weakest link owing to increase in volumes."
Integration with UPI Platform
The new UPI service is an advanced version of NPCI's Immediate Payment Service, a 24/7/365 funds transfer service. The service enables identifying a bank customer with an email-like virtual address.
Using an application that customers download on their mobile phones, the new UPI service is designed to handle banking transactions - third-party payments, sending and receiving money - below Rs 1 lakh with minimum clicks. All that's needed is a unique identification number.
Dr. A. Rajendran, CTO at NPCI, says about 13 banks are using the new system, including Punjab National Bank, Axis Bank, Oriental Bank of Commerce, ICICI, HDFC, SBI, Catholic Service Bank and Union Bank of India.
"We're confident the number will multiply," says A. P. Hota, MD and CEO at NPCI. "This is in line with RBI's vision of migrating toward a 'less-cash' and more digital society."
At the back end, Rajendran says, banks must connect to NPCI's UPI using their payment service provider system, which will interface with banks' core banking systems, banks' end users (customers), authentication systems and fraud and risk management systems. Banks can integrate UPI with their mobile banking system, if they have one.
The biggest benefit for banks are single-click two-factor authentication for subsequent transactions along with a universal application for transactions as they leverage existing infrastructure.
"Since the mobile number will be the key identity token for several applications, it will help banks expand their delivery channels beyond their own infrastructure," Rajendran says.
To help banks use the platform, the UPI service offered an architecture and a set of APIs. NPCI organized a UPI hackathon two months ago, focusing on software-based problem solving and a workshop format to solve a real-life problem. Participants used the API provided in the sandbox - a set of rules that programmers must use - to develop products/services and generate multiple solution options for each of the perspectives.
NPCI hopes many banks will use the new UPI service to facilitate next-generation online immediate payments, leveraging trends that include increasing smartphone adoption, Indian Language Interface and universal access to the internet, says Milind Rajhans, assistant general manager-IT and CISO at Andhra Pradesh Co-operative Urban Bank Ltd. The UPI service was launched with a four-language interface.
The India bank CISO who asked to remain anonymous says the UPI service has technological challenges owing to the velocity of transactions. This requires an effective monitoring mechanism to watch for online fraud. "If there's a discrepancy in one of the bank systems due to which a fraud takes place, the entire ecosystem or the bank where the transaction originated is blamed," the CISO says.
Dr. Raghuram Rajan, governor at Reserve Bank of India, a regulatory body, cautions: "Along the UPI payment chain, transactions can go wrong. There's a need for a system handling customer complaints, grievance redressal and protecting the system from security breaches and fraudulent transactions."
Multiple layers of security checks are implemented when any transaction occurs on a bank's mobile application using the UPI service - not just between the user and the app but also between banks, merchants and the UPI engine.
Mali says integration across various services, especially legacy systems, can be a challenge.
And Rajendran notes: "NPCI systems are secured with state-of-the-art security infrastructure with continuous monitoring and best practices. NPCI follows an integrated approach to protect various NPCI product's infrastructures, engaging with external information security industries for building secured products."
Securing the Service Against Threats
The bank CISO who asked to remain unnamed, says, "Every bank must realize there's a systemic risk; that traditional risk controls won't meet new age platform challenges. NPCI and partner banks must bring new standards in setting up processes beyond API to identify the weakest link."
Rajendran suggests that security practitioners focus on the security of mobile apps and APIs and says they can use NPCI's library to securely capture user credentials.
To leverage UPI payment service, he says, banks must implement changes in their core banking systems, reconciliation systems and authentication system, plus develop interfaces with fraud and risk management systems, customer grievance and mobile application functions.
"While banks also may develop the interface for large merchants for on-boarding them, the communication between NPCI and PSPs are through secured NPCINET [NPCI's intranet]," Rajendran says. "Banks can handle the security while communicating with their customers and storing customer information at their end."
In addition to implementing controls, banks must educate top management and build user awareness of security issues, experts says.
Although Mali believes two-factor authentication is hackable, Rajendran notes: "The UPI service multifactor authentication mechanism also supports password, OTP [one time password], mobile PIN and biometrics, for a secured transaction."