New Delhi: Laws to protect the privacy and financial details of people using electronic payments are on the cards, a top government official said, as India attempts to move to a cashless economy.
The government is working on a legal framework that will define the liabilities and obligations of payment companies, Aruna Sundararajan, secretary in the ministry of electronics and information technology, said in an interview.
The framework will cover e-wallets, payment gateways, prepaid cards and other payment platforms. It will also cover services of banks and the use of credit cards for online transactions.
The move, aimed at preventing data theft, comes in the wake of a surge in phone banking and electronic payments as the nation of 1.25 billion people moves towards a cashless economy following the invalidation of old high-value currency bills last month. In October, about 3.2 million debit cards were reported to have been compromised in a massive cyber-attack.
Sundararajan said the government was examining whether the IT Act, 2000 needs to be amended to address five key issues.
“First, what should be the security framework for any kind of digital payments? Two, the standards and liabilities of the service provider. Third, data privacy and confidentiality. Fourth, storage and access of data. And if someone fails to comply, what penalty should apply, especially where details of millions of citizens (are involved),” said Sundararajan.
There will be graded levels of security in the proposed framework, depending on the number of customers. Security levels to be observed by a company with a closed network and a limited number of customers will be different from those of one with millions of customers.
One key concern for the government is to balance the ease of using digital payment options with security requirements, as complicated processes will discourage people from adopting these options.
According to Amit Jaju, executive director of fraud investigation and dispute services at EY, e-wallets, which are easier to use than debit or credit cards, are more prevalent in India than in developed economies, where cards enable transactions without a second level of authentication such as a ‘one-time password’. Jaju said fraudsters usually trick one employee in an organization who handles sensitive information before using his identity to steal large amounts of data. He said businesses have to sensitize their employees as they are the weakest links in the security ecosystem.
This is a function of storage (where the data is stored) and who is allowed to access it and how.
Sunil Kulkarni, deputy managing director, Oxigen Services (India) Pvt. Ltd, a payment company, said customer data is stored in a separate secured environment with only privileged access on a “need-to-access” basis.
“For most requirements, manual access is only given for audit or regulatory purpose. Consent for use of data is taken explicitly,” he said.
According to the Reserve Bank of India, in 2015-16 up to December, 11,997 cases of fraud relating to ATM, credit and debit cards and net banking were reported.