Prepaid payment instruments: First step towards better wallet safety

In November, the Indian Computer Emergency Response Team (CERT-In), considering the increasing threats to electronic payment instruments, had issued an advisory for users to refer to ensure safe use of electronic wallets. Some of those include using strong passwords on devices where these wallets are installed, avoid usage of public Wi-Fi networks to access the applications, creating unique passwords for wallets, and identifying points of contact in case of fraudulent use of wallets.

To prevent any security breach of wallets, in which inherently people store money for ease of use, the draft rules issued by the Ministry of Electronics and Information Technology specify that every wallet issuer should review its security measures at least once a year, and after any major security incident or breach, or before a major change to its infrastructure or procedures. Furthermore, the issuer would also need to establish a mechanism for monitoring, handling and follow-up of any cyber incidents.

A grievance officer is also proposed to be set up with every wallet issuing company in India, who would be responsible for receiving complaints from customers. “The e-PPI issuer shall publish on its website and its mobile application the name and contact details of the Grievance Officer, and procedure by which customers or any other person who suffers as a result of violation of these rules can make complaints to the Grievance Officer,” the draft rules document said. “The Grievance Officer shall act within 36 hours and shall resolve the complaint within one month from the date of receipt of such complaint,” it added.

Notwithstanding the topical preparedness put in place by the government and the private sector players, to counter cyber threats, experts have indicated potential risks based on lack of awareness among individuals and organisations concerning security of their information technology infrastructure. One the one hand, during the past year, 70 per cent of organisations were compromised in some way or the other by a successful cyber attack, other the other hand, nearly one-third do not have a written information security policy.

The recently reported breaches in the Aadhaar infrastructure also buttress the need to have a strict data protection policy in place. Through these draft rules for wallets, comments for which can be sent to the government by March 20, the Centre has proposed mandating end-to-end encryption by wallet issuers to ensure safeguarding of data exchanged through such systems. Furthermore, access to confidential information by the employees of the issuing company must be on a “need-to-know” and “need-to-use” basis, the rules propose. “The process of maintaining confidentiality of information shall be included in the information security policy,” the document notes.

IT minister Ravi Shankar Prasad on Thursday asked the global community to work on protection of data privacy while emphasising on innovations using data analytics. “In India, 1.08 billion mobile phones, 60 million smartphones are a source of data, 112 billion Aadhaar is are a source of data but on the other side, it is an equally important issue that data is mine. I am the individual. Why should my data be made public,” Prasad said at the International Conference on Theory and Practice of Electronic Governance (ICEGOV).

While the draft rules for PPIs propose a number of security measures to prevent any untoward incident, they do not detail any redressal mechanism in case of theft of money from a wallet. Earlier the government was in conversation with wallet issuers to have in place an insurance system for wallets, which would place the onus on issuers in case money is stolen from wallets, and the issuers would be in turn insured against such incidents.