Infographic of the Month


Major Highlights from Master Direction on Digital Payment Security Controls

- Ashutosh Dubey, Lead, Business Analytics, NPCI

Section 1: General Controls

  1. Governance and Management of Security Risks
     Governance and risk management programs for identifying, analysing, monitoring and managing the compliance risk and fraud risk associated with the portfolio of digital payment products.

  2. Generic Security Controls
     Web applications providing digital payment products and services should not store sensitive information in HTML hidden fields, cookies or any other client-side storage, so that the integrity of the data cannot be compromised on the client.
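As an added illustration of this control (example code, not part of the Master Direction or of any NPCI system), the snippet below contrasts a checkout handler that trusts the amount carried in hidden form fields with one that keeps the authoritative amount in server-side session state and lets the client hold only an opaque session id. The session store, account and amount values are constructed for the example.

```python
"""Added example: why payment state must not live in client-side hidden fields
or cookies, and the server-side alternative.  The in-memory session store and
all values below are constructed for illustration."""
import secrets
from decimal import Decimal

# Constructed server-side session store: opaque session id -> authoritative payment
SESSION_STORE = {}


def start_checkout(account: str, amount: str) -> dict:
    """Create a checkout.  The server keeps account and amount; the client is
    given only an opaque, unguessable session id to echo back in the form."""
    session_id = secrets.token_urlsafe(16)
    SESSION_STORE[session_id] = {"account": account, "amount": Decimal(amount)}
    return {"session_id": session_id}


def confirm_insecure(form: dict) -> dict:
    """Insecure pattern: the amount and account come back from hidden fields in
    the submitted form, so whatever the client edited is what gets charged."""
    return {"account": form["account"], "amount": Decimal(form["amount"])}


def confirm_secure(form: dict) -> dict:
    """Hardened pattern: the form carries only the opaque id; every sensitive
    value is read back from server-side state, so client edits are ignored."""
    state = SESSION_STORE.get(form.get("session_id"))
    if state is None:
        raise PermissionError("unknown or expired checkout session")
    return {"account": state["account"], "amount": state["amount"]}


def demo() -> tuple:
    """Constructed scenario: the client lowers the hidden amount before submitting.
    Returns (amount charged by the insecure handler, amount charged by the secure one)."""
    sess = start_checkout("ACC-1001", "2500.00")
    tampered = {"session_id": sess["session_id"], "account": "ACC-1001", "amount": "1.00"}
    return confirm_insecure(tampered)["amount"], confirm_secure(tampered)["amount"]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the session store would be a server-side cache or database keyed by the session id, and the id itself would travel in an HttpOnly, Secure cookie; the point is that nothing the client can edit is used to decide what is debited.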
  3. Application Security Life Cycle
     The security controls for digital payment applications must focus on how these applications handle, store and protect payment data. Reference to standards such as OWASP-MASVS, OWASP-ASVS and other relevant OWASP standards, the security and data protection guidelines in ISO 12812, and the threat catalogues and guides developed by NIST (including those for Bluetooth and LTE security) is suggested during application development.

  4. Authentication Framework
     Should promote multi-factor authentication, and at least one of the authentication methodologies should generally be dynamic or non-replicable. [e.g., use of a One Time Password, mobile devices (device binding and SIM), biometric/ PKI/ hardware tokens, or an EMV chip card (for card-present transactions) with server-side verification could be termed dynamic or non-replicable methodologies.]
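To make "dynamic or non-replicable with server-side verification" concrete, here is an added example (not from the Master Direction) of a time-based one-time password per RFC 6238 (HMAC-SHA1, 6 digits, 30-second step) together with a server-side verifier that also refuses to accept a code that has already been used. The shared secret is the RFC 4226 test-vector secret and the timestamps are constructed; the one-step clock-skew window is an assumption.

```python
"""Added example: RFC 6238 TOTP with server-side verification and replay refusal.
Secret, users and timestamps are constructed; the skew window is an assumption."""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per OTP step
DIGITS = 6
WINDOW = 1       # accept one step of clock skew on either side (assumption)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP)


class OtpVerifier:
    """Server side: holds the shared secret and the last counter accepted for each
    user, so a code that has already been consumed cannot be replayed inside its
    validity window.  Codes are compared in constant time."""

    def __init__(self):
        self.secrets = {}
        self.last_counter = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != DIGITS:
            return False
        now = unix_time // TIME_STEP
        for counter in range(now - WINDOW, now + WINDOW + 1):
            if counter <= self.last_counter[user]:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret (constructed use)
    v = OtpVerifier()
    v.enrol("alice", secret)
    code = totp(secret, 59)
    print(code, v.verify("alice", code, 59), v.verify("alice", code, 75))
```

The server never trusts the client's clock or any "already verified" flag sent by the device; the only inputs are the user, the submitted digits and the server's own time, and the per-user high-water mark is what makes a captured code non-replicable.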
  5. Fraud Risk Management
     System alerts shall be parameterised and monitored in terms of the various applicable parameters. Such parameters, as applicable, could be:
     • Transaction velocity (e.g., fund transfers, cash withdrawals, payments through electronic modes, adding new beneficiaries, etc.) in a short period
     • More so in the accounts of customers who have never used the mobile app/ internet banking/ card before (depending upon the type of payment channel)
     • High-risk merchant category code (MCC) parameters, counterfeit card parameters (a string of invalid CVVs/ PINs indicates an account generation attack)
     • New account parameters (excessive activity on a new account)
     • Time zones and geo-locations
     • IP address origin (in respect of unusual patterns, prohibited zones/ rogue IPs)
     • Behavioural biometrics
     • Transaction origination from a point of compromise
     • Transactions to mobile wallets/ mobile numbers/ VPAs against which vishing fraud or other types of fraud are registered/ recorded
     • Declined transactions, transactions with no approval code, etc.
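The following is an added example (not from the Master Direction or any production fraud system) of how a few of the parameters above can be expressed as parameterised alert rules and run over a transaction stream: transaction velocity in a short window, a string of invalid CVVs on one card, excessive activity on a newly opened account, and origination from a known rogue IP. The thresholds, the rogue-IP list and the sample transactions are constructed for illustration and are not values from the regulation.

```python
"""Added example: parameterised fraud alert rules over a constructed transaction
stream.  Thresholds, IP addresses (TEST-NET ranges) and records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds: in practice these would be tuned per channel and product
PARAMS = {
    "velocity_window": timedelta(minutes=10),
    "velocity_max": 3,              # alert when more than 3 txns fall in the window
    "invalid_cvv_max": 3,           # alert on 3 consecutive invalid CVVs on one card
    "new_account_days": 7,          # an account is "new" for its first week
    "new_account_max": 5,           # alert when a new account exceeds 5 txns
    "rogue_ips": {"203.0.113.9"},   # constructed rogue-IP list
}


class FraudMonitor:
    def __init__(self, params=PARAMS):
        self.p = params
        self.recent = defaultdict(deque)   # account -> timestamps inside the window
        self.cvv_fail = defaultdict(int)   # card -> consecutive invalid-CVV count
        self.total = defaultdict(int)      # account -> lifetime transaction count

    def check(self, tx: dict) -> list:
        """Evaluate one transaction and return the alert codes it raises."""
        alerts = []
        acct, ts = tx["account"], tx["ts"]

        # Transaction velocity: sliding window of timestamps per account
        q = self.recent[acct]
        q.append(ts)
        while q and ts - q[0] > self.p["velocity_window"]:
            q.popleft()
        if len(q) > self.p["velocity_max"]:
            alerts.append("VELOCITY")

        # Counterfeit card parameter: a string of invalid CVVs on the same card
        if tx.get("cvv_ok") is False:
            self.cvv_fail[tx["card"]] += 1
            if self.cvv_fail[tx["card"]] >= self.p["invalid_cvv_max"]:
                alerts.append("INVALID_CVV_STRING")
        elif tx.get("cvv_ok") is True:
            self.cvv_fail[tx["card"]] = 0

        # New account parameter: excessive activity shortly after opening
        self.total[acct] += 1
        if (ts - tx["opened"] <= timedelta(days=self.p["new_account_days"])
                and self.total[acct] > self.p["new_account_max"]):
            alerts.append("NEW_ACCOUNT_ACTIVITY")

        # IP address origin: known rogue address
        if tx.get("ip") in self.p["rogue_ips"]:
            alerts.append("ROGUE_IP")
        return alerts


def run_sample() -> dict:
    """Run the monitor over a constructed stream; returns {txn id: [alerts]}."""
    t0 = datetime(2021, 2, 10, 9, 0)
    old, new = t0 - timedelta(days=400), t0 - timedelta(days=2)
    txns = []
    for i in range(4):   # account A: four transfers within three minutes
        txns.append({"id": f"A{i + 1}", "account": "A", "opened": old,
                     "ts": t0 + timedelta(minutes=i), "ip": "198.51.100.4"})
    for i in range(6):   # account B: opened two days ago, six txns, first from a rogue IP
        txns.append({"id": f"B{i + 1}", "account": "B", "opened": new,
                     "ts": t0 + timedelta(minutes=20 * i),
                     "ip": "203.0.113.9" if i == 0 else "198.51.100.7"})
    for i in range(3):   # card on account D: three consecutive invalid CVVs
        txns.append({"id": f"D{i + 1}", "account": "D", "opened": old,
                     "ts": t0 + timedelta(minutes=60 + i), "ip": "198.51.100.8",
                     "card": "card-D", "cvv_ok": False})
    mon = FraudMonitor()
    return {tx["id"]: mon.check(tx) for tx in txns}


if __name__ == "__main__":
    for txn_id, alerts in run_sample().items():
        print(txn_id, alerts)
```

Each rule keeps only the state it needs (a window of timestamps, a counter), which is what lets the same logic run in near real time on a stream rather than as an end-of-day batch; the alert codes are the hand-off point to case management rather than an automatic decline.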
  6. Reconciliation Mechanism
     A real-time/ near-real-time (not later than 24 hours from the time of receipt of the settlement file(s)) reconciliation framework for all digital payment transactions.
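As an added example of what such a reconciliation framework does at the record level (illustrative code, not from the Master Direction or any settlement system), the snippet below matches an internal ledger against a settlement file by retrieval reference number and reports the exception buckets a reconciliation team would chase: entries missing on either side, amount mismatches and status mismatches. It also checks the 24-hour window against the file's receipt time. The file layout, column names and records are constructed.

```python
"""Added example: ledger-vs-settlement-file reconciliation with exception buckets
and a 24-hour completion check.  File format and all records are constructed."""
import csv
import io
from datetime import datetime, timedelta
from decimal import Decimal

RECON_DEADLINE = timedelta(hours=24)   # from receipt of the settlement file

# Constructed settlement file as it might arrive from a switch or network
SETTLEMENT_CSV = """rrn,amount,status
100001,2500.00,SUCCESS
100002,999.50,SUCCESS
100003,120.00,SUCCESS
100005,4000.00,REVERSED
100006,10.00,SUCCESS
"""

# Constructed internal ledger entries for the same cycle
LEDGER = [
    {"rrn": "100001", "amount": Decimal("2500.00"), "status": "SUCCESS"},
    {"rrn": "100002", "amount": Decimal("99.50"), "status": "SUCCESS"},
    {"rrn": "100003", "amount": Decimal("120.00"), "status": "SUCCESS"},
    {"rrn": "100004", "amount": Decimal("75.00"), "status": "SUCCESS"},
    {"rrn": "100005", "amount": Decimal("4000.00"), "status": "SUCCESS"},
]


def parse_settlement(text: str) -> dict:
    """Parse the settlement file into {rrn: {amount, status}}; amounts stay Decimal."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["rrn"]: {"amount": Decimal(r["amount"]), "status": r["status"]}
            for r in rows}


def reconcile(ledger: list, settlement: dict) -> dict:
    """Match ledger entries to settlement rows by RRN and bucket every exception."""
    ex = {"missing_in_settlement": [], "missing_in_ledger": [],
          "amount_mismatch": [], "status_mismatch": []}
    seen = set()
    for entry in ledger:
        rrn = entry["rrn"]
        seen.add(rrn)
        s = settlement.get(rrn)
        if s is None:
            ex["missing_in_settlement"].append(rrn)   # we have it, network does not
            continue
        if s["amount"] != entry["amount"]:
            ex["amount_mismatch"].append((rrn, str(entry["amount"]), str(s["amount"])))
        if s["status"] != entry["status"]:
            ex["status_mismatch"].append((rrn, entry["status"], s["status"]))
    ex["missing_in_ledger"] = sorted(set(settlement) - seen)  # network has it, we do not
    return ex


def within_deadline(received_at: datetime, reconciled_at: datetime) -> bool:
    """True if reconciliation completed within 24 hours of file receipt."""
    return reconciled_at - received_at <= RECON_DEADLINE


if __name__ == "__main__":
    result = reconcile(LEDGER, parse_settlement(SETTLEMENT_CSV))
    for bucket, items in result.items():
        print(bucket, items)
    print(within_deadline(datetime(2021, 2, 10, 18, 0), datetime(2021, 2, 11, 17, 0)))
```

Amounts are compared as Decimal rather than float so that a one-paisa difference is never hidden by rounding, and every exception is reported as a record rather than a net total, since a matching total can still conceal an offsetting pair of errors.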
  7. Customer Protection and Grievance Redressal
     A section on the digital payment application clearly specifying the process and procedure (with forms/ contact information, etc.) to lodge consumer grievances.
Section 2: Internet Banking Security Controls

  Implement additional levels of authentication on the internet banking website, such as adaptive authentication and strong CAPTCHA (preferably with anti-bot features) with server-side validation, in order to plug this vulnerability and prevent its exploitation.
Section 3: Mobile Payment Application Security Controls

  Considering that the additional factor of authentication and the mobile application may reside on the same mobile device in the case of mobile banking and mobile payments, Regulated Entities may consider implementing alternatives to SMS-based OTP authentication mechanisms.

  The mobile application should not store/ retain sensitive personal/ consumer authentication information such as user IDs, passwords, keys, hashes or hard-coded references on the device, and the application should securely wipe any sensitive customer information from memory when the customer/ user exits the application.

Section 4: Card Payment Security

  Card details of customers are not stored in plain text at the Regulated Entity's and its vendors' locations, systems and applications.

Article of the Month


ROLE OF REGULATORS IN THE GROWTH OF FINTECH INDUSTRY

- SHWETA SRIVASTAVA, GROUP CTO – PAUL MERCHANTS LIMITED

Fintech Newsletter February 2021 fintech highlights of the month 007

Where there is growth, there arises the need for regulation. With the government’s vision of Digital India, India has seen a boom in this field. With the government's focus on a digital economy, initiatives like GST, UPI-based payments, etc. have triggered the change.

Currently there are around 1500 fintech start-ups, along with thousands of well-established companies, catering to technology development in the financial domain.

We have all witnessed the revolution and tremendous evolution of the financial sector towards digitisation in the past few years, which has opened the doors of opportunity for fintechs. A considerable number of technology companies have brought path-breaking ideas to the field of financial services, extending the reach of financial products and services to people in all segments of society. Fund transfer, investments, lending, payments, savings and cross-border remittances have all been made available through digital platforms. With the advent of technology solutions facilitating digitisation, like digital banking, eWallets, mobile banking, WhatsApp banking, etc., it has become extremely convenient for the common man to access financial services with just a few clicks.

With such a strong influence of these fintech companies, it is imperative for regulators to ensure uniformity in operations and to establish the dos and don’ts for the industry. It has been observed that there is a significant surge in the number of cybersecurity incidents and frauds. In the wake of cyber security threats and attacks, it is imperative to set up a best-in-class, robust cyber security framework.

Though these fintechs currently come under the purview of multiple regulators like RBI, SEBI, IRDA and TRAI, there is still a need for a uniform regulatory framework. The Digital Payment Security Controls (DPSC) guidelines from RBI are a step in this direction, which shall ensure adherence to the necessary cyber security controls and infrastructure to cover the risks associated with digital platforms. Another important step from regulators is the PDPB, which shall help safeguard customers’ data privacy and security.