Introduction
On March 08, 2017, the Union Ministry of Electronics and Information Technology issued draft guidelines under the provisions of the Information Technology Act, 2000 for electronic payment transactions through prepaid payment instruments (PPIs) such as mobile wallets, smart cards and paper vouchers. Titled the “Draft IT (Security of Prepaid Instruments) Rules, 2017”, the draft was opened for wide consultation, with comments invited from the general public and stakeholders by March 20, 2017, before the rules are enacted.
Purpose of the Rule
The purpose of these draft guidelines is to advance the Union Government's stated aim of promoting a cashless economy based on electronic payments, and to ensure the confidentiality, integrity, safety and security of transactions made through PPIs, popularly known as e-wallets, across the digital payment systems operated by the various digital wallet companies. Once enacted, the rules will apply to all digital wallet companies such as Paytm, FreeCharge and Mobikwik, and to any issuer of smart cards, paper vouchers, magnetic stripe cards, internet wallets, mobile accounts, mobile wallets or any similar instrument.
Guidelines of the Draft
End-to-End Encryption
The draft guidelines propose that PPI issuers must ensure end-to-end encryption of the data exchanged. They further require issuers to assist their customers in the safe and secure use of PPIs, in simple language that a reasonable person can understand, and to publish on the company's website their privacy and security policy, framed according to the rules and regulatory standards set by the Union Government, together with the terms of use of their payment system, assuring customers that the system is secure. Each issuer must appoint a Chief Grievance Officer (CGO), with published contact numbers, whom a customer can approach for redressal of a complaint about a transaction. The CGO must initiate action within 36 hours of a complaint being lodged, and the complaint must be resolved within one month of its receipt.
Robust Risk Management System
Issuers must develop a robust risk management system and carry out risk assessments to identify security risks to both data protection and the safety of the funds involved. They must also exercise adequate due diligence before issuing PPIs, and establish a mechanism to monitor, handle and follow up cyber incidents and breaches that may occur.
Review and Revamp of the Security Measures
Digital wallet companies shall review and revamp their security measures in the light of grievances, incidents and breaches, before any major change in their infrastructure or procedural methodology, and in any case at least once a year. They shall store user information such as a customer's address and contact number, and financial data such as the customer's bank balance, for a period to be decided by the Union Government. This information may not be disclosed to anyone without the prior consent of the Government, except where the company is required to disclose a user's information to the statutory authorities.
Two-factor authentication
Issuers must adopt two-factor authentication for transactions and for identifying customers at the time of registration. In specific cases, the Union Government may exempt an issuer from the two-step authentication requirement.
Conclusion
Overall, these guidelines make clear that although all payment instruments are regulated under RBI rules and regulations, the conduct of electronic transactions through PPIs will additionally be regulated under the IT Act, 2000 and, once enacted, the IT (Security of Prepaid Instruments) Rules, 2017.