The regulator has asked lenders to have a board-approved policy in place and to conduct regular audits of the system. Banks and non-bank financial companies will need to perform regular vulnerability testing of their systems to provide a secure experience for their customers.
The banking regulator has asked lenders to adopt the highest security standards available to prevent data breaches on their servers. For card payments, lenders must adopt standards that go beyond the data security standards of the payment card industry. This would include specific standards for the transmission of the personal identification number to the cardholder, security standards for the hardware used to read cards, among others.
“The guidelines do not mention UPI transactions or payment gateways, which are major vectors of data breaches and fraud. However, the guidelines for credit cards are very prescriptive, which is positive,” said Sandeep Srinivasa, founder and head of products and technology at RedCarpet, a credit card company.
Some of the requirements specified by the RBI include:
- For mobile apps, where service and authentication tools like one-time password are received on the same device, lenders should come up with better alternatives for authenticating a transaction.
- The transaction reconciliation process should follow a near real-time framework that would ensure that all stakeholders receive the necessary information about a transaction within 24 hours.
- The RBI has asked lenders to ensure that their web pages offering digital payment products and services do not store sensitive customer information in HTML fields, cookies, or other client-side storage.
- For the authentication of customers using web pages to access digital payments, banks and NBFCs will need to have stronger authentication tools using strong CAPTCHA codes with server-side authentication.
- Banks and NBFCs should have a specific section on their digital payment products and services that specifies how customers can file complaints in the event of a claim.
- Lenders may also consider embedding code in their apps that checks customer devices for security concerns. Applications or web pages provided by lenders must have a mechanism to mark a transaction as fraudulent, with transparent and immediate notification to the lender.
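The requirement that web pages not hold sensitive customer information in HTML fields, cookies or other client-side storage is something a lender's security team can check for on its own responses. The following is an added example, not code from the article, from the RBI or from any lender: it scans a single HTTP response for hidden form fields, Set-Cookie headers and inline web-storage writes whose field names look sensitive or whose values contain a Luhn-valid card number. The sensitive-name list, the sample response and the cookies are constructed for the demo; 4111 1111 1111 1111 is a well-known test number, not a customer's card.

```javascript
// Added example, not code from the article or from the RBI: audit an HTTP
// response for sensitive customer data that ends up in client-side storage
// (hidden HTML fields, cookies, localStorage/sessionStorage writes).
// The field-name list and the sample response below are constructed for the demo.

const SENSITIVE_NAMES = /(^|[_-])(pan|card(number|no)?|cvv|cvc|pin|otp)([_-]|$)/i;

// Luhn mod-10 checksum, the check-digit scheme used by payment card numbers.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Return every Luhn-valid 13..19 digit run (spaces or dashes allowed) in text.
function findPans(text) {
  const out = [];
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) out.push(digits);
  }
  return out;
}

// Keep only the BIN and last four so the finding itself does not leak the PAN.
function mask(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

function report(findings, where, name, value) {
  const pans = findPans(value);
  if (SENSITIVE_NAMES.test(name) || pans.length > 0) {
    findings.push({ where, name, value: pans.length ? pans.map(mask).join(',') : '[redacted]' });
  }
}

// Scan one response: body is the HTML text, setCookies the Set-Cookie header values.
function auditResponse({ body, setCookies = [] }) {
  const findings = [];

  // 1. Hidden <input> fields, attributes in any order.
  const inputRe = /<input\b[^>]*\btype\s*=\s*["']hidden["'][^>]*>/gi;
  for (const tag of body.match(inputRe) || []) {
    const name = (tag.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const value = (tag.match(/\bvalue\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    report(findings, 'hidden-field', name, value);
  }

  // 2. Cookies the server sets: "name=value; attributes".
  for (const header of setCookies) {
    const pair = header.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    report(findings, 'cookie', pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }

  // 3. Inline scripts writing string literals into web storage.
  const storeRe = /(localStorage|sessionStorage)\.setItem\(\s*["']([^"']*)["']\s*,\s*["']([^"']*)["']/g;
  let m;
  while ((m = storeRe.exec(body)) !== null) report(findings, m[1], m[2], m[3]);

  return findings;
}

// Constructed sample response; 4111 1111 1111 1111 is a test number, not a customer's card.
const SAMPLE_RESPONSE = {
  body: `<form action="/pay" method="post">
  <input type="hidden" name="session" value="a9f3">
  <input name="card_number" type="hidden" value="4111 1111 1111 1111">
  <input type="text" name="amount" value="1500.00">
</form>
<script>sessionStorage.setItem("otp", "482913");</script>`,
  setCookies: ['cvv=123; Path=/', 'theme=dark; Path=/; HttpOnly'],
};

console.log(JSON.stringify(auditResponse(SAMPLE_RESPONSE), null, 2));
```

Run against the constructed sample, the scan flags the hidden card-number field (reported masked), the `cvv` cookie and the `otp` written to sessionStorage, while the session token, the amount and the theme cookie pass. Pointing `auditResponse` at real responses captured from a staging environment gives a cheap regression check that fits into the regular vulnerability testing the guidelines call for.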
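The CAPTCHA requirement turns on where the check is done: a puzzle whose answer is embedded in the page, or which can be submitted repeatedly, adds nothing. The following is an added example, not code from the article, from the RBI or from any lender, of the server-side half: a challenge store in which the expected answer never leaves the server and every challenge is single-use and time-limited, plus a login handler that refuses to look at credentials until the CAPTCHA has passed. The `idGen` and `now` parameters, the puzzle text and the demo values are constructed so the logic can run with a counter and a fixed clock; in production `idGen` would be an unpredictable generator such as `crypto.randomUUID`.

```javascript
// Added example, not code from the article or from the RBI: a CAPTCHA
// challenge store in which the expected answer never leaves the server and
// each challenge is single-use and time-limited. idGen and now are injected
// so the logic can be exercised with a counter and a fake clock; in
// production pass crypto.randomUUID for idGen. The puzzle text is a placeholder.

class CaptchaStore {
  constructor({ idGen, ttlMs = 2 * 60 * 1000, now = () => Date.now() }) {
    this.idGen = idGen;
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map(); // id -> { answer, expiresAt }
  }

  // Issue a challenge. Only the id and the puzzle go to the browser; the
  // answer stays here, so nothing in the page source reveals it.
  issue(puzzle, answer) {
    const id = this.idGen();
    this.pending.set(id, { answer: normalize(answer), expiresAt: this.now() + this.ttlMs });
    return { id, puzzle };
  }

  // Verify on the server. The entry is removed on first use, right or wrong,
  // so a given challenge cannot be replayed or guessed at repeatedly.
  verify(id, submitted) {
    const entry = this.pending.get(id);
    this.pending.delete(id);
    if (!entry) return { ok: false, reason: 'unknown-or-used' };
    if (this.now() > entry.expiresAt) return { ok: false, reason: 'expired' };
    if (typeof submitted !== 'string' || normalize(submitted) !== entry.answer) {
      return { ok: false, reason: 'mismatch' };
    }
    return { ok: true };
  }

  // Drop expired challenges so the map does not grow without bound.
  sweep() {
    const t = this.now();
    for (const [id, e] of this.pending) if (t > e.expiresAt) this.pending.delete(id);
  }
}

function normalize(s) { return s.trim().toLowerCase(); }

// Gate a login (or payment) form on the CAPTCHA result before touching credentials.
// checkCredentials is whatever the application uses to verify the user (injected).
function handleLogin(store, form, checkCredentials) {
  const captcha = store.verify(form.captchaId, form.captchaAnswer);
  if (!captcha.ok) return { status: 403, error: 'captcha-' + captcha.reason };
  return checkCredentials(form.username, form.password)
    ? { status: 200 }
    : { status: 401, error: 'bad-credentials' };
}

// Stand-alone demo with a counter id and a fixed clock (constructed values).
let counter = 0;
const demo = new CaptchaStore({ idGen: () => 'c' + (++counter), ttlMs: 1000, now: () => 0 });
const { id } = demo.issue('3 + 4 = ?', '7');
console.log(handleLogin(demo, { captchaId: id, captchaAnswer: '7', username: 'u', password: 'p' }, () => true));
console.log(demo.verify(id, '7')); // second use -> { ok: false, reason: 'unknown-or-used' }
```

Deleting the entry before comparing the answer is deliberate: a wrong guess burns the challenge, so an attacker cannot iterate over answers against one id, and a correct answer cannot be resubmitted with a different form body. The `sweep` method exists because a store that only deletes on `verify` leaks every challenge the browser never submits.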
The RBI has also asked banks and NBFCs to put in place a policy of regularly upgrading their IT systems, based on growing customer demand for digital payments.
Over the past two years, large banks such as HDFC Bank have faced service disruptions due to rapidly increasing demand and the inability of their systems to handle the load. In November 2019, HDFC Bank also faced a power outage at its data servers in Mumbai, which prompted the regulator to impose heavy penalties on the bank. An external audit of the bank’s systems is currently underway.
According to Nitin Bhatnagar, associate director for India at the PCI Security Standards Council, the country has become an attractive target for cybercriminals and the security of cardholder data must be a top priority.
“The path to stronger payment security is through global collaboration, and organizations should start prioritizing data security as an important part of their day-to-day business operations,” said Bhatnagar.