Mobile payments aren't as safe as you may think
If 2016 was considered the year of demonetisation, 2017 will be remembered as the start of the era of payment breaches in India. As a payment forensic investigator, what concerns me is that many of these compromises could have been avoided if basic security essentials had been administered.
Payment ecosystem
The global digital payments ecosystem has witnessed a massive amount of innovation in the last decade. From a time-intensive, laborious cheque-based system to digital payments that are completed in a fraction of a second, we have come a long way. This trend is going to continue and the industry is going to witness further disruption.
Digital payments are believed to help reduce corruption, boost GDP and enhance tax compliance in various developed countries. India will also benefit by going cashless in the years to come.
Today, India has a number of cashless methods: banking cards, mobile wallets, AEPS, UPI, BHIM, micro-ATMs, internet banking, etc. Banking cards are our popular debit/credit/pre-paid cards. They have been in the system for quite long and continue to grow with an increasing number of shops and establishments accepting them.
Mobile wallets are used to make payments based on the mobile number of the other party or a QR code. UPI/BHIM and mobile wallets ride on the cell phone. The success or failure of mobile-based payments in India is something that we should keenly watch, as we operate under different constraints and opportunities.
Understanding payment security
While it is heartening to note the progress India has made on digital payments, it is equally important to realise that security of data is the backbone of this new way of life. Without security, digital payments risk breaking the very foundation of trust on which they exist. Securing the key data elements that are stored, processed or transmitted across the entire payment lifecycle is important, as these elements can be misused to commit fraud. For all its positives, digitisation of payments also creates the spectre of compromise of the data of millions of people if it is not properly protected.
Payment data can be broken into two parts: identification data and authentication data. Identification data identifies the individual (a unique card number, Aadhaar number, etc.), while authentication data is a PIN or a fingerprint that helps establish that the person is who he claims to be. Both types of data are used for payment processing and pass through a number of entities and devices before the transaction is completed. Both identification and authentication data are required to be protected at all points in time, with the latter being highly sensitive and subject to stricter requirements.
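The distinction above has a direct engineering consequence: identification data (card numbers, Aadhaar numbers) may be retained in masked form, whereas authentication data (PINs, CVVs, OTPs, biometric templates) must never be persisted at all. The following added example, which is not from the article or from SISA, shows a log sanitiser that enforces exactly that split on a transaction record before it is written to storage. The field names, the masking formats (first six and last four digits of a card number, last four digits of an Aadhaar number) and the sample record are assumptions constructed for the example.

```python
"""Sanitise a payment transaction record before storage or logging.

Identification data is masked; authentication data is dropped and reported.
Field names and masking formats are assumptions for this example.
"""
import re

# Assumed field names: identification data is masked, authentication data is dropped.
IDENTIFICATION_FIELDS = {"card_number", "aadhaar"}
AUTHENTICATION_FIELDS = {"pin", "cvv", "otp", "password", "fingerprint_template"}

# 13 to 19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
PAN_IN_TEXT = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits of a card number, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_aadhaar(aadhaar: str) -> str:
    """Keep only the last four digits of a 12-digit Aadhaar number."""
    digits = re.sub(r"\D", "", aadhaar)
    if len(digits) != 12:
        raise ValueError("Aadhaar number must have 12 digits")
    return "XXXX-XXXX-" + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask any Luhn-valid card number that leaked into free text (notes, error strings)."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_IN_TEXT.sub(_replace, text)


def sanitise_record(record: dict) -> tuple[dict, list[str]]:
    """Return (safe_record, violations).

    Identification fields are masked, authentication fields are removed entirely,
    and free-text fields are scrubbed for embedded card numbers. Each dropped
    authentication field is reported so the upstream producer can be fixed.
    """
    safe: dict = {}
    violations: list[str] = []
    for key, value in record.items():
        name = key.lower()
        if name in AUTHENTICATION_FIELDS:
            violations.append(f"authentication data '{key}' must not be stored; dropped")
            continue
        if name == "card_number":
            safe[key] = mask_pan(str(value))
        elif name == "aadhaar":
            safe[key] = mask_aadhaar(str(value))
        elif isinstance(value, str):
            safe[key] = scrub_text(value)
        else:
            safe[key] = value
    return safe, violations


# Constructed sample record: the card number is a well-known test number, the
# Aadhaar number and transaction reference are made up for the example.
SAMPLE_RECORD = {
    "txn_id": "TXN20170915",
    "card_number": "4111 1111 1111 1111",
    "aadhaar": "2345 6789 0123",
    "pin": "1234",
    "amount": 499.00,
    "note": "retry for card 4111111111111111 ref TXN20170915",
}

if __name__ == "__main__":
    safe, problems = sanitise_record(SAMPLE_RECORD)
    print(safe)
    for p in problems:
        print("VIOLATION:", p)
```

The scrub of free-text fields matters in practice because card numbers most often leak through retry messages, stack traces and support notes rather than through the field explicitly named for them; requiring a Luhn-valid match keeps transaction references and timestamps from being masked by mistake.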
Breaches around you
While digital payments have grown organically and inorganically (with demonetisation) over the last several years, India has begun to witness its share of payment security breaches. Some of these, like the debit card breach, the UPI compromise, the inter-bank transfers hack or the hack of a leading mobile wallet company, are publicly known. But beyond these, a number of payment breaches go unreported due to the lack of public disclosure norms in the country.
Recent breaches like Equifax in the US have proven that payment data is held not just by processors but also by third parties like credit-rating agencies, and a compromise can happen to any entity in the ecosystem. We, as payment security specialists, see an alarming increase in the number of breaches in the country. Unless immediate action is taken, we are going to see these breaches continue unabated.
The responses to these breaches and concerns so far have been mixed. A few organisations have taken it upon themselves to secure their infrastructure, while most in the ecosystem say, "This is someone else's problem; we are secure."
On the regulatory side there is some action, but there is a lack of effective enforcement. For example, a 2013 RBI guideline says that banks are required to adhere to payment security standards (PCI DSS), but compliance rates amongst banks are still in single digits. Even the banks that comply end up restricting the scope, undermining their very compliance.
For mobile wallets, RBI has issued a few guidelines on getting a security audit conducted, but without a benchmark payment security standard for each of the cashless methods. This allows each of the players to define "what is secure", making the exercise ineffective.
Payment breaches are borderless, and we in India need to learn from all the breaches that have happened globally apart from our own set of breaches.
The need for standards
What is required urgently is iron-fisted enforcement of payment security standards, such as adopting international payment security standards across cashless systems. For cashless methods that are unique to India, like UPI, BHIM and AEPS, there is a need for an expert committee to study the current set of international payment security standards and see how they can be adopted with a few modifications.
It is heartening to note that the government is mulling a Digital Payments Act with inter-ministry representatives, and we hope that it constitutes a panel of digital payment security experts who can help devise standards to address this issue.
A simple mandate that organisations need to secure payment data is not going to work unless we clearly define the standards that every entity in the ecosystem is required to follow. The expert committee should review international payment security best practices, open them up for public opinion and come out with a clear and decisive mandate that will foster payment innovation in a secure environment.
We also see a growing trend of innovation that happens by lowering the security posture. This has to be discouraged, and the only way to do so is by laying down ground rules of security that cannot be compromised, enforced through security standards.
Timely enforcement of payment security standards will help us not only build a secure digital payment ecosystem but also achieve the country's dream of going cashless. If we fail to harness security as part of our digital payments mission, we would be only setting our clock backwards rather than forward.
(Dharshan Shanthamurthy is a payment security specialist and works as the Chief Executive Officer of SISA. The views expressed are personal. This article is from our Cyber crime special series '