The approach to security standards for innovative payments in India


1 The approach to security standards for innovative payments in India
Second meeting of the CPSS - World Bank Forum on retail payments
February 2012, Miami
G. Padmanabhan, Reserve Bank of India

2 "To ensure that all the payment and settlement systems operating in the country are Safe, Secure, Sound, Efficient, Accessible and Authorised".

3 Payment Systems - security & innovation
Large Value Payment Systems (LVPS)
- Systemically Important Payment systems (SIPS)
- Global standards
- Secure, safe and efficient
- Closed user group - dedicated network
- Confidence of markets - financial stability
Retail Payment Systems - RPS
- Security and innovation - evolving process
- Public confidence
- Move towards less cash society
- Country specific measures
- RBI approach
  - System based
  - Product based

4 Retail Payment Systems (RPS) - System based
(i) Existing systems
- Business rules and regulations
- IT/IS audit by system operators and auditors
- Audit compliance verified by regulators
(ii) New systems
- Pre-authorisation audit of systems and procedures
- Compliance with product security requirements

5 Product based Retail Payment Systems (RPS)
(i) Critical mass already achieved - action points
- Improve the security standards - new measures
- Increase public confidence
- Balance between convenience and security
- Risk-reward trade off
(ii) Innovation resulting in new products - action points
- Eagerness of consumers - feeling of safety & security
- Easy to use factor - anytime anywhere - convenience
- Bank-Non bank interface
- Associated cost vis-a-vis existing products
- Emphasis on safety, security and convenience, costing
- Cash-plus security
- Encouraging move towards less cash society

6 Retail Payment Systems (RPS)
Security of Retail Payment Systems (RPS) - Indian Approach
- Aimed at building customer trust in the payment systems by protecting his funds
- PSS Act legislation and the System of Authorisation
- System to ensure that no transaction is effected in a customer account without his knowledge and authorisation
- Alerts to customer for all transactions in his account irrespective of the size of transaction
  - Presently mandated for card-based transactions
  - May get extended to all account transactions in future
- Instant response to SMS alerts in case of an unauthorised transaction for blocking further transactions (Being examined)

7 Indian scenario - paper based
- Average daily cheque volume mn (3rd largest in the world)
Need for enhancing security
- Safety and security under imaging environment
- Lack of uniformity in designs and security features of cheque forms
- Re-engineering and automation
Measures - CTS-2010 Standards
- Enhancing the integrity of images under CTS
- Mandatory security features - CTS-INDIA watermark; bank's logo in UV ink; void pantograph (an anti-copying feature); micro-lettering
- Optional features as per risk perceptions of banks - supplementary watermark embedded fluorescent fibres, tamper proof measures: toner fusing, bleeding ink; use of UV band on sensitive and key areas of interest on a cheque; hot stamped holograms etc.

8 Indian scenario - electronic Retail Payment Systems
National Electronic Funds Transfer (NEFT)
- Near real-time: 11 hourly settlements on weekdays and 5 settlements on Saturdays
- IT Act 2000 compliant
- End-to-end PKI encryption at transaction level
- SHA compliant
- Server to server PKI based handshake
- Smart card login by operators
- 4-eye principle; Maker-checker
- Customer convenience - Positive Confirmation to originator for successful credit to beneficiary's account

9 Indian scenario - card based
General principles
- System to ensure that no card transaction is effected in a customer account without his knowledge and authorisation
- Alerts to customer for all card transactions in his account irrespective of the size of transaction
- Aimed at building customer trust in the payment systems by protecting his funds
Security measures - card not present transactions
- 2FA for all CNP transactions based on information not available on the card
- 2FA extended to IVR (Feb 2011) and MOTO transactions (May 2012)
Security measures - card present transactions
- Security of CP transactions looked into by a representative Group and a 2FA system mandated

10 Indian scenario - delivery channels
Security measures at delivery channel - ATM
- Need for PIN validation for all successive transactions at ATMs
- Cash retraction facility being withdrawn
Security measures at delivery channel - Mobile
- Minimum security and technology standards
- Authentication - use of mPIN or any higher standard
- End-to-end encryption - Transaction up to Rs.5000/- (USD100) exempted

11 Innovation & security - continuing agenda
Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Chairman: G. Gopalakrishna)
- The major recommendations pertain to IT Governance, IT Operations, Information security, IT outsourcing, IS audit, Cyber fraud, Business Continuity Plan, Customer education and legal issues.
- Setting up of Information security policies
- Board approved Information security policy
- Risk assessment is the core competence of information security

12 Innovation & security - continuing agenda
Advisory Group on online payments (Chairman: Mr. Kiran Karnik)
With the spread of the internet and improving connectivity in the country, there would be newer issues emerging that relate to online payments through internet or mobile, hence the following measures are considered necessary:
- Address technology and security issues of online transactions
- Exercise due diligence and adoption of best practices by banks
- Incentivize online adoption with specific programs like those implemented in Korea with the help of the Government
- Create awareness on safety and security for the online consumer.

13 Innovation & security - continuing agenda
Working Group on Securing Card Present Transactions
- Securing the Technology Infrastructure
  - 1a. Unique Key per Terminal (UKPT) or Derived Unique Key per Transaction (DUKPT)
  - 1b. Terminal Line Encryption (TLE)
- Improving Fraud Risk Management Practices
- Strengthening Merchant Sourcing and Monitoring Process
- Introducing an Additional factor of authentication: Debit Cards. Also includes fully prepaid (Open) Cards
- Introducing an Additional factor of authentication: Credit Cards
- Consider Aadhaar (biometric authentication) as additional factor in lieu of PIN along with Magstripe cards, review of scalability of biometric authentication by December 2012
- If Aadhaar not scaled up - move to Chip & PIN.

14 Way forward
- Convergence of channels for accessing payment services - security challenges thereof
- Increasing number of non-banks and other service providers in the retail payment space (both for prepaid instruments and e-commerce)
- Wide range of payment instruments to access a single bank account
- High level of innovations (continuing) in the Retail Payments Space
- Thin line of distinction between technology service providers and PS operators posing difficulties in imposing security standards, for technology, user experience and handling of funds of users.
- Defining the responsibility of all the participants in the system including the end-user.
- Ramifications of innovative product offerings
- Analysing risk
- Improving security
- Periodic IS audits
- The remoteness of the operators and the lack of transparency in such systems
- Customer awareness and education
- Co-ordination with government, security experts, industry bodies

15 Thank You