Cyber Security Essentials for Safe and Secure Digital Payments
Jose Thattil, CEO of Phi Commerce, says: “Digital payment transactions in the country crossed the 1 billion mark in Dec 2017. This upward trend is going to continue with more and more cash dominated sectors opening up for digital payments. As such, adoption of above recommended practices will definitely go a long way in fostering safe and secure digital transactions”.
Transactions, including digital payments, using IMPS, UPI, debit and credit cards, wallets and mobile banking have seen a tremendous increase, especially in the last year. The volumes (in millions) and values (in INR billions) processed across the various channels and instruments in the last 12-14 months are as follows:
Adoption of these instruments and channels is more prevalent among the younger generation and upwardly mobile sections of demographic groups across India, and the use of mobile devices to initiate digital transactions, especially payments, has grown explosively. This explosive growth brings to the fore certain practices, guidelines and precautions that should be observed when transacting over the internet or mobile networks.
Here is a list of some of the key cybersecurity essentials, with the aim of promoting safe and secure digital transactions:
· Secure networks – transact using net banking, mobile banking and other mobile payment apps only over secure Wi-Fi and/or local area networks. Free Wi-Fi and unsecured LANs are potential points of intrusion into customers’ devices (laptops, tablets, smartphones).
· Download apps from secure app stores – apps that allow transacting digitally should only be downloaded from trusted app stores, e.g. those run by Google, Apple and the like. These app stores have a process for verifying that applications originate from trusted sources.
· Preference for two (or more) factor authentication (2FA) – strongly encouraged when transferring money or making payments. Most banks’ net banking and mobile banking systems support passwords/PINs and provide an additional layer of security by way of One Time Passwords (OTPs) or biometric authentication. Applications that automatically capture and use OTPs should be avoided. Use of PINs or biometrics to unlock smartphones is strongly encouraged.
· Storage of card details – storing card details for automatic debits/payments should be avoided unless the site that requests and stores them is trusted. Many ecommerce, taxi hailing and e-wallet sites and/or apps request such data; it must be shared with care. It is worthwhile to determine whether such sites comply with the standards laid out by the RBI and/or the Payment Card Industry (PCI).
· Use of emails and text messages – using them to verify that transactions were originated by the customer is encouraged, as is calling the customer care centres of banks and payment companies whenever a discrepancy or potential fraud is noticed. Early contact with call centres also protects the customer from potential liability.
· Tokens – apps that support tokenization of critical data are strongly recommended. Samsung Pay and Android Pay are examples of applications that tokenize payment card data, replacing it with a token or number that is completely different from the customer’s payment card number. Payment card details cannot be derived or reverse engineered from these tokens. The recent announcement by UIDAI enabling tokens for Aadhaar numbers is a welcome step and of much benefit in e-KYC as well as AEPS-enabled transactions.
· Use of aliases – instant payment technologies such as UPI (Universal Payment Interface), in which only virtual addresses, and not actual account details, are used to push fund transfers or to request payments, are a great way of securing the account details of transacting parties. Customers are thus encouraged to use such alias-based payment mechanisms.
· Data protection and privacy – the draft data protection framework released by MeITY will go a long way in giving customers confidence that confidential and private information can only be used with their consent, and that customers have recourse to ensure such information cannot be used if they have not agreed to it.
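The indirection described under Tokens and Use of aliases, reduced to a toy token vault in Python, is added here as an example; it is not code from the article or from any provider it names. The token is drawn at random and linked to the card number only inside the vault, so a merchant holding the token learns nothing about the card. The Luhn check, the class and function names, and the 4111... test number are my own assumptions.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    # Walk from the right; digits at even offsets from the (missing) check
    # digit are doubled, and any result above 9 has 9 subtracted.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the string is a well-formed Luhn number (as card PANs are)."""
    return number.isdigit() and len(number) > 1 and \
        luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Constructed stand-in for a tokenization service (hypothetical, not a real API).

    Only the vault holds the token <-> PAN mapping; a real vault would keep the
    PAN side encrypted at rest. Merchants and wallets see tokens only.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:           # same card -> same token in this vault
            return self._pan_to_token[pan]
        while True:
            # Token body is random, so nothing about the PAN is encoded in it;
            # the Luhn digit only keeps the token card-shaped for legacy systems.
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. the issuer/network side) can map back to the PAN."""
        return self._token_to_pan[token]
```

The same mapping pattern is what a UPI virtual address does for an account number: the alias is what counterparties see, and only the payment system resolves it.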