Introduction
On March 08, 2017, the Union Ministry of Electronics and Information Technology issued draft guidelines for electronic payment transactions made through prepaid payment instruments (PPIs), such as mobile wallets, smart cards and paper vouchers, under the provisions of the Information Technology Act, 2000. The draft, titled the “Draft IT (Security of Prepaid Instruments) Rules, 2017”, has been opened for wide consultation, and the Ministry has invited comments from the general public and stakeholders by March 20, 2017, before the rules are enacted.
Purpose of the Rule
The purpose behind issuing these draft guidelines is the Union Government's serious intention to promote a cashless economy, i.e. electronic payments, and to ensure the confidentiality, integrity, safety and security of transactions carried out through PPIs, popularly known as e-wallets, across the digital payment systems of the various digital wallet companies. Once enacted, these draft rules shall apply to all digital wallet companies, such as Paytm, FreeCharge and Mobikwik, as well as to those issuing smart cards, paper vouchers, magnetic strip cards, internet wallets, mobile accounts, mobile wallets or any such instrument.
Guidelines of the Draft
Robust Risk Management System
These companies must develop a robust risk management system and carry out a risk assessment to identify the security risks involving data protection as well as the safety of the funds involved; besides this, they must ensure adequate due diligence before issuing PPIs. These companies must also establish a mechanism to monitor, handle and follow up on cyber incidents and breaches that may occur.
Review and Revamp of the security measures
The digital wallet companies shall review and revamp their security measures in the light of grievances, incidents and breaches, before any major change in their infrastructure or procedural methodology, and in any case at least once a year. These companies shall store user information, such as the customer's address and contact number, and financial data, such as the customer's bank balance, for a specific period of time to be decided by the Union Government. They cannot disclose this user information to anyone without the prior consent of the Government, except where they are required to disclose a user's information to the statutory authorities.
These companies must adopt two-factor authentication for transactions and must identify customers at the time of registration. In specific cases, the Union Government may “exempt” a transaction from the two-step authentication requirement.
Overall, these guidelines make clear that although all payment instruments are regulated under RBI rules and regulations, the rules governing electronic transactions carried out through PPIs shall be regulated under the IT Act, 2000, together with the IT (Security of Prepaid Instruments) Rules, 2017.