The Ministry of Electronics and IT has sought suggestions from the stakeholders by March 30, 2017 on draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 aimed at securing digital transactions and addressing customer and privacy protection issues.
According to the draft rules, issuers of prepaid payment instruments (PPIs) such as mobile wallets will have to disclose their privacy policies on their websites, including on the use and sharing of information collected from customers as well as how long this information is stored.
Personal information such as addresses, telephone numbers and financial details of customers cannot be disclosed without their prior consent, according to the draft.
PPIs, which are issued as smartcards, magnetic strip cards, internet wallets, mobile accounts, mobile wallets or any such instrument, can be used to access prepaid amounts.
The rules require issuers to ensure end-to-end encryption of data exchanged and emphasize that electronic transactions conducted by customers should be traceable by issuers. They also mandate that every e-PPI issuer should set up a mechanism to monitor, handle and follow up on cyber security incidents and breaches.
PPI issuers will have to report cybersecurity breaches to CERT-IN, the nodal agency dealing with cyber threats. The rules come in the wake of a surge in phone banking and electronic payments as India moves towards a less-cash economy following the invalidation of old high-value currency notes on 8 November.
The financial data of the customer shall be deemed to be sensitive personal data or information for the purposes of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and every e-PPI issuer shall maintain and implement the practices and procedures prescribed in those rules, says the draft rule.
Every e-PPI issuer shall have adequate processes in place to ensure that all interactions with customers or other service providers in relation to accessing payment accounts or initiating payments can be appropriately traced.
Further, every e-PPI issuer shall retain data relating to electronic payments only for such period as may be specified by the Central Government.
The draft rules also say that e-PPI issuers shall assist customers with regard to secure use of prepaid payment instruments and they shall provide customers with all requisite information relating to security of prepaid payment instruments.
On Security Standards, the draft rule says, ‘The Central Government may, by notification, specify the security standards to be adopted by e-PPI issuers for compliance with any or all these rules.’
Also, if no standards are specified, the Central Government may make any other security standards applicable to e-PPI issuers for security of the payment systems operated by them.
By Baishakhi Dutta