Payments Security: Assessing the Challenges
Panel Discusses How to Secure New Form Factors
Over the past two years, the Indian financial sector has witnessed the dawn of a new age of payments, with many changes in the mobile realm. The industry and customers were accustomed to traditional forms of payment (credit and debit cards, checks and cash) with little to no changes for how transactions were processed.
However, things are changing, say experts at the SISA Summit 2016 held recently in Mumbai, who discussed the topic "New Age in Payments": the new payment form factors reaching India and the security challenges inherent in them.
The panelists included moderator Dharshan Shanthamurthy, CEO, SISA Information Security; Bharat Panchal, head of Risk Management & CISO, NPCI; Vishwas Patel, CEO, Avenues India Pvt. Ltd.; Joel Divekar, GM-Dev Ops, BookMyShow; Rana Sinha Ray, Sr. VP & Head of Technology, Times Money; and Amrish Jain, Head of Technology, Innoviti. The panel says there are more ways than ever to pay for your next transaction or bill, as consumers adopt these innovations for ease of payment.
These new options range from Near Field Communication and Radio Frequency Identification technology to mobile wallets (Apple/Android/Samsung Pay, or Google Wallet) and even social payments such as the 'Pay with Amazon' button. Payments innovation has only increased the challenges for security practitioners.
"In the last two years, the industry has witnessed a new age in payment with new form factors, even as the financial services industry faces disruption," says SISA's Shanthamurthy. "The rise of smartphones, payment bank licenses to private players, Unified Payment Interface from National Payment Corporation of India (NPCI) and other innovations will lead to disruption," he says.
Analysing New Age Payment Forms
Security leaders agree that the new form factors have been embraced by the people and enterprises at large, resulting in this disruption.
Innoviti's Jain points out the visible changes in the e-commerce industry, which witnessed a 40 percent increase in mobile transactions. "However, the mobile payment gateway also increased security risks," he says.
Promising technologies such as a unified payment architecture cut across the cash-on-delivery model Indians traditionally embrace, and virtual cards are gaining momentum, he says.
However, the biggest challenge is to have contingency plans for the growing number of new forms of payment. "CISOs must establish the balance between ease of use and data security as new technologies roll in," says Jain.
The challenges will multiply in the future, as the Reserve Bank of India says the number of mobile transactions surged to 94 million in 2013-14, compared with 53 million in 2012-13. This will only soar, given the 900 million Indian mobile phone users.
BookMyShow's Divekar sees increased use of mobile wallets, virtual cards and m-banking, with over 90 percent of the scheduled commercial Indian banks now adopting m-banking.
"Practitioners must prepare for future trends as enterprises start transacting in bitcoins and cryptocurrency and work at the backend as per the market demand," says Divekar.
Experts say that although mobile wallets are still in their infancy in India (an estimated market of $144 million in 2012), the market will grow more than 50 percent in the next two years.
Avenues's Vishwas Patel agrees, saying that the widespread use of chip cards and mobile payments has transformed the way transactions are made, while new platforms such as Immediate Payment Service (IMPS) and UPI have encouraged small and large businesses alike to move online and address a broader market base.
"The only challenge is to make room for new EMV cards and latest technologies which are safe and secure," he says.
"We bank on disruptive technologies to make the country a cashless society," says NPCI's Panchal, adding that UPI is definitely a game-changer, given that IMPS is a well-established, secured gateway.
Times Money's Ray sees two trends from an e-commerce standpoint. "Cash on delivery and mobile wallets are making an impact, and virtual cards are slightly cumbersome when it comes to establishing security," he says.
What About Security?
While bitcoins, virtual cards and cryptocurrency are still not a legal mode of payment in the country, m-payments, m-banking, prepaid cards, mobile wallets, mobile Point of Sale, IMPS, ATMs, payment gateways, etc., have increased security challenges.
RBI says that while the number of fraud cases declined from 24,791 in 2009-10 to 13,293 in 2012-13, the amount involved increased substantially, from $250,000 to $1.5 million.
The RBI report says 65 percent of the total cases reported by banks were technology-related fraud incidents (committed through/at an internet banking channel, ATMs and credit/debit/prepaid cards), whereas advance-related frauds accounted for a major proportion (64 percent) of the total amount involved in fraud.
These trends only add to the security challenges.
Security leaders argue that a well-established two-factor authentication approach is recommended for all new payment forms.
Panchal argues, for instance, that UPI is a standardized, adoptable, secure and cost-effective interface. "Once formulated, the standardized API, designed for enabling different forms of payment beneficial for mobile application and other channels, can be integrated into the NPCI infrastructure," he says.
Shanthamurthy says that with either UPI or IMPS, security is ensured as account holders can send and receive money from their smartphones with a single identifier - the Aadhaar number (a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India, GoI).
"This serves as proof of identity and address anywhere in India, mobile number, virtual payments address - without entering any bank account information. It's essentially a single-factor authentication process," he says.
Some security controls experts recommend to ensure secure transactions include:
- 256-bit encryption for communication between client and server;
- All transfers requiring a one-time password validation sent to the customer's registered mobile number/email ID;
- Recipients must register to receive the funds within a specific time period. Otherwise, the transaction expires (funds are transferred back to the payer);
- Every enterprise's website needs to be monitored for phishing by a 24x7 security operations center.
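The second and third controls above describe a transfer flow: the payer confirms with a one-time password sent to a registered channel, and the funds are held until the recipient registers within a fixed window, after which they revert to the payer. The following is an added example that is not from the article or from any panelist's organization; it assumes a hypothetical escrow ledger (`TransferService`) with an injectable clock so expiry can be exercised, constructed account names and balances, and one-time passwords derived with HMAC from a server-side secret. Delivery of the OTP over SMS or email is outside the example, so the code is returned to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy constants chosen for this example (not values stated in the article).
OTP_TTL_SECONDS = 300              # payer must enter the OTP within 5 minutes
OTP_MAX_ATTEMPTS = 3               # lock the transfer after three wrong codes
CLAIM_WINDOW_SECONDS = 24 * 3600   # recipient must register within 24 hours


@dataclass
class Transfer:
    transfer_id: str
    payer: str
    payee: str
    amount: int            # smallest currency unit (e.g. paise)
    state: str             # AWAITING_OTP -> PENDING_CLAIM -> COMPLETED | EXPIRED | LOCKED
    otp_expiry: float
    claim_deadline: float = 0.0
    attempts: int = 0


class ManualClock:
    """Hypothetical clock whose time the caller advances explicitly."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t


class TransferService:
    """Escrow-style ledger: OTP-confirmed transfers with time-limited recipient claims."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.balances: dict[str, int] = {}        # only registered accounts appear here
        self.transfers: dict[str, Transfer] = {}
        self._otp_key = secrets.token_bytes(32)   # server-side secret for OTP derivation

    def open_account(self, owner: str, balance: int) -> None:
        self.balances[owner] = balance

    def _otp_for(self, transfer_id: str, expiry: float) -> str:
        # Bind the 6-digit code to one transfer and its expiry so it cannot be replayed
        # against another transfer; the key never leaves the server.
        msg = f"{transfer_id}:{expiry}".encode()
        digest = hmac.new(self._otp_key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def initiate_transfer(self, payer: str, payee: str, amount: int) -> tuple[str, str]:
        if amount <= 0 or self.balances.get(payer, 0) < amount:
            raise ValueError("insufficient funds")
        now = self.clock()
        tid = secrets.token_hex(8)
        self.balances[payer] -= amount            # funds leave the payer and sit in escrow
        t = Transfer(tid, payer, payee, amount, "AWAITING_OTP", now + OTP_TTL_SECONDS)
        self.transfers[tid] = t
        return tid, self._otp_for(tid, t.otp_expiry)   # OTP would go to the registered channel

    def confirm_transfer(self, transfer_id: str, entered_otp: str) -> str:
        t = self.transfers[transfer_id]
        now = self.clock()
        if t.state != "AWAITING_OTP":
            return t.state
        if now > t.otp_expiry:                    # stale OTP: unwind the transfer
            return self._refund(t, "EXPIRED")
        t.attempts += 1
        expected = self._otp_for(transfer_id, t.otp_expiry)
        if not hmac.compare_digest(expected, entered_otp):   # constant-time comparison
            return self._refund(t, "LOCKED") if t.attempts >= OTP_MAX_ATTEMPTS else t.state
        if t.payee in self.balances:              # recipient already registered: settle now
            self.balances[t.payee] += t.amount
            t.state = "COMPLETED"
        else:                                     # otherwise hold until they register
            t.state = "PENDING_CLAIM"
            t.claim_deadline = now + CLAIM_WINDOW_SECONDS
        return t.state

    def register_recipient(self, owner: str) -> list[str]:
        """Open an account and credit every transfer still waiting for this recipient."""
        self.balances.setdefault(owner, 0)
        self.sweep_expired()                      # lapsed claims go back to the payer first
        claimed = []
        for t in self.transfers.values():
            if t.state == "PENDING_CLAIM" and t.payee == owner:
                self.balances[owner] += t.amount
                t.state = "COMPLETED"
                claimed.append(t.transfer_id)
        return claimed

    def sweep_expired(self) -> list[str]:
        """Return escrowed funds whose OTP or claim window has lapsed; run periodically."""
        now = self.clock()
        expired = []
        for t in self.transfers.values():
            if (t.state == "PENDING_CLAIM" and now > t.claim_deadline) or \
               (t.state == "AWAITING_OTP" and now > t.otp_expiry):
                self._refund(t, "EXPIRED")
                expired.append(t.transfer_id)
        return expired

    def _refund(self, t: Transfer, final_state: str) -> str:
        self.balances[t.payer] += t.amount
        t.state = final_state
        return t.state
```

Funds are debited at initiation so a payer cannot double-spend the same balance while an OTP or claim is outstanding, and every terminal state other than COMPLETED returns the escrowed amount to the payer, which is the "transaction expires" behaviour the panel describes. `sweep_expired` is what a scheduled job would call; `register_recipient` calls it first so a recipient who shows up after the deadline does not collect funds already returned.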
"Security is addressed proactively and not as an afterthought," says SISA's Shanthamurthy. "Centralized cybersecurity vision on how to implement security at every step is discussed at the top level by regulators."