HDFC's PayZapp Payment Platform Debuts

Secure Development and Framework to be Key Differentiators
HDFC Bank, one of India's leading private sector banks, has released its one-click payment platform called PayZapp, which is expected to be positioned as an all-in-one mobile payments platform as part of HDFC's 'GoDigital' strategy.
PayZapp is one in a long line of payments-related mobile apps hitting the Indian market today, from banks and other providers [See: Kotak Launches New Payments Service].
However, the PayZapp platform may be a game changer, adopting the unique approach of providing a payments channel that authenticates users directly with the bank's systems, seeking to eliminate the multiple steps required to authorize a transaction in mobile e-commerce today.
"Indian mobile e-commerce merchants are facing high dropouts on mobile payments because of the multiple hops involved in closing any transaction, which is the norm today," says Parag Rao, Business Head, Cards, Payment Products and Merchant Acquiring Services at HDFC Bank.
This traditional process also opens up the possibility of compromise of sensitive information such as card data, at each step of the payment process, he says.
At a press conference held in Mumbai on 16 June, Rao announced that the platform intends to leverage HDFC's huge merchant partner-base and its strong position in the market as merchant acquirer to secure traction for the platform. HDFC acquires over 40 percent of all merchant transactions physically, and 50 percent of all online e-commerce transactions in India.
PayZapp has been designed as a unified payments platform that offers an alternative to existing third-party payment gateways and the pre-paid wallet eco-system in use by merchants. With PayZapp, mobile e-commerce merchants partnering with HDFC will no longer need to depend on third-party gateways to acquire and authenticate such transactions, eliminating middlemen, Rao says.
Moreover, this system removes the need for the conventional multi-step two-factor authentication flow without compromising security: the user needs only a single PIN in addition to having the PayZapp app installed, he says. PayZapp is compliant with RBI's two-factor authentication requirements. The platform has been developed in a modular fashion to accommodate new services going forward.
Beyond just providing a transaction channel, PayZapp also provides a built-in storefront aggregating goods and services from all partners existing on its 'SmartBuy' platform, an online marketplace, which comes integrated into PayZapp, and others, Rao says. The PayZapp platform can also be used to transfer money to anybody, using a mobile number or an email address. PayZapp also provides for the creation of NetSafe Virtual Cards with limits defined by the user.
Security is the Priority
Rao says security has been built in at the development level, with the platform employing security features such as dynamic linkages, device mapping and end-to-end ACH data encryption. He says that tokenization and host card emulation are also expected in later versions. Moreover, no data is stored on the device; it is instead saved on the bank's own secure servers, Rao informs.
PayZapp will leverage the bank's core IT infrastructure, which adheres to stringent guidelines, policies, audits and compliance, as prescribed by the RBI and the best practices followed by HDFC Bank, he says. The platform's built-in security, coupled with HDFC's robust security track record, will prove a compelling argument to prospective users, Rao believes.
A security thought leader at a leading government entity in the financial space endorses the view that a system that leverages a bank's validated know-your-customer (KYC) database will eliminate many of the issues plaguing mobile payment systems today, in addition to providing reliability.
"To a merchant leveraging a mobile payment platform provided directly by a bank, authentication is implied in principle, as is accountability and security, as compared to an open-ended platform," he says.
As the bank has direct control over the payments platform, checks and balances are in place, and application security is taken care of, he says. He is bullish on the idea overall. However, given that it is early days for such platforms, the security challenges are yet to be fully articulated, he cautions. "We will have to wait and watch how the platform and usage matures," he says.
Sources at HDFC say that while most of the bank's apps are not developed in-house, the bank employs a stringent audit and testing mechanism for its apps, which are custom built by third-parties. Each iteration of an app is sent to the information security team for testing before release. The CISO's team then employs independent AppSec companies to conduct audits of these apps before the go-ahead for release is given by management.
Sameer Ratolikar, CISO at HDFC Bank, says that PayZapp has gone through the bank's noted Information Security Framework, a body of policies HDFC Bank has developed in-house, drawn from global best practices and standards. "The risks have been mitigated to a reasonable level," he says.
The CISO's team scrutinizes each app release to ensure it fulfils the bank's existing compliance requirements and standards, the source says, and a sign-off from InfoSec is essential. The team is not directly involved in the development, although it provides close support and guidance. Even though there are no RBI guidelines for mobile payments, given that no bank at present provides such services, the platform adheres to existing guidelines and security standards for protecting customer information and infrastructure, Rao says.
Rao says that in its initial phase, the app will be pushed to HDFC's 30 million customers in India. He expects many integrations and features to be announced going forward. There are plans to roll this out to non-HDFC users as well; however, no timeline has been shared. PayZapp v1.1 is only available for device-based transactions at present and has only been released for the Android platform. An iOS version is expected shortly, Rao informs. HDFC also operates an account-to-account transfer platform called 'Chillar'.