The Ministry of Electronics and Information Technology has issued a draft rule titled Information Technology (Security of Prepaid Payment Instruments) Rules 2017 on March 8, 2017 for digital wallet firms like Paytm, FreeCharge and Mobikwik.
- The MeitY has formulated the draft rules for security of Prepaid Payment Instruments (PPIs) under provisions of IT Act 2000.
- The Rules mention various security parameters that digital wallet companies will have to follow and specify standards for data protection and customer grievance redressal.
- The need for a framework for the security of various PPIs such as mobile wallets, smart cards and paper vouchers operating in the country arose from the government’s increased effort to promote a cashless economy and boost digital payment systems.
- Aim: To ensure adequate integrity, security and confidentiality of electronic payments made via digital wallets and to strengthen the grievance redressal mechanism for consumers.
- Government has also sought feedback from various stakeholders. The draft is open for public consultation and will close on March 20, 2017.
Salient Features of the IT (Security of Prepaid Payment Instruments) Rules 2017
The Rules mandate that each Prepaid Payment Instruments (PPI) company or wallet firm will have in place and publish on its website and mobile applications the privacy policy and the terms and conditions for use of the payment systems operated by it in simple language, capable of being understood by a reasonable person.
- Companies will also have to appoint a chief grievance officer whose contact details will have to be displayed on the website.
- The grievance officer will be required to address any complaint within 36 hours and close it in a month’s time.
- Companies should also have adequate technological safeguards to prevent hacking attacks on their platforms, and any such event is to be swiftly reported to government agencies like CERT-In.
- The draft rule also specifies that e-PPI issuers should follow adequate due diligence procedures and identify users prior to onboarding them on their respective platforms.
- The companies will also have to establish a mechanism for monitoring, handling and follow-up of cyber incidents and breaches.
- The security policies should also be reviewed once a year by the firms and in case of any breach, the company will have to revamp its policies.
- The companies will also have to adopt a two-factor authentication process for transactions. The government may by notification exempt digital wallets from requiring two-factor authentication in specific use cases.
- Besides, the wallet companies will now also have to disclose the kind of information they are collecting from customers and with whom they are sharing such information, and will be allowed to store it only for a period specified by the government.
- This data will also have to be encrypted end-to-end in order to safeguard customer data, especially financial data, such as bank balances.
- The guidelines also mandate that CERT-In (Indian Computer Emergency Response Team) shall notify the categories of incidents and breaches that are required to be reported to it mandatorily.
- The personal information of the customers will be treated under Section 72A of the Information Technology Act, and the financial data of the customer under the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011”.
Some of the Digital Wallet Companies in India
PayTM, Momoe, PayUMoney, MobiKwik, State Bank Buddy, Citi MasterPass, ICICI Pockets, HDFC Chillr, LIME