Fintech Security for India’s Digital Payments Future
Imagine handing over your debit card for a transaction only to discover that it’s been blocked. Then, picture learning your bank has blocked your card because it was used in a country you’ve never visited.
This scenario happened last fall in India, when banks began receiving reports of customer debit cards being used for transactions in China. Fearing a fintech security breach, banks and government agencies investigated. A total of 641 customers of 19 banks were victims of fraudulent transactions totaling 13 million rupees ($194,612), according to Reuters. By October, banks disclosed that as many as 3.25 million customer cards may have been stolen when attackers breached the systems of a payment services provider.
Citing tax collection challenges, India’s government has taken big steps toward banking and finance digitization. About a month after acknowledging the debit card breach, India’s government removed 500 and 1,000 rupee notes from circulation and capped bank account withdrawals, according to NPR. The change rocked India’s cash-dependent business community and sent customers scrambling in a country where relatively few people have debit cards.
To boost its economy, India needs increased customer confidence in debit cards and digital payment options. According to the BBC, only 10 digital transactions per person are carried out in India, compared with 163 in Brazil and 429 in Sweden. As reported by News18, in February 2017, India announced a Computer Emergency Response Team for the financial sector (CERT-Fin) to improve banking cybersecurity. While anticipating what CERT-Fin will accomplish, enterprises should start preparing for India’s digital payments future.
Fintech Security for India’s Businesses
Emerging markets like India provide major growth opportunities, but betting on growth also means accepting risk. Most developing countries lack security infrastructure, concrete regulations and programs to educate citizens about cybersecurity. By communicating with regulatory authorities, like India’s Finance Ministry or the Reserve Bank of India (RBI), you can stay on top of banking and fintech security regulations. However, remember that India is in the earliest stages of developing policy around fintech security, and existing guidelines can be confusing.
As Lexology explains, there are no specified requirements for disclosing a breach to Indian customers, although you must disclose to RBI, the existing CERT team or the Institute for Development and Research in Banking Technology. Laws may contain vague language, and specifics haven’t been established by agencies, legislators or courts. In the U.S., for example, the Fair Credit Billing and the Electronic Fund Transfer Acts govern fraud reporting deadlines and maximum cardholder liability for all banks and payment services providers. In India, each bank and payment services provider has its own unique policy; there are no unified federal rules that govern all businesses.
ISO reports that Section 43A of India’s Information Technology Act lists ISO 27001, a universally recognized security standard, as a reasonable practice. Therefore, it’s prudent to maintain ISO 27001 compliance to minimize payment fraud liability. Likewise, use PCI DSS guidelines for payments processing, something your organization is probably already doing in other parts of the world. As India develops its cybersecurity laws, the government will most likely imitate what already works in other countries.
Because of low debit card penetration in India, many consumers and vendors will prefer mobile payments solutions. Unfortunately, security varies widely between mobile payment providers; for example, some encrypt transaction information, while others don’t. Accept mobile payments from trusted providers, and only work with emerging providers who’ve developed their systems with expert help. A local mobile payment provider that has developed systems in partnership with MasterCard or Visa presents less risk to your business.
Get Ahead of the Rules
If you’re in banking in India, don’t wait for the government to decide what to do. Establish common-sense banking solutions that protect you from debit card fraud losses. Additionally, talk to your risk management department about purchasing additional cybersecurity insurance coverage. This protection helps you get the benefits of doing business in India with less worry about fintech security risks.
Only time will tell what CERT-Fin and demonetization will mean for India’s digital payments future. Stay competitive by hardening your systems, managing risk and establishing safeguards to protect your customers — all while providing plenty of digital payment options to grow your business.