The recent move by the Indian Government, which jolted the trade and business in India from obviousness and obliviousness, brought the focus on digital payment platforms. In absence of cash, Urban India lapped up the convenience of digital paymentand street hawkers were seen accepting payment through Paytm and other such platforms.Sight of Seniors making payments through digital wallets at local grocery shop or milk booth started losing its novelty.
Even in developed countries, multiple cases of online frauds and security breach are reported wherein people lose their money, securities or even crypto currencies like Bit Coin. Sadly the regulations and legislations don’t move as fast as the fraudsters making legislative process reactive rather than being proactive. Since Internet knows no specific jurisdiction, application of laws of land has always been debatable and Governments are still grappling to find a workable solution.
Given the background, it is pertinent to look at and understand what are the legislative or other provisions available in India to keep the data and money safe.
If we look at the regulatory scenario in India, the main legislation around the Information Technology aspects is the Information Technology Act, 2000 (IT Act). Further considering that the digital payment platforms deal with money, Reserve Bank of India, being the regulatory authority for currency movement was also given teeth to regulate such transactions in form of power to regulate digital wallet transactions by approval. Further, there are no minimum acceptable standards prescribed nor is there any definition of liability for loss due to breach/fraud except PCI-DSS and PA-DSS.
The Information Technology Act, 2000
Though the Act came in a decade ago, its use and powers have been evolving and have made little impact. Under IT Act, fintechCompanies are mandated only to maintain ‘reasonable security practices and procedures’.
The IT Sensitive Personal Data Rules, 2011 issued under Section 43A, require such Companies to:
- Have security practices proportionate to the data in their possession;
- Such practices are required to be documented.
In the event of any loss due to inadequate practices or procedures or their compliance, the customer is liable to be compensated without any upper ceiling.
However, the pitfall is that the legislators failed to recognize the need for continuity of compliances. The provisions of the IT Act only require one time compliance and no liability in case the enterprise fails to update the security standards.
It would not be wrong to assume that in absence of any check, the compliance with provisions will be fairly low.
Since the law does not specifically address the matter, the contractual terms and conditions as signed by a customer become binding. What this means is that even if the payment portal has reasonable but inadequate security checks, customers cant hold them liable under the provisions of the IT Act. This also allows such portals to disclaim liability on account of lax security or any bugs.
Though Section 43A allows the government to issue such rules in consultation with proper professional bodies but nothing concrete has been worked up as yet. The Ministry of Electronics and IT (MeitY) plans to issue advisory and make reporting of unusual activities noted on platforms to Indian Computer Emergency Response Team (CERT-IN) to ensure quick action and resolution of cyber security related
Reserve Bank of India
Unlike the powers exercised by RBI for banks, no such specific instructions or circulars have been issued for security for such digital payment platforms. RBI issued directions to banks and authorized card payment networks in February 2013 to initiate additional measures required in the wake of cyber-attacks becoming more unpredictable and electronic payment systems becoming vulnerable to new types of misuse. The directions required stakeholders to introduce certain minimum checks and balances to minimise the impact of such attacks and to arrest/minimise the damage. Accordingly, banks were required to put in place security and risk control measures for card payment transactions and electronic payments as well.
Payment Cards Industry-Data Security Standard
A welcome move in the said directive though was recognition of PCI-DSS (Payment Card Industry-Data Security Standards) and PA-DSS (Payment Applications – Data Security Standards). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Whereas Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance.
Even though the recognition was limited to usage for card capturing terminals and merchant site, it helped provide statutory credibility to a private body standard. In the world of online payments, acceptance of such international standard would only help meet the global standards of security helping the Indian payment portals stay secure and relevant in international parlance.
The regulatory ecosystem around digital payments is still at a nascent stage and calls for a cautious approach on part of users in their own interest. Government can only do as much and create rules and regulations based on historical experiences mixed with limited foresight but in view of the rapid development of information technology, newer challenges will keep on surfacing making it pertinent for users of technology to be more cautious to protect money and belongings.