NPCI's UPI Service to go Live April 8
What Are the Security Challenges that Come with Mobile Funds Transfers?
The National Payments Corporation of India, the umbrella organization for all retail payments systems in India, says its Unified Payments Interface service, which lets smartphone users simplify mobile fund transfers, will go live starting April 8.
As part of its rollout strategy, NPCI has partnered with 29 banks in the country and is supporting them with necessary APIs to facilitate mobile fund transfers using UPI service.
To begin with, NPCI is testing the interface with Axis Bank and ICICI Bank and will expand it to other banks.
To facilitate this service, the NPCI has provided a platform for start-ups/developers to accelerate innovations by launching the UPI Hackathon in association with the Indian Software Product Industry Round Table.
"NPCI would support banks and solution providers to develop solutions based on the application programming interfaces (APIs) made available," says A P Hota, MD & CEO, NPCI.
N D Kundu, CISO of Bank of Baroda, says, "As per my understanding, NPCI is providing an open source based architecture through a shared model as part of the UPI service. This will be interfaced with our existing payment platform and for authentication purposes."
NPCI Sets the Stage for Fund Transfer
With UPI, multiple bank accounts can be linked to a single mobile banking application, and money can be received and requested through this interface.
According to Hota, the product will eliminate the need to exchange sensitive information such as bank account numbers, one-time passwords or phone numbers.
"This unified layer, which offers next-generation, peer-to-peer immediate payment just by using a personal phone, uses existing systems such as IMPS and AEPS to ensure settlement across accounts," Hota says. "This ensures reliability of payment transactions."
Since the platform is Aadhaar-enabled (Aadhaar is a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India), it allows Aadhaar biometric authentication-based transactions. Bengaluru-based Nitin Bhatnagar, Cyber Security Researcher and Head, Business Development, SISA Information Security, considers this a plus.
According to Bhatnagar, UPI has simplified the process with its provision for PSP-provided mobile applications that allow paying from any account using any number of virtual addresses, and using credentials such as passwords, PINs, or biometrics (on phone). "The key benefit would be to enable the use of a fully interoperable system across all payment system players without having silos and closed systems," Bhatnagar says.
To help banks use the platform, UPI will offer architecture and a set of APIs. NPCI is organising the UPI hackathon primarily for two categories - software-based problem solving and a workshop format to solve a real-life problem.
Over 300 participants from banks, payments banks and payment solution developer organisations nominated themselves for the event. Participants will use the API provided in the sandbox (the defined set of interfaces that programmers must use) to develop products/services and generate multiple solution options for each of the perspectives. A jury from iSPIRT and NPCI will preside.
ICICI Bank partnered with NPCI to launch the "ICICI Appathon," aimed at attracting developers, technology companies, startups, technopreneurs and students to create the next generation of banking applications.
Hosted on the IBM Bluemix cloud-based platform, "ICICI Appathon" will offer over 50 payment APIs from Visa and the Unified Payment Interface.
"Using these APIs, participants will have to create innovative working prototypes of mobile applications that provide a superior customer experience," says Chanda Kochhar, MD & CEO, ICICI Bank.
Nandan Nilekani, co-founder of Infosys Ltd and former chairman of Unique Identification Authority of India, is available in an advisory capacity for the UPI service.
The biggest UPI challenge for banking CISOs is ensuring security while enabling convenient transactions. The encryption overhead that comes with heavy data traffic will also emerge as a challenge.
"Given the multiple OS platforms and applications that the banks use, there would be a challenge to interface with the different APIs that NPCI would provide, as the new-age payment platforms also bring in an equal amount of risk," says Kundu.
"Since the service is just to be launched, we as practitioners need to have a deeper understanding of how it works securely."
Security leaders say that banks need to leverage people, processes and technology effectively, sufficiently backed by effective monitoring security tools, or else the rollout will be a disaster.
Bhatnagar argues that the challenge will be balancing the current payment channels (i.e. web, POS retail and mobile wallets) against upcoming innovative modes of payment (i.e. UPI): integrating the new modes into the current infrastructure and network, the various applications involved, and the technical skill set needed to manage the implementation within the stipulated timeframe.
"Staying compliant with the regulatory requirements such as RBI audits, IT security audits and other international standards like PCI-DSS etc. would be key challenges," he maintains.
Simplified Secure Transaction
Hota says UPI is a standardized, adaptable, secure and cost-effective interface. "Once formulated, the standardized API can be integrated into the NPCI infrastructure."
The use of standards such as PCI-DSS and ISO 27001:2013 is recommended for organizations involved in the processing of payment transactions.
Bhatnagar says that while transactions through a UPI platform appear to be secure, it all depends on how securely developers have been able to implement it at the payment-system end.
"It is important for CISOs to get their mobile application/platform assessed by security professionals before deployment," says Bhatnagar. Some of those assessments would include application security validation, secure code review following a payment application standard such as PA-DSS, infrastructure and network-level security audits, and quarterly security health checks.
"Besides conducting a thorough risk assessment it is critical to impart training and create user awareness about secured transactions," he says.
Security leaders recommend that the UPI platform keep enhancing its security features to prevent phishing attacks. They suggest that a cap on the transaction amount could serve as a check. According to Hota, there is a transaction limit of Rs. 25,000.
"We are working with e-commerce vendors, payment vendors and the Telecom Regulatory Authority of India to develop an authentication mechanism for secure transactions," says Hota.