Report Offers Recommendations on Securing Digital PaymentsCalls for Comprehensive Guidelines, Threat Sharing Platform
To secure India's growing digital payments ecosystem, it's vital to have comprehensive regulatory guidelines as well as a threat sharing platform, according to a new report by the Data Security Council of India and PayPal.
"The ecosystem that enables the digital payment services is a complex one posing various challenges in terms of managing security of enterprises and data protection," the Securing India's Digital Payments Frontiers report notes. "Currently, due to lack of a single agreed standard or guidelines around the finance industry, each payment player can choose the standard/guidelines which suits his payment solutions to create a more secure and trusted solution ecosystem." ( See: Securing Digital Payments)
Apart from European Union's General Data Protection Regulation, which deals with privacy issues, strong privacy laws are lacking around the globe, some experts assert. Because payment systems are linked worldwide, a common minimum standard on security and privacy is essential, they say.
"We are seeing digital payments crimes perpetrated from locations that are poor on legislation and privacy laws," says U.K.-based Steve Marshall, founder of Risk-X, an audit and risk assessment consulting firm. "Though globally we are getting closer with our ability to do business together, the fact is we are getting apart legislatively."
The Report's Recommendations
The report recommends the following steps to help ensure the security of cashless payments in India:
- Establish a long-term strategy for managing the dynamic global cybersecurity environment and controlling cybercrime;
- Standardize data protection laws and cybersecurity frameworks for digital payments;
- Develop comprehensive regulatory guidelines on risk management technologies, payment security management and business continuity management;
- Encourage threat intelligence sharing across the ecosystem;
- Build a regulatory sandbox environment for cybersecurity testing;
- Incentivize companies to make cybersecurity and data protection a priority for boards and C-suites.
While India has been successful in spurring a move to cashless transactions, including the use of mobile wallets, it has not yet launched a consolidated effort to secure these transactions.
"The government needs to recognize that by not mandating a minimum security framework, it is actually damaging the growth in the payments space and causing the concern of citizens; and if widespread disruption occurs, it could be catastrophic," says a security practitioner at a mobile wallet provider, who did not wish to be named.
"Only if the legislature works with the interested parties and mandates that there is an implementation of standards can there be any real protection to the consumer," he says. "This needs to be backed by stiff penalties, not for those that get it wrong, but those that deliberately flout the rules."
But security practitioners caution that a security framework has to be carefully designed so it does not stifle innovation.
"This was the case with PCI DSS, and the fact that there are now 25 standards that cover the gambit of payment technology that is in use as someone comes up with something new that does not fit with the current frameworks, so a new one has to be developed," Marshall says.
Threat Intelligence Sharing
The report emphasizes building a strong public/ private partnership for trust, transparency and information sharing around threat intelligence, incident reporting, best practices assessments and responsible disclosures, such as bug bounties.
"We need to encourage active participation and partnerships with industry and government in research, standard building, threat intelligence sharing and development of frameworks, etc., to help secure the overall ecosystem for enhanced consumer trust," the report states.
The lack of threat intelligence sharing makes it more difficult to prevent breaches. But organizations cite a multitude of reasons for holding back from sharing intelligence, ranging from worries about revealing too much to competitors to trust questions and, ultimately, fear of embarrassment, some security practitioners say.
One solution, some experts say, would be to have the Indian government establish a cyber threat sharing centers in various cities, along with an online threat intelligence portal.
In the meantime, security experts say organizations can take steps toward improving payment security. For example, they urge merchants to avoid storing payment data.
"The only ones with a need to store the data is the cardholder/ consumer and the financial institution that issues the payment method," Marshall says. "There is no need for others to store this data, as it only increases the risk of the data being stolen or compromised along its journey. Therefore, the ideal method is encryption at the point of inception and only reversal of the information for authentication, verification and authorization at the financial institution."
Only the information needed to be able to prove, defend or verify that a transaction has occurred should be retained, security experts advise. Using unique transaction numbers, so that payment information doesn't have to be retained, also is important, they say.