Bank customers may soon have the option to authenticate online banking transactions through digital signatures. A report by a Reserve Bank of India committee, Enabling Public Key Infrastructure (PKI) in Payment System Applications, proposes a phase-wise implementation timeline for this.
The report stresses the need for a two-stage verification process in view of the increasing instances of fraud. In the first two phases, to be implemented in 12 months, corporate authorizers will be given the option of digital signatures. In another six months, the service will be extended to individual customers. Individuals need to apply for a digital signature at an entity certified by the Controller of Certifying Authorities.
There will be a know-your-customer process, after which an alphanumeric key will be allocated. “If an electronic document needs to be authenticated online, digital signature is the best bet as it takes a long time to break it,” said Pavan Duggal, a Supreme Court lawyer and a cyber law expert.
If implemented, a customer can transact, say, transfer funds, by authenticating the transaction with a private key, i.e., the digital signature. Once the bank receives the instruction, it will verify the message using the corresponding public key, which can be downloaded from the certifying authority’s website. “This will ensure that the transaction is genuine as it will minimize the chances of the request being changed in transit and repudiation cases will go down,” added Duggal.
Some concerns remain regarding the use of mobile phones. Though the 2008 amendment to the Information Technology Act, 2000, brings “communication devices” under its ambit (earlier restricted to computers), “all activities done with the communication device may not be included,” said Duggal, adding that eventually the law will have to change to include mobile devices as well.
The rollout of digital signatures will also depend on how quickly customers adapt to it. “There is a recommendation to make it easy for customers to get a digital signature. That’s why possibly a period of 18 months is given,” said Deepak Sharma, executive vice-president and head-digital initiatives, Kotak Mahindra Bank Ltd. He added that the move will be good for customers, as they will feel more confident of online transactions, and for banks, as they will face fewer repudiation cases.
The RBI committee has also recommended that once the system is in place, it should be reviewed to make digital signatures mandatory for all big-ticket transactions.