Govt issues draft rules for digital transactions made through prepaid instruments
New Delhi: Issuers of prepaid payment instruments (PPIs) such as mobile wallets will have to disclose their privacy policies on their websites, including on the use and sharing of information collected from customers as well as how long this information is stored, as per draft rules issued by the government for transactions done via PPIs.
Personal information such as addresses, telephone numbers and financial details of customers cannot be disclosed without their prior consent, say the draft Security of Prepaid Payment Instruments Rules 2017, issued on Wednesday by the ministry of electronics and IT. The government has sought public comments until 20 March on rules aimed at securing digital transactions and addressing customer and privacy protection issues.
The rules seek to put the onus on PPI issuers to safeguard data available with them through robust risk management and clear norms on encryption, security and retention of data. To be sure, many of the PPI issuers follow some of these rules but the draft rules aim to standardize these processes for the entire industry.
“All the payment instruments are regulated by RBI (Reserve Bank of India) but the rules on transactions through PPIs have been laid down by the IT (information technology) ministry. This will lead to confusion as an entity might be complying with RBI rules but may violate rules set by IT ministry,” Rahul Matthan, partner at law firm Trilegal.
PPIs, which are issued as smartcards, magnetic strip cards, internet wallets, mobile accounts, mobile wallets or any such instrument, can be used to access prepaid amounts.
The rules require issuers to ensure end-to-end encryption of data exchanged and emphasize electronic transactions conducted by customers should be traceable by issuers. They also mandate every e-PPI issuer should set up a mechanism to monitor, handle and follow-up cybersecurity incidents and breaches.
PPI issuers will have to report cybersecurity breaches to CERT-IN, the nodal agency dealing with cyber threats. The rules come in the wake of a surge in phone banking and electronic payments as India moves towards a less-cash economy following the invalidation of old high-value currency notes on 8 November.
“Key areas like adequate due diligence for e-PPI issuance as well as authentication of e-PPI will need to be sketched properly so that customer convenience doesn’t go away while addressing security concerns,” said Dewang Neralla, CEO of Atom Technologies Ltd, a payment service provider, adding that there could be confusion for PPIs on whether dispute management should be handled under the IT Act or as per PPI guidelines of RBI.