We are at the cusp of a digital payments revolution in India ushered in by the government's demonetisation exercise late last year, and once again, mobile phones are at the centre of this revolution.
This, of course, involves personal data of millions of users that is sacrosanct. To ensure that this data is not compromised in any way while people use different digital payment modes, robust security across devices is absolutely necessary.
The Government estimates around 2,500 crore digital transactions will occur in 2017-18 via different payment modes such as Unified Payment Interface (UPI), Immediate Payment Service (IMPS), Aadhaar-enabled Payment System (AEPS) and credit cards as well as debit cards, swiped at point-of-sale terminals.
While these tools seek to create a digitally-empowered society, one important element will decide how successful they are: cyber security.
With multitude of digital transactions happening via mobile phones, the chances of a security breach exist, particularly when many mobile wallets and banking applications are not deploying hardware-level security to make online transactions more secure.
Security issues include multiple fake accounts, psychological manipulation (known as phishing), weak device authentication, hacking of servers, and stealing of data.
The red-flag on security is not without reason. Globally, numerous events of hacking occurred, of email accounts, databases, Twitter handles of celebrities, as well as on Facebook, and other social media. In such cases, the financial-, privacy-, and security-related implications for individuals, institutions, and nations can be enormous. As digital transactions soar, cyber crimes will also rise.
After the severe cash crunch created by the November demonetisation drive, Indians have scrambled to undertake digital transactions. Given this scenario, cyber analysts have warned about serious vulnerabilities in the payment systems used across India. To address the threat, it’s necessary to have security features embedded in the hardware and software, as design and not as add-on features, as the latter will be susceptible to hacks.
Nonetheless, the benefits of digital and card payments are decidedly greater than those of cash. To minimise (if not eliminate) the risk in digital transactions, simplicity, security and ubiquity are the watchwords for any payment system or gateway to succeed. To safeguard the details of users, such a system should have the ability to tokenise, encrypt and authenticate data before use.
Boosting cyber security
There are several methods adopted to boost cyber security. In the tokenisation method, the system or device does not store any account or card number details on the device, but relies on tokens to undertake transactions.
When any transaction takes place, the device will transmit two sets of data to the payment terminal. The first set will be a 16-digit token representing the credit or debit card number. The second set will be a one-time cryptogram or code generated by the encryption key of the smartphone. The third safety element, authentication, is self-explanatory, with the user being identified by the user ID, fingerprint, or other code.
Today, SFA (Single-Factor Authentication) is clearly not as safe as TFA (Two-Factor Authentication). Password-based authentication is the most common form of SFA. In TFA, an extra layer of security is added to the standard log-in procedure, whereby the person accessing an account verifies their identity through a second question, or check-in procedure.
Another benefit of such security systems is that even if a person’s smartphone is stolen, payments cannot be made from the device unless authorised through a fingerprint or the specific PIN put down during the setup procedure.
The diverse range of payment technologies makes robust security critical. Two of these payment technologies are NFC (Near Field Communication), and MST (Magnetic Secure Transmission) and for both, users need to upload credit card details into the mobile payment app on their smartphone. Purchases can then be made in physical retail stores.
Since the card data is encrypted on the phone, one-time authorisation tokens are provided for every separate purchase. As NFC and MST are contactless payment solutions, the mobile phone typically does not need manual interaction with the PoS terminal. Only physical proximity and the customer’s approval are needed to permit a transaction.
Although the demonetisation drive has fast-forwarded India’s digital transition, issues of payment safety and security have not kept pace with these developments. If repeated security breaches occur, apprehension in people’s mind will slow down the pace of digital transactions in India.
It is therefore, critical that the issue of security is given due importance by all stakeholders. It is important that the digital payments industry also upgrades its systems to ensure the security of its customers. If that happens, everyone will benefit – including the Government, the digital payments industry, and customers.
The proliferation of mobile devices (smartphone, tablets) gives consumers more choice. Current digital card-based systems - be it credit or debit payment - assume that physical cards are available and card virtualisations are done. The traditional role of banks in issuing physical cards that are dispatched to users could be substituted by new forms of intermediaries, such as Trusted Service Managers, that make mobile devices capable of over-the-air provisioning. The time is now ripe to drive digital payments across India using financial instruments that are backed by robust security solutions.
Aloknath De is Chief Technology Officer, Samsung R&D Institute, Bangalore