Reportedly, the Ministry of Electronics and Information Technology issued the draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 recently for public consultation, and will take suggestions until March 20.
The draft rules mention the security parameters that digital wallet companies, such as Paytm, FreeCharge and Mobikwik, will have to follow. They also specify standards for data protection and customer grievance redressal, reported the Business Standard.
According to the draft rules, every prepaid payment instrument (PPI), or digital wallet, has been asked to develop a security policy based on the rules and standards set by the government.
“Every e-PPI issuer shall review the security measures at least once a year, and after any major security incident or breach or before a major change to its infrastructure or procedures,” read the draft rules.
Furthermore, the rules mandate that digital wallets identify and authenticate every customer at the time of issuance, and adopt two-factor authentication for transactions. The government may by notification “exempt” digital wallets from requiring two-factor authentication in specific use cases.
The regulations will affect the wallet companies, as one of their biggest advantages over traditional credit and debit cards is the seamlessness of transactions in the absence of multiple-factor authentication.
In addition, wallets will now have to disclose the kind of information they are collecting from customers and with whom they are sharing such information, and will be allowed to store it only for a period specified by the government. This data will also have to be encrypted end-to-end to safeguard customer information, especially financial data such as bank balances.
“Every e-PPI issuer shall adopt security measures to protect the security, confidentiality and integrity of the personal information…(and) shall contractually require merchants handling any authentication data to have security measures in place to protect such data,” the rules say.