The Centre has released a set of draft guidelines for digital wallet companies as part of its efforts to promote electronic payments while ensuring the security of transactions.
The Ministry of Electronics and Information Technology issued on Wednesday the draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 for public consultation, and will take suggestions until March 20.
The draft rules underline security parameters that digital wallet companies, such as Paytm, FreeCharge and Mobikwik, will have to follow. They also stipulate standards for data protection and customer grievance redressal.
Every prepaid payment instrument (PPI), or digital wallet, has been asked to develop a security policy based on the rules and standards set by the government.
“Every e-PPI issuer shall review the security measures at least once a year, and after any major security incident or breach or before a major change to its infrastructure or procedures,” read the draft rules.
The rules also mandate that digital wallets identify and authenticate every customer at the time of issuance, and adopt two-factor authentication for transactions.
The government may by notification “exempt” digital wallets from requiring two-factor authentication in specific use cases.
The regulations could hurt wallet companies, as one of their biggest advantages over traditional credit and debit cards is the seamlessness of transactions in the absence of multiple-factor authentication.
However, just as the Reserve Bank of India rules exempt small-value card transactions from multiple-factor authentication, digital wallets could enjoy the same treatment.
Moreover, wallets will now have to disclose the kind of information they are collecting from customers and with whom they are sharing such information, and will be allowed to store it only for a period specified by the government.
This information will also have to be encrypted end-to-end to safeguard customer data, especially financial data such as bank balances.
“Every e-PPI issuer shall adopt security measures to protect the security, confidentiality and integrity of the personal information… (and) shall contractually require merchants handling any authentication data to have security measures in place to protect such data,” the rules say.
While the draft rules have been long awaited by digital wallet companies, experts say the guidelines could put extra pressure on such firms, which have so far enjoyed a free run.
If the final government rules are heavy-handed, they could take away some of the advantage these firms have had over traditional banks.
Photograph: Jitendra Prakash/Reuters