As a part of the “Reasonable Security Practices” under Section 43A of ITA 2000/8, the Government of India has released draft rules called “Information Technology (Security of Prepaid Payment Instruments) Rules, 2017” for public comments.
(P.S: The draft has since been removed from the website of MeitY. A copy is now available here)
The comments may be sent to Shri Prafulla Kumar, Scientist-G, at firstname.lastname@example.org before 20th March 2017.
Summary of recommendations with our immediate comments:
- The Central Government may further specify by notification security standards to be adopted by e-PPI (electronic Prepaid Instrument) issuers. It is also possible that the Government may designate some other security standard. (Comment: Will some ISO standards be imported? Will a new set of standards based on PCI DSS be developed?)
- e-PPI issuers need to develop an IS policy in tune with these rules and any further IS guidelines that may be issued. (Comment: Will there be an audit, or a self-declaration?)
- The e-PPI issuers shall mandate that their sub-contractors who handle authentication data have the necessary security measures in place to protect such data. (Comment: Always considered a required security policy)
- End to End Encryption needs to be ensured to safeguard the data exchange in the application. (Comment: Some e-PPI issuers might have introduced such encryption. But most have not. Hence this will be one of the key areas of change to be incorporated by the operators. A welcome move)
- Every e-PPI issuer shall have adequate processes to trace the transactions. (Comment: Some e-PPI issuers might have introduced such measures. But most have not. Hence this will be another key area of change to be incorporated by the operators. A welcome move)
- e-PPI issuers need to retain the data related to payments for periods as may be specified. (Comment: This is a reiteration of Section 67C of ITA 2000/8. Again, no specific period is mentioned. But the retention period has to be “reasonable”. Considering that there is a law of limitation that provides an option to raise civil disputes within a period of 3 years, the minimum period of retention cannot be less than 3 years. It would be a best practice to retain it for at least 6 years in a format that is not dependent on any application. Such information has to be securely archived. Most e-PPIs do not have a proper Data Retention Policy and will need to put one in place now. It would be better if the minimum period of 6 years is also designated with the additional words “Six years or as otherwise may be required under law”. This will be another area of compliance that operators need to take a fresh look at.)
- The e-PPI issuers need to adopt an incident management policy that includes a data breach notification policy. This will require reporting of incidents to CERT-IN as per the policy already in place. Some new specific guidelines may be issued by CERT-IN specifically for e-PPI operators in due course. (Comment: Most e-PPI issuers are presently ignoring the current requirements of CERT-IN. They need to take this more seriously now)
- e-PPI issuers are also required to take measures to educate the users of their services to use the services in a secure manner. (Comment: This will require some action and cost which e-PPI issuers need to initiate)
General Comments: Most of the guidelines are a reasonable interpretation of the current ITA 2000/8 compliance guidelines, though ignorant operators are better served by a specific notification that they can take notice of. This notification will therefore get into the compliance manuals of the e-PPIs and their advisors, who so far had little respect for ITA 2008 compliance.
The notification is therefore a good move.
However, if the operators are to be serious, CERT-IN needs to make it mandatory that the managements file a voluntary disclosure that they are in compliance with the provisions of ITA 2000/8 and the rules made therein. This should be made a statutorily mandated clause in all terms and agreements, on lines similar to the declarations that CFOs and CEOs are required to make under corporate governance requirements in their shareholders’ reports.
We do not recommend a “Licensing” or mandated audit from “Accredited auditors”, both of which are ineffective and give room for corrupt practices. But a voluntary disclosure of compliance and an indemnity to the customers under Section 79 of ITA 2000/8 should be more effective.
Additionally, the operators should be mandated to secure their customers’ interest by a group insurance scheme under which every user should be covered by a Cyber Insurance plan up to at least an amount of Rs 10000/- per incident.
Also, all e-PPI operators should provide a warranty that their applications are free from known vulnerabilities and also have a reasonable bug bounty program to crowd-source security knowledge.
Any other comments that readers want to contribute are welcome. Naavi.org will consolidate and send its recommendations to the Ministry in the next few days.