4 minute read 21 Dec 2022
Digital payments

How to unlock the power of digital payments through security?

By Kartik Shinde

Partner, Cybersecurity Consulting, EY India

Kartik has over 20 years of experience and is a leading voice for cyber in the financial services segment.

4 minute read 21 Dec 2022

Show resources

  • Unlocking the power of digital payments through security

Strong regulatory focus and multiple governmental headways are enabling payment players to have tides flow in their favor.

In brief

  • Security and convenience are two important customer agendas. 
  • Organizations undergoing digital transformation should have a robust and scalable payment infrastructure.

The payments’ function, along with its operations and technology capabilities, is at the heart of any financial system supporting transactions processing payments for individuals, businesses, and governments. The growth of digital payments in India has piggybacked upon demonetization and the advent of the COVID-19 pandemic. 

Over the last decade, the Indian payments environment has become much more dynamic, creating even greater challenges for financial institutions. Complex regulatory requirements, outdated and poorly integrated legacy systems, pandemic-induced urgency and an increasingly competitive marketplace have all pushed traditional financial institutions to evaluate innovative opportunities for payments transformation. Phenomenal growth in the consumer, SME digital credit access and mounting participation of the retail investors in the stock market are testimonials to it being one of the best digital payments ecosystems of the world in terms of value and volume.

However, the rising trend of digital adoption is being surmounted by the mounting charts of payment frauds such as multiple phishing, malware, fake UPI links and OTP linked frauds is making it a situation of flux. Rise in cybercrime is a menace to the global economy, leading to pernicious effects on businesses and communities. Disruptions in the processing of payment flows is additional threat to the payment systems. As organizations innovate and undergo digital transformation, it is imperative for them to have a robust and scalable payment infrastructure.

Keys risks in payment lifecycle

A firm grasp on the payment life cycle, including points of filure and areas prone to attack, and key payment risks and controls is critical in preventing/detecting a payment fraud. The below are the key risks that need to be addresed throughout a payment lifecycle.

Keys Risks in Payments Lifecycle

The pressure on payments players is real, but the times are exciting. The introduction of newer and quirkier payment methods, industry collaborations, tech advancements and regulatory support are making space for a lot of innovation and best practices in two important customer agendas - security and convenience. Winners shall be the ones who are quicker in finding the delicate balance between the two. With a strong regulatory focus and multiple governmental headways into it, payment players have tides flowing in their favor. Some of these critical drivers include:

  • Adoption of PCI DSS 4.0: Developed with a zero-trust philosophy, allowing firms to create their own distinctive, pluggable authentication systems to satisfy the legal requirements for data protection.
  • Introduction of RBI’s digital lending guidelines: Leading to an increase in adoption by Micro, Small & Medium Enterprises (MSMEs). Online lending platforms have gained massive popularity among MSMEs post the pandemic as they could not secure finance through traditional lending institutions and thus had to switch to digital loans.
  • Security layer of tokenization: Credit and debit card tokenization is the procedure of substituting sensitive data with a token, which is randomly generated, one-of-a-kind placeholder, known as a ‘token’.
  • Proposed use of data localization: Data localization may improve India’s governance of payment-related data significantly and is focused on protecting the customer’s interests and data.

Government of India on the personal data protection bill

The Government of India has released a draft of the Digital Personal Data Protection Bill for public consultation in November 2022. This bill is applicable to processing of digital personal data within the territory of India collected online or collected offline and later digitized. Indian payment security’s growth is driven by a bunch of nurturing initiatives undertaken by the government and regulators for a buoyed funding environment. These aim to offer an ecosystem that is geared up for strengthening the security and compliance design, enhance enterprise security, and proactively monitor and predict fraud monitoring. Organizations, on the other hand, need to play their role as well and invest in effective security measures to enhance growth and underpin their trust in the system.

Key recommendations for the industry to up their game in maintaining security and driving customer confidence:

Move security beyond the server room and into the boardroom:

With the growing number of channels for digital payments and the anticipated exponential rise in customer adoption of these products, the challenge of securing them will only continue to get more complex. The diversity in security maturity across the ecosystem participants only compounds the issue. Real-time payments need real-time security and enhanced fraud detection abilities for organizations. Following are some key areas that organizations across the board must prioritize as a part of their business strategies.

  • Proactive testing of cyber maturity

    • Test cyber-attack detection and defense controls
    • Conduct compromise assessments
    • Perform periodic threat modeling to identify and manage current risks
  • Security, privacy, and compliance by design

    • Ensure products and processes consider security, privacy, and compliance requirements throughout the lifecycle
    • Drive engagement of information security architects during product ideation
    • Enable a cultural shift within the organization by adopting strong design principles for security, privacy and compliance
  • Advanced incident and fraud detection

    • Implement proactive fraud and incident detection solutions based on behavioral analytics
    • Develop or keep forensic capabilities on standby
    • Conduct simulation activities and drills periodically, including board and senior executives
  • Enhance stakeholder awareness

    • Have effective communication and engagement with customers
    • Create an ecosystem for knowledge sharing regarding cyber incidents and frauds across the ecosystem
    • Mandate awareness trainings for employees based on their job roles
    • Upskill security teams to manage changes in technology and the business landscape
  • Drive ecosystem security

    • Develop security baselines for all participants in the payments chain
    • Implement controls to manage risks associated with service providers

Show resources

Summary

India has an opportunity to advance the development of its payment system and achieve important national goals, including driving innovation and digitalization, and improving financial inclusion. Digital payments will play a key role in realizing the vision of Digital India and promoting financial inclusion.

About this article

By Kartik Shinde

Partner, Cybersecurity Consulting, EY India

Kartik has over 20 years of experience and is a leading voice for cyber in the financial services segment.