Changes Suggested to Draft rules for Security of Prepaid Payment Instruments under provisions of IT Act 2000: Indian Govt Rules for Digital Wallets
Adv (Dr.) Prashant Mali [MSc(Comp Sci), LLM, Ph.D.]
Cyber Law, Cyber Security, Privacy & AI Thought Leader, Practicing International Lawyer, Author, Researcher, Board Member, Keynote Speaker on Cyber, Privacy & AI. Cyber Public Policy Influencer and TV Personality
Date: 20/03/2017
To, Shri Prafulla Kumar, Scientist-G, MeitY, Government of India
Dear Sir, with reference to the comments invited on the Draft Rules for Security of Prepaid Payment Instruments under provisions of the IT Act 2000, posted on 8 Mar 2017,
I am proposing the following comments; I have kept my comments underlined.
Two things I want to emphasise and contribute: the first is the usage of vernacular languages, and the other is having a robust “online grievance handling mechanism” operated by e-PPI operators.
Draft Information Technology (Security of Prepaid Payment Instruments) Rules, 2017-
2. Definitions.—
(c) “authentication data” means any information submitted by a customer at the time of authentication; the data submitted is matched with the data provided during registration with the e-PPI, and includes passwords, OTPs, Aadhaar numbers, biometric attributes, authentication on call, security questions, USB tokens, digital/electronic signatures or any other data that may be used for authentication purposes. Comment: if left open, i.e. using ‘any other data’, then authentication may lose its value.
(c1) “registration” means the first-time enrolment of a customer with an e-PPI. The customer needs to maintain a password, which can be updated as needed.
(g) “cyber security breach”: Comment: can we write “data breach”? Otherwise we also need to define what “cyber security” is. Please note that in the definition of “cyber security” under Section 2(nb) of the IT Act, 2000, the word “data” is not mentioned.
(n) “pre-paid payment instrument” or “PPI”, barring crypto currencies, means a payment instrument that uses legally tendered currency for facilitating the purchase of goods and services, including funds transfer, against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holders by cash, by debit to a bank account, or by credit card. The pre-paid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers and any such instrument which can be used to access the pre-paid amount. Comment: we need to explicitly exclude crypto currency and use the words ‘legally tendered currency’, or else even gaming sites that exchange tokens would start dealing in PPIs.
4. Privacy policy.—
(g) name and contact details of the Grievance Redressal Officer along with the mechanism for grievance redressal; Comment: [let us specify that they should have an online grievance redressal mechanism, which could include an appeal to an online arbitrator (this could be agreed upon when the customer signs up for the service). Arbitrator fees should be fixed and borne by the losing party. The arbitrator's award should be final; this would reduce litigation in courts too].
5. Risk assessment and risk control.—
(4) Every e-PPI issuer should insure itself against known risks, i.e. those identified as the result of clause (1).
6. Customer identification and authentication.—
(2) The e-PPI issuer shall apply appropriate procedures for registration and authentication where a customer accesses his payment account online.
(5) The procedure for registration and authentication shall include mechanisms to:
(a) protect the confidentiality of registration and authentication data;
(d) protect communication sessions against capture of data transmitted during the authentication procedure or manipulation by unauthorised parties; and
(f) identify and block fraudulent registration.
12. Traceability.—
Every e-PPI issuer shall have adequate processes in place to ensure that all interactions with customers or other service providers in relation to accessing payment accounts, initiating payments or the payments’ destination can be appropriately traced.
14. Reporting of cyber incidents.—
(1) Every e-PPI issuer shall establish a mechanism for monitoring, handling and follow-up of cyber incidents, cyber security incidents and cyber security breaches / data breaches. Comment: can we use ‘mechanisms for identification of cyber incidents, detection of and protection from security breaches, and mechanisms for recovery from the breach’ instead of ‘monitoring, handling and follow-up of cyber incidents, cyber security incidents and cyber security breaches’, to be more explicit?
15. Customer awareness and education.—
(1) E-PPI issuers shall assist customers in all vernacular languages with regard to the secure use of prepaid payment instruments.
(2) E-PPI issuers shall provide customers with all requisite information in vernacular languages relating to the security of prepaid payment instruments, including the following information:
Note: As the grievance handling mechanism proposed has almost failed under the IT Act, 2000, I propose the following ODR mechanism; given a chance, I can make a full-scale presentation before the authorities on its implementation.
16. Grievance redressal. —
(1) Every e-PPI issuer shall designate a Grievance Officer for receiving complaints from customers. An ODR (Online Dispute Resolution) menu should be provided in the main menu of the mobile or web-based application. This menu should also be available in vernacular languages, including Hindi.
(3) The Grievance Officer shall act within 36 hours and shall resolve the complaint within one month from the date of receipt of such complaint, or from the date the complaint is logged into the ODR by the customer.
(4) A customer who is aggrieved by the result of a complaint handled by the Grievance Officer should be able to access the Appeal menu, where he submits the case to one of the empanelled online third-party arbitrators. The arbitration award is final, as agreed upon by the customer while signing the online service agreement.
(5) If the customer wants to be physically present during the arbitration proceedings, he should have the option to choose so; in that case the fees of the arbitrator can be shared equally by the two parties. The e-PPI should empanel arbitrators across all states and major cities to facilitate this.
(6) The selected empanelled online arbitrator, once the appeal is received online, has to decide within one month from the date of receipt of such complaint. The award of the arbitrator would be hosted on the e-PPI website and can be final.
Adv. Prashant Mali [M.Sc.(Computer Science), LLB, LLM, Ph.D.(Persu.)], Chairman - Cyber & Law Foundation [NGO], High Court Lawyer, Author & Speaker, Chevening Cyber Security Fellow (UK)
8 years ago: Adv. Prashant Mali [Bsc(Phy), MSc(Comp Sci), CCFP, CISSA, LLM] Superb, and I liked both the ideas, including the incorporation of our languages. There are countless Indians (alive) who are ignored if they are not given the pleasure of using an app in their languages. The list includes my dozens of immediate and distant relatives who are afraid to use a smartphone because it is still in English, and in turn these untouchable Indians will not ride the horse of Digital India, Digital Business, Digital Indian Consumer and Digital Indian Economy.
Senior Talent Acquisition Specialist at Marga Consulting
8 years ago: Those token systems are very good, I would say.
Senior Talent Acquisition Specialist at Marga Consulting
8 years ago: There are many ways to authenticate users on the server; I worked in an organization where we were using tokens to gain
Senior Talent Acquisition Specialist at Marga Consulting
8 years ago: The points are very relevant, and this will enhance end customers' faith in the banking system.
Senior Talent Acquisition Specialist at Marga Consulting
8 years ago: Really good one. It's good to see we are evolving as we grow towards digital transactions. Everything described is a need of the time.