Experts wary of data security feature of payment gateways

S Ronendra Singh Updated - December 18, 2018 at 09:15 PM.

Want RBI to revisit pact between payment corp, service providers

Although there are some liabilities defined for stakeholders in the digital payment ecosystem, they are not enough

With payment service providers raking in the moolah with the rapid growth in digital payments, policymakers have begun to take a close look at the robustness of the data security features of the digital instruments.

At a high-level meeting between the Ministry of Electronics and IT (MeitY) and the National Cyber Security Coordinator (NCSC) in October, cyber-security experts recommended that the Reserve Bank of India (RBI) should conduct a thorough scrutiny of the agreements inked between the National Payments Corporation of India (NPCI), banks and payment service providers (PSPs) such as Google Pay, Paytm, WhatsApp and Apple.

Jurisdiction hurdle

Although the contracts are signed in India, most PSPs have their offices in overseas jurisdictions like Singapore, sources told BusinessLine. According to a report by the Data Protection Committee headed by Justice BN Srikrishna, financial data, health data, official identifiers including government-issued identity cards, sex life and sexual orientation, biometric and genetic data, and information on caste or tribe or religion can be categorised as Sensitive Personal Data (SPD) under the data protection law.

‘No specific liability clause’

The NCSC too raised concerns over the collection, use and storage of financial data by PSPs in the high-level review meeting, a senior government official said.

“The NCSC said that in the agreements signed between the NPCI, banks and the PSPs, there is no specific liability clause for the NPCI and the PSPs. Also, there is no provision to protect the interests of consumers against pilferage, leakage and sharing of data, which is of a sensitive nature,” said the officer.

The PSPs must abide by the legal framework of the country as well as regulations prescribed by the regulator i.e., the RBI, he said.

The official said that although there are some liabilities defined for stakeholders in the digital payment ecosystem, the MeitY and cyber-security experts felt that they were not enough. MeitY too supported the recommendations made by the NCSC and suggested that the RBI should lay down regulations that would bind the collection, usage and sharing of data by participants in the payments arena, the official said.

“One of the top officials at the meeting said a lot of contracts are signed between foreign players (PSPs) who have jurisdictions outside India, and that is why we have compliance concerns. Therefore, a thorough review is required on this,” said another senior government official.

The digital payment industry is going to be one of the largest in the country in the future, and therefore, requires a lot of transparency, so that the public is not duped by unscrupulous service providers, the official added.

Published on December 18, 2018 15:42