The Ministry of Electronics and Information Technology (MEITY) has issued draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 for Prepaid Payment Instruments (PPI) company or e wallet firms.
The draft rules seek to ensure integrity, security and confidentiality of electronic payments made through PPIs. It covers an entire spectrum for protecting consumer information, especially financial data.
Key Features of the Rules
- Definition of e-PPI issuer: Person operating a payment system issuing prepaid payment instruments to individuals or organisations under the aegis of Reserve Bank of India (RBI).
- Information security policy: Mandatory for e-PPI issuers to develop an information security policy that ensures that the systems operated by them are secure.
- Risk assessment: Mandatory for e-PPI to carry out risk assessment to spot security risks and also ensure adequate due diligence is done before issuing PPIs.
- Chief grievance officer: e-PPIs should appoint a chief grievance officer with his contact details prominently displayed on website. The officer must act upon any complaint within 36 hours and close it in a month’s time.
- End-to-end encryption e-PPIs shall ensure that end-to-end encryption is applied to safeguard the data exchanged. It shall retain data relating to electronic payments only till necessary.
- CERT-In’s responsibility: CERT-In (Indian Computer Emergency Response Team) shall notify the categories of incidents and breaches that are required to be reported to it mandatorily.
What are Prepaid Payment Instruments (PPIs)?
PPIs are methods that facilitate purchase of goods and services against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holder, by debit, by cash to a bank account or by credit card. These prepaid instruments can be issued as online wallets, mobile accounts, mobile wallets, smart cards, magnetic stripe cards, internet accounts, paper vouchers and any such instruments used to access the prepaid amount.