RBI released draft Report on Enabling PKI in Payment System Applications
The Reserve Bank of India (RBI) released a draft report on enabling Public Key Infrastructure (PKI) in payment system applications. The PKI-enabled electronic payment systems introduced by the RBI are RTGS, NEFT, CBLO, Forex Clearing, Government Securities Clearing and Cheque Truncation System (CTS).
Objective: To ensure a safe, secure, efficient, robust and sound payment system in the country.
Highlights of the draft Report on Enabling Public Key Infrastructure (PKI) in Payment System Applications
- The various PKI-enabled electronic payment systems introduced by RBI are RTGS, NEFT, CBLO, Forex Clearing, Government Securities Clearing, Cheque Truncation System (CTS), etc.
- In volume terms, PKI-enabled electronic payment systems contributed 25.1%, whereas in value terms these systems contributed a 93.7% share of the total payment transactions carried out in the year 2012-13.
- Non-PKI-enabled payment systems contributed 75% in volume terms but only 6.3% in value terms in the year 2012-13.
- Of the non-PKI-enabled payment systems, MICR clearing and non-MICR clearing contributed 37% and 10% in volume terms and 69% and 25% in value terms, respectively.
- In order to ensure a safe, secure payment system in the country and to ensure legal compliance, digital technology such as PKI may be used.
- Banks may implement PKI in phases for authentication and transaction verification. (Payment systems are subject to various financial risks, viz. credit risk, liquidity risk, systemic risk, operational risk and legal risk.)
- The issuing bank will need to convert older magnetic-stripe credit or debit cards into EMV chip-and-PIN enabled ones.
- With reference to internet banking applications, the report recommends that customers should be informed of risks, existing security measures and also given a choice of different methods of authentication to be able to select a system that matches their security requirements.
- All banks' internet banking applications should mandatorily create an authentication environment for password-based two-factor authentication as well as a PKI-based system for authentication and transaction verification in online banking transactions.
- The validity period for digital signature certificates (DSCs) may be increased from 3 to 5 years.
RBI has kept suggestions in the report open for public comment till February 28, 2014.
Note: Public Key Infrastructure (PKI) is a set of hardware and software that enables internet users to exchange data and money securely and privately by using a pair of public and private cryptographic keys.