Ministry of Electronics and Information Technology issues the Draft Information Technology (Security of Prepaid Payment Instruments) Rules, 2017
The Ministry of Electronics and Information Technology (“Ministry”) has recently issued the Draft Information Technology (Security of Prepaid Payment Instruments) Rules, 2017 (“Draft Rule”) in exercise of the powers conferred under Section 87 of the Information Technology Act, 2000.
The Draft Rule has been issued with a view to ensuring adequate integrity, security and confidentiality of electronic payments effected through prepaid payment instruments.
The Draft Rule has defined pre-paid payment instrument (“PPI”) as a payment instrument which facilitates purchase of goods and services, including funds transfer, against the value stored on such instruments.
The pre-paid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers and any such instrument which can be used to access the pre-paid amount.
The Draft Rule has further defined the electronic pre-paid payment instrument issuer (“e-PPI issuer”) as a person operating a payment system that issues pre-paid payment instruments to individuals/organizations under authorization from the RBI under the Payment and Settlement Systems Act 2007, where the payment account is accessed through electronic means.
The Draft Rule has imposed various obligations on the e-PPI issuer in order to strengthen the security and confidentiality of electronic payments effected through prepaid payment instruments.
The key highlights of the Draft Rule are as follows:
- Every e-PPI issuer must develop an information security policy for security of the payment systems operated by it in accordance with standards specified by the Central Government for this purpose.
(a) the information collected directly from the customer and information collected otherwise;
(b) uses of the information;
(c) period of retention of information;
(d) purposes for which information can be disclosed and the recipients;
(e) sharing of information with law enforcement agencies;
(f) security practices and procedures.
- Every e-PPI issuer must carry out a risk assessment to identify and assess the risks associated with the security of the payment systems operated by it, and must also review its security measures at least once a year.
- Every e-PPI issuer must ensure that customers are identified through adequate due diligence procedures at the time of issuance of a pre-paid payment instrument.
- Every e-PPI issuer must adopt multiple factor authentication where a customer initiates a payment against the value stored on the pre-paid payment instrument.
- The financial data of the customer will be deemed to be sensitive personal data or information for the purposes of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and every e-PPI issuer must maintain and implement the practices and procedures prescribed in those rules.