A spurt in digital transactions and payments in the wake of demonetisation may have spelt a bonanza to digital wallets and mobile payment companies, but it has also increased threats from hackers. This has prompted many such companies to conduct special audits of their security as recommended by the Reserve Bank of India and add extra layers of security on their platforms.
RBI recently put out a notification urging all prepaid payment instrument (PPI) players to carry out a special audit of their security systems on a priority basis through security auditors empanelled by the Indian Computer Emergency Response Team (CERT-In), and to take steps to comply with the findings of the audit report.
The government also called for an audit of the financial sector, starting with the National Payment Corporation of India, as well as the review of the IT Act in the light of threats of cyberattacks and hacking by groups such as Legion, which recently claimed to have hacked into several high-profile Twitter accounts.
“The scope of the system audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation,” RBI said in the notice to all prepaid payments companies, including mobile wallet companies.
“We have initiated a thorough audit of our systems as per RBI directive to ensure that the system is fully secure and no vulnerability exists,” said Jitendra Gupta, founder of Citrus Pay. “We will undertake a check into our prepaid systems, access, user authentication, virus scan, external access and server security.”
Rohan Khara, director of products at MobiKwik, said the company has started the process with an RBI-approved company to conduct an audit. “We are about to close the audit process very soon,” he said. RBI has asked payment companies to share the names of auditors by December 21.
“Our platform complies with PCI DSS and other standards and we have initiated the process to conduct the audit as per guidance received from RBI,” said Transerv CEO Anish Williams. “Additionally, we continue to closely monitor customer interactions and strengthen our risk management framework on an ongoing basis.”
“While our existing measures provide watertight security to our systems, we are still on the lookout for unknown threats to address, for which we also invite white-hat hackers to find potential threats in our systems,” a Paytm spokesperson said.
MobiKwik and Paytm have added extra security features to their platforms in recent days, especially to prevent fraudulent transactions in case the user’s phone is misplaced or stolen.
Paytm recently updated its Android mobile app to allow users to enter the phone’s screen-lock password while making payments through the app.
MobiKwik also launched a security PIN on its Android app last week, under which the user has to enter a six-digit PIN. “On iOS, we have biometric authentication, which makes the user himself the password,” Khara said.
The companies said they have not faced any complaints or feedback of frauds or cyberattacks on their platforms so far, even as they scale up rapidly to capitalise on the cash crunch induced by demonetisation.