[Aloknath De, 18 March 2017 (http://gadgets.ndtv.com/internet/features/security-of-digital-payments-is-crucial-for-a-cashless-india-1670845)]
HIGHLIGHTS
· The Government projects 2,500 crore digital transactions in 2017-18
· Many wallets and banking apps are not deploying hardware-level security
· Better security will improve usability and adoption of digital payments
We are at the cusp of a digital payments revolution in India ushered in by the government’s demonetisation exercise late last year, and once again, mobile phones are at the centre of this revolution.
This, of course, involves personal data of millions of users that is sacrosanct. To ensure that this data is not compromised in any way while people use different digital payment modes, robust security across devices is absolutely necessary.
The Government estimates around 2,500 crore digital transactions will occur in 2017-18 via different payment modes such as Unified Payment Interface (UPI), Immediate Payment Service (IMPS), Aadhaar-enabled Payment System (AEPS) and credit cards as well as debit cards, swiped at point-of-sale terminals.
While these tools seek to create a digitally-empowered society, one important element will decide how successful they are: cyber security.
Security threats
With multitude of digital transactions happening via mobile phones, the chances of a security breach exist, particularly when many mobile wallets and banking applications are not deploying hardware-level security to make online transactions more secure.
Security issues include multiple fake accounts, psychological manipulation (known as phishing), weak device authentication, hacking of servers, and stealing of data.
The red-flag on security is not without reason. Globally, numerous events of hacking occurred, of email accounts, databases, Twitter handles of celebrities, as well as on Facebook, and other social media. In such cases, the financial-, privacy-, and security-related implications for individuals, institutions, and nations can be enormous. As digital transactions soar, cyber crimes will also rise.
After the severe cash crunch created by the November demonetisation drive, Indians have scrambled to undertake digital transactions. Given this scenario, cyber analysts have warned about serious vulnerabilities in the payment systems used across India. To address the threat, it’s necessary to have security features embedded in the hardware and software, as design and not as add-on features, as the latter will be susceptible to hacks.
Nonetheless, the benefits of digital and card payments are decidedly greater than those of cash. To minimise (if not eliminate) the risk in digital transactions, simplicity, security and ubiquity are the watchwords for any payment system or gateway to succeed. To safeguard the details of users, such a system should have the ability to tokenise, encrypt and authenticate data before use.
Boosting cyber security
There are several methods adopted to boost cyber security. In the tokenisation method, the system or device does not store any account or card number details on the device, but relies on tokens to undertake transactions.
When any transaction takes place, the device will transmit two sets of data to the payment terminal. The first set will be a 16-digit token representing the credit or debit card number. The second set will be a one-time cryptogram or code generated by the encryption key of the smartphone. The third safety element, authentication, is self-explanatory, with the user being identified by the user ID, fingerprint, or other code.
Today, SFA (Single-Factor Authentication) is clearly not as safe as TFA (Two-Factor Authentication). Password-based authentication is the most common form of SFA. In TFA, an extra layer of security is added to the standard log-in procedure, whereby the person accessing an account verifies their identity through a second question, or check-in procedure.
Another benefit of such security systems is that even if a person’s smartphone is stolen, payments cannot be made from the device unless authorised through a fingerprint or the specific PIN put down during the setup procedure.
The diverse range of payment technologies makes robust security critical. Two of these payment technologies are NFC (Near Field Communication), and MST (Magnetic Secure Transmission) and for both, users need to upload credit card details into the mobile payment app on their smartphone. Purchases can then be made in physical retail stores.
Since the card data is encrypted on the phone, one-time authorisation tokens are provided for every separate purchase. As NFC and MST are contactless payment solutions, the mobile phone typically does not need manual interaction with the PoS terminal. Only physical proximity and the customer’s approval are needed to permit a transaction.
Although the demonetisation drive has fast-forwarded India’s digital transition, issues of payment safety and security have not kept pace with these developments. If repeated security breaches occur, apprehension in people’s mind will slow down the pace of digital transactions in India.
It is therefore, critical that the issue of security is given due importance by all stakeholders. It is important that the digital payments industry also upgrades its systems to ensure the security of its customers. If that happens, everyone will benefit – including the Government, the digital payments industry, and customers.
The proliferation of mobile devices (smartphone, tablets) gives consumers more choice. Current digital card-based systems – be it credit or debit payment – assume that physical cards are available and card virtualisations are done. The traditional role of banks in issuing physical cards that are dispatched to users could be substituted by new forms of intermediaries, such as Trusted Service Managers, that make mobile devices capable of over-the-air provisioning. The time is now ripe to drive digital payments across India using financial instruments that are backed by robust security solutions.
Aloknath De is Chief Technology Officer, Samsung R&D Institute, Bangalore
Tags: Samsung, Digital Payments, Security, Fintech, NFC, POS
**Launch of Samsung Pay in India:
Samsung Pay launched in India: Here’s how it works
TECH Updated: Mar 23, 2017 11:26 IST
Hindustan Times, New Delhi
The Samsung Pay service will be available on Visa, Mastercard and Rupay payment cards; and for ICICI, HDFC, Standard Chartered, SBI, Axis banks(Anirban Ghoshal, Hindustan Times)
Samsung today launched a new digital payments service in the country, called Samsung Pay, that hopes to bring debit cards, credit cards and wallets under one umbrella.
Samsung Pay, a service that users of Samsung S7 Edge, S7, S6 Edge Plus, A series 2016 and 2017, and Note 5 users will get via a service update, will be available on Visa, Mastercard and Rupay payment cards. ICICI, HDFC, Standard Chartered, SBI, Axis bank cards will be supported, along with Paytm and Amex cards. UPI and CitiBank card support is also expected to become available soon.
The Samsung Pay service is also supported on Samsung Gear S3.
So, how does this work?
After updating their Samsung phones to the latest software, users can open the Samsung Pay app and link their bank or Paytm or credit/debit card accounts.
First, a user must first link their card or wallet to the Samsung Pay account.
For phones, the user can then make a transaction by swiping the pay service from the bottom of the screen. The screen will offer options of cards or accounts to pay from. The user selects the card and brings it close to the POS (point of sale) machine. Once the merchant has entered the amount for the transaction, the machine connects to the payment gateway and asks the user for the bank/ATM pin. Entering the PIN completes the transaction.
In case of the Gear S3, the user can open the service by swiping up and then selecting the card or account to pay from. Once the selection is made, a ‘pay’ button appears on the screen. Tapping the button and bringing the device close to the POS machine will complete the transaction in the same way as in the case of a phone.
Consumers can use the Gear S3 with any other Android phone to make transactions with Samsung Pay. To add cards to the Gear S3, users need to add them on the Samsung Gear Manager app.
Nearly 90% of all POS machines in India work on magnetic technology for payments with cards. The Samsung Pay service uses a similar technology. The service creates a magnetic field between the POS machine and the phone to replicate a card transaction.
The Samsung Pay app also offers promotions from banks on reward points. It shows offers from Paytm as well. The app also comes with built-in customer support.
