9-Mar-2017: Centre issues draft rules on e-wallet payments

The Centre has issued draft rules to ensure integrity, security and confidentiality of electronic payments made through prepaid payment instruments (PPIs), popularly called e-wallets. The draft rules, on which the Ministry of Electronics and Information Technology has sought public comments, make it mandatory for e-PPI (electronic pre-payment instrument) issuers to develop an information security policy that ensures that the systems operated by them are secure.

The Information Technology (Security of Prepaid Instruments) Rules, 2017, define an e-PPI issuer as a “person operating a payment system issuing prepaid payment instruments to individuals/organisations” under the aegis of the Reserve Bank of India.

The Rules mandate that each Prepaid Payment Instruments (PPI) company or wallet firm will have a privacy policy posted on its website. The policy should include details such as the consumer information collected, its uses, the period of retention of information, and the purposes for which information can be disclosed and to whom, especially with regard to law enforcement agencies. It should also have details on security practices and procedures, and the name and contact details of the grievance redressal officer along with the mechanism for grievance redressal.

Each company will also have to appoint a chief grievance officer, whose contact details will have to be prominently displayed on the website. The grievance officer will have to “act upon” any complaint within 36 hours and “close” it in a month’s time.

The draft also mandates that companies have enough safeguards in place to avoid any hacking attacks and, if there is one, that it be swiftly reported to the government agencies.

The guidelines say that the personal information of the customers will be treated under Section 72A of the Information Technology Act, and the financial data of the customer shall be deemed to be sensitive personal data under the “Information Technology (Reasonable Security Practices and Procedures and Sensitive.

Every wallet has to ensure that end-to-end encryption is applied to safeguard the data exchanged, and shall retain data relating to electronic payments only for as long as necessary.

The guidelines also mandate that CERT-In (Indian Computer Emergency Response Team) shall notify the categories of incidents and breaches that are required to be reported to it mandatorily. CERT-In may require e-PPI issuers to notify customers of cyber security incidents or breaches if the incident or breach is likely to result in harm to the customers.