
OCEN – Next step towards Financial Inclusion in India?

India has a population of 1.3 billion people spread across the length and breadth of the country, with the majority living in rural and semi-urban areas. This represents an untapped market of over 300 million Indians who are currently outside the purview of the formal lending system because of interrupted flows of capital.


This segment includes MSMEs, gig economy workers, small shop owners, farmers, and other such individuals in the unorganized sector. They struggle to adopt new technology and innovations, invest in R&D and hire a skilled workforce because of the absence of timely and affordable credit. The situation has been further aggravated by the current Covid-19 pandemic, with several such businesses shutting down temporarily or permanently because they were unable to secure the liquidity needed to run their operations.


Traditional lenders are unable to provide credit to the businesses and individuals that need it the most. Because these borrowers lack an adequate credit history, lenders ask for collateral, which such businesses cannot provide. This hinders loan disbursal at the right cost of capital and on terms that meet the requirements of these businesses.


Recent technological and fintech innovations can bring this unorganized sector within the financial loop and bridge the financial divide in India. With the recent efforts to promote Digital India, this sector is increasingly generating a digital transaction history that can be used to provide relevant information and build trust with financial institutions. Using this data, along with a shift from asset-based lending to cash-flow-based lending (based on future cash flows), will help channel credit towards this sector.


However, there is still a lack of appropriately customized, priced, and timed credit facilities in this segment.


Here, the Open Credit Enablement Network (“OCEN”) will act as a common language, enabling lenders and marketplaces to collaborate and create innovative financial/credit products at scale.



OCEN Framework – Developing New Lending Ecosystem


The Open Credit Enablement Network (“OCEN”), launched in July 2020 by IndiaStack, is an open protocol infrastructure designed to standardize the lending process and reshape it by introducing additional touchpoints (for example, digital platforms) in the lending value chain.


There are primarily four stakeholders involved in the OCEN ecosystem. These are:

  1. Loan Service Providers (LSPs): Any digital platform that has an existing customer base and wants to bundle credit with its existing offerings
  2. Technology Service Providers (TSPs): Fintechs that work with LSPs/lenders to onboard them onto the OCEN infrastructure and provide customized credit solutions
  3. Lenders: Banks/NBFCs
  4. Borrowers: MSMEs or retail customers


OCEN will act as a mediator for the interaction between LSPs and traditional lenders, providing quick, seamless access to capital for the deserving sector.


It will be able to address the following issues in the current lending system:

  • Identifying the creditworthiness of the borrower
  • Reducing the high cost of borrower acquisition
  • Reducing the turnaround time of loan disbursal
  • Disbursement of loans to small businesses/unorganized sector


As said earlier, OCEN is just a protocol. To put it into practice, LSPs and lenders in the system must adopt it. This is where Embedded Finance comes into the picture. Embedded Finance is a game-changing opportunity for new entrants and fintechs alike.


OCEN and Embedded Finance will lead to the democratization of credit, which will allow other players and digital platforms in the lending value chain to offer credit services by providing low-cost, tailored credit solutions.


This will transform and ease lending to the MSME sector. The entities closest to borrowers can provide financial services. By leveraging Embedded Finance, they can innovate and provide tailored credit solutions to MSMEs, leading to the growth of the sector.


Currently, lending has very limited application in Embedded Finance because of the complexity involved in such services. However, new digital business models that tie up with various embedded service providers can now offer superior and more complex lending products within the OCEN protocol.


In brief, the adoption of OCEN in the Embedded Finance structure will help drive financial inclusion and the digital lending market, which is expected to grow to $100 billion by 2023 (as per a joint study by Omidyar Network and BCG).


“Just like UPI created a common language between debit and credit and so on, and allowed us to create this huge ecosystem, OCEN protocol also enables that. This is something that is going to have a big impact. For the first time, we can truly democratize credit, and make sure credit reaches all the small companies and street vendors and so on.”


Nandan Nilekani, Global FinTech Festival, 2020



What is e-RUPI and how is it a big leap in the Digital Payments Ecosystem in India?

Launched in August 2021 by Prime Minister Narendra Modi, e-RUPI is a new digital payment solution for seamless transfer of funds, without the need for any card, digital payments app, internet access or even a bank account. 


e-RUPI is a cashless and contactless payment method that works through an e-voucher sent to beneficiaries as a QR code or SMS string, which can be redeemed only for a specific purpose at designated service providers. It digitally connects the sponsors of the services with the users and service providers, with no physical interface required.


These vouchers are both person-specific and purpose/end-use-specific. For example, if they are issued by the government for availing a medical service at a particular hospital, they can be redeemed only for that. In other words, e-RUPI works as a closed-system PPI.


How does e-RUPI work?


e-RUPI is developed by NPCI on its UPI platform, with onboarded banks as the issuers. The government or any private corporate will approach the partner banks with the details of specific beneficiaries to whom the payments have to be made and the purpose of such payments.


Each beneficiary is uniquely identified on the basis of their mobile number, and the voucher is then issued and delivered (as a QR code or SMS) in the name of that beneficiary only.
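The voucher checks described above, as an added illustration constructed for this page (not NPCI's e-RUPI implementation): the issuing bank signs the voucher fields with an HMAC, and redemption enforces that the voucher is unaltered, unexpired, presented by the named provider for the named beneficiary and purpose, and used only once. The key, field names and sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets


# Constructed issuer key: in practice the issuing bank holds this and it never
# leaves its systems. The voucher layout below is an illustrative assumption,
# not NPCI's e-RUPI specification.
ISSUER_KEY = b"constructed-issuer-bank-key"


def _mac(fields: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of the voucher fields, so that any
    change to beneficiary, purpose, provider, amount or expiry is detected."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canon, hashlib.sha256).hexdigest()


def issue_voucher(beneficiary_mobile: str, purpose: str, provider_id: str,
                  amount_inr: int, valid_days: int, now: int) -> dict:
    """Issuing bank creates a voucher bound to one person (by mobile number),
    one purpose and one service provider. The dict is what would be encoded
    into the SMS string or QR code delivered to the beneficiary."""
    fields = {
        "voucher_id": secrets.token_hex(8),
        "beneficiary_mobile": beneficiary_mobile,
        "purpose": purpose,
        "provider_id": provider_id,
        "amount_inr": amount_inr,
        "expires_at": now + valid_days * 86400,   # seconds since epoch
    }
    return {**fields, "mac": _mac(fields)}


class RedemptionService:
    """Issuer-side checks run when a service provider presents a voucher.
    Each rule maps to a property of the closed-system voucher: issuer-signed,
    person-specific, purpose-specific, provider-specific and single use."""

    def __init__(self):
        self.redeemed = set()   # voucher_ids already settled

    def redeem(self, voucher: dict, presenting_provider: str,
               claimed_mobile: str, claimed_purpose: str, now: int):
        fields = {k: v for k, v in voucher.items() if k != "mac"}
        if not hmac.compare_digest(_mac(fields), voucher.get("mac", "")):
            return False, "tampered or forged voucher"
        if now > fields["expires_at"]:
            return False, "expired"
        if fields["provider_id"] != presenting_provider:
            return False, "not redeemable at this provider"
        if fields["beneficiary_mobile"] != claimed_mobile:
            return False, "beneficiary mismatch"
        if fields["purpose"] != claimed_purpose:
            return False, "end-use mismatch"
        if fields["voucher_id"] in self.redeemed:
            return False, "already redeemed"
        self.redeemed.add(fields["voucher_id"])
        return True, "settle INR %d to %s" % (fields["amount_inr"], presenting_provider)
```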


Objective of e-RUPI


e-RUPI is expected to serve the following objectives:


  • The long-term vision of e-RUPI is to reach the unbanked population, include them in the formal financial system and reduce the digital gap in the country
  • To provide equal access to various healthcare, education, and other benefits to each citizen of the country
  • Transparency in transactions, as the end use of the funds can be easily tracked
  • To guarantee that the money is used for the purpose for which it was intended, unlike a traditional bank account transfer where the funds may be used for other purposes


Further, with the government in the process of establishing a central bank digital currency, e-RUPI can be used to expose the flaws in the current digital payment infrastructure, which is crucial for the development of digital currencies in the future.


Application of e-RUPI


Currently, this is a platform launched as a government initiative for leak-proof distribution of welfare benefits to eligible beneficiaries. It aims to provide services under various government schemes, including Ayushman Bharat Pradhan Mantri Jan Arogya Yojana and other subsidy programs.


However, in future even private entities can use this voucher-based payment method for providing services to their employees for travel, healthcare, and other such purpose-specific expenses.


It can also be used to provide credit to first-time borrowers where the end use of funds is specific, thereby evolving the digital lending landscape in the country.


A move towards digitalization and introduction of Digital Currency


While e-RUPI is not in itself a digital currency, as it is still backed by the Indian Rupee as the underlying asset and is purpose-specific, it is definitely a move towards introducing digital currency/cryptocurrency in India.


Both e-RUPI and cryptocurrency work on a similar principle of enabling end-to-end digital transactions and removing physical intermediaries, thereby ensuring transparency, data security and an overall reduction in operating costs.


What lies ahead?


With the introduction of e-RUPI, it is clear that the government supports new digital initiatives, as it expects that India has tremendous potential to change the way people transact and pay for different services. This is supported by the increasing adoption of digital payments for small-value transactions, especially by the non-digital customer segment in the country.


This, backed by India’s high currency-to-GDP ratio, validates that such digital initiatives and crypto assets/digital currencies can co-exist and position India as the front runner in forming a complete digital economy. Further, e-RUPI will encourage the use of PPIs in India for better channelization and monitoring of funds, providing an opportunity for fintechs driving digital payment solutions to design new products built around e-RUPI, digital currencies and similar digital solutions.



Decentralized Finance: Building a new finance ecosystem for Cryptocurrency in India

With the highest fintech adoption rate among emerging markets, at 87% compared to a global average of 64% (as per a report published by EY & IVCA), India provides huge opportunities for a decentralized banking system to exist. Already being progressively adopted in the US and EU, decentralized finance (DeFi) is expected to take off in India as well as other Asian markets. It could be a potential market for tapping and expanding into the underbanked/unbanked population in the country.


Decentralized Finance (DeFi) is a financial ecosystem that uses cryptocurrency and blockchain technology for executing financial transactions. In layman’s language, it allows consumers to trade, borrow, transfer, and lend a digital currency, independently of traditional financial institutions and regulatory structures. It eliminates the need for middlemen for transactions.


Centralized Finance (CeFi): Present Ecosystem


Today, almost every aspect of financial services is managed by centralized systems operated by governing and regulatory authorities. Consumers depend on financial intermediaries for access to almost everything, from loans and capital to trading in stocks.


As a result, consumers cannot bypass middlemen such as banks, NBFCs or exchanges, who take a share of the income from every financial transaction.


Decentralized Finance: The Future


DeFi is the unbundling of this centralized financial system, enabling financial services anywhere for anyone and thereby empowering regular people via peer-to-peer exchanges.


DeFi services are built and operate on blockchain technology and cryptocurrency, in a cryptographically secured environment with no manual intervention. A blockchain is a decentralized and distributed public ledger in which every transaction is recorded in cryptographically secured form, and every party holds an identical copy of that ledger. This secures the system while keeping the sensitive data of users anonymous.


Further, all transactions are executed and recorded by parties who use the same blockchain, as there are no middlemen involved for managing the system. It provides users with more control over their money as this ecosystem caters to individual needs.


This makes the financial transactions transparent, low-cost, and more secure than the traditional systems employed in CeFi.


How to use DeFi?


DeFi is powered by decentralized applications and other programs called protocols. Currently, these apps and protocols handle transactions mainly in two cryptocurrencies, Bitcoin and Ethereum (the latter being more adaptable than Bitcoin for DeFi).


Some of the current use cases of DeFi apps and protocols include the following:


  • Traditional financial transactions
  • Decentralized exchanges (DEXs)
  • E-wallets
  • Stable coins
  • Non-fungible tokens (NFTs): Creating digital assets out of the non-tradeable assets


Adoption of DeFi is powered by the omnipresent nature of blockchain. Further, because these services exist outside the purview of regulatory bodies, their potential benefits are increased.


Downsides of DeFi


DeFi, being a recent innovation, is still not governed by any regulations or rules. Some of the risks involved are:


  1. In the absence of any regulation, the user has no protection/recourse in case of any error in executing a transaction
  2. While there is no manual intervention, the underlying software systems can still be hacked, and they carry the threat of online data breaches


DeFi: A Potential Revolution in India


DeFi in India can be the new front for the cryptocurrency market, provided the government defines a legal framework for digital currency. It will provide an opportunity to improve the livelihood of people earlier excluded by traditional institutions, by allowing them to engage in financial transactions cheaply and securely. It will also provide additional investment options to investors, through Bitcoin, Ethereum, etc., thereby giving them financial independence over how and where to deploy their money.


Cryptocurrency has the potential to help the majority of the population increase their consumption levels, achieve financial security and contribute to the economic development of the country.


Way ahead


These alternatives to traditional banking methods are seeing a positive response, predominantly by India’s young population, as they are recognizing the potential benefits that it will offer to the economy if successfully implemented. However, with lack of regulations and lack of necessary infrastructure, it is yet to be seen how it will play out in future.


With the governments of many countries supporting the same and the cryptocurrency market growing rapidly, it is only a matter of time before DeFi becomes the new normal.



What are the new RBI norms with regard to recurring card payments? – All you need to know


Have you recently started receiving mails/SMS from various banks and service providers asking you to re-register your e-mandates for automated payments such as OTT and newspaper subscriptions? This is because of the new RBI guidelines on recurring transactions, which came into force on October 1, 2021.


What are these new RBI norms?


In another step to secure digital transactions via credit/debit card, PPI or UPI, the RBI has implemented new auto-debit rules. As per the new norms, all such recurring transactions have to be further secured with an additional factor of authentication (AFA), i.e. 2-factor authentication. Any recurring card transaction, whether domestic or cross-border, that is not secured with AFA will be discontinued.


New rules for Automatic Payments – A Snapshot


Registration of e-mandate
  • Any transaction amount: a one-time registration of the card, with AFA validation, irrespective of the transaction amount
Processing of first transaction
  • Any transaction amount: the transaction will be processed with AFA validation
Pre-transaction notification for subsequent transactions
  • Transaction amount <= INR 5,000: the customer will receive a notification giving information about the debit; nothing further has to be done and the debit will be executed
  • Transaction amount > INR 5,000: the customer will receive a notification at least 24 hrs prior to the actual debit, for approval; approval is through 2-factor authentication; post successful AFA, the card will be charged
Managing of e-mandates
  • Any transaction amount: the issuer is to provide an online facility to pause/cancel the e-mandate at any point of time, requiring AFA

Source: RBI


Further to this, the bank/issuer is required to capture additional information, such as the validity period of the e-mandate, at the time of registration. If required, a facility to modify the validity period shall also be provided.


The banks also need to send a post-debit notification to the cardholder once the auto-debit is processed. Finally, they must set up a redressal mechanism to address customer grievances related to this.
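The rules in the snapshot above, as an added rules engine constructed for this page (not the RBI's or any issuer's code). It assumes a cardholder-set amount cap, records when each pre-debit notice went out, and blocks a debit above INR 5,000 unless the notice is at least 24 hrs old and the cardholder has approved it through AFA; T0 and the helper at() are constructed timestamps for the walkthrough.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AFA_THRESHOLD_INR = 5000          # per-transaction limit in the RBI framework
MIN_NOTICE = timedelta(hours=24)  # pre-debit notice required above the threshold

T0 = datetime(2021, 10, 1, 9, 0)  # constructed reference time (framework start date)


def at(days: int, hours: int = 0) -> datetime:
    """Constructed timestamps relative to T0, used only for the walkthrough."""
    return T0 + timedelta(days=days, hours=hours)


@dataclass
class Mandate:
    mandate_id: str
    max_amount_inr: int          # cap chosen by the cardholder at registration
    valid_until: datetime        # validity period captured at registration
    active: bool = True
    first_txn_done: bool = False
    notices: dict = field(default_factory=dict)   # txn_id -> (amount, sent_at)
    approvals: set = field(default_factory=set)   # txn_ids approved through AFA


class MandateEngine:
    """Constructed issuer-side rules for card e-mandates."""

    def register(self, mandate_id, max_amount_inr, valid_until, afa_ok) -> Mandate:
        # Registration always needs AFA, whatever the amount
        if not afa_ok:
            raise PermissionError("e-mandate registration requires AFA")
        return Mandate(mandate_id, max_amount_inr, valid_until)

    def pre_debit_notify(self, m: Mandate, txn_id: str, amount: int, sent_at: datetime):
        # In practice an SMS/e-mail; here we only record when it went out
        m.notices[txn_id] = (amount, sent_at)

    def approve(self, m: Mandate, txn_id: str, afa_ok: bool):
        # Cardholder approval of a > INR 5,000 debit, given through AFA
        if afa_ok:
            m.approvals.add(txn_id)

    def debit(self, m: Mandate, txn_id: str, amount: int, now: datetime, afa_ok=False):
        if not m.active:
            return False, "mandate paused or cancelled"
        if now > m.valid_until:
            return False, "mandate validity expired"
        if amount > m.max_amount_inr:
            return False, "amount exceeds the cap set by the cardholder"
        if not m.first_txn_done:
            # First transaction is processed with AFA validation, any amount
            if not afa_ok:
                return False, "first transaction requires AFA"
            m.first_txn_done = True
            return True, "debited; post-debit notification sent"
        notice = m.notices.get(txn_id)
        if notice is None or notice[0] != amount:
            return False, "no pre-debit notification for this debit"
        if amount > AFA_THRESHOLD_INR:
            if now - notice[1] < MIN_NOTICE:
                return False, "notice sent less than 24 hrs before debit"
            if txn_id not in m.approvals:
                return False, "cardholder AFA approval missing"
        return True, "debited; post-debit notification sent"

    def pause_or_cancel(self, m: Mandate, afa_ok: bool) -> bool:
        # The issuer's online facility to pause/cancel, itself gated by AFA
        if not afa_ok:
            return False
        m.active = False
        return True
```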


What will be its impact on payments?


This move has been introduced to protect consumers by safeguarding pre-stored card data and preventing digital fraud, especially for those consumers who hastily give their consent to unnecessary automated payments and fall prey to data breaches.


With the new guidelines coming into implementation, all such recurring payments need to be reviewed and re-registered with respective issuing banks to avoid transaction failure.


However, these will only impact standing instructions (SIs) on cards. The automated instructions under UPI Autopay, e-NACH and other SIs to banks will not be impacted.


The directive will empower card users and give them more control over their transactions. They can now determine and set the amount, velocity, etc., thereby managing such recurring mandates efficiently.


Way forward


For end consumers


Initially, this will impact customers to some extent, as the previous payment mode was meant to provide them with a seamless experience (especially for transactions above the INR 5,000 cap in B2B usage). Also, such payments may move to alternate modes of payment such as e-NACH, UPI, etc. for a better customer experience. However, in the long run, with awareness, they will realize that such regulations are for their benefit, as they will eventually increase the security of card transactions.


For Businesses


These guidelines will encourage businesses, particularly small and medium-sized businesses, to reach out to an untapped customer base and build new business models in and around subscription payments, helping this market grow multi-fold in the coming years.


To sum it up, the entire payments ecosystem is going through changes due to these regulations and all stakeholders are getting impacted in one way or the other. It will require banks/card companies/fintechs in the payments space to provide such portals to comply with the new regulations. However, there is still a long way to go as not only the banks/card companies, but the merchant/merchant aggregators’ ecosystem also needs to be in a state of readiness for its successful implementation. 



Account Aggregators – Digitizing Transactions

What is an Account Aggregator?


An Account Aggregator (AA) brings together all of an individual's financial data from bank accounts, credit cards, investment accounts and other accounts in one place. Currently, this data can be pulled through APIs.


AA will help consumers share all their financial data, including information on pension, brokerage, tax, insurance, etc. Currently, it is restricted to the financial sector only; however, this model will eventually help consumers share data in sectors like healthcare, telecom, etc.


Difference between the AA and Traditional process


AA is different from the earlier process of Aadhaar data sharing and other CKYC platforms. Through AA, information such as bank statements (savings, deposits, current accounts) or transaction data can be shared. In the earlier methods like CKYC and Aadhaar, financial institutions only get access to the customer's identity details (address, name, gender, etc.).


Steps involved for opening an account with AA


  1. Open an account with the AA (the customer can be an individual or a business), after which the AA links all the financial data (bank accounts, credit card accounts, brokerage accounts, etc.)
  2. Provide consent to the AA
  3. Post consent, the AA seeks approval from the financial data providers to access the customer's accounts
  4. Once the approval is in place, the AA provides the data to the customer for the ease of their various transactions


Currently, in India we have 8 AAs: Axis Bank, HDFC Bank, ICICI Bank, IndusInd Bank, SBI, Kotak Mahindra Bank, IDFC Bank and Federal Bank.


Is AA secure? 


The data shared via an AA is encrypted and can be decrypted only by the recipient. The individual's digital signature, applied when the data provided by the AA is accessed, makes it secure and convenient for the user.


Commercials involved in the AA service

This depends on the service provider. Some may charge the end customer for providing the service.


Benefits of AAs


  1. Account management: As of today, the financial data of an individual is stored in various places. With the help of an AA, it can be viewed in a single window, eventually leading to one platform that has access to all accounts/transactions.
  2. Quicker access to loans: Getting a loan from a bank will become much simpler. An individual can give consent to a bank, and data like the number of accounts, balances, statements, assets pledged for a previous loan, etc. can be extracted with the help of an AA.


Way forward with AAs


As of today, consumers have to go through a long, siloed process of sharing stamped/notarised documents and signed bank statements, or even sharing their usernames and passwords with the financial organisation (a third party in this case) so that it can check their history. With AA coming into the picture, the process becomes much simpler: a secure digital way to share your data with a third party in a single access, after consent.

Well, this will also create new types of loan opportunities in the market.

AA will create a repository of information that will be easily available to institutions (after consent, of course).

Currently, the AA is only available for the financial sector; the same will be provided for other sectors eventually too.


Banking as a Service (BaaS) – Entering into a New Era of Financial Ecosystem

Over the past few years, there has been an increase in the number of sectors like travel, retail, SaaS, etc. expanding into financial services.


Well, the collaboration between banking and fintech is still very new in the Indian economy. The new normal has definitely shaken up the world and it has impacted the traditional banking system. Moving from visiting a branch to opening an account online has been a major revamp in the industry; to be honest, this is just the start.


Every day, new fintechs are disrupting the old, traditional ways of banking and challenging our generation to think out of the box.


BaaS is a vast topic, and its meaning changes every day with the demands of the end customer. Let’s try addressing the details one by one.


What is BaaS? 


In layman’s terms, BaaS is a process that allows fintechs and third parties to connect with banks via APIs. From opening an account to creating FDs (fixed deposits), everything can be done with the help of BaaS.


Offering these services to an end customer is not so easy and requires many more regulatory processes to be in place. For example, issuing prepaid cards requires a PPI licence, giving credit to customers requires an NBFC licence, and so on.


How does this work?


Banks hold the licences to offer various services, so they expose their systems to BaaS providers, who in return pay the banks for using those services. BaaS allows businesses to plug in these financial technologies and then provide new solutions to end customers as per their needs and requirements.


Generally, the BaaS model begins with fintechs, banks or third-party providers (TPPs) paying fees to the BaaS platform. The financial institutions open up their APIs to the TPPs, thereby giving them permission to access the systems and information required to build new banking products or offer white-label banking services.


Let’s understand how this is different from the old, traditional ways of banking


In today’s era, opening an account is just a matter of a few minutes compared to the days where opening a bank account required walking to the branch. 


Today, if someone has to send money to their children/relatives sitting abroad – trust me, it’s not a task anymore. Of course, this requires the regulatory practices to be in place, however, there are fintechs who are supporting this while simultaneously abiding by the regulatory guidelines.


Changing the entire back-end and front-end structure of a bank is not an easy task and requires a lot of investment. In this case, banks approach BaaS or tech service providers to plug into their systems and provide end-to-end services to the customer.


Future of BaaS


Every day the financial industry comes across a new development; the landscape is changing rapidly. Banks, fintechs and businesses frequently come across new requirements. Reaching out to new segments of customers and solving a problem statement is also a new revenue stream for banks as well as fintechs.


Banks teaming up with the service providers and reaching out to end customers for providing innovative solutions is much required. APIs and applications play a major role in bringing these changes and need to be developed in a responsible way to provide long-term efficiency and scalability.


Cryptocurrency Banking – Will Crypto co-exist or replace cash in the near future?


With the global cryptocurrency market now worth more than $3 trillion, it cannot be overlooked and has captured the interest of investors, traders and financial service firms alike. But currently, with the RBI and the government highlighting macroeconomic and financial stability concerns and wanting some form of regulation for cryptocurrencies, wide acceptance still poses a challenge. Further, such currencies are difficult to spend the way one would spend regular money.


However, in recent times new platforms and services are being introduced for better management of such digital coins in people's day-to-day finances. Let us now understand cryptocurrency banking, its benefits and, at the same time, the barriers it faces.


What is Cryptocurrency Banking?


This term can sometimes be misleading, as these currencies are not yet regulated by any central authority. Moreover, the firms and exchange companies that provide such services aren’t banks; they only provide ways for people to manage their cryptocurrency balances, by allowing them to hold them in digital wallets and spend them like traditional money.


What are the benefits of Cryptocurrency Banking?


The primary benefit envisaged is the issuing of cryptocurrency debit cards. This will allow consumers to use their digital coin balance like any other money for daily expenses and purchases, or to withdraw it as cash, rather than just keeping it for the purpose of investment.


Prior to this, cryptocurrency could only be spent where it was directly accepted by retailers, or sold in exchange for dollars. Now, fintech firms are partnering with financial institutions and/or debit card issuers to issue such cards, using their partner’s regulatory structure to convert digital coins into acceptable legal tender (say INR) and allowing retailers/vendors to accept it in exchange for their goods/services. This will allow digital currencies to be accepted wherever regular debit cards are accepted.


In future this can be further extended in the form of prepaid cards, which can be loaded with cryptocurrency for making online/offline purchases from merchants.


Barriers/risks in accepting Cryptocurrency Banking


The biggest barrier to spending and lending in cryptocurrency is its volatility. The same is valid when investing in it. Financial institutions rely on traditional currency for lending, spending on daily purchases, etc. because of the stability of its value, but the same is not currently possible with digital coins in a manner that is safe and secure.


Moreover, while spending digital currency, one should be aware of the risk that its value can change after it is spent, since the transactions are based on the real-time value of the digital coin.


Another barrier is that the regulators are still evaluating its credibility and validity, as there are no laws/regulations currently in place for them. They are decentralized and are not backed by any asset. Their value gets determined through demand and supply.


How will the future of money evolve?


With the regulatory bodies/government cognizant of the fact that this is an emerging technology, they will need to keep a close watch and take proactive steps in the future. As this issue spans geographical boundaries, it will further require global partnerships and collective strategies.


The combination of cryptocurrency, CBDCs, stable coins and other digital payments could eventually lead to the “demise of [physical] cash”. However, one technology alone will not overtake it. 


Though the future of money is cashless, a dependence on these digital payments will not lead to an efficient system. And eventually all this will affect not only money, but also the economy and society.


3-D Secure 2.0 – Making transactions Simpler and Safer

Preventing fraud plays a significant role in the digital payments space. We must have encountered many frauds, both online and offline, during our lifetime.


Unfortunately, the search for effective methods to eradicate fraud never ends. Fraudsters will always find new methods to commit crimes. There are many tools available to counter it, the latest being 3-D Secure.


What is 3-D Secure?


Putting it simply, 3-D Secure is an additional layer of cardholder authentication added to an online transaction. Visa and Mastercard offer this tool, and it is known as ‘Verified by Visa’ and ‘Mastercard SecureCode,’ respectively.


3-D Secure is a three-sided security system that provides security while performing transactions and transferring payment data amongst:


  1. Issuing bank
  2. Acquiring bank
  3. Payment gateway (the link that connects acquirer and issuer)


How does it work?


Several steps are involved when conducting an online transaction. A few additional steps for 3-D Secure can significantly reduce the risk of online fraud:


  1. A cardholder enters payment information on a webpage
  2. The payment provider sends a request to check whether 3-D Secure is active on the card
  3. If yes, the customer is redirected to the 3-D Secure page
  4. The cardholder receives an OTP and must enter it in the appropriate field
  5. The authentication result is returned as a response to the payment provider's server
  6. The payment provider sends the data to the acquiring bank
  7. The acquiring bank authorises the transaction and informs the customer whether the transaction was successful or not


3-D Secure 1.0 vs. 2.0


3-D Secure 2.0 is replacing 1.0 to provide a better user experience, which leads to higher successful-transaction conversion. In 3-D Secure 2.0, the need to enter static passwords is replaced by other methods such as biometrics.


3-DS 2.0 examines over 120 data points. If the transaction is deemed low risk, no further action is required; if the transaction is deemed high risk, 3-D Secure requires the customer to verify their identity through biometrics or two-factor authentication.
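The frictionless vs. challenge decision described above, as an added example constructed for this page (not the page's own code nor any card scheme's implementation). The message names AReq/ARes and the transStatus values follow EMVCo 3-D Secure 2 terminology, but the five data points, their weights and the threshold are assumptions standing in for the 120+ data points a real access control server evaluates.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    amount_inr: int
    device_seen_before: bool        # device fingerprint matched an earlier purchase
    shipping_matches_billing: bool
    card_country: str
    merchant_country: str
    txns_last_24h: int              # velocity on this card


# Constructed weights: a real ACS examines 100+ data points with issuer-tuned
# models; these five are only enough to show how the decision is taken.
def risk_score(t: Transaction) -> int:
    score = 0
    if not t.device_seen_before:
        score += 30
    if not t.shipping_matches_billing:
        score += 25
    if t.card_country != t.merchant_country:
        score += 20
    if t.txns_last_24h >= 5:
        score += 15
    if t.amount_inr > 20000:
        score += 20
    return score


CHALLENGE_THRESHOLD = 40   # constructed cut-off between low and high risk


def access_control_server(areq: dict, challenge_passed=None) -> dict:
    """Issuer's ACS answering the AReq with an ARes. transStatus 'Y' means
    authenticated, 'C' means a challenge is required, 'N' means not
    authenticated (EMVCo 3DS 2 status codes)."""
    score = risk_score(areq["txn"])
    if score < CHALLENGE_THRESHOLD:
        return {"transStatus": "Y", "score": score}   # frictionless flow
    if challenge_passed is None:
        return {"transStatus": "C", "score": score}   # open a challenge
    return {"transStatus": "Y" if challenge_passed else "N", "score": score}


def run_3ds2(txn: Transaction, challenge_fn) -> dict:
    """Payment-provider side of the flow: send the AReq, run the challenge
    (OTP or biometric) only when the ACS asks for it, then hand the outcome
    to the acquirer, which authorises only an authenticated transaction."""
    ares = access_control_server({"txn": txn})
    flow = "frictionless"
    if ares["transStatus"] == "C":
        flow = "challenge"
        ares = access_control_server({"txn": txn}, challenge_passed=challenge_fn())
    return {"flow": flow, "transStatus": ares["transStatus"], "score": ares["score"],
            "acquirer": "authorise" if ares["transStatus"] == "Y" else "decline"}
```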


Benefits of 3-DS 2.0


With the 3-DS 2.0 update, customers will have a more fluid experience when conducting transactions on both mobile and desktop/laptop devices. Benefits of the latest update are:


  1. Better user experience
  2. Increase in online transactions
  3. Higher conversion rates
  4. Multiple device support




Security is of the utmost importance, especially when customers conduct online transactions. Today there is a significant shift toward online transactions, and customers need peace of mind while making them. 3-DS 2.0 makes transactions safe, seamless and efficient, while also providing a better user experience.


Tokenization: Creating a stir in the Payments Industry

In today’s world, rising online fraud and cyberattacks are creating security and trust issues that slow public adoption of digital payments, and these data security issues have become a major concern for online service providers, who have been looking for ways to reduce the risk. One such solution is “Tokenization,” a new buzzword in the payments industry. Tokenization adds an extra layer of security to users’ sensitive data and helps prevent online and digital data breaches.


The concept of digital tokenization is inspired by the concept of physical tokenization, which has existed since the invention of currency. Token coins replace actual coins or banknotes in physical tokenization. These token coins have a real identity and value, but they only have meaning in a limited and controlled space. For example, casino tokens have no value outside of the casino’s premises.


The payment card industry uses digital tokenization to protect users’ sensitive data and provide better customer assurance in order to increase trust. It is a low-cost and simple-to-implement solution for merchants.


What is Tokenization?


Tokenization is the process of protecting sensitive data by replacing it with a surrogate token that has no meaning on its own. The tokens can then be passed over the internet or the various wireless networks required to process the payment without exposing actual bank details. The actual card or account number is kept secure in a token vault.


Tokenization is commonly used to combat credit card fraud. It relieves merchants of the burden of storing sensitive card data of users, reducing the work and effort required to be PCI DSS compliant.


How does it work?


A customer makes an online purchase through an e-commerce website, or offline through a merchant POS, and chooses a credit card payment method. The customer enters sensitive data on the portal, such as card number, CVV and cardholder name, or enters a PIN on the POS machine. The card data collected is sent to the tokenization server rather than stored on the e-commerce website’s server. The tokenization server processes the card data, stores the original card data in the secure token vault and generates a token of the same length from a random alphanumeric string. The token is then forwarded to the merchant’s acquiring bank. The acquiring bank sends the token to the card network, which processes it and shares the card details with the issuing bank for payment authentication. Payment is completed when the issuing bank responds to the card network. The card network is the only entity that can read the token.


Tokenization vs Encryption


Data encryption and tokenization are similar in that both replace the original data with a random-looking code, but they are vastly different in how that code is derived.

In data encryption, sensitive data is mathematically transformed into a new code, and the original data can be recovered with the appropriate key. In tokenization, however, there is no mathematical relationship between the token and the original data, so the token cannot be reversed. Even if hackers obtain the token, they will be unable to retrieve the original data from it, rendering the token meaningless and useless to them.
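To make the contrast concrete, here is an added example, not code from the article or from any payment network: a constructed token vault beside a reversible encryption of the same card number. The `TokenVault` class, the choice to keep the last four digits in the token, and the HMAC-SHA256 counter-mode keystream used for the encryption side are all this example’s own assumptions. Running it shows that the ciphertext yields the PAN again given the key, while the token yields nothing without the vault, and that two vaults tokenizing the same PAN produce unrelated tokens.

```python
# Added example: token vault vs reversible encryption. Names and the keystream
# construction are constructed for illustration, not any real tokenization service.
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens to the real PAN. Only the vault can detokenize."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Same length as the PAN, random digits, last four kept for receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (astronomically unlikely) collision with the PAN itself
            # or with a token already handed out.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError if the token is unknown


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only to illustrate reversibility;
    it is not an authenticated cipher (production code uses AES-GCM or similar)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes):
    """Returns (nonce, ciphertext); anyone holding the key can reverse it."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def pan_recoverable_from_token(token: str, pan: str) -> bool:
    """There is no key to try: the only information a token carries is the
    last four digits it deliberately preserves."""
    return token[:-4] == pan[:-4]
```

The practical consequence for a merchant is the one the text draws: a stolen ciphertext is a problem if the key is also exposed, whereas a stolen token is only a problem for whoever holds the vault.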

Tokenization is widely used by the payments industry across the globe due to its data security offering. Furthermore, it provides the following benefits to all stakeholders involved in the transactions. 

  • Customers can develop trust in online transactions as the likelihood of theft or leakage of sensitive data decreases significantly.
  • The merchant, acquirer and processor do not need to be concerned about the user’s sensitive data being compromised even in the event of a cyberattack because they do not store any such information. 
  • Merchants can provide a trusted and secure payment environment for their customers without obtaining PCI DSS certification, saving them the cost of such certification.
  • Tokenization of payments creates a safe and secure environment for users, merchants, payment gateways, financial institutions and regulatory bodies.

Tokenization is currently only available with the card networks in India; issuers must still evolve to make this a reality.


The RBI issued a directive in 2020 stating that merchant payment aggregators and payment gateways could no longer store card credentials. To increase cardholder safety, the RBI guidelines require a complete shift, which is why tokenization must be implemented. Every issuer, merchant and network must now have a plan in place to implement it.

PCI DSS: The standard for card security

Buoyed by the festival season euphoria, credit card transactions crossed INR 1 Lakh Crore for the first time in October 2021, and debit card transactions were upwards of INR 7.5 Lakh Crore during the same period. With such exponential growth in cashless payments, information security and privacy of cardholder data are of utmost importance. Ever wondered how this is managed? What are the guidelines on data security for card-based transactions? How does an entity comply with them? That is where the PCI DSS requirements come into play.


So what is PCI DSS? Who formed these standards? What requirements does it prescribe? And who is responsible for adhering to them? We answer these questions below.


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit card information maintain a secure environment for processing transactions. PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the global adoption of consistent data security measures. The Payment Card Industry Security Standards Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover and JCB to standardise and improve account security throughout the transaction process, launched PCI DSS in September 2006; the latest version debuted in May 2018.

PCI DSS applies to all payment card processing entities, including merchants, processors, acquirers, issuers and service providers. It also applies to any other entity that stores, processes or transmits cardholder data or sensitive authentication data.


12 Standards of PCI DSS


PCI DSS specifies 12 standards to which all entities must adhere. The following is an overview of these standards:


Objective: Build and Maintain a Secure Network and Systems
  1. Configure and maintain a firewall to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Objective: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and update anti-virus software or programs on a regular basis
  6. Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Test security systems and processes on a regular basis

Objective: Maintain an Information Security Policy
  12. Maintain an information security policy for all personnel


Let’s delve deeper into each standard to better understand the goal:


Install and maintain a firewall configuration to protect cardholder data

A firewall is a network security system that monitors and controls network traffic, both incoming and outgoing. Firewalls prevent foreign or unknown entities from accessing private data and are frequently the first line of defence against hackers. Because of their effectiveness in preventing unauthorised access, firewalls are required for PCI DSS compliance.


PCI SSC provides a detailed step-by-step process for configuring and maintaining a firewall.



Do not use vendor-supplied defaults for system passwords and other security parameters

Routers, modems, POS systems and other third-party products frequently ship with generic passwords and security settings that are easily found by the general public. Businesses frequently fail to close these gaps. Before installing a system on a network, businesses must change the vendor-supplied default passwords and remove or disable any unnecessary default accounts.


One way to ensure compliance in this area is to keep an inventory of every device and piece of software that requires a password (or other access control). In addition to that inventory, basic precautions and configuration tasks, such as changing the password, should be carried out on a regular basis.


Protect Stored Cardholder Data

The third PCI DSS requirement covers the protection of stored cardholder data. Protection methods such as encryption, truncation, masking and hashing are its critical components. If an intruder gets around other security measures and gains access to encrypted data, that data is unreadable and unusable without the proper cryptographic keys.


The PCI SSC recommends that entities implement data retention and disposal policies to keep cardholder data storage to a minimum. It also requires entities not to store the card verification code or value (a three- or four-digit number printed on the front or back of a payment card that is used to verify card-not-present transactions) after authorization. That is why CVC/CVV is required to be entered by the customer every time an online transaction is made.

Furthermore, when the PAN (Primary Account Number, i.e. the card number) is displayed, entities must mask it (the first six and last four digits are the maximum that may be shown), so that only personnel with a legitimate business need can see more than the first six and last four digits of the PAN.


To further prevent entities from storing cardholder data, the RBI has mandated tokenization for all card-based transactions. No entity in the card transaction / payment chain, other than card issuers and / or card networks, shall store the actual card data beginning January 1, 2022.
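The masking and retention rules above, turned into code as an added example (not the article’s own, and not taken from the PCI DSS text): a mask that shows only the first six and last four digits, a redactor that finds card-number-shaped runs in free text and masks only those that pass the Luhn check (so an order number of similar length is left alone), and a scrub that drops sensitive authentication data before a record is persisted. The Luhn check is the standard one; the regular expression, the field names and the sample log line are constructed for this example.

```python
# Added example: PAN masking for display, PAN redaction in free text, and
# dropping sensitive authentication data after authorization. Field names,
# the regex and the sample inputs are constructed.
import re


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to tell a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four visible, everything in between masked."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# 13-19 digit runs not glued to other digits (constructed pattern)
_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number in a log line; leave other numbers alone."""
    def _sub(match):
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _CANDIDATE.sub(_sub, text)


# Sensitive authentication data that must never be stored after authorization
SENSITIVE_AUTH_DATA = ("cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2")


def scrub_after_authorization(record: dict) -> dict:
    """Return a copy of the record fit for storage: auth data dropped, PAN masked."""
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


# Constructed sample log line and record
SAMPLE_LOG = "user paid with 4111111111111111, order 1234567890123"
SAMPLE_RECORD = {"pan": "4111111111111111", "cvv": "123", "name": "A Cardholder", "amount": 499}
```

Note the difference between the two digit runs in `SAMPLE_LOG`: the first passes Luhn and is masked, the second does not and is left intact, which is what keeps a redactor from mangling every long number in a log.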



Encrypt Transmission of Cardholder data across open, public networks

Cardholder data is transmitted over multiple channels (e.g., to payment processors, or from local stores to the head office). Malicious individuals continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols in order to gain privileged access to cardholder data environments. When this data is transmitted over networks, it must be encrypted. PCI SSC defines the cryptographic algorithms, keys and certificates to be used for this encryption.
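A client-side illustration of the point about legacy protocols, added here as an example and not drawn from the article or from PCI SSC guidance: a TLS context that refuses anything below TLS 1.2 and insists on certificate and hostname verification, plus a small audit function that reports the settings a reviewer would flag. The function names are this example’s own; it uses only the Python standard library `ssl` module, and `open_secure_connection` needs network access, so only the context checks are exercised offline.

```python
# Added example: a TLS client context suitable for carrying cardholder data and an
# audit of the settings that usually go wrong. Function names are constructed.
import socket
import ssl


def make_cde_tls_context() -> ssl.SSLContext:
    """Client context: server certificate verified, hostname checked, TLS >= 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise; an empty list means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def open_secure_connection(host: str, port: int = 443) -> str:
    """Connect with the hardened context and return the negotiated TLS version
    (requires network access; not used by the offline checks)."""
    ctx = make_cde_tls_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def weak_context_for_comparison() -> ssl.SSLContext:
    """Constructed example of the kind of context that fails the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

The audit only looks at what the context object exposes; the negotiated version on a live connection is what `open_secure_connection` returns, and a server that still offers TLS 1.0 will simply fail the handshake against the hardened context.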


Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, or “malware,” including viruses, worms and Trojans, can enter the network through a variety of business-approved activities such as employee e-mail and Internet use on mobile computers and storage devices, and then exploit system vulnerabilities. To protect systems from current and evolving malware threats, antivirus software must be installed on all systems that are commonly infected by malware. Furthermore, all antivirus software must be updated on a regular basis, and an audit log must be kept.



Develop and maintain secure systems and applications

To protect against the exploitation and compromise of cardholder data by malicious individuals and software, all systems must have all necessary software patches. All software and applications must be updated on a regular basis with security patches to address system vulnerabilities.



Restrict access to cardholder data by business need to know 

To ensure that only authorised personnel have access to critical data, systems and processes must be in place to limit access based on need to know and job responsibilities. All employees, executives and third parties who do not require access to this information should not have it. The roles that require sensitive data should be well-documented and updated on a regular basis.



Identify and authenticate access to system components

Individuals with access to cardholder data should have their own credentials and identification. For example, there should not be a single login to the encrypted data whose username and password are shared by multiple employees. By assigning a unique identification (ID) to each person with access, you ensure that each individual is held accountable for their own actions. When such accountability is in place, critical data and system actions can be traced back to known and authorised users and processes. In the event that data is compromised, unique IDs reduce exposure and speed up response time.



Restrict physical access to cardholder data

Any cardholder information must be physically stored in a secure location. Data that is physically written or typed, as well as data that is stored digitally (e.g., on a hard drive), should be kept in a secure room, drawer or cabinet. Not only should access be restricted, but any time sensitive data is accessed, a log should be kept to ensure compliance.


Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting and mitigating the effects of a data breach. When something goes wrong, the presence of logs in all environments allows for thorough tracking, alerting and analysis. Without system activity logs, determining the cause of a compromise is extremely difficult, if not impossible.
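The logging and accountability points of requirements 8 and 10, as an added example that is the editor’s own and not taken from the article or from PCI SSC material: an append-only access log where every entry names the unique user ID, records only the masked PAN, and is chained to the previous entry by a SHA-256 hash, so that after a compromise the trail can be read back per user and any edit to an earlier entry is detectable. The class and field names and the sample entries are constructed.

```python
# Added example: hash-chained access log for cardholder data. Names, fields and
# sample events are constructed; the chaining is plain SHA-256 over the entry.
import hashlib
import json
import time

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessLog:
    """Append-only log of who touched which card record, tamper-evident via hash chain."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    def record(self, user_id: str, action: str, pan: str, ts: float = None) -> dict:
        """Log one access. The full PAN is never written, only first six/last four."""
        entry = {
            "ts": time.time() if ts is None else ts,
            "user": user_id,                                   # unique per person
            "action": action,
            "pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "prev": self._last_hash,
        }
        entry["hash"] = _digest(entry)
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """False if any entry was altered, removed or reordered after the fact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_by(self, user_id: str) -> list:
        """Trace a known user's actions, as the text describes for incident response."""
        return [e for e in self.entries if e["user"] == user_id]
```

Each entry commits to everything before it, so an attacker who can edit the log file cannot quietly rewrite one line without the next entry’s `prev` field no longer matching; periodically anchoring the latest hash somewhere the log writer cannot reach turns this into a practical control.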



Regularly test security systems and processes

All ten of the preceding compliance standards involve a variety of software products, physical locations, and, most likely, a few employees. Many things can break down, become out of date or suffer from human error. These threats can be mitigated by complying with the PCI DSS requirement for regular system and process scans and vulnerability testing.


To ensure that security controls continue to reflect a changing environment, system components, processes and custom software should be tested on a regular basis.


Maintain a policy that addresses information security for all personnel

For compliance, an inventory of equipment, software and employees with access must be documented. Logs of access to cardholder data must also be documented, as must the flow of information into the company, where it is stored and how it is used after the point of sale.

A strong security policy establishes the security tone for the entire organisation and informs employees of what is expected of them.


Levels of PCI DSS

In addition to adhering to these standards, organisations must assess and submit a Report on Compliance (RoC) based on the number of transactions handled each year:

  • Level 1: Merchants who process more than 60 Lakh card transactions per year
  • Level 2: Merchants who process 10 Lakh to 60 Lakh transactions per year
  • Level 3: Merchants who process between 20,000 and 10 Lakh transactions per year
  • Level 4: Merchants with fewer than 20,000 transactions per year

The assessment for Level 1 merchants should include an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They will conduct an on-site evaluation of the organisation in order to:

  • Validate the scope of the assessment
  • Review your documentation and technical information
  • Determine whether the PCI DSS requirements are being met
  • Provide support and guidance during the compliance process
  • Evaluate compensating controls


To demonstrate compliance, the auditor will then submit a RoC to the organization’s acquiring banks. 

To confirm compliance with PCI DSS requirements, Level 2 merchants need only submit a self-assessment questionnaire (SAQ) and a self-declared RoC rather than undergo an external audit.

Level 3 and 4 merchants are only required to fill out a self-assessment questionnaire (SAQ).


Benefits of PCI DSS Compliance


At the very least, complying with PCI Security Standards appears to be a daunting task. The tangle of standards and issues appears to be too much for even large organisations, let alone smaller businesses. However, compliance is becoming more important and may not be as difficult as one might think, especially with the right tools. The following are some of the advantages of being PCI DSS compliant:

  • Your systems are secure, and your customers can put their sensitive payment card information in your hands; trust breeds customer confidence and repeat business.
  • It prevents data breaches. Each PCI-compliant business represents a less valuable target for cybercriminals. They will not only have a much more difficult time hacking your network, but they will also not find the data they are looking for!
  • Comply with global data security standards. The PCI DSS regulations were initiated by five of the world’s leading credit organisations in order to provide consumers with a mandatory level of protection by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. Obtaining PCI compliance allows you to join the ranks of other international businesses dedicated to data security and consumer protection.


Non-compliance with these standards will result in fines imposed by the networks on acquiring banks, which will then be passed on to the organisation in question. Repeated violations may result in the merchant’s ability to accept payments using their cards being revoked entirely.
