
OCEN – Next step towards Financial Inclusion in India?

India has a population of 1.3 billion people spread across the length and breadth of the country, with the majority living in rural and semi-urban areas. This leaves an untapped market of over 300 million Indians who are currently outside the purview of the formal lending system, largely because of interrupted flows of capital.

 

This segment includes MSMEs, gig economy workers, small shop owners, farmers and other individuals in the unorganized sector. They struggle to adopt new technology and innovations, invest in R&D and hire a skilled workforce because timely and affordable credit is not available. The Covid-19 pandemic has aggravated the situation further, with several such businesses shutting down temporarily or permanently because they were unable to secure the liquidity needed to run their operations.

 

Traditional lenders are unable to provide credit to the businesses and individuals that need it most. Because these borrowers lack an adequate credit history, lenders ask for collateral, which such businesses cannot provide. This hinders loan disbursal at the right cost of capital and on terms that meet the requirements of these businesses.

 

Several recent technological and fintech innovations can bring this unorganized sector within the financial loop and bridge the financial divide in India. With the recent efforts to promote Digital India, this sector is increasingly generating a digital transaction history that can provide relevant information and build trust with financial institutions. Using this data, together with a shift from asset-based lending to cash-flow-based lending (based on future cash flows), will help channelize the flow of credit towards this sector.

 

However, there is still a lack of appropriately customized, priced and timed credit facilities in this segment.

 

Here, the Open Credit Enablement Network (“OCEN”) will act as a common language that brings lenders and marketplaces together to create innovative financial and credit products at scale.

 

 

OCEN Framework – Developing New Lending Ecosystem

 

The Open Credit Enablement Network (“OCEN”), launched in July 2020 by IndiaStack, is an open protocol infrastructure designed to standardize and modify the lending process by introducing additional touchpoints (for example, digital platforms) into the lending value chain.

 

There are primarily four stakeholders involved in the OCEN ecosystem:

  1. Loan Service Providers (LSPs): Any digital platform that has an existing customer base and wants to bundle enabling credit with their existing offerings
  2. Technology Service Providers (TSPs): Fintechs that work with LSPs/Lenders, for onboarding onto OCEN infrastructure and provide customized credit solutions
  3. Lenders: Banks/NBFCs
  4. Borrowers: MSMEs or Retail Customers

 

OCEN will act as a mediator for interaction between LSPs and traditional lenders, providing quick and seamless access to capital for the deserving sector.

 

It will be able to address the following issues in the current lending system:

  • Identifying the credit worthiness of the borrower
  • Reducing the high cost of borrower acquisition
  • Reducing the turnaround time of loan disbursal
  • Disbursement of loans to small businesses/unorganized sector

 

As said earlier, OCEN is just a protocol; LSPs and lenders in the system must adopt it to put it into practice. This is where Embedded Finance comes into the picture. Embedded Finance is a game-changing opportunity for new entrants and fintechs alike.

 

OCEN and Embedded Finance will lead to the democratization of credit, allowing other players and digital platforms in the lending value chain to offer credit services by providing low-cost, tailored credit solutions.

 

This will evolve and ease lending to the MSME sector. The entities closest to borrowers can provide financial services. By leveraging Embedded Finance, they can innovate and provide tailored credit solutions to MSMEs, leading to the growth of the sector.

 

Currently, lending has very limited application in Embedded Finance because of the complexity involved in such services. However, new digital business models that tie up with various embedded service providers are now able to offer superior and more complex lending products within the OCEN protocol.

 

In brief, adopting OCEN within the Embedded Finance structure will help drive financial inclusion and the digital lending market, which is expected to grow to $100 billion by 2023 (as per a joint study by Omidyar Network and BCG).

 

“Just like UPI created a common language between debit and credit and so on, and allowed us to create this huge ecosystem, OCEN protocol also enables that. This is something that is going to have a big impact. For the first time, we can truly democratize credit, and make sure credit reaches all the small companies and street vendors and so on.”

 

Nandan Nilekani, Global FinTech Festival, 2020


What is e-RUPI and how it is a big leap in the Digital Payments Ecosystem in India

Launched in August 2021 by Prime Minister Narendra Modi, e-RUPI is a new digital payment solution for the seamless transfer of funds without the need for a card, a digital payments app, internet access or even a bank account.

 

e-RUPI is a cashless and contactless payment method based on an e-voucher sent to beneficiaries as a QR code or an SMS string, which can be redeemed only for a specific purpose and only at the designated service providers. It connects the sponsors of the services with the users and service providers digitally, with no physical interface required.

 

These vouchers will be both person-specific and purpose/end-use-specific; for example, if they are issued by the government for availing a medical service at a particular hospital, they can be redeemed only for that. In other words, e-RUPI works as a closed-system PPI.

 

How does e-RUPI work?

 

e-RUPI is developed by NPCI on its UPI platform, with onboarded banks as the issuers. The government or any private corporate approaches the partner banks with the details of the specific beneficiaries to whom payments have to be made and the purpose of those payments.

 

Each beneficiary is uniquely identified on the basis of their mobile number, and the voucher is then issued and delivered (as a QR code or SMS) in the name of that beneficiary only.
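The closed-loop checks described above, as an added illustration that is not NPCI's or any bank's code: a constructed issuer ledger binds each voucher to a beneficiary mobile number, a purpose and one service provider, and settles a redemption only when all three match and the voucher has not been used before. It assumes the service provider presents the beneficiary's mobile number at redemption; the voucher, mobile and provider values are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Voucher:
    voucher_id: str          # the value carried in the QR code / SMS string
    beneficiary_mobile: str  # the identity the voucher is issued against
    purpose: str             # permitted end-use, e.g. "HOSPITAL_TREATMENT"
    provider_id: str         # the only service provider allowed to redeem it
    amount_inr: int
    redeemed: bool = False


class IssuerBank:
    """Constructed model of an issuing bank's voucher ledger (hypothetical; not NPCI's
    or any bank's code). The sponsor supplies the beneficiaries and the purpose; the
    bank issues one voucher per beneficiary and settles only a matching redemption."""

    def __init__(self) -> None:
        self._ledger: Dict[str, Voucher] = {}

    def issue(self, beneficiary_mobile: str, purpose: str,
              provider_id: str, amount_inr: int) -> str:
        if not (beneficiary_mobile.isdigit() and len(beneficiary_mobile) == 10):
            raise ValueError("beneficiary must be identified by a 10-digit mobile number")
        if amount_inr <= 0:
            raise ValueError("voucher amount must be positive")
        # Unguessable identifier: the QR/SMS value cannot be enumerated or predicted.
        voucher_id = secrets.token_urlsafe(16)
        self._ledger[voucher_id] = Voucher(voucher_id, beneficiary_mobile,
                                           purpose, provider_id, amount_inr)
        return voucher_id

    def redeem(self, voucher_id: str, presented_mobile: str,
               provider_id: str, purpose: str) -> str:
        """Called by the service provider at the point of service. Each check is one
        of the closed-loop properties the text describes; the order only decides
        which reason is reported when several fail."""
        v = self._ledger.get(voucher_id)
        if v is None:
            return "REJECTED_UNKNOWN_VOUCHER"
        if v.redeemed:
            return "REJECTED_ALREADY_REDEEMED"   # single use
        if v.beneficiary_mobile != presented_mobile:
            return "REJECTED_NOT_BENEFICIARY"    # person-specific
        if v.provider_id != provider_id:
            return "REJECTED_WRONG_PROVIDER"     # redeemable only at the named provider
        if v.purpose != purpose:
            return "REJECTED_WRONG_PURPOSE"      # end-use specific
        v.redeemed = True
        return f"SETTLED_INR_{v.amount_inr}"


def run_scenario() -> List[str]:
    """Issue one voucher and attempt the redemptions a provider might see."""
    bank = IssuerBank()
    # Constructed sample data: beneficiary, purpose, hospital and amount.
    vid = bank.issue("9876543210", "HOSPITAL_TREATMENT", "HOSP-001", 5000)
    return [
        bank.redeem(vid, "9876543210", "HOSP-002", "HOSPITAL_TREATMENT"),  # other hospital
        bank.redeem(vid, "9876543210", "HOSP-001", "PHARMACY"),            # other purpose
        bank.redeem(vid, "9123456789", "HOSP-001", "HOSPITAL_TREATMENT"),  # someone else
        bank.redeem(vid, "9876543210", "HOSP-001", "HOSPITAL_TREATMENT"),  # valid use
        bank.redeem(vid, "9876543210", "HOSP-001", "HOSPITAL_TREATMENT"),  # second use
        bank.redeem("not-a-real-id", "9876543210", "HOSP-001", "HOSPITAL_TREATMENT"),
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```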

 

Objective of e-RUPI

 

e-RUPI is expected to serve the following objectives:

 

  • The long-term vision of e-RUPI is to reach the unbanked population, bring them into the formal financial system and reduce the digital gap in the country
  • To provide equal access to healthcare, education and other benefits to every citizen of the country
  • Transparency in transactions, as the end-use of the funds can be easily tracked
  • A guarantee that the money is used for the purpose for which it was intended, unlike a traditional bank account transfer, where the funds may be used for other purposes

 

Further, with the government in the process of establishing a central bank digital currency, e-RUPI can be used to highlight the flaws in the current digital payment infrastructure, which is crucial for the development of digital currencies in future.

 

Application of e-RUPI

 

Currently, this is a platform launched as a government initiative for the leak-proof distribution of welfare benefits to eligible beneficiaries. It aims to provide services under various government schemes, including Ayushman Bharat Pradhan Mantri Jan Arogya Yojana and other subsidy programs.

 

However, in future even private entities can use this voucher-based payment method to provide services to their employees for travel, healthcare and other such purpose-specific expenses.

 

It can also be used to provide credit to first-time borrowers where the end-use of funds is specific, thereby evolving the digital lending landscape in the country.

 

A move towards digitalization and introduction of Digital Currency

 

While e-RUPI is not in itself a digital currency, as it is still backed by the Indian Rupee as the underlying asset and is purpose-specific, it is definitely a move towards introducing a digital currency/cryptocurrency in India.

 

Both e-RUPI and cryptocurrency work on the similar principle of enabling end-to-end digital transactions and removing physical intermediaries, thereby ensuring transparency, data security and an overall reduction in operating costs.

 

What lies ahead?

 

With the introduction of e-RUPI, it is clear that the government supports new digital initiatives, as it expects that India has tremendous potential to change the way people transact and pay for different services. This is supported by the increasing adoption of digital payments for small-value transactions, especially by the non-digital customer segment in the country.

 

This, backed by India’s high currency-to-GDP ratio, validates that such digital initiatives and crypto assets/digital currencies can co-exist and position India as the front runner in forming a complete digital economy. Further, e-RUPI will encourage the use of PPIs in India for better channelization and monitoring of funds, providing an opportunity for fintechs driving digital payment solutions to design new products built around e-RUPI, digital currencies and similar digital solutions.


What are the new RBI norms with regard to recurring card payments? – All you need to know

Have you recently started receiving e-mails or SMS from various banks and service providers asking you to re-register your e-mandates for automated payments such as OTT and newspaper subscriptions? This is because of the new RBI guidelines on recurring transactions, which come into force from October 1, 2021.

 

What are these new RBI norms?

 

In another step to secure digital transactions via credit/debit cards, PPIs or UPI, the RBI has implemented new auto-debit rules. As per the new norms, all such transactions will have to be further secured with an additional factor of authentication (AFA), i.e. two-factor authentication. Any card transaction, whether domestic or cross-border, that is not secured with AFA will be discontinued.

 

New rules for Automatic Payments – A Snapshot

 

Process: Registration of e-mandate
  • Both amount bands: a one-time registration of the card, with AFA validation, irrespective of transaction amount
Process: Processing of first transaction
  • Both amount bands: transaction will be processed, with AFA validation
Process: Pre-transaction notification for subsequent transactions
  • Transaction amount <= INR 5,000: customer will receive a notification giving information about the debit; nothing further has to be done and the debit will be executed
  • Transaction amount > INR 5,000: customer will receive a notification at least 24 hrs prior to the actual debit, for approval; approval is through 2-factor authentication; post successful AFA, the card will be charged
Process: Managing of e-mandates
  • Both amount bands: the issuer must provide an online facility to pause/cancel the e-mandate at any point of time, requiring AFA

Source: RBI

 

Further, the bank/issuer is required to take additional information, such as the validity period of the e-mandate, at the time of registration and, if required, provide the facility to modify the validity period.

 

Banks also need to send a post-debit notification to the cardholder once the auto-debit is processed and, finally, set up a redressal mechanism to address customer grievances related to this.
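The snapshot above as decision logic, added here as an illustration rather than taken from the RBI or any issuer: the functions encode the AFA, pre-debit notification, 24-hour and post-debit notification rules per amount band, so the boundary cases (a debit of exactly INR 5,000, a notice sent 23 hours before the debit, a paused mandate) can be checked. The card reference, timestamps and decision codes are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

AFA_THRESHOLD_INR = 5000                  # debits above this need per-transaction AFA
MIN_PRE_DEBIT_NOTICE = timedelta(hours=24)


@dataclass
class EMandate:
    card_ref: str                         # assumed reference to the stored card, not the PAN
    registered_with_afa: bool
    first_debit_done: bool = False
    paused: bool = False
    cancelled: bool = False
    notices: List[str] = field(default_factory=list)   # notifications sent to the customer


def register_mandate(card_ref: str, afa_passed: bool) -> EMandate:
    """One-time registration: AFA is mandatory regardless of the transaction amount."""
    if not afa_passed:
        raise PermissionError("e-mandate registration requires AFA validation")
    return EMandate(card_ref=card_ref, registered_with_afa=True)


def authorise_debit(m: EMandate, amount_inr: int, debit_at: datetime,
                    notified_at: Optional[datetime] = None,
                    afa_passed: bool = False) -> str:
    """Decide whether a debit under the mandate may be executed and return a decision code.
    First debit: AFA required. Later debits: a pre-debit notification is required; above the
    threshold the notice must precede the debit by at least 24 hours and the customer must
    approve through AFA. A post-debit notification is recorded on every executed debit."""
    if m.cancelled:
        return "DECLINED_MANDATE_CANCELLED"
    if m.paused:
        return "DECLINED_MANDATE_PAUSED"
    if amount_inr <= 0:
        return "DECLINED_INVALID_AMOUNT"
    if not m.first_debit_done:
        if not afa_passed:
            return "DECLINED_AFA_REQUIRED_FOR_FIRST_DEBIT"
    else:
        if notified_at is None:
            return "DECLINED_NO_PRE_DEBIT_NOTIFICATION"
        if amount_inr > AFA_THRESHOLD_INR:
            if debit_at - notified_at < MIN_PRE_DEBIT_NOTICE:
                return "DECLINED_NOTICE_UNDER_24H"
            if not afa_passed:
                return "DECLINED_AFA_REQUIRED_ABOVE_THRESHOLD"
    m.first_debit_done = True
    m.notices.append(f"POST_DEBIT:{amount_inr}")
    return "APPROVED"


def manage_mandate(m: EMandate, action: str, afa_passed: bool) -> str:
    """Pause or cancel through the issuer's online facility; both require AFA."""
    if not afa_passed:
        return "DECLINED_AFA_REQUIRED"
    if action == "pause":
        m.paused = True
    elif action == "cancel":
        m.cancelled = True
    else:
        return "DECLINED_UNKNOWN_ACTION"
    return "OK"


def run_scenario() -> List[str]:
    """Walk one mandate through the lifecycle, including the boundary cases."""
    m = register_mandate("card-ref-001", afa_passed=True)        # constructed reference
    t0 = datetime(2021, 10, 1, 9, 0)                              # constructed timestamps
    t1 = t0 + timedelta(days=30)
    return [
        authorise_debit(m, 499, t0),                                         # first debit, no AFA
        authorise_debit(m, 499, t0, afa_passed=True),                        # first debit with AFA
        authorise_debit(m, 5000, t1),                                        # no notification sent
        authorise_debit(m, 5000, t1, notified_at=t1 - timedelta(hours=1)),   # at threshold: notify only
        authorise_debit(m, 5001, t1, notified_at=t1 - timedelta(hours=23)),  # notice too short
        authorise_debit(m, 5001, t1, notified_at=t1 - timedelta(hours=24)),  # no AFA approval
        authorise_debit(m, 5001, t1, notified_at=t1 - timedelta(hours=24), afa_passed=True),
        manage_mandate(m, "pause", afa_passed=False),
        manage_mandate(m, "pause", afa_passed=True),
        authorise_debit(m, 100, t1, notified_at=t1 - timedelta(hours=1)),    # mandate paused
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```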

 

What will be its impact on payments?

 

This move has been introduced to protect consumers by safeguarding pre-stored card data and avoiding digital fraud, especially for those consumers who hastily give their consent to unnecessary automated payments and fall prey to data breaches.

 

With the new guidelines coming into implementation, all such recurring payments need to be reviewed and re-registered with respective issuing banks to avoid transaction failure.

 

However, these will only impact standing instructions (SIs) on cards. The automated instructions under UPI Autopay, e-NACH and other SIs to banks will not be impacted.

 

The directive will empower card users and give them more control over their transactions. They can now determine and set the amount, velocity, etc., thereby managing such recurring mandates efficiently.

 

Way forward

 

For end consumers

 

Initially, this will impact customers to some extent, as the previous payment mode was meant to provide them with a seamless experience (especially for transactions above the INR 5,000 cap in B2B usage). Such payments may also move to alternate modes of payment such as e-NACH and UPI for a better customer experience. However, in the long run, with awareness, customers will realize that such regulations are for their benefit, as they will eventually increase the security of card transactions.

 

For Businesses

 

These guidelines will encourage businesses, particularly small and medium-sized businesses, to reach out to an untapped customer base and build new business models in and around subscription payments, helping this market grow multi-fold in the coming years.

 

To sum it up, the entire payments ecosystem is going through changes due to these regulations, and all stakeholders are being impacted in one way or the other. Banks, card companies and fintechs in the payments space will need to provide such portals to comply with the new regulations. However, there is still a long way to go, as not only the banks and card companies but also the merchant/merchant aggregator ecosystem needs to be in a state of readiness for successful implementation.

 


Account Aggregators – Digitizing Transactions

What is an Account Aggregator?

 

An Account Aggregator (AA) compiles all of an individual's financial data from bank accounts, credit cards, investment accounts and other accounts in one place. Currently, this data can be pulled through an API or similar means.

 

AA will help consumers share all financial data, including information on pension, brokerage, tax, insurance, etc. Currently it is restricted to the financial sector only; however, this model will eventually help consumers share data in sectors like healthcare, telecom, etc.

 

Difference between the AA and Traditional process

 

AA is different from the earlier process of Aadhaar data sharing and other CKYC platforms. Through AA, information like bank statements (Savings, Deposits, CA) or transaction data can be shared. In earlier methods like CKYC and Aadhaar, financial institutions only get access to the customer's identity details (address, name, gender, etc.).

 

Steps involved for opening an account with AA

 

  1. Open an account with the AA (the customer can be an individual or a business), after which the AA will link all the financial data (accounts, credit card accounts, brokerage accounts, etc.)
  2. Provide consent to the AA
  3. Post consent, the AA seeks approval from the financial data providers to access the customer's accounts
  4. Once the approval is in place, the AA provides the data to the customer for ease of various transactions

 

Currently, in India we have 8 AAs: Axis Bank, HDFC Bank, ICICI Bank, IndusInd Bank, SBI, Kotak Mahindra Bank, IDFC Bank and Federal Bank.

 

Is AA secure? 

 

The data extracted via an AA is encrypted and can be decrypted only by the recipient. The individual's digital signature while accessing the data provided by the AA makes it secure and convenient for the user.

 

Commercials Involved for AA service? 

This depends on the service provider. Some may charge the end customer for providing the service.

 

Benefits of AAs

 

  1. Account management: As of today, the financial data of an individual is stored in various places. With the help of an AA, it can be viewed in a single window, eventually leading to one single platform that has access to all accounts/transactions.
  2. Quicker access to loans: Getting a loan from a bank will become much simpler. An individual can give consent to a bank, and data like the number of accounts, balances, statements, assets given for a previous loan, etc. can be extracted with the help of an AA.

 

Way forward with AAs

 

As of today, consumers have to go through a long, siloed process of sharing stamped/notarised documents and signed bank statements, or even sharing usernames and passwords with financial organisations (a third party in this case) so they can check the history. With AA coming into the picture, the process becomes much simpler: a secure digital way to share your data with a third party in a single access after consent.

Well, this will also create new types of loan opportunities in the market.

AA will create a repository of information that will be easily available to institutions (of course, after consent).

Currently, the AA is only available for the financial sector; the same will be provided for other sectors eventually too.


Banking as a Service (BaaS) – Entering into a New Era of Financial Ecosystem

Over the past few years, there has been an increase in the number of sectors like travel, retail, SaaS, etc. expanding into financial services.

 

Banking and fintech is a collaboration that is still very new in the Indian economy. The new normal has definitely shaken up the world and impacted the traditional banking system. Moving from visiting a branch to opening an account online has been a major revamp in the industry, and this is just the start.

 

Every day, new fintechs are disrupting the old traditional ways of banking and challenging our generation to think out of the box.

 

BaaS is a vast topic, and its meaning changes every day as per the needs of the end customer. Let’s address the details one by one.

 

What is BaaS? 

 

In layman’s terms, BaaS is a process that allows fintechs and third parties to connect with banks via APIs. From opening an account to creating FDs, everything can be done with the help of BaaS.

 

Offering these services to an end customer is not so easy and requires many more regulatory processes to be in place. For example, issuing prepaid cards requires a PPI licence, giving credit to customers requires an NBFC licence, and so on.

 

How does this work?

 

Banks obviously have licences to offer various services, so they expose their systems to BaaS providers, and these providers in return pay the banks for using their services. BaaS allows businesses to plug in the financial technology, and the businesses then provide new solutions to end customers as per their needs and requirements.

 

Generally, the BaaS model begins with fintechs, banks or third-party providers (TPPs) paying fees to the BaaS platform. The financial institutions open up their APIs to TPPs, thereby giving them permission to access the systems and information required to build new banking products or offer white-label banking services.

 

Let’s understand how this is different from the old traditional ways of banking

 

In today’s era, opening an account is just a matter of a few minutes compared to the days where opening a bank account required walking to the branch. 

 

Today, if someone has to send money to their children or relatives abroad, it is no longer a difficult task. Of course, this requires the regulatory practices to be in place; however, there are fintechs supporting this while abiding by the regulatory guidelines.

 

Changing the entire back-end and front-end structure for banks is not an easy task and requires a lot of investment. In this case, the banks approach BaaS or tech service providers to plug into the system and provide end-to-end services to the customer.

 

Future of BaaS

 

Every day the financial industry comes across a new development; the landscape is changing rapidly. Banks, fintechs and businesses frequently encounter new requirements. Reaching out to new segments of customers and solving a problem statement is also a new revenue stream for banks as well as fintechs.

 

Banks teaming up with the service providers and reaching out to end customers for providing innovative solutions is much required. APIs and applications play a major role in bringing these changes and need to be developed in a responsible way to provide long-term efficiency and scalability.


3-D Secure 2.0 – Making transactions Simpler and Safer

Preventing fraud plays a significant role in the digital payments space. Most of us have encountered fraud, both online and offline, at some point.

 

Unfortunately, the search for effective methods to eradicate fraud never ends, as fraudsters will always find new methods to commit crimes. There are many tools available to counter them, one of the latest being 3-D Secure.

 

What is 3-D Secure?

 

Putting it simply, 3-D Secure is an additional layer of cardholder authorisation added to an online transaction. Visa and Mastercard offer this tool under the names ‘Verified by Visa’ and ‘MasterCard SecureCode’ respectively.

 

3-D Secure is a three-sided security system that secures the transaction and the transfer of payment data amongst:

  1. Issuing Bank
  2. Acquiring Bank
  3. Payment Gateway (the link that connects acquirer and issuer)

 

How does it work?

 

Several steps are involved when conducting an online transaction. A few additional steps for 3-D Secure can significantly reduce the risk of online fraud:

 

  1. The cardholder enters payment information on a webpage
  2. The payment provider sends a request to check whether 3-D Secure is active for the card
  3. If yes, the customer is redirected to the 3-D Secure page
  4. The cardholder receives an OTP and must enter it in the appropriate field
  5. The result comes back as a response to the payment provider’s server
  6. The payment provider sends the data to the acquiring bank
  7. The acquiring bank authorises the transaction and informs the customer whether the transaction was successful or not

 

3-D Secure 1.0 v/s 2.0

 

3-D Secure 2.0 is replacing 1.0 to provide a better user experience, which will eventually lead to higher transaction conversion. The need to enter static passwords is replaced by other methods, such as biometrics, in 3-D Secure 2.0.

 

3-DS 2.0 examines over 120 data points. If the transaction is deemed low risk, no further action is required; if it is deemed high risk, 3-D Secure requires the customer to verify their identity through biometrics or two-factor authentication.

 

Benefits of 3-DS 2.0

 

With the 3-DS 2.0 update, customers will have a more fluid experience when conducting transactions on both mobile and desktop/laptop devices. Benefits of the latest update are:

 

  1. Better user experience
  2. Increase in online transactions
  3. Higher conversion rates
  4. Multiple device support

 

Conclusion

 

Security is of the utmost importance, especially when customers conduct online transactions. Today, there is a significant shift toward online transactions, and customers must have mental comfort while making these transactions. 3-DS 2.0 makes the transactions safe, seamless and efficient, while also providing a better user experience.


Tokenization: Creating a stir in the Payments Industry

In today’s world, increasing online fraud and cyberattacks are causing security and trust issues among the general public in the adoption of digital payments, and these data security issues have become a major concern for online service providers, who have been looking for ways to reduce this risk. One such solution is “Tokenization,” a new buzzword in the payments industry. Tokenization adds an extra layer of security to users’ sensitive data and helps prevent online and digital data breaches.

 

The concept of digital tokenization is inspired by the concept of physical tokenization, which has existed since the invention of currency. Token coins replace actual coins or banknotes in physical tokenization. These token coins have a real identity and value, but they only have meaning in a limited and controlled space. For example, casino tokens have no value outside of the casino’s premises.

 

The payments card industry is using digital tokenization to protect users’ sensitive data and provide better customer assurance in order to increase their trust. It is a low-cost and simple-to-implement solution for merchants.

 

What is Tokenization?

 

Tokenization is the process of protecting sensitive data by replacing it with an unreadable token. The tokens can then be passed over the internet or the various wireless networks required to process the payment without exposing the actual bank details. The actual account number is kept secure in a token vault.

 

Tokenization is commonly used to combat credit card fraud. It relieves merchants of the burden of storing sensitive card data of users, reducing the work and effort required to be PCI DSS compliant.

 

How does it work?

 

A customer makes an online purchase through an e-commerce website, or offline through a merchant POS, and chooses to pay by credit card. The customer enters sensitive data on the portal, such as the card number, CVV and cardholder name, or enters a PIN on the POS machine. The card data collected is sent to the tokenization server rather than stored on the e-commerce website’s server. The tokenization server processes the card data, stores the original card data in the secure token vault and generates a token of the same length from a random alphanumeric string. The token is then forwarded to the merchant’s acquiring bank, which sends it to the card network; the network processes it and shares the card details with the issuing bank for payment authentication. Payment is completed when the issuing bank responds to the card network. The card network is the only entity that can read the token.

 

Tokenization Vs Encryption 

 

Data encryption and tokenization are similar in that both replace the original data with a random-looking code, but they differ vastly in mechanism.

In encryption, sensitive data is mathematically transformed into a new code, and the original data can be recovered with the appropriate key. In tokenization, there is no mathematical relationship between the generated token and the original data, so the token cannot be reversed. Even if attackers obtain the token, they cannot retrieve the original data from it, rendering the token meaningless and useless to them.

Tokenization is widely used by the payments industry across the globe due to its data security offering. Furthermore, it provides the following benefits to all stakeholders involved in the transactions. 

  • Customers can develop trust in online transactions as the likelihood of theft or leakage of sensitive data decreases significantly.
  • The merchant, acquirer and processor do not need to be concerned about the user’s sensitive data being compromised even in the event of a cyberattack because they do not store any such information. 
  • Merchants can provide a trusted and secure payment environment for their customers without obtaining PCI DSS certification, saving them the cost of such certification.
  • Tokenization of payments creates a safe and secure environment for users, merchants, payment gateways, financial institutions and regulatory bodies.

Tokenization is currently only available with the card networks in India. Issuers must still evolve to make this a reality.

 

The RBI issued a directive in 2020 stating that merchant payment aggregators and payment gateways could no longer store card credentials. To increase cardholder safety, the RBI guidelines require a complete shift, which is why tokenization must be implemented. Every issuer, merchant and network will now need a plan in place to implement this.
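An added illustration (not any network's or vault's code) of the contrast drawn above: a constructed token vault replaces a PAN with a random alphanumeric token of the same length, which only the vault can map back, beside a toy keyed cipher whose output is reversible with the key; it also applies the PCI DSS masking rule (at most the first six and last four digits shown) that this page covers later. The test PAN, the vault design and the toy cipher are assumptions for the example, and the cipher is illustrative only, not for real use.

```python
import hashlib
import secrets
import string
from typing import Dict, Optional

ALPHANUMERIC = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Luhn check: confirms the input is a well-formed card number before it is vaulted."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form under the PCI DSS rule: at most the first six and last four digits visible."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed model of a token vault. The token is drawn at random, so it carries no
    information about the PAN; the only way back is a lookup in this vault, which in the
    page's description sits with the card network, not the merchant."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:           # a known card keeps its token
            return self._pan_to_token[pan]
        while True:                              # same length as the PAN, random alphanumeric
            token = "".join(secrets.choice(ALPHANUMERIC) for _ in range(len(pan)))
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault holder can do this; an unknown token yields nothing."""
        return self._token_to_pan.get(token)


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy keyed stream cipher (keystream = SHA-256(key || block counter)), included only to
    contrast with tokenization: the output is a function of the input and of the key, and
    anyone holding the key can reverse it. Illustrative only, not a real cipher."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def toy_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return toy_encrypt(ciphertext, key)  # XOR with the same keystream undoes it


if __name__ == "__main__":
    pan = "4111111111111111"                  # constructed test PAN, not a real card
    vault = TokenVault()
    token = vault.tokenize(pan)
    key = b"constructed-demo-key"
    ciphertext = toy_encrypt(pan.encode(), key)
    print("masked for display :", mask_pan(pan))
    print("token (no key back):", token, "->", vault.detokenize(token))
    print("ciphertext (hex)   :", ciphertext.hex(), "->", toy_decrypt(ciphertext, key).decode())
```

The token is the same length as the PAN but reveals none of its digits, while the ciphertext, although unreadable, can be turned back into the PAN by anyone who obtains the key.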


PCI DSS: The standard for card security

Buoyed by the festival season euphoria, credit card transactions for the first time crossed INR 1 Lakh Crore in October 2021 and debit card transactions were upwards of INR 7.5 Lakh Crore during the same period. With such exponential growth in cashless payments, information security and privacy of cardholder data is of utmost importance. Ever wondered how it is managed? What are the guidelines regarding data security for card based transactions? How does an entity comply with these guidelines? That’s where PCI DSS requirements come into play. 

 

So what is PCI DSS? Who formed these standards? What requirements does it prescribe? And who is responsible for adherence to these requirements? We will respond to these questions below:

 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit card information maintain a secure environment for processing transactions. PCI DSS was developed to encourage and enhance cardholder data security, as well as to facilitate the global adoption of consistent data security measures. The Payment Card Industry Security Standards Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover and JCB to standardise and improve account security throughout the transaction process, launched PCI DSS in September 2006; the latest version debuted in May 2018.

PCI DSS applies to all payment card processing entities, including merchants, processors, acquirers, issuers and service providers. It also applies to any other entity that stores, processes or transmits cardholder data or sensitive authentication data.

 

12 Standards of PCI DSS

 

PCI DSS specifies 12 standards to which all entities must adhere. The following is an overview of these standards:

 

Objective: Build and Maintain a Secure Network and Systems
  1. Configure and maintain a firewall to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Objective: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and update anti-virus software or programs on a regular basis
  6. Develop and maintain secure systems and applications
Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Test security systems and processes on a regular basis
Objective: Maintain an Information Security Policy
  12. Maintain an information security policy for all personnel

 

Let’s delve deeper into each standard to better understand the goal:

 

Install and maintain a firewall configuration to protect cardholder data

A firewall is a network security system that monitors and controls network traffic, both incoming and outgoing. Firewalls prevent foreign or unknown entities from accessing private data and are frequently the first line of defence against attackers. Because of their effectiveness in preventing unauthorised access, firewalls are required for PCI DSS compliance.

 

PCI SSC provides a detailed step-by-step process for configuring and maintaining a firewall.

 

 

Do not use vendor-supplied defaults for system passwords and other security parameters

 Routers, modems, POS systems and other third-party products frequently include generic passwords and security measures that are easily accessible to the general public. Businesses frequently fail to secure these vulnerabilities. Before installing a system on a network, businesses must change the vendor-supplied default passwords and remove or disable any unnecessary default accounts.

 

Keeping a list of all devices and software that require a password is one way to ensure compliance in this area (or other security to access). In addition to a device/password inventory, basic precautions and configurations should be carried out on a regular basis. (For example, changing the password). 
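
The inventory check described above, as an added example in Python (it is not code from the article or from PCI SSC): each entry records whether the vendor default was replaced, which default accounts are still enabled and when the password was last changed, and the audit returns one finding per violation. The inventory entries, the function names and the 90-day rotation limit are constructed assumptions for the illustration.

```python
from datetime import date
from typing import List, Tuple

# Constructed inventory (not from the article): one entry per device or package that needs credentials.
INVENTORY = [
    {"asset": "edge-router-1", "vendor_default_changed": True, "default_accounts_enabled": [],
     "password_changed_on": date(2022, 1, 10)},
    {"asset": "pos-terminal-7", "vendor_default_changed": False, "default_accounts_enabled": ["guest"],
     "password_changed_on": None},
    {"asset": "store-wifi-ap", "vendor_default_changed": True, "default_accounts_enabled": ["admin"],
     "password_changed_on": date(2021, 6, 1)},
]


def audit_inventory(inventory, today: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for every entry that fails the 'no vendor defaults' checks.
    max_age_days is an assumed local rotation policy, not a figure taken from the article."""
    findings = []
    for item in inventory:
        asset = item["asset"]
        # Check 1: the vendor-supplied password must have been replaced before deployment.
        if not item["vendor_default_changed"]:
            findings.append((asset, "vendor-supplied default password still in use"))
        # Check 2: default accounts that are not needed must be removed or disabled.
        for acct in item["default_accounts_enabled"]:
            findings.append((asset, f"unnecessary default account '{acct}' still enabled"))
        # Check 3: the regular precaution named in the text, rotating the password.
        changed = item["password_changed_on"]
        if changed is None:
            findings.append((asset, "password has never been rotated"))
        elif (today - changed).days > max_age_days:
            findings.append((asset, f"password last changed {(today - changed).days} days ago"))
    return findings


def assets_with_findings(findings) -> List[str]:
    """Distinct assets that need remediation, for the summary line of a compliance report."""
    return sorted({asset for asset, _ in findings})


if __name__ == "__main__":
    for asset, finding in audit_inventory(INVENTORY, today=date(2022, 3, 1)):
        print(f"{asset}: {finding}")
```

Run against the constructed inventory, the router passes all three checks, while the POS terminal and the access point each produce findings that map directly to the remediation steps the requirement asks for.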

 

Protect stored cardholder data

The third PCI DSS requirement concerns the protection of stored cardholder data. Protection methods such as encryption, truncation, masking and hashing are its critical components. If an intruder gets around other security measures and gains access to encrypted data, the data is unreadable and unusable to that person without the proper cryptographic keys.

The PCI SSC recommends that entities implement data retention and disposal policies to keep cardholder data storage to a minimum. It also requires entities not to store the card verification code or value (a three- or four-digit number printed on the front or back of a payment card that is used to verify card-not-present transactions) after authorisation. That is why the customer is required to enter the CVC/CVV every time an online transaction is made.

Furthermore, when the PAN (Primary Account Number, i.e. the card number) is displayed, entities must mask it (the first six and last four digits are the maximum that may be displayed), so that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
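
The protection methods named above applied to a record before it is persisted, as an added Python example (not code from the article or from PCI SSC): masking for display under the first-six/last-four rule, truncation for storage, a keyed hash (HMAC-SHA256) so records can still be matched without keeping the PAN, and dropping the verification code entirely. The function names, the sample record and the key are assumptions; the sample PAN is a well-known test number, not real cardholder data, and the Luhn check is the standard card-number checksum, used only to reject malformed input.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum for card numbers; rejects malformed input before it is processed."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Masking for display: no more than the first six and last four digits may be shown."""
    if first > 6 or last > 4:
        raise ValueError("PCI DSS allows at most the first six and last four digits to be displayed")
    if len(pan) <= first + last:
        raise ValueError("PAN too short to mask")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits, from which the PAN cannot be rebuilt."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets records be matched without storing the PAN.
    An unkeyed hash of a PAN is brute-forceable because the PAN space is small, so the
    key must be managed and stored separately from the hashes (assumed: in an HSM)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Build the only record that may be persisted: sensitive authentication data (CVV/CVC)
    is dropped and the PAN is replaced by its truncated, hashed and masked forms."""
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return {
        "pan_last4": truncate_pan(pan),
        "pan_hmac": hash_pan(pan, key),
        "pan_display": mask_pan(pan),
        "expiry": record.get("expiry"),
        # deliberately no "cvv" key: the verification code is never written after authorisation
    }


if __name__ == "__main__":
    # Constructed sample using a well-known test card number, not real cardholder data.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/25", "cvv": "123"}
    print(sanitize_for_storage(sample, key=b"example-key-kept-in-an-hsm"))
```

The design choice worth noting is that the stored record never contains enough to reconstruct the PAN: the last four digits, a keyed hash and a masked display string can be kept together, whereas the full PAN would need encryption plus key management under the same requirement.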

 

To further prevent entities from storing cardholder data, the RBI has mandated tokenization for all card-based transactions: beginning January 1, 2022, no entity in the card transaction/payment chain other than card issuers and/or card networks may store the actual card data.

Encrypt transmission of cardholder data across open, public networks

Cardholder data is transmitted over multiple channels (e.g., to payment processors, or from local stores to a head office). Malicious individuals continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols in order to gain privileged access to cardholder data environments. Whenever this data is transmitted over open, public networks, it must be encrypted. PCI SSC defines the acceptable cryptographic algorithms, keys and certificates for use in encryption.
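
The client-side TLS configuration for such a channel, shown as the weak setting beside the corrected one, as an added Python example (not code from the article): the hardened context refuses the legacy protocol versions the paragraph warns about and requires a verified server certificate, and the audit function reports which of those settings a context is missing. The function names are assumptions; PCI SSC's actual list of acceptable algorithms is not reproduced here, only the protocol-version and certificate checks.

```python
import ssl
from typing import List, Optional


def pci_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for sending cardholder data: TLS 1.2 or newer only, server
    certificate required and matched against the hostname. ca_file points at the
    trust store (assumed: None means the platform default)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 / TLS 1.0 / TLS 1.1 cannot be negotiated
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration for comparison: every protocol version the library still
    supports, and no certificate validation, so a downgrade or an impersonating server
    would go unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False   # must be cleared before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would fail a review of the 'encrypt in transit' requirement."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions (SSLv3, TLS 1.0, TLS 1.1) still negotiable")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required or not verified")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the server hostname")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(pci_client_context()) or "no findings")
    print("legacy:  ", audit_context(legacy_client_context()))
```

The same three checks can be run against any `ssl.SSLContext` an application builds, which makes them a cheap unit test to keep in a payment integration's test suite.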

 

Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, also known as “malware”, including viruses, worms and Trojans, enters the network through a variety of business-approved activities such as employee e-mail and Internet use on mobile computers and storage devices, and then exploits system vulnerabilities. To protect systems from current and evolving malware threats, anti-virus software must be installed on all systems commonly affected by malware. Furthermore, all anti-virus software must be updated on a regular basis, and an audit log must be kept.

Develop and maintain secure systems and applications

To protect against the exploitation and compromise of cardholder data by malicious individuals and software, all systems must have all necessary software patches. All software and applications must be updated on a regular basis with security patches to address system vulnerabilities.

Restrict access to cardholder data by business need to know

To ensure that only authorised personnel have access to critical data, systems and processes must be in place to limit access based on need to know and job responsibilities. Employees, executives and third parties who do not require access to this information should not have it. The roles that require sensitive data should be well documented and updated on a regular basis.

Identify and authenticate access to system components

Individuals with access to cardholder data should have their own credentials and identification. For example, there should not be a single login to the encrypted data whose username and password are shared among multiple employees. By assigning a unique identification (ID) to each person with access, you ensure that each individual is held individually accountable for their actions. When such accountability is in place, critical data and system actions can be traced back to known and authorised users and processes. In the event that data is compromised, unique IDs reduce exposure and speed up response time.

Restrict physical access to cardholder data

Any cardholder information must be physically stored in a secure location. Data that is physically written or typed, as well as data that is stored digitally (e.g., on a hard drive), should be kept in a secure room, drawer or cabinet. Not only should access be restricted, but a log should be kept of every access to sensitive data to ensure compliance.

Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting and mitigating the effects of a data breach. When something goes wrong, the presence of logs in all environments allows for thorough tracking, alerting and analysis. Without system activity logs, determining the cause of a compromise is extremely difficult, if not impossible.
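
Putting the unique-ID requirement and this logging requirement together, the following added Python example (not code from the article) runs two detections over constructed access-log lines for a cardholder data store: an access by an ID that is not on the need-to-know roster for that resource, and one ID used from two different source hosts within a short window, which is the tell-tale of a login being shared among several people. The log format, the roster, the host addresses and the five-minute window are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not taken from the article): one access event per line.
SAMPLE_LOG = """\
2022-03-01T10:00:05Z user=alice src=10.0.1.5 action=read resource=cardholder_db
2022-03-01T10:01:10Z user=bob src=10.0.1.9 action=read resource=cardholder_db
2022-03-01T10:02:00Z user=alice src=10.0.7.22 action=read resource=cardholder_db
2022-03-01T10:03:30Z user=posadmin src=10.0.2.2 action=export resource=cardholder_db
2022-03-01T10:40:00Z user=alice src=10.0.1.5 action=read resource=cardholder_db
"""

# Assumed need-to-know roster: which individual IDs may touch each resource.
AUTHORISED: Dict[str, set] = {"cardholder_db": {"alice", "bob"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the assumed key=value format into events with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines here; a production collector should count them
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_anomalies(events: List[dict], authorised: Dict[str, set],
                   window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return findings in time order:
    - unauthorised_access: the ID is not on the roster for the resource (requirement 7/8);
    - shared_credential:   the same ID appears from a different source host within `window`,
                           so the login cannot be traced back to one known person (requirement 8)."""
    findings = []
    seen: Dict[str, List[dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in authorised.get(ev["res"], set()):
            findings.append({"type": "unauthorised_access", "user": ev["user"],
                             "ts": ev["ts"], "resource": ev["res"], "action": ev["action"]})
        prior = [p for p in seen.get(ev["user"], [])
                 if ev["ts"] - p["ts"] <= window and p["src"] != ev["src"]]
        if prior:
            findings.append({"type": "shared_credential", "user": ev["user"], "ts": ev["ts"],
                             "sources": sorted({p["src"] for p in prior} | {ev["src"]})})
        seen.setdefault(ev["user"], []).append(ev)
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG), AUTHORISED):
        print(f)
```

On the constructed lines, alice's second read from a different host two minutes after the first is flagged as a shared credential, posadmin's export is flagged because that ID is not on the roster, and alice's later read from the original host is not flagged because it falls outside the window.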

 

 

Regularly test security systems and processes

All ten of the preceding compliance standards involve a variety of software products, physical locations and, most likely, a number of employees. Many things can break down, become out of date or suffer from human error. These threats can be mitigated by complying with the PCI DSS requirement for regular system and process scans and vulnerability testing.

To ensure that security controls continue to reflect a changing environment, system components, processes and custom software should be tested on a regular basis.

Maintain a policy that addresses information security for all personnel

For compliance, an inventory of equipment, software and employees with access must be documented. Logs of access to cardholder data must also be documented, as must the flow of information into the company, where it is stored and how it is used after the point of sale.

A strong security policy sets the security tone for the entire organisation and informs employees of what is expected of them.

Levels of PCI DSS

In addition to adhering to these standards, organisations must assess and submit a Report on Compliance (RoC) based on the number of transactions handled each year:

  • Level 1: Merchants who process more than 60 Lakh card transactions per year
  • Level 2: Merchants who process 10 Lakh to 60 Lakh transactions per year
  • Level 3: Merchants who process between 20,000 and 10 Lakh transactions per year
  • Level 4: Merchants with fewer than 20,000 transactions per year

The assessment for Level 1 merchants should include an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They will conduct an on-site evaluation of the organisation in order to:

  • Validate the scope of the assessment
  • Review your documentation and technical information
  • Determine whether the PCI DSS requirements are being met
  • Provide support and guidance during the compliance process
  • Evaluate compensating controls

To demonstrate compliance, the auditor then submits the RoC to the organisation’s acquiring banks.

To confirm compliance with PCI DSS requirements, Level 2 merchants need only submit a self-assessment questionnaire (SAQ) and a self-declared RoC rather than undergo an external audit.

Level 3 and Level 4 merchants are only required to fill out a self-assessment questionnaire (SAQ).

Benefits of PCI DSS Compliance

At first glance, complying with the PCI Security Standards appears to be a daunting task. The tangle of standards and issues appears to be too much for even large organisations, let alone smaller businesses. However, compliance is becoming more important and may not be as difficult as one might think, especially with the right tools. The following are some of the advantages of being PCI DSS compliant:

  • Your systems are secure, and your customers can put their sensitive payment card information in your hands; trust breeds customer confidence and repeat business.
  • It prevents data breaches. Each PCI-compliant business represents a less valuable target for cybercriminals. They will not only have a much more difficult time breaking into your network, but they will also not find the data they are looking for!
  • Comply with global data security standards. The PCI DSS regulations were initiated by five of the world’s leading credit organisations in order to provide consumers with a mandatory level of protection by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. Obtaining PCI compliance allows you to join the ranks of other international businesses dedicated to data security and consumer protection.

Non-compliance with these standards will result in fines imposed by the networks on acquiring banks, which will then be passed on to the organisation in question. Repeated violations may result in the merchant’s ability to accept payments using their cards being revoked entirely.

Embedded Credit – A great lever for B2B e-commerce platforms

Merchants and retailers rely on credit to run and grow their businesses and expand their customer base. Easy access to credit, facilitated by embedded finance, enables merchants to purchase more stock, widen their product portfolio, respond to fluctuating demand, buy high-value SKUs (which could be slow-moving) and increase the space and assets in their store. Embedded finance has been shown to double the Average Order Value and Customer Lifetime Value for B2B e-commerce platforms, depending on the sector (white goods, groceries, pharma, apparel, etc.).

Embedded credit is when non-financial companies offer their customers access to credit through their own technology platform. Popular examples in India are Khatabook and Arzooo, which facilitate working capital loans for their partner merchants/retailers. Embedded finance also enables banks, insurers and wealth management companies to form valuable partnerships to distribute their products and services. According to a 2020 Forrester report, embedded finance is touted to be a USD 7 trillion opportunity globally by 2030.

Very few merchants are approved for loans through formal channels, and most have to acquire credit from informal sources. Such credit is either too small to have an impact or offered on terms that do not support their growth in the long term. B2B e-commerce platforms that are able to offer credit can relieve these bottlenecks for merchants and unlock growth for both their merchants and themselves.

So how do B2B e-commerce platforms facilitate embedded credit?

Digital platforms catering to merchants and distributors can offer tailored credit products in context, at the point of demand creation on their platform. Examples of fintechs operating in this space and facilitating embedded credit options include the retail-tech Arzooo and the accounting-tech Khatabook. An illustrative flow chart is provided for better understanding.

Advantages for all the parties involved

Lender Partner
  • Gets access to increase the portfolio of disbursals via the B2B e-comm partner
  • Streamlined pipeline of leads who have a fund requirement
  • Opens up new revenue streams
  • B2B e-comm partner provides risk sharing

B2B E-commerce Marketplace
  • Facilitates lines of credit through the mobile app
  • Helps increase wallet share from retailers
  • Increases retailer retention
  • Becomes a preferred supplier to retailers

Retailer Partner
  • Access to working capital loans through the mobile app
  • Helps merchants better manage cash flows for SKU purchases & other business-related expenses with flexible repayment plans

The key in this scenario is to provide tailored credit products as part of the digital platform.

Line of Credit
  Fulfil demand hikes due to seasonality & festivals.

Merchant Cash Advance
  Merchants can meet their short-term liquidity requirements from lender partners, wherein the lender partner settles the outstanding invoice amount with the supplier.

Working Capital Loans
  Avail working capital loans from lender partners of the B2B platform to meet contingencies, better manage cash flows & expand the business.

Why Embedded Finance?

Embedded Finance Infrastructure natively enables credit for all merchants within a B2B e-commerce platform. It handles the end-to-end lending flow, including the customer journey, loan offer generation, lender partnerships, third-party integrations and repayment.

Digital lending platform
  Intuitive UI/UX for each stage of the loan lifecycle: loan application, post-approval and post-disbursal. The loan application process is completely mobile-app native.

Increased approval rates
  Embedded Finance combines lending expertise, alternative data and data from the B2B e-comm platform to credit-score and underwrite merchants and approve more disbursals.

Best loan offers
  Embedded Finance connects digital platforms to a large and diverse lender network, which ensures that your merchants get the best loan offers and have a high probability of being approved.

Customised credit products
  Embedded Finance enables platforms to innovate, evolve and tailor credit products to serve the various use cases of customers, in deep collaboration with the anchor platform.

In conclusion

Ultimately, Embedded Finance enables digital platforms to leverage their unique position to help their merchants. It empowers B2B E-Commerce businesses to innovate for their customers, offer effective credit products, and provide credit to customers who otherwise wouldn’t be able to access it. This sharply accelerates their own growth and the growth of their retail partners.


Will the internet-free digital payments UPI Lite take off in India?

What is UPI Lite?

The National Payments Corporation of India (NPCI) is working on a new solution called UPI Lite that will allow small digital payments to be made without the need for an active internet connection. The RBI announced on January 5 that digital payments of up to ₹200 could be made without an internet connection.

 

How does it work?

UPI Lite will allow feature phone users to use their phones to connect to UPI networks and make digital payments directly from their bank accounts. Two key solutions are currently being evaluated. The first is a SIM overlay, while the second is a software-provisioned solution that will use over-the-air (OTA) updates.

SIM overlay is a technique that extends the capabilities of a phone’s SIM card, allowing payments and other services to be completed even when there is no data connection. The OTA approach, on the other hand, delivers the solution straight to the device’s firmware.

Users will be required to create a 4-digit or 6-digit PIN, depending on the protocols implemented by their banks. Payments made via the SIM overlay technique will be routed through NPCI’s UPI system to servers operated by NPCI, and the transactions will then take place over the standard UPI network. Instead of using the internet, the entire procedure will run over SMS networks.

How does it affect the Indian ecosystem?

Since the demonetisation of banknotes in 2016, India has experienced a surge in digital payments. According to a survey, tier-II and tier-III cities in India accounted for more than half of all online transactions in the quarter ending March 2021. In villages and towns, though, cash still reigns supreme.

According to an industry expert, a small-value offline mode for digital payments will provide an alternative, secure, low-cost mode of payment with near-cash characteristics, improving consumer confidence and making it a preferred option for small retail payments. It has the potential to promote various creative retail payment use cases, such as tickets, product bundling and non-standardised pricing.

Given that feature phones still account for half of the market, this will improve payments in areas where internet penetration is low.

This is not the first time NPCI has attempted to promote offline payments in rural areas. In 2012, it launched UPI-led offline payments over Unstructured Supplementary Service Data (USSD) networks. However, due to SMS charges, it failed to take off in a big way.

According to NPCI data, the USSD system was used for transactions worth ₹1.21 lakh in 2021. Around 83 banks were using the USSD system as of December 2021.

If NPCI’s current experiments go as planned, about 350 million feature phone users in India will be able to make digital payments without the need for an internet connection.
