The Reserve Bank of India has released, on its website, the final Report of the Technical Committee on Enabling Public Key Infrastructure (PKI) in Payment System Applications. It had released the draft report for public comment in February-March 2014.
Cognisant of the fact that non-PKI-enabled payment systems, such as clearing (Magnetic Ink Character Recognition (MICR)/Non-MICR), electronic credit system, credit cards and debit cards, contributed 75 per cent in volume terms but only 6.3 per cent in value terms in the year 2012-13, the Group has suggested that, in order to ensure a safe, secure payment system in the country and to ensure legal compliance, digital technology such as PKI may be used. Based on the feedback received, the Group has also included a detailed study of Cloud-Hosted Digital Signature Certificate (DSC), Trusted Execution Environment, Hardened "Soft" Signatures, Mobile PKI, Portable Security Transaction Protocol and Hybrid PKI Solution by the Institute for Development and Research in Banking Technology (IDRBT) as alternative strategies, keeping in view the Indian context (para 19 in the executive summary of the report).
The report also highlights, among other things, security features in existing payment system applications and the feasibility of implementing PKI in all payment system applications. All banks’ internet banking applications should mandatorily create an authentication environment for password-based two-factor authentication as well as a PKI-based system for authentication and transaction verification in online banking transactions. Banks should offer PKI for online banking transactions as an optional feature for all customers. The Group has also recommended that banks may carry out PKI implementation for authentication and transaction verification in phases.
Payment systems are subject to various financial risks, such as credit risk, liquidity risk, systemic risk, operational risk and legal risk. As customers increasingly adopt electronic payment products and delivery channels for their transactional needs, it is necessary to recognise that security and safety have to be robust. Any security-related issues resulting in fraud have the potential to undermine public confidence in the use of electronic payment products, which will impact their usage. Necessary measures to strengthen security have to be taken as such attacks are growing in scale and sophistication.
Against this background, the Reserve Bank of India had, in September 2013, constituted a group to prepare an approach paper for enabling PKI for Payment System Applications in India, comprising members from banks (State Bank of India and ICICI Bank), Institute for Development and Research in Banking Technology-Certifying Authority (IDRBT-CA), Controller of Certifying Authority (CCA), New Delhi and Reserve Bank of India [Department of Technology (DIT), Department of Payment and Settlement Systems (DPSS), Department of Government and Bank Accounts (DGBA) – Core Banking Solution (CBS) and Chief Information Security Officer (CISO)]. The Group had also interacted with the Indian Banks’ Association (IBA) and other banks, which have given their suggestions/feedback on an earlier version of the Report.
Principal Chief General Manager
Press Release : 2013-2014/2068