Touchpoints and security

This presentation discusses the security risks and possible mitigation for customer touch points of banks.
1. Customer Touch Points & Security Concerns
   By Mohan Datar, 9th May 2013, BSE Institute, Mumbai

2. Agenda
   • About customer touch points
   • What are the basic security concerns or risks
   • Security concerns at different touch points
   • What are the basic risk mitigation measures
   • Risk mitigation at different touch points
   • Some regulatory measures
   • Q & A

3. What are customer touch points?
   • A point where a customer touches a bank, or a bank touches a customer, for service access or service delivery
   • Examples of services:
     – Exchange of information
     – Transactional
     – Relationship development / management

4. What are customer touch points?
   • Examples of physical touchpoints (shown as pictures on the slide; not captured in the transcript)

5. What are customer touch points?
   • Examples of other touchpoints:
     – Relationship manager
     – Call centre
     – Cheques, receipts, account statements
     – Events
     – Offerings
     – E-mails
     – Other correspondence

6. Why so many customer touch points?
   • Technology-driven causes
     – Rapid innovation
     – Rapid penetration into all segments of society
     – Rapid adoption by a variety of businesses and government
   • Business-driven causes
     – Drastic reduction in the cost of services
     – Competitive pressures
     – Real danger of elimination

7. What are the basic security concerns of banks and customers?
   • THEFT
   • DESTRUCTION

8. What are the basic security concerns of banks and customers?
   • THEFT
     – Data
     – Resources / assets
   • DESTRUCTION
     – Data
     – Resources / assets
     – Reputation

9. Some recent examples

10. Some recent examples
   Date        No.  Security breach example
   28-02-2013  1    14 GB of Bank of America data hacked. It contained sensitive information about hundreds of thousands of its employees, globally.
               2    Botnets are being legally sold on the Internet for as low as $25 for 1,000 hosts.
   06-03-2013  3    Websites of the Czech central bank and stock exchange crippled by a brute-force DDoS attack.
               4    New York police announce that cyber crime is the fastest growing crime in NY (more than 50%). The largest number of crimes consist of rigging of ATMs and card skimming.

11. Some recent examples
   06-03-2013  5    According to HP, mobile phone vulnerabilities rose significantly (68%) from 2011 to 2012.
               6    The following are highly vulnerable: mobile phone payments; tap-and-pay Near Field Communication (NFC); digital wallets. (Source: Samsung, BlackBerry, McAfee)
   08-03-2013  7    Mr Rajesh Aggarwal, IT Secretary, Government of Maharashtra, ordered PNB to pay Rs 45 lakh to Mr Manmohansingh Matharu, MD, Poona Auto Ancillaries, who lost Rs 80 lakh by responding to a phishing e-mail.

12. Some recent examples
   11-03-2013  8    Reserve Bank of Australia's networks were hacked repeatedly. They were found to be infiltrated by Chinese malware.
               9    Two tech-savvy brothers from Mumbai, Fazrur Rehman (26) and Shahrukh (23), both college dropouts, were arrested for a Rs 1 crore e-fraud by Mulund Police. They transferred Rs 1 crore from the current account of a cosmetics company to 12 different bank accounts within 45 minutes, using just a smartphone.

13. Some recent examples
   27-03-2013  10   New malware called 'Dump Grabber' scans the memory of POS terminals and ATMs, captures track 1 and track 2 data and sends it to a remote server. The malware can be installed remotely. It has affected all major US banks such as Chase, Capital One, Citibank, Union Bank of California etc.
   28-03-2013  11   Cyber attacks meant for 'destruction' rather than 'disruption': American Express customers could not access their accounts today for 2 hours. Last week it happened to JP Morgan Chase. 32,000 computers of South Korean banks were incapacitated last week.

14. Some recent examples
   25-04-2013  12   A new virus has been found to be spreading widely in Indian cyberspace. It cleverly steals bank account details and passwords. This advisory was issued by CERT-In (Indian Computer Emergency Response Team) today.
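The 'Dump Grabber' item above (no. 10) describes memory scraping for track 1 and track 2 data. The following Python script is an added example, not code from the presentation and not from any real malware, showing how such a scraper (and, equally, a memory-scan detector or DLP tool) locates magnetic-stripe records in a raw memory image: a regular expression for the ISO/IEC 7813 track layouts, followed by a Luhn check to discard digit runs that are not card numbers. The memory image and card numbers below are constructed for this example; the PANs are published test numbers that belong to no account.

```python
# Added example (not from the presentation): locating magnetic-stripe
# track data in a raw memory image, the technique behind POS/ATM RAM
# scrapers such as the 'Dump Grabber' item above, and the same logic a
# detector or DLP scanner uses.  Memory image and PANs are constructed.
import re

# ISO/IEC 7813 track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d*\?")
# ISO/IEC 7813 track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; scrapers use it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30            # ASCII digit -> int
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(memory: bytes):
    """Return [(track, PAN, expiry YYMM), ...] for every Luhn-valid record."""
    hits = []
    for m in TRACK1_RE.finditer(memory):
        pan, expiry = m.group(1), m.group(3)
        if luhn_ok(pan):
            hits.append(("track1", pan.decode(), expiry.decode()))
    for m in TRACK2_RE.finditer(memory):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            hits.append(("track2", pan.decode(), expiry.decode()))
    return hits


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory image: two track-1 records and two track-2 records
# among unrelated bytes.  4111111111111111 and 5500000000000004 are
# published test PANs; 1234567890123456 fails Luhn and must be ignored.
MEMORY_IMAGE = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\xff\xfe\x00heap noise\x00"
    b";4111111111111111=25121011000000000000?"
    b"\x00;1234567890123456=24011010000?\x00"
    b"%B5500000000000004^SMITH/JOHN^2406101?\x00"
)

if __name__ == "__main__":
    for track, pan, expiry in find_track_data(MEMORY_IMAGE):
        print(f"{track}: PAN {mask_pan(pan)} exp {expiry}")
```

Two points a practitioner should take from this. The patterns are short and unambiguous, so any process holding clear-text track data in memory is trivially harvestable; the real control is to keep clear-text track data out of POS application memory altogether, with encryption at the card reader as the PCI PTS SRED requirements call for. Conversely, the same matcher run over process memory or network captures is a cheap indicator that a terminal is handling or leaking card data where it should not.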
15. My PC report on 8th May, 2013 (screenshot on the slide; not captured in the transcript)

16. What are the basic security concerns of banks and customers?
   • THEFT – Data
     – Credentials
     – Account details
     – Account balances
     – Non-account balances
     – Other data from customer PCs / mobiles
     – Entire databases

17. What are the basic security concerns of banks and customers?
   • THEFT – Resources / assets
     – Customer cash
     – Bank cash
     – Instruments
     – Cards
     – POS terminals
     – ATMs
     – Documents
     – Contents of safe deposit lockers
     – Network components
     – IT infrastructure
     – Other assets

18. What are the basic security concerns of banks and customers?
   • DESTRUCTION – Data
     – Web sites and portals
     – Account details
     – Account balances
     – Non-account balances
     – Other data from customer PCs / mobiles
     – Entire databases

19. What are the basic security concerns of banks and customers?
   • DESTRUCTION – Resources / assets
     – Customer cash
     – Bank cash
     – Blank instruments
     – Blank cards
     – POS terminals
     – ATMs
     – Documents
     – Contents of safe deposit lockers
     – Network components
     – IT infrastructure
     – Other assets

20. What are the basic security concerns of banks and customers?
   • DESTRUCTION – Reputation
     – Reliability
     – Availability
     – Credibility
     – Goodwill
     – Defamation (defaced portals, redirection to porn sites etc.)
     – Privacy

21. Recap of basic security concerns of banks and customers
   • THEFT: data; resources / assets
   • DESTRUCTION: data; resources / assets; reputation

22. Security concerns at touch points – ATM

23. Security concerns at touch points – ATM
   THEFT
   – Data: credentials; card data; account balances (money, equity, units, etc.)
   – Assets: debit cards; credit cards; cash (customer's, bank's); the ATM; other fixtures
   DESTRUCTION
   – Data: (none listed)
   – Assets: the ATM; the ATM centre; cash (bank's); other fixtures
   – Reputation: (none listed)

24. Security concerns at touch points – POS
   THEFT
   – Data: credentials; card data
   – Assets: POS terminal
   DESTRUCTION
   – Data: (none listed)
   – Assets: POS terminal
   – Reputation: retailer's credibility with banks

25. Security concerns at touch points – Net Banking
   THEFT
   – Data: credentials; account details; account balances; other data from the customer's PC
   – Assets: customer's money, equity, units, etc.; account misuse
   DESTRUCTION
   – Data: individual-related data; entire databases; customer PC data
   – Assets: bank portals; network components; networks; "ransomnets"
   – Reputation: defamation (disfigured portals); availability; credibility; reliability; goodwill

26. Security concerns at touch points – Mobiles
   THEFT
   – Data: credentials; account details; account balances; other data from the customer's mobile
   – Assets: cash from digital or mobile wallets; customer's money, equity, units, etc.; account misuse; the mobile unit; SIM cards; memory cards
   DESTRUCTION
   – Data: individual-related data; entire databases; customer mobile data
   – Assets: bank portals; digital / mobile wallets
   – Reputation: defamation (disfigured portals); availability; credibility; reliability; goodwill

27. Security concerns at touch points – Payment Gateway
   THEFT
   – Data: credentials; account details; account balances; other data from the customer's PC
   – Assets: (none listed)
   DESTRUCTION
   – Data: (none listed)
   – Assets: (none listed)
   – Reputation: defamation (disfigured portals); availability; credibility; reliability; goodwill

28. Security concerns at touch points – Bank Branch
   THEFT
   – Data: credentials (signatures); account details; account balances
   – Assets: cheques; cash (customer's, bank's); safe deposit vaults; physical documents (FD receipts, shares / debentures, etc.)
   DESTRUCTION
   – Data: branch data
   – Assets: IT infrastructure; other branch infrastructure; safe deposit vaults; staff; customers; premises
   – Reputation: reliability (safe deposit vaults); availability (when will it reopen?); credibility (is it safe to visit?)

29. Part 2: Basic Risk Mitigation Measures of Banks and Customers

30. What are the basic risk mitigation measures of banks and customers?
   • PREVENTION
   • RECOVERY

31. What are the basic risk mitigation measures of banks and customers?
   • PREVENTION
     – Detection
     – Prevention
     – Updation (patching and updates)
   • RECOVERY
     – Data
     – Assets
     – Business continuity
     – Reputation

32. Risk mitigation measures – Prevention
   • DETECTION
     – Physical surveillance
     – Electronic surveillance
     – Processes and policies
     – Audits
     – Reviews
     – Logs
     – Virus / malware scans

33. Risk mitigation measures – Prevention
   • PREVENTION
     – Anti-virus
     – Firewalls
     – Data centre security
     – Application architecture
     – Data architecture
     – SSL/TLS deployment
     – WPA / WPA2 deployment (wireless LAN encryption)
     – Anti-card-skimming devices / designs
     – Virtual keyboards
     – Technology standards compliance

34. Risk mitigation measures – Prevention
   • PREVENTION
     – SMS alerts
     – OTPs (one-time passwords)
     – Multi-factor ("multipart") authentication
     – Multi-step ("multipart") logins
     – KYC
     – Cash and valuables strong-room security
     – Cash-in-transit security
     – Cash-in-ATM security
35. Risk mitigation measures – Prevention
   • PREVENTION – Processes and policies
     – Dormant account management (physical; online)
     – Card and PIN dispatch
     – Card and PIN storage
     – Password change policy
     – Password strength policy
     – Regulatory standards compliance

36. Risk mitigation measures – Recovery
   • RECOVERY
     – Data: backups; reconstruction; recapture
     – Assets: police; replacement

37. Risk mitigation measures – Recovery
   • RECOVERY
     – Business continuity: DR site; redundancy; hot-swappable devices; DR and BC policies; training; simulations
     – Reputation: publicity; transparency; speed of action; hard decisions

38. Security and the role of regulators
   • Who are the regulators?
   • Why are they concerned about security?

39. What are the basic security concerns of regulators?
   • Legal and regulatory issues
   • Security and technology issues
   • Supervisory and operational issues
   • Impact on monetary policy

40. What are the basic security concerns of regulators?
   • Legal and regulatory issues
     – The jurisdiction of law
     – Validity of electronic contracts, including the question of repudiation
     – Gaps in the legal / regulatory environment for electronic commerce

41. What are the basic security concerns of regulators?
   • Security and technology issues
     – Questions of adopting internationally accepted, state-of-the-art minimum technology standards for:
       • access control,
       • encryption / decryption (minimum key length etc.),
       • firewalls,
       • verification of digital signatures,
       • Public Key Infrastructure (PKI) etc.
     – The security policy for the banking industry
     – Security awareness and education

42. What are the basic security concerns of regulators?
   • Supervisory and operational issues
     – Risk control measures
     – Advance warning system
     – Information technology audit
     – Re-engineering of operational procedures
     – Whether the products and services offered are within the regulatory framework
     – Whether transactions camouflage money-laundering operations

43. What are the basic security concerns of regulators?
   • Impact on monetary policy
     – When and where private-sector initiative produces electronic substitutes for money, such as:
       • e-cheques,
       • account-based cards,
       • digital coins,
       • m-wallets,
       • cash cards,
       • non-account-based cards,
       • e-money transfers with physical cash payments etc.

44. Some recent policy recommendations by RBI
   Target date  No.  Recommendation
   30-06-2013   1    All new debit and credit cards to be issued only for domestic usage unless international use is specifically sought by the customer. Cards enabling international usage must be EMV chip-and-PIN enabled.
   30-06-2013   2    Issuing banks should convert all existing magstripe cards to EMV chip cards for all customers who have used their cards internationally at least once (for/through e-commerce / ATM / POS).

45. Some recent policy recommendations by RBI
   30-06-2013   3    Banks should ensure that the terminals installed at merchants for capturing card payments (including the double-swipe terminals used) are certified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard).
   30-06-2013   4    Banks should ensure that all acquiring infrastructure currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants.

46. Some recent policy recommendations by RBI
   ASAP         5    Banks should move towards a real-time fraud monitoring system at the earliest.
   ASAP         6    Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.
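Recommendation 5 above, a real-time fraud monitoring system, is what would have caught the Mumbai case on slide 12 (Rs 1 crore moved to 12 accounts in 45 minutes) while it was happening. The following Python code is an added example, not from the presentation or from any bank's system, of the simplest useful form of such a monitor: per-account sliding-window velocity rules on transfer count, total amount and the number of first-time payees, scored as each transfer arrives. The thresholds, account identifiers and transaction stream are constructed for the example and modelled on that case.

```python
# Added example (not from the presentation or any bank's system): a
# minimal real-time fraud monitor with per-account sliding-window
# velocity rules, modelled on the Mumbai case on slide 12.  Thresholds,
# account identifiers and the transfer stream are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Transfer:
    account: str        # debited account
    payee: str          # credited account
    amount: int         # rupees
    ts: int             # seconds since epoch


@dataclass
class Rules:
    window: int = 45 * 60            # sliding window, seconds
    max_count: int = 5               # transfers allowed per window
    max_amount: int = 25_00_000      # Rs 25 lakh per window
    max_new_payees: int = 3          # distinct first-time payees per window


class FraudMonitor:
    def __init__(self, rules=None, known_payees=None):
        self.rules = rules or Rules()
        # account -> payees it has paid before (seeded from history)
        self.known = defaultdict(set)
        for acct, payees in (known_payees or {}).items():
            self.known[acct].update(payees)
        # account -> deque of (Transfer, was_first_time_payee)
        self.recent = defaultdict(deque)

    def check(self, t: Transfer):
        """Score one transfer as it arrives; return the rule names it trips
        (empty list means allow).  Payees are learned only from clean
        transfers, so a flagged burst does not teach the model its mules."""
        first_time = t.payee not in self.known[t.account]
        q = self.recent[t.account]
        q.append((t, first_time))
        while q and q[0][0].ts < t.ts - self.rules.window:
            q.popleft()                     # expire transfers outside the window

        alerts = []
        if len(q) > self.rules.max_count:
            alerts.append("velocity_count")
        if sum(x.amount for x, _ in q) > self.rules.max_amount:
            alerts.append("velocity_amount")
        new_payees = {x.payee for x, new in q if new}
        if len(new_payees) > self.rules.max_new_payees:
            alerts.append("new_payee_fanout")

        if not alerts:
            self.known[t.account].add(t.payee)
        return alerts


T0 = 1_360_000_000   # constructed epoch timestamp (February 2013)

# Constructed stream: one routine supplier payment, then twelve transfers
# of Rs 8.33 lakh each (about Rs 1 crore in total) to twelve never-seen
# accounts, three minutes apart, as in the Mumbai case.
SCENARIO = [Transfer("CUR-001", "SUP-1", 2_00_000, T0)] + [
    Transfer("CUR-001", f"MULE-{i:02d}", 8_33_000, T0 + 60 + i * 180)
    for i in range(1, 13)
]


def run_scenario():
    """Return the alert list produced for each transfer in SCENARIO."""
    monitor = FraudMonitor(known_payees={"CUR-001": {"SUP-1", "SUP-2"}})
    return [monitor.check(t) for t in SCENARIO]


if __name__ == "__main__":
    for t, alerts in zip(SCENARIO, run_scenario()):
        verdict = "ALLOW" if not alerts else "HOLD " + ",".join(alerts)
        print(f"{t.ts - T0:5d}s  {t.payee:8s}  Rs {t.amount:>9,}  {verdict}")
```

Which alert fires first depends on the thresholds: here the amount limit trips on the fourth transfer and the new-payee fan-out on the fifth, long before the twelfth. In production these rules would sit beside per-customer behavioural baselines, and the response to a hit would be a hold plus an out-of-band confirmation (the SMS alert bullet on slide 34) rather than a silent block.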
47. Some recent debit card recommendations by RBI
   Target date  No.  Recommendation
   Immediately  1    Banks may issue only online debit cards, including co-branded debit cards, where there is an immediate debit to the customer's account and straight-through processing is involved.
   Immediately  2    No bank shall dispatch a card to a customer unsolicited, except where the card is a replacement for a card already held by the customer.
   Immediately  3    The terms shall put the cardholder under an obligation not to record the PIN or code in any form that would be intelligible or otherwise accessible to any third party if access is gained to such a record, either honestly or dishonestly.

48. Some recent debit card recommendations by RBI
   Immediately  4    No cash transactions through debit cards should be offered at the point of sale under any facility without prior authorisation of the Reserve Bank of India under Section 23 of the Banking Regulation Act, 1949.
   Immediately  5    The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank, and losses incurred by any party on account of a breach of security or failure of the security mechanism shall be borne by the bank.
   Immediately  6    Banks should review their operations / issue of debit cards on a half-yearly basis. The review may include, inter alia, card usage analysis, including cards not used for long durations due to their inherent risks.

49. Some recent debit card recommendations by RBI
   Immediately  7    The role of the non-bank entity under a tie-up arrangement should be limited to marketing / distribution of the cards or providing access to the cardholder for the goods / services that are offered.
   Immediately  8    The card-issuing bank should not reveal any information relating to customers obtained at the time of opening the account or issuing the card, and the co-branding non-banking entity should not be permitted to access any details of customers' accounts that may violate the bank's secrecy obligations.

50. RBI policies
   • Reference documents
     – RBI Security Feb 28, 2013.pdf
     – RBI Guidelines Debit cards Dec 24, 2012

51. ATM security standards
   Standard      Description
   PCI PTS POI   PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI). Version: 1.0. Date: January 2013. Author: PCI Security Standards Council.
   PCI DSS       PCI SSC Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.

52. ATM security standards
   PCI PA-DSS    PCI SSC Payment Application Data Security Standard. This document is to be used by Payment Application Qualified Security Assessors (PA-QSAs) conducting payment application reviews, so that software vendors can validate that a payment application complies with the Payment Application Data Security Standard (PA-DSS). It is also to be used by PA-QSAs as a template to create the Report on Validation.

53. ATM security standards
   PCI PTS       PCI PIN Transaction Security Standard. This standard includes security requirements for vendors (PTS POI Requirements), device-validation requirements for laboratories (Derived Test Requirements), and a device approval framework that produces a list of approved PTS POI devices (against the PCI PTS POI Security Requirements) that can be referred to by brands' mandates. The PCI PTS list is broken down into the following approval classes of devices: PIN Entry Devices (PEDs, standalone terminals), EPPs (generally integrated into ATMs and self-service POS devices), Unattended Payment Terminals (UPTs), Secure Card Readers (SCRs), and non-PIN-enabled (non-PED) POS terminals.

54. Q and A

55. Thank you