We are at the cusp of a digital payments revolution in India ushered in by the government's demonetisation exercise late last year, and once again, mobile phones are at the centre of this revolution.
This, of course, involves personal data of millions of users that is sacrosanct. To ensure that this data is not compromised in any way while people use different digital payment modes, robust security across devices is absolutely necessary.
The Government estimates around 2,500 crore digital transactions will occur in 2017-18 via different payment modes such as Unified Payment Interface (UPI), Immediate Payment Service (IMPS), Aadhaar-enabled Payment System (AEPS) and credit cards as well as debit cards, swiped at point-of-sale terminals.
While these tools seek to create a digitally-empowered society, one important element will decide how successful they are: cyber security.
This article brings out key security aspects of digital payment transactions as presented by me in NDTV Gadgets 360. It also includes a report by Hindustan Times on how Samsung Pay works in India.
Security of Digital Payments Is Crucial for a Cashless India
Aloknath De, 18 March 2017
The Government projects 2,500 crore digital transactions in 2017-18
Many wallets and banking apps are not deploying hardware-level security
Better security will improve usability and adoption of digital payments
With a multitude of digital transactions happening via mobile phones, the chances of a
security breach exist, particularly when many mobile wallets and banking
applications are not deploying hardware-level security to make online transactions
Security issues include multiple fake accounts, psychological manipulation (known
as phishing), weak device authentication, hacking of servers, and stealing of data.
The red flag on security is not without reason. Globally, there have been numerous
hacking incidents involving email accounts, databases, the Twitter handles of celebrities,
Facebook and other social media. In such cases, the financial-, privacy-, and
security-related implications for individuals, institutions, and nations can be
enormous. As digital transactions soar, cyber crimes will also rise.
After the severe cash crunch created by the November demonetisation drive, Indians
have scrambled to undertake digital transactions. Given this scenario, cyber analysts
have warned about serious vulnerabilities in the payment systems used across India.
To address the threat, it’s necessary to have security features embedded in the
hardware and software by design and not as add-on features, as the latter will be
susceptible to hacks.
Nonetheless, the benefits of digital and card payments are decidedly greater than
those of cash. To minimise (if not eliminate) the risk in digital transactions, simplicity,
security and ubiquity are the watchwords for any payment system or gateway to
succeed. To safeguard the details of users, such a system should have the ability to
tokenise, encrypt and authenticate data before use.
Boosting cyber security
There are several methods adopted to boost cyber security. In the tokenisation
method, the system or device does not store any account or card number details on
the device, but relies on tokens to undertake transactions.
When any transaction takes place, the device will transmit two sets of data to the
payment terminal. The first set will be a 16-digit token representing the credit or debit
card number. The second set will be a one-time cryptogram or code generated by
the encryption key of the smartphone. The third safety element, authentication, is
self-explanatory, with the user being identified by the user ID, fingerprint, or other
Today, SFA (Single-Factor Authentication) is clearly not as safe as TFA (Two-Factor
Authentication). Password-based authentication is the most common form of SFA. In
TFA, an extra layer of security is added to the standard log-in procedure, whereby
the person accessing an account verifies their identity through a second question, or
Another benefit of such security systems is that even if a person’s smartphone is
stolen, payments cannot be made from the device unless authorised through a
fingerprint or the specific PIN put down during the setup procedure.
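The token-plus-cryptogram exchange described above, as an added sketch that is not code from the article, Samsung Pay or any card network: a hypothetical `TokenService` keeps the card number, the phone holds only a 16-digit token and a key, and every payment carries a one-time code. The HMAC-SHA256 construction, the transaction counter and the binding of the amount into the code are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_paise):
    """One-time code: keyed MAC over token, counter and amount (HMAC is an assumption)."""
    msg = f"{token}|{counter}|{amount_paise}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:
    """Hypothetical issuer-side vault; the card number (PAN) never leaves it."""
    def __init__(self):
        self._vault = {}  # token -> card number, device key, last counter seen

    def provision(self, pan):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key  # only these two values are sent to the phone

    def authorise(self, token, counter, amount_paise, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return None  # unknown token
        expected = make_cryptogram(entry["key"], token, counter, amount_paise)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # wrong key, or a field was altered in transit
        if counter <= entry["last_counter"]:
            return None  # cryptogram already used: replay
        entry["last_counter"] = counter
        return entry["pan"]  # resolved only inside the issuer's system

class Device:
    """The phone: stores token and key, never the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_paise):
        self._counter += 1
        code = make_cryptogram(self._key, self.token, self._counter, amount_paise)
        return {"token": self.token, "counter": self._counter,
                "amount_paise": amount_paise, "cryptogram": code}

def demo():
    service = TokenService()
    phone = Device(*service.provision("4111111111111111"))  # constructed test PAN
    msg = phone.pay(25000)
    first, replay = service.authorise(**msg), service.authorise(**msg)
    tampered = service.authorise(**{**phone.pay(25000), "amount_paise": 9900000})
    return first, replay, tampered
```

A terminal or eavesdropper that captures one payment message sees no card number, and resubmitting or altering that message fails authorisation.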
The diverse range of payment technologies makes robust security critical. Two of
these payment technologies are NFC (Near Field Communication) and MST
(Magnetic Secure Transmission), and for both, users need to upload credit card
details into the mobile payment app on their smartphone. Purchases can then be
made in physical retail stores.
Since the card data is encrypted on the phone, one-time authorisation tokens are
provided for every separate purchase. As NFC and MST are contactless payment
solutions, the mobile phone typically does not need manual interaction with the PoS
terminal. Only physical proximity and the customer’s approval are needed to permit a
Although the demonetisation drive has fast-forwarded India’s digital transition, issues
of payment safety and security have not kept pace with these developments. If
repeated security breaches occur, apprehension in people’s minds will slow down the
pace of digital transactions in India.
It is, therefore, critical that the issue of security is given due importance by all
stakeholders. It is important that the digital payments industry also upgrades its
systems to ensure the security of its customers. If that happens, everyone will benefit
– including the Government, the digital payments industry, and customers.
The proliferation of mobile devices (smartphones, tablets) gives consumers more
choice. Current digital card-based systems - be it credit or debit payment - assume
that physical cards are available and card virtualisations are done. The traditional
role of banks in issuing physical cards that are dispatched to users could be
substituted by new forms of intermediaries, such as Trusted Service Managers, that
make mobile devices capable of over-the-air provisioning. The time is now ripe to
drive digital payments across India using financial instruments that are backed by
robust security solutions.
Aloknath De is Chief Technology Officer, Samsung R&D Institute, Bangalore
Launch of Samsung Pay in India:
Samsung Pay launched in India: Here’s how it works
TECH Updated: Mar 23, 2017 11:26 IST
Hindustan Times, New Delhi
The Samsung Pay service will be available on Visa, Mastercard and Rupay payment cards; and for
ICICI, HDFC, Standard Chartered, SBI, Axis banks (Anirban Ghoshal, Hindustan Times)
Samsung today launched a new digital payments service in the country, called
Samsung Pay, that hopes to bring debit cards, credit cards and wallets under one
Samsung Pay, a service that users of Samsung S7 Edge, S7, S6 Edge Plus, A
series 2016 and 2017, and Note 5 will get via a service update, will be
available on Visa, Mastercard and Rupay payment cards. ICICI, HDFC, Standard
Chartered, SBI, Axis bank cards will be supported, along with Paytm and Amex
cards. UPI and CitiBank card support is also expected to become available soon.
The Samsung Pay service is also supported on Samsung Gear S3.
So, how does this work?
After updating their Samsung phones to the latest software, users can open the
Samsung Pay app and link their bank or Paytm or credit/debit card accounts.
First, a user must link their card or wallet to the Samsung Pay account.
For phones, the user can then make a transaction by swiping the pay service from
the bottom of the screen. The screen will offer options of cards or accounts to pay
from. The user selects the card and brings it close to the POS (point of sale)
machine. Once the merchant has entered the amount for the transaction, the
machine connects to the payment gateway and asks the user for the bank/ATM PIN.
Entering the PIN completes the transaction.
In case of the Gear S3, the user can open the service by swiping up and then
selecting the card or account to pay from. Once the selection is made, a ‘pay’ button
appears on the screen. Tapping the button and bringing the device close to the POS
machine will complete the transaction in the same way as in the case of a phone.
Consumers can use the Gear S3 with any other Android phone to make transactions
with Samsung Pay. To add cards to the Gear S3, users need to add them on the
Samsung Gear Manager app.
Nearly 90% of all POS machines in India work on magnetic technology for payments
with cards. The Samsung Pay service uses a similar technology. The service creates
a magnetic field between the POS machine and the phone to replicate a card
The Samsung Pay app also offers promotions from banks on reward points. It shows
offers from Paytm as well. The app also comes with built-in customer support.