Who moved my wallet? Inside the evolution of digital payments

The digital payment industry has grown rapidly in the past five years, solving countless consumer inconveniences, including how to shop without hard cash in hand, and how to transfer money without making a trip to the bank. Like most facets of our day-to-day life, technology has driven significant change in the way we use money.

From barter exchange to commodity money to metallic and paper money, it subsequently gave way to plastic in the form of debit and credit cards. Now, an increasing number of people are turning to digital money: mobile wallets/applications that enable today’s tech-savvy generation to operate without real cash.

Industry reports show the digital payments industry accounted for a total transaction value of $51,756M USD in 2018. There are several factors, outlined below, pushing the industry towards a growth trajectory.

1. Technology is the Future: The advent of technology and internet has indubitably favored the Indian economy to become less cash-dependent. As of 2017, approximately 300 million and 480 million people use smartphones and internet respectively. The increased number of affordable smartphones has led to decreased cost of data plans resulting in expanded user base for digital payments.
2. Convenience is the Key: Today’s fast-paced generation demands convenience and on-the-go access. This need for speed is seen across various sectors, and digital payments have profited from this drift. Ease of usage in booking tickets, transferring money, paying electricity bills, etc., have become table stakes among young consumers.
3. E-commerce Boom: Rising internet penetration has boosted the Indian e-commerce industry. Online stores prove to be more efficient, cost-effective and convenient than physical stores, and buyers have increasing purchasing power with incentives and shopping options from overseas merchants. Digital payments are a critical piece of this model.
4. Demonetization Upshot: On November 8, 2016, the govt. demonetised INR 500 and INR 1000 currency notes. The immediate impact of this announcement was a search for alternate modes of payments, leading to a surge in the utilization of the digital payments industry.

Understanding Digital Payment Models
There are a wide range of payment instruments that fall under the digital payments umbrella, including the tried and tested plastic money. The applications for banking transactions initiated by National Payments Corporation of India (NPCI) include *99#, a facility backed by USSD, Aadhar Enabled Payment System (AEPS) and United Payments Interface (UPI), used by Bharat Interface for Money (BHIM) application. Consumers can also carry out banking transactions 24×7 online or by using mobile banking provided by their banks.

Currently, the in-trend payment modes are digital wallets and mobile payment technologies wherein users can store debit/credit card or bank information and transact securely. Examples are PayTm, Google Pay, Apple Pay, Samsung Pay, Amex Pay, SC Pay, etc. These allow for funds transfers, online shopping, bill payments, etc., all via mobile devices.

Mobile payment technologies use mobile phone biometric and encryption technologies for security, and special hardware such as Host Card Emulation (HCE), Near Field Communication (NFC) and Magnetic Secure Transmission (MST) for interacting with a merchant payment machine. With HCE-enabled wallets, consumers can keep a virtual representation of bank cards in their wallets. The application then uses an NFC/MST-based contactless payment system at the point of sale (PoS).

The NFC method permits enabled terminals to process transactions between two devices placed near each other. MST sends a magnetic signal from a compatible device to the payment terminal’s card reader and imitates swiping a physical card, and does not require the merchant to upgrade the payment terminal. These technologies are revolutionary in PoS terminals and help eliminate the processes through which debit/credit cards are skimmed while swiping to falsify card transactions.

In India, NFC-compliant technologies include Samsung Pay, HDFC PayZapp, ICICI Pockets (Touch and Pay Feature) and Amex Pay. Google Pay in the U.S. and UK uses NFC, however, in India it is used as a UPI service-provider only. Apple Pay also uses NFC but is not available in India as it is not currently integrated with any bank or NPCI. Apart from wallets, tangible cards like PayTm Tap Card and Visa payWave use the NFC system. MST technology is currently available only in Samsung Pay. Samsung Pay is one of the leading applications in India as it currently has partnered with UPI, all major banks, networks like Visa and Mastercard and wallets like PayTm.

Another emerging, nascent-stage innovation is a smart card which can upload various accounts to one card and displays them on a touchscreen. Users can swipe and tap to use multiple payment methods. Fuze by BrilliantTS is bringing this tech to market, and while it may be useful for ATMs and other scenarios, it will be difficult for them to compete with new mobile payment technologies.

Forecast
Digital payments have a promising future given the convenience and ongoing digital transformation of numerous industries. They also provide a secure way to store and use the money, and are more easily protected than other payment modes because they can incorporate encryption, biometric safeguards, and multifactor authentication. Still, digital wallets are an attractive target for hackers and stand the risk of security breach and fraud. As the industry continues to evolve, providers will need to find the delicate balance between strong security measures and usability, to ensure the inherent convenience is maintained, without compromising customers’ devices, private information, and financial assets.

Amit Jaju
Senior Managing Director and India Head
FTI Consulting (Technology segment)

BOX

Securing digital payments
To secure India’s growing digital payments ecosystem, it’s vital to have comprehensive regulatory guidelines as well as a threat sharing platform, according to a report by the Data Security Council of India and PayPal.

“The ecosystem that enables the digital payment services is a complex one posing various challenges in terms of managing security of enterprises and data protection, the “Securing India’s Digital Payments Frontiers” report notes. “Currently, due to lack of a single agreed standard or guidelines around the finance industry, each payment player can choose the standard/guidelines which suits his payment solutions to create a more secure and trusted solution ecosystem.”

Apart from European Union’s General Data Protection Regulation, which deals with privacy issues, strong privacy laws are lacking around the globe, some experts assert. Because payment systems are linked worldwide, a common minimum standard on security and privacy is essential, they say. “We are seeing digital payments crimes perpetrated from locations that are poor on legislation and privacy laws,” says U.K.-based Steve Marshall, founder of Risk-X, an audit and risk assessment consulting firm. “Though globally we are getting closer with our ability to do business together, the fact is we are getting apart legislatively.”

The Report’s Recommendations
The report recommends the following steps to help ensure the security of cashless payments in India:
Establish a long-term strategy for managing the dynamic global cybersecurity environment and controlling cybercrime;
Standardize data protection laws and cybersecurity frameworks for digital payments;
Develop comprehensive regulatory guidelines on risk management technologies, payment security management and business continuity management;
Encourage threat intelligence sharing across the ecosystem;
Build a regulatory sandbox environment for cybersecurity testing;
Incentivize companies to make cybersecurity and data protection a priority for boards and C-suites.

While India has been successful in spurring a move to cashless transactions, including the use of mobile wallets, it has not yet launched a consolidated effort to secure these transactions. “The government needs to recognize that by not mandating a minimum security framework, it is actually damaging the growth in the payments space and causing the concern of citizens; and if widespread disruption occurs, it could be catastrophic,” says a security practitioner at a mobile wallet provider.

“Only if the legislature works with the interested parties and mandates that there is an implementation of standards can there be any real protection to the consumer,” he says. “This needs to be backed by stiff penalties, not for those that get it wrong, but those that deliberately flout the rules.”

But security practitioners caution that a security framework has to be carefully designed so it does not stifle innovation. This was the case with PCI DSS, and the fact that there are now 25 standards that cover the gambit of payment technology that is in use as someone comes up with something new that does not fit within the current frameworks, so a new one has to be developed,” Marshall says.

The report emphasizes building a strong public / private partnership for trust, transparency and information sharing around threat intelligence, incident reporting, best practices assessments and responsible disclosures, such as bug bounties.

“We need to encourage active participation and partnerships with industry and government in research, standard building, threat intelligence sharing and development of frameworks, etc., to help secure the overall ecosystem for enhanced consumer trust,” the report states.
The lack of threat intelligence sharing makes it more difficult to prevent breaches. But organizations cite a multitude of reasons for holding back from sharing intelligence, ranging from worries about revealing too much to competitors to trust questions and, ultimately, fear of embarrassment, some security practitioners say.

One solution, some experts say, would be to have the Indian government establish cyber threat sharing centers in various cities, along with an online threat intelligence portal.

In the meantime, security experts say organizations can take steps toward improving payment security. For example, they urge merchants to avoid storing payment data.

“The only ones with a need to store the data is the cardholder / consumer and the financial institution that issues the payment method,” Marshall says. “There is no need for others to store this data, as it only increases the risk of the data being stolen or compromised along its journey. Therefore, the ideal method is encryption at the point of inception and only reversal of the information for authentication, verification and authorization at the financial institution.”

Only the information needed to be able to prove, defend or verify that a transaction has occurred should be retained, security experts advise. Using unique transaction numbers, so that payment information doesn’t have to be retained, also is important, they say.