SUMMARY
The RBI has reportedly reached out to key stakeholders, including the Payments Council of India, to inquire about the enforcement of new payment aggregator licensing norms
RBI is expected to soon launch a full-scale investigation to determine vulnerabilities in the IT infrastructure of the country’s burgeoning digital payments ecosystem.
Sources told Inc42 that RBI has also sent letters to all banks and prepaid payment instruments (PPI) providers about potential data breaches
Following the data leak of 10 Cr digital transactions from the server of Indian payments processor Juspay, the Reserve Bank of India (RBI) has reportedly reached out to key stakeholders, including the Payments Council of India (PCI), to inquire about the enforcement of new payment aggregator licensing norms that mandate storage of card data only by licensed payment aggregators and gateways.
It is expected that RBI will soon launch a full-scale investigation to determine vulnerabilities in the tech security infrastructure of the country’s burgeoning digital payments ecosystem players. According to ET, which first reported the development, PCI will soon send a representation to RBI on steps that can be taken to remove the vulnerabilities associated with India’s digital payments infrastructure.
Meanwhile, sources privy to the development told Inc42 that RBI has also sent letters to all banks and prepaid payment instruments (PPI), instructing them to immediately notify the central bank if they notice a data breach on their servers.
Earlier this week, the attack on Juspay’s servers left confidential data of a number of users exposed. Juspay later confirmed that for at least 2 Cr users out of the total 10 Cr affected users, 16 fields of data relating to their payment cards, such as their card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID, had been leaked on the dark web, where it was available for sale for around 6,000 Bitcoins.
Another subset of the leaked database, which was in the form of a data dump, contained users’ phone numbers and email addresses.
The leaked payment information was masked in places to reveal only partial copies of card numbers. While this reduces the possibilities of a financial scam, resourceful hackers could still use the information to launch phishing scams to induce victims to hand over their card information.
Juspay offers a software development kit (SDK) for app makers to integrate its services. It counts major Indian and international tech companies such as Amazon, Airtel, Swiggy, Vodafone, Uber, Cred, Ola and Flipkart among its clients. Its solution powers the payment gateways for these companies and Juspay claims that it processes over 2 Mn transactions per day.
The Juspay data leak is one of the biggest in India in terms of the number of users affected. It has been reported that the hacker behind the attack on Juspay also holds 80 Lakh user records for Indian classifieds website Clickindia and 10 Lakh user records for fintech startup Chqbook.
