Making recurring payments for OTT platforms, digital news subscriptions and other online services using debit or credit cards just got more difficult in India. India’s central bank has asked payment gateways, card-issuing banks and other payment service providers to stop storing card details permanently.
The Reserve Bank of India has taken the step to tackle the spate of data leaks across online payments platforms, such as the massive data leaks at payments processor Juspay and neobanking startup Chqbook.
As per the new norms, payment gateways and other startups and companies processing digital payments would be allowed to store card information in an encrypted format under the Payment Card Industry Data Security Standard (PCI DSS). “REs (regulated payment entities) shall ensure that card details of the customers are not stored in plain text at the RE and its vendor(s) locations, systems and applications. REs shall also ensure that the processing of card details in readable format is performed in a secure manner to strictly avoid data leakage of sensitive customer information,” the notification added.
The move is likely to impact websites and platforms that use saved card information to auto-subscribe users upon expiry of the subscription. Usually, these terms are displayed in an unclear manner to users at the time of signing up. While some of the auto-renewals could be legitimate, the RBI is looking to limit the potential for data leaks through such saved details.
With the rise in digital payments, tech businesses and global OTT platforms saw the India subscription opportunity grow. Today, it has truly arrived and is here to stay. Subscription-based news media models are also fast becoming the norm when it comes to the online realm.
Beyond credit and debit cards, subscribers can still pay for recurring transactions using UPI’s Auto Pay feature, which was launched in July 2020. However, this is largely available for recurring payments such as insurance premiums, subscription fees, SIPs and EMI payments, and is not widely seen on digital media or OTT platforms. It also has a maximum limit of Rs 2,000 per transaction, which some media platforms may find restrictive.
RBI’s cautionary steps on the storage of banking information also come shortly after instances of data leaks. Personal data, including banking and card information, of Indian Internet users was found to be on sale illegally on dark web sites, as many websites store sensitive information in plain text. In December 2020, Inc42 reported that the personal data of 7 Mn Indian credit card and debit card users had been leaked on the dark web that month.
Screenshots of the leaked data showed that cardholders’ names, phone numbers, email addresses, annual incomes, types of accounts and PAN card details were illegally put up for sale on the dark web last year.
Cybersecurity experts Inc42 has spoken to in the past said that cyber attacks in India rose in 2020, mostly due to enterprises adopting work-from-home processes and handling larger amounts of data amid the pandemic.
The Fraud and Risk Management in Digital Payments report published last year by the Data Security Council of India (DSCI) also pointed to an increase in web skimming, malware campaigns and phishing scams amid the Covid-19 pandemic.