Techshristi's Forum

Topic: Report of the Group on Enabling PKI in Payment System Applications by RBI


TechShristi (Administrator)

Report of the Group on Enabling PKI in Payment System Applications by RBI

 

 1.  The objective of an effective payment system is to ensure a Safe, Secure, Efficient, Robust and Sound Payment System in the country. In order to secure electronic documents and transactions and to ensure legal compliance, digital technology is used.

 2.  Payment systems are subjected to various financial risks viz. Credit Risk, Liquidity Risk, Systemic Risk, Operational Risk and Legal Risk.

 3.  Electronic payments are based on Information security, which is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). Two major aspects of information security are: IT Security and Information Assurance.

 4.  Information Systems are composed of three main portions, hardware, software and communications, with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational.

 5.  Without security measures and controls in place, the data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself.

 6.  Network Attacks in Electronic Payment Systems include Eavesdropping, Data Modification, Identity Spoofing (IP Address Spoofing), Password-Based Attacks, Denial-of-Service Attack, Man-in-the-Middle Attack, Compromised-Key Attack, Sniffer Attack, and Application-Layer Attack.

 7. The core principles of Information Security are Confidentiality, Integrity, Availability, Authenticity and Non-repudiation.

8.  It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal concept transcending the realm of technology. It is not, for instance, sufficient to show that the message matches a digital signature signed with the sender's private key, and thus only the sender could have sent the message and nobody else could have altered it in transit. The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that his signing key has been compromised. The fault for these violations may or may not lie with the sender himself, and such assertions may or may not relieve the sender of liability, but the assertion would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation.

 9.  Reserve Bank has been promoting use of Public Key Infrastructure (PKI) technology in the electronic payments systems to secure a transaction from non-repudiation angle. Various electronic payments systems introduced by RBI and other agencies viz. Real-Time Gross Settlement (RTGS) System, National Electronic Fund Transfer (NEFT), CBLO, Forex Clearing, Government Securities Clearing, and Cheque Truncation System (CTS). In volume terms, these systems contributed 25.1 percent whereas these systems contributed 93.7 percent share to the total number of payment transactions carried out in the year 2012-13 (Table 2.2). Whereas non-PKI enabled payment systems contributed 75 percent in volume terms but only 6.3 percent in value terms in the year 2012-13.

 Chapter I Introduction

1.1 The objective of an effective payment system is to ensure a Safe, Secure, Efficient, Robust and Sound Payment System in the country. In order to secure electronic documents and transactions and to ensure legal compliance, digital technology is used. However, in online banking transactions in India the account holder bears the liability of transactions in case of dispute. In view of this a Group comprising of members from banks (SBI and ICICI bank), IDRBT-CA, CCA (New Delhi) and RBI (DIT, DPSS, DGBA-CBS and CISO) was formed to prepare an approach paper for enabling PKI for the Payment Systems in India.

 

 

Particulars

Abbreviations
Acknowledgements
Executive Summary
Chapter-I: Introduction
Chapter-II: Security Features in Existing Payment System Applications
Chapter-III: Cross Country Experience in implementing PKI
Chapter-IV: Feasibility in implementing PKI in all Payments System Applications
Chapter-V: Implementation strategy by banks: Short-term, Medium-term and Long-Term and Recommendations of the Group
Annex I: Internet Banking Security features deployed by SBI and ICICI
Annex II: Exhaustive List of Security features deployed by other Banks
Annex III: Security Measures Proposed by RBI for Electronic Payment Transactions
Annex IV: Security in EMV Cards
Annex V: PKI Enabled Payment Systems in Various Countries
Annex VI: Recommendations of the Working Group headed by Shri G. Gopalakrishna on Electronic Payments
References

 


TechShristi (Administrator)

Find the above report attached to this post.
