1. The objective of an effective payment system is to ensure a Safe, Secure, Efficient, Robust and Sound Payment System in the country. Digital technology is used to secure electronic documents and transactions and to ensure legal compliance.
2. Payment systems are exposed to various financial risks, viz. Credit Risk, Liquidity Risk, Systemic Risk, Operational Risk and Legal Risk.
3. Electronic payments rest on information security, the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The term applies regardless of the form the data may take (electronic, physical, etc.). Two major aspects of information security are IT Security and Information Assurance.
4. Information systems are composed of three main parts, hardware, software and communications, and information security industry standards are identified and applied to them as mechanisms of protection and prevention at three levels or layers: physical, personal and organizational.
5. Without security measures and controls in place, the data is exposed to attack. Some attacks are passive, meaning information is only monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself.
6. Network Attacks in Electronic Payment Systems include Eavesdropping, Data Modification, Identity Spoofing (IP Address Spoofing), Password-Based Attacks, Denial-of-Service Attack, Man-in-the-Middle Attack, Compromised-Key Attack, Sniffer Attack, and Application-Layer Attack.
7. The core principles of Information Security are Confidentiality, Integrity, Availability, Authenticity and Non-repudiation.
8. It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal concept transcending the realm of technology. It is not, for instance, sufficient to show that the message matches a digital signature made with the sender's private key and to conclude that only the sender could have sent the message and nobody else could have altered it in transit. The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that the signing key has been compromised. The fault for these violations may or may not lie with the sender, and such assertions may or may not relieve the sender of liability, but the assertion would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation.
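The distinction drawn above, between what a signature proves cryptographically and what a court must still be convinced of, can be seen directly in code. The following Go program is an added illustration and is not part of this paper or of any RBI or bank system; the PaymentInstruction fields, the amounts and the choice of RSA PKCS#1 v1.5 with SHA-256 are assumptions made for the example. It shows that verification does reject a message altered in transit and a signature from an unrelated key, but that a signature produced with a copy of the sender's compromised private key is indistinguishable from a genuine one. The verifier can only establish that the key was used, not who used it, which is why non-repudiation also depends on key custody, certificate revocation and legal process rather than on the algorithm alone.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PaymentInstruction is a constructed stand-in for a funds-transfer
// message. Field names are illustrative, not the RTGS/NEFT message format.
type PaymentInstruction struct {
	Sender, Beneficiary, Reference string
	AmountPaise                    int64
}

// canonical is the exact byte string that gets signed. Text fields are
// length-prefixed so that moving bytes between fields changes the digest.
func (p PaymentInstruction) canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%d:%s",
		len(p.Sender), p.Sender, len(p.Beneficiary), p.Beneficiary,
		p.AmountPaise, len(p.Reference), p.Reference))
}

// Sign produces an RSA PKCS#1 v1.5 signature over SHA-256(canonical(p)).
func Sign(priv *rsa.PrivateKey, p PaymentInstruction) ([]byte, error) {
	digest := sha256.Sum256(p.canonical())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify reports whether sig is a valid signature on p under pub. This is
// all a relying party can establish cryptographically: p is unaltered and
// the signer held the private key paired with pub.
func Verify(pub *rsa.PublicKey, p PaymentInstruction, sig []byte) bool {
	digest := sha256.Sum256(p.canonical())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the verification result of each case discussed above.
type Outcome struct {
	Genuine   bool // sender signs, relying party verifies: true
	Tampered  bool // amount altered in transit: false
	WrongKey  bool // signed with a key not paired with pub: false
	StolenKey bool // signed by whoever holds a copy of the key: true
}

// RunScenarios signs a constructed instruction and exercises the four cases.
func RunScenarios() (Outcome, error) {
	var out Outcome
	senderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	pub := &senderKey.PublicKey

	instr := PaymentInstruction{Sender: "ACME Ltd", Beneficiary: "Supplier Pvt Ltd",
		AmountPaise: 125000000, Reference: "INV-2013-0042"} // constructed sample
	sig, err := Sign(senderKey, instr)
	if err != nil {
		return out, err
	}
	out.Genuine = Verify(pub, instr, sig)

	// Integrity: a man-in-the-middle raises the amount; the digest changes
	// and the original signature no longer verifies.
	tampered := instr
	tampered.AmountPaise += 10000000
	out.Tampered = Verify(pub, tampered, sig)

	// Authenticity: a signature from an unrelated key fails under pub.
	otherSig, err := Sign(otherKey, instr)
	if err != nil {
		return out, err
	}
	out.WrongKey = Verify(pub, instr, otherSig)

	// Compromised key: an attacker holding a copy of senderKey signs an
	// instruction the sender never authorised. Verification succeeds; it
	// cannot tell who invoked the key.
	stolenKey := senderKey // same key material, now in the attacker's hands
	fraud := PaymentInstruction{Sender: instr.Sender, Beneficiary: "Attacker Account",
		AmountPaise: 990000000, Reference: "INV-2013-0043"}
	fraudSig, err := Sign(stolenKey, fraud)
	if err != nil {
		return out, err
	}
	out.StolenKey = Verify(pub, fraud, fraudSig)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%t tampered=%t wrongKey=%t stolenKey=%t\n",
		out.Genuine, out.Tampered, out.WrongKey, out.StolenKey)
}
```

Run with `go run .`; the last case is the one the paragraph is about: the relying party's check passes, so the dispute over whether the customer or a thief invoked the key cannot be settled by the signature itself.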
9. Reserve Bank has been promoting the use of Public Key Infrastructure (PKI) technology in electronic payment systems to secure transactions from the non-repudiation angle. The PKI-enabled electronic payment systems introduced by RBI and other agencies are the Real-Time Gross Settlement (RTGS) System, National Electronic Fund Transfer (NEFT), CBLO, Forex Clearing, Government Securities Clearing and the Cheque Truncation System (CTS). In the year 2012-13 these systems accounted for 25.1 percent of the total number of payment transactions in volume terms but 93.7 percent in value terms (Table 2.2), whereas non-PKI enabled payment systems accounted for 75 percent in volume terms but only 6.3 percent in value terms.
Chapter I Introduction
1.1 The objective of an effective payment system is to ensure a Safe, Secure, Efficient, Robust and Sound Payment System in the country. Digital technology is used to secure electronic documents and transactions and to ensure legal compliance. However, in online banking transactions in India the account holder bears the liability for a transaction in case of dispute. In view of this, a Group comprising members from banks (SBI and ICICI Bank), IDRBT-CA, CCA (New Delhi) and RBI (DIT, DPSS, DGBA-CBS and CISO) was formed to prepare an approach paper for enabling PKI for the Payment Systems in India.