The FinTech market in India is rapidly growing and changing the entire ecosystem of the Indian banking system and the economy. On this blog we talk about payment security from the perspective of India with two leading Indian FinTech service providers – CRED and In Solution Global Pvt Ltd. Here we talk with Nitin Bhatnagar, Associate Director, India, PCI SSC, Himanshu Kumar Das, Head of Security, Risk & Compliance, CRED, and Adelia Castelino Co-founder Managing Director, In Solution Global Pvt Ltd. about FinTech market trends in India, the cyber threat landscape and industry involvement opportunities for the region.
What is behind the rapid growth in FinTechs in India?
Nitin Bhatnagar: The recent push towards digital banking and payments from the Indian government as well as recent innovations within the industry, has led to most of the banks in India switching to digital banking as well as moving towards paperless and cashless banking processes. Being the third largest fintech ecosystem in the world, FinTech’s in India have gained a lot of traction and found a very budding atmosphere to massively scale up due to the phenomenal economic growth the country has experienced in the last few years.
Himanshu Kumar Das: Fintech has completely revolutionized and transformed the banking and finance sector in India with high adoption for newer payment methods and better technology like mobile wallets, mobile banking, secure payment gateways and this has led to a very high and ever-increasing number of paperless transactions and lending’s. This revolution can mostly be attributed to better technology, easy access and penetration of internet and smartphones among the general public, favorable markets, increased adoption and end user awareness, the highly innovative nature of the start-up culture and government backed initiatives and promotions to the payments industry.
The recent innovations in Fintech which help ensure safer, securer and lightning-fast transactions with enhanced user experience have completely transformed and modernized banking and financial institutions.
Adelia Castelino: The main reason for the rapid growth has been innovation. The four main areas of innovation that are responsible for this growth are: Hyper-personalized customer service, tokenization, cloud native payment platforms, and e-converse through e-commerce. The common theme among these innovation drivers is security of data and convenience for the consumer.
What are trends that Fintech companies like yours are seeing in the changing payment landscape for India and globally?
Himanshu Kumar Das: In recent years, the Fintech market, being currently valued at INR 2.30 Trillion in 2020 and expected to reach around INR 8.35 Trn by 2026 with an expected compounded annual growth rate (CAGR) of ~24.56%, has been one of the highest-growing technology segments globally and not just in India and has taken the centre stage in the global financial services industry by bringing in top innovations in various applications and fields such as payments, lending, credit scoring, stock trading etc. India in particular accounted for the highest fintech adoption rate of 87% and is the biggest destination for investment deals in the Fintech space worldwide. With the increased support from governments, increased penetration of smartphones, faster internet speeds and coverage of technology throughout the masses, there has been a steep rise in partnerships between fintech companies and other services providers which directly propelled its growth.
Adelia Castelino: A starburst of rapidly evolving technology has revealed a constellation of new enablers like Cloud Native Architecture, API-driven composalble micro-services, fraud and risk management and data analytics powered by AI and ML, with Public-Private sandboxes enabling rapid innovation, at the same time, as supporting regulatory reform.
Cloud computing is the cornerstone of the post-Covid economy, supporting global supply chains and remote workforces. ISG is working with issuers, acquirers, schemes and third-party processors to make legacy services cloud native for optimised portability and scalability.
Multi-factor authentication and innovations in identity and access management using trusted device and biometric authentication, are enabling payments providers to stay one step ahead of the criminals.
What are those Key Security challenges in the evolving Fintech landscape? How are you overcoming this?
Adelia Castelino: The cost of leading a deep and diverse digital existence is having to secure oneself and one’s customers from increasingly frequent, costly and damaging cybersecurity incidents, be they a result of criminal activity or asymmetric warfare by state and non-state actors, which may even paralyse critical services and infrastructure. With more data now in digital format, financial service and payment providers face a key challenge securing sensitive personal information about individuals, whose digital footprint and data have become an appendage to their identity.
Software Supply Chain Security (SSCS) -- Third-party security risk management is a key focus area for boards and senior management across organisations. In the last one year, there has been a sharp rise in one of the third-party security risk use cases - software supply chain attacks. Other examples of key security challenges in the payments space include account takeovers and ransomware.
To overcome these challenges, Information Security Professionals are joining forces, sharing information and participating in roundtable discussions. Cybersecurity has been given higher priority within organisations at both decision-making and product design levels. Top cybersecurity and compliance talent is being recruited at all levels of the organisation. All employees are being trained and educated about the threat of cybersecurity and the need and means to report suspicious activity.
Himanshu Kumar Das: The Fintech space is growing and expanding day by day and offers several services and advantages, but also comes with its own share of uncertainties and threats too. Building a secure and robust Fintech application or product is an extremely challenging and complicated and moreover a very expensive and time-consuming task. If there is no past and relevant experience and awareness of the Fintech security requirements, this becomes an added obstacle. The high sensitivity of the data that revolves around the financial services has made security and privacy even more important in Fintech. As such, data has become the next big target for attackers and is now the new digital currency. With data security and ubiquity becoming a huge cause of concern, the protection and processing of data is becoming increasingly difficult and challenging.
Organisations need to resort to the best security practices and cybersecurity solutions to counteract these challenges like how CRED is solving for best-in-class security. Encryption and tokenisation are one of the most essential and effective security solutions in the Fintech space. All critical data should be protected by encryption using complex encryption algorithms like RSA, or 3DES. And tokenisation is one of the current trends of implementation of security solutions around payment data and credit card numbers where sensitive data such as credit card numbers are replaced with a generated number called a token.
Nitin Bhatnagar: Part of the key security challenges when it comes to payment security is education and training. The PCI Security Standards Council continues to conduct training programs in India and recruit a community of payment security experts through our Participating Organization (PO) program. With significant feedback from payment stakeholders, we recently release the PCI Date Security Standard (DSS) v4.0 which aims to promote security as a continuous process, add flexibility for different security methodologies, and enhance validation methods.
What are the Growing cyber threats to India's digital payments in India?
Nitin Bhatnagar: We continue to see India ranked very high on the list of countries that are a target for cyber-attacks. That is a result of our growing, expanding economy which has gotten the attention of cyber criminals. The PCI SSC continues to issue industry threat bulletins in order to educate the marketplace about looming threats and tips on how to defend against them. We recently issued an industry threat bulletin about ransomware attacks which continue to be a problem not just in India but around the world.
Himanshu Kumar Das: Some of the most prominent and commonly seen cyber-attacks faced by end users and organisations in the digital payments ecosystem are; Phishing, Distributed Denial of Service attacks (DDoS), Malware exploits, Application vulnerability exploits, Social Engineering Methods, Spam, Identity Thefts and Merchant Frauds among others. A lot of these attacks could be attributed to several factors like:
- Lack of end user awareness, which is one of the major causes for cyber-attacks being successful
- Inadequate security measures on end user devices
- Cracked applications installed on devices
- Vulnerable/unpatched operating systems
- Security controls not designed comprehensively for digital payment products
- Undefined perimeter in a large ecosystem with multiple data interfaces, devices and systems
- Multiple Data interfaces across the products leading to API exposure to untested/ untrusted interfaces
- Lack of focus on security of Third-party service providers
This leads us to some of the key areas where organizations in this industry can work proactively on to combat these issues:
- Design and implement robust cybersecurity frameworks
- Identify the ’crown jewels’ and protect them
- Establish adequate measures for protection from third party risks
- Evaluate the changing threat landscape and align risk treatment strategies
- Empower the users through enhanced security awareness & security defense
- Establish robust measures establishing user identity & authentication for transaction
- Establish advanced risk based/adaptive authentication measures
- Deploy adequate technical measures to deal with cyber warfare
- Establish comprehensive cyber and incident response plan & conduct regular drills
Such initiatives and steps can lead to securing the digital payments ecosystem for both the organization and mainly the end users who are most vulnerable to attacks.
Adelia Castelino: Cybersecurity is the most critical challenge faced by digital payment ecosystem stakeholders in India. With a growing number of users preferring digital payments, the chances of getting exposed to risks such like online fraud, information theft, malware or virus attacks are also increasing. Fraudsters today are working with advanced technologies to manipulate their targets. Th playbook of cyberattacks now includes the compromising of web portals and applications, ransomware, reconnaissance, and Distributed Denial of Service (DDoS) attacks.
CERT-In publications show that, between 2019 and 2020, reportage of Phishing and DDoS grew by 40%, while identity theft, merchant fraud, malware, and cyber espionage grew by 20%.
How can tokenization be a game changer for the payment industry in India?
Nitin Bhatnagar: Technology is only as good as its implementation. To minimize risk and fraud, data needs to be desensitised & devalued. This is where technologies that devalue data such as– Tokenization, P2PE, EMV & 3DS can play a critical role in helping prevent theft incidents from becoming breaches. The goal of these technologies is to eliminate persistent value in the data you use to conduct a transaction. So, if a criminal attacks and steals data, there is no threat to the system, the consumer and/or the merchant. PCI SSC provides standards and programs to support the secure implementation of these technology solutions.
- Information Supplement: PCI DSS Tokenization Guidelines
- Tokenization Product Security Guidelines – Irreversible and Reversible Tokens
Himanshu Kumar Das: Payments data security is one of the most critical aspects of security for any Fintech. With the sudden and recent boom of the payments ecosystem in India, it requires and needs intensified protection against any sort of frauds, counterfeit payments and misuse of accounts and payment details of any form. Clearly tokenisation is the true game changer in the payments ecosystem and CRED has already adopted tokenisation to enhance its payments security and address any concerns of consumer privacy and improve the security of payment data. With the multitude of applications that tokenisation provides and the unexplored applications that could come up in the fintech space due to tokenisation the boundaries and applications are limitless, and this will benefit the entire payments ecosystem in India.
Adelia Castelino: From onboarding, transaction processing and real-time fraud checks, to settlement and near real time reconciliation, ISG is implementing the latest technologies, including tokenisation, to make the transaction lifecycle more secure building trust within the payments ecosystem.
Also on the blog: The Threat of Ransomware Attacks