Industry Insights


Understanding ONDC and what banks must do to benefit from it

Introduction: what is ONDC and why it is a game-changer for India

India's digital commerce industry is growing rapidly. From around US$38 billion in 2021, it is expected to reach US$120 billion by 2026 (source: KNN India), and possibly cross US$200 billion by 2029 (source: India TV News). Given the country's demographics and internet penetration, digital commerce is still an underserved market in India. So far, its biggest beneficiaries have been large monopolistic marketplaces/platforms, because of the massive investments needed. But there is a change in the air. Technology-led innovations such as India's Open Network for Digital Commerce ("ONDC") are creating open, network-centric digital commerce models to compete with the existing platform-centric models. ONDC promises to revolutionize the country's digital commerce landscape by democratizing access and participation. Over the next few years, its transformative effect is expected to be similar to what UPI has done for digital payments.

ONDC is a public infrastructure project being executed by a non-profit organization under the aegis of the Government of India's Department for the Promotion of Industry and Internal Trade. Pilot projects began in five Indian cities in April 2022; 100 cities are to be covered by the end of August 2022. A number of public and private sector banks (e.g., SBI, PNB, Kotak Bank, Axis Bank, HDFC Bank) have already invested in ONDC.

The "my way or the highway" approach taken by many proprietary e-commerce platforms has led to predatory practices. Smaller businesses are disadvantaged because they inherently lack bargaining power vis-à-vis these marketplaces/platforms. ONDC aims to create a level playing field for thousands of small businesses across India, as well as for customers living in rural areas and smaller towns, so that all of them can benefit from digital commerce.
ONDC is effectively a platform that allows you, as a consumer, to search for and buy products/services that are currently offered only on multiple separate marketplaces, without having to log into each of them. You can conveniently browse and buy products listed on Amazon, Flipkart, Meesho, Myntra, Neu, or indeed anywhere else, using just one app. As a seller, registering on this platform gives you access to the customers of multiple marketplaces. There is no need to list on multiple marketplaces, be tied to specific delivery partners, or comply with the differing requirements of these platforms.

The main beneficiaries of ONDC

ONDC is designed to benefit three main categories of stakeholders:
· Small businesses/suppliers of goods and services, who can access a larger market;
· Customers across India (especially those in smaller towns and rural areas), who will get greater choice and better prices; and
· Banks, who get another chance to be a relevant intermediary in digital commerce (in both the retail and SME space).

Since the launch of UPI-based payments in 2016, proprietary payment platforms owned by non-banking players such as Google, Amazon, PayTM, etc. have accounted for the majority of digital payment transactions, especially in the retail space. Banks found themselves left behind. Both sellers/merchants and buyers/consumers are banks' traditional customers, but third-party digital apps have effectively disintermediated them. By registering on ONDC, banks can offer solutions to both sets of customers. Banks get the opportunity to efficiently monetize their customer relationships, a key source of competitive advantage in an increasingly digital, ecosystem-driven world. ONDC will give banks access to a much larger base of prospects and customers; it will also allow banks to offer these customers a larger bouquet of products/services (both banking products and those offered by partners on the network).
For example, banks can target retail customers with offers related to insurance, wealth management, loans, deposits, etc. Just as important is the opportunity ONDC gives banks to deepen their relationships with current account customers. India's SMEs in particular have begun to gravitate towards fintech players, and if this trend intensifies, it could spell trouble for corporate banks. Given that ONDC is designed to attract large numbers of SMEs, it affords banks a good opportunity to build and strengthen relationships with customers in this segment by offering a larger portfolio of services, including working capital loans, capex loans, export credit, etc. Banks that choose to be part of ONDC can thus expect to capture greater mindshare (and hence wallet share) of customers who are active on the ONDC network. Given the "all-digital" nature and national/global reach of ONDC, banks no longer need to worry about catering only to "local" customers (whether retail or corporate). Across segments, ONDC can help banks reduce the costs of customer acquisition and service delivery, thereby boosting profitability and margins.

Banks will need to upgrade their technology stacks to benefit from ONDC

Today, banks offer QR codes or PoS-based payment solutions to offline merchants/sellers, and Open Banking based payment gateways to e-commerce players. To let customers pay with their mobile banking apps, banks therefore need deep integration of their mobile apps with those of partner merchants and/or aggregators. The objective is to build stickiness for the banks' mobile apps, but the absence of an industry-standard protocol makes this expensive and time-consuming. All this will change with ONDC.
Instead of integrating directly with merchant apps, banks will need the capability to connect with the ONDC platform using the standard Beckn protocol, which is an "open, interoperable and universal transaction protocol to enable a decentralized digital economy" (source: beckn). This will enable customers to use the bank's app to:
· easily register on the ONDC platform and discover products/services;
· search for the products/services they need using criteria such as geo-location, sellers, price ranges, etc.;
· make purchases; and
· manage returns and resolve disputes more easily and speedily.

Provided banks are ready with the necessary technology components for ONDC, they can thus deliver access to a wider range of products/services as well as a smoother customer experience. Merchants joining ONDC will expect banks to provide a complete digital commerce solution that seamlessly integrates offline/online registration on the platform with the transaction experience and with banking services such as collecting customer payments and paying suppliers. Banks


Things you must know about Tokenization — talk of the town

After the industry requested more time to comply with the latest data security rules, the Reserve Bank of India mandated the implementation of tokenization of card transactions with a deadline of June 30, 2022, which was further extended to September 30, 2022. So what exactly is tokenization? And how does it aid the security of online transactions?

Tokenization is the process of replacing sensitive information with non-sensitive information (a token), either completely or partially, rendering the token useless to unintended users. Tokens are irreversible: the original data cannot be derived back using a key, unlike in a cryptographic (encryption) process. It follows the principle of 'pseudonymization' (pseudo-anonymization, or simply put, an alias or surrogate) for sensitive data such as Aadhaar, SSN, credit card, bank account number, phone number, or date of birth. A tokenization system links the original data to a token but does not provide any way to decipher the token and reveal the original data.

For example, in the case of a card/PAN, the token PAN is generated using a format-preserving hash, which is irreversible, and the Luhn check passes on the token, so all the card validations on the token also succeed and follow card network rules.

Original PAN: 7654 1111 1111 1111
Token PAN: 6667 2397 1422 2655 (identical in format to a PAN, but of no value to a bad actor, as it cannot be used without the valid Token Requestor and Merchant ID combination.)

Any token generated for a card will inherit the key attributes of the original card, e.g. expiry date, product code, card art, etc. Tokenization is a secure method of storing payment information. In essence, a token (an alias or pseudo number) is generated for the stored payment card. As a result, simply possessing the token does not grant access to the card information without first passing through the tokenization system. When we apply this to the real world, we can see the benefits. Consider a website that sells specific products but also offers recurring deliveries.
When a client purchases from the website for the first time, they enter their credit card information themselves; however, for recurring transactions (such as delivery of specific cosmetics on the first day of each month), the website must store the information in order for a monthly payment to be made. If card information is not stored securely, unauthorized personnel or even bad actors can gain access to it, causing a nuisance for the consumer and a serious problem for the merchant, resulting in chargebacks. To solve this problem in the simplest way possible, we turn to tokenization.

When a client first enters their card details, the payment platform collects the information and sends it to the tokenization system, which returns the token to the website and processes the payment. The token is stored on the website along with the information entered during registration. For a Standing Instruction, when the merchant website needs to charge the client on a recurring basis, it simply sends the amount and the token to the payment platform. The payment platform then sends the token to the tokenization system, which maps the token back to the card number and completes the transaction on behalf of the customer. With this method the website does not need to store the actual card details to process recurring payments, and the handling of card data is limited to the dialogue between the tokenization system and the payment platform, both of which have high levels of security.

Tokenization inherently uses a pseudonymization process to replace sensitive data with random data. Card tokens are intent-based and unique per merchant: tokens generated at one merchant cannot be used at other merchants. In case of a data compromise at a particular merchant/entity, the stolen tokens cannot be used for any other purpose.
Even if a bad actor wants to use a stolen token at the same merchant, they would also need the cryptographic keys to initiate any transaction, and gaining access to an organization's cryptographic keys is almost impossible. Hence tokenization makes data storage, data transmission, and data usage very secure, without worry about misuse. In the event of a compromise, the user simply deletes/cancels the token for that particular merchant, as opposed to cancelling the card and managing its stored copies at all other locations.

Because online shopping is becoming more popular by the day, cybercrime has skyrocketed, as has data proliferation; both businesses and their customers must now rely on secure online solutions for all types of transactions. This means that more credit card information is being stored and processed, providing more opportunities for cybercriminals. Security solutions such as tokenization are arguably more important than ever before, as they can assure clients that their sensitive data is much more secure, thereby fostering trust and loyalty between businesses and consumers.

Benefits of tokenization on your cards:
· With the rise of subscriptions and the recurring economy, intent-based unique tokens let users manage multiple subscriptions (card-on-file (COF) or standing instruction (SI)) very securely
· Can be used for online card-on-file and device-based tap-and-pay contactless payments on mobile devices
· Greater protection against data theft due to higher storage security
· Higher customer control to view and manage tokens and set controls
· Brings standardization for card storage across the ecosystem, rather than every entity implementing its own standards

The Wibmo Areion 'Token Hub,' built in accordance with EMVCo standards, is the only unified tokenization solution for merchants, acquirers, issuers, and fintechs. It ensures that you are in compliance with the latest RBI guidelines while also providing a frictionless payment experience.
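To make the flow above concrete, here is a toy token vault written for this post as an added example; it is not Wibmo's Areion Token Hub nor any card network's tokenization service. It generates a random, Luhn-valid, format-preserving token PAN (drawn from a CSPRNG rather than the format-preserving hash the post mentions; the property that matters, that no key recovers the PAN from the token, is the same), records the card attributes the token inherits, binds the token to one Token Requestor and Merchant ID combination, refuses to resolve it for anyone else, and lets one merchant's token be cancelled without touching the card. The vault layout, the identifiers (TR-PAYPLATFORM, MERCHANT-A) and the test card number are constructed for the example.

```python
"""Card-token vault, as an added illustration (not Wibmo's Areion Token Hub).

Shows the properties described in the post: a format-preserving, Luhn-valid
token PAN that carries the card's attributes, is bound to one Token
Requestor + Merchant ID, cannot be reversed, and can be revoked on its own.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn check, as card networks apply it to a PAN or a token PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def generate_token_pan(length: int = 16) -> str:
    """Format-preserving token: random digits plus a Luhn check digit.

    Because the digits come from a CSPRNG rather than from a keyed
    transformation of the PAN, nothing can derive the PAN from the token;
    only the vault's mapping can resolve it.
    """
    body = "".join(secrets.choice(DIGITS) for _ in range(length - 1))
    check = next(d for d in DIGITS if luhn_valid(body + d))
    return body + check


@dataclass
class TokenRecord:
    pan: str                 # the real card number, held only inside the vault
    expiry: str              # attribute inherited by the token
    token_requestor_id: str  # e.g. the payment platform that requested it
    merchant_id: str         # intent binding: one token per merchant
    active: bool = True


class TokenVault:
    """Maps token PAN -> card data; the only place the real PAN exists."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, expiry: str, token_requestor_id: str,
                 merchant_id: str) -> str:
        # Re-use an existing active token for the same card/requestor/merchant.
        for token, rec in self._records.items():
            if (rec.active and rec.pan == pan
                    and rec.token_requestor_id == token_requestor_id
                    and rec.merchant_id == merchant_id):
                return token
        while True:
            token = generate_token_pan(len(pan))
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, expiry, token_requestor_id, merchant_id)
        return token

    def detokenize(self, token: str, token_requestor_id: str,
                   merchant_id: str) -> Optional[Tuple[str, str]]:
        """Resolve a token only for the requestor/merchant it was issued to."""
        rec = self._records.get(token)
        if rec is None or not rec.active:
            return None
        if not (hmac.compare_digest(rec.token_requestor_id, token_requestor_id)
                and hmac.compare_digest(rec.merchant_id, merchant_id)):
            return None  # a token presented from another merchant is useless
        return rec.pan, rec.expiry

    def revoke(self, token: str) -> bool:
        """Cancel one merchant's token; the card and other tokens stay valid."""
        rec = self._records.get(token)
        if rec is None or not rec.active:
            return False
        rec.active = False
        return True


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test PAN (a standard Luhn-valid test number), not a real card.
    t = vault.tokenize("4111111111111111", "12/25", "TR-PAYPLATFORM", "MERCHANT-A")
    print("token", t, "luhn", luhn_valid(t))
    print("same merchant ->", vault.detokenize(t, "TR-PAYPLATFORM", "MERCHANT-A"))
    print("other merchant ->", vault.detokenize(t, "TR-PAYPLATFORM", "MERCHANT-B"))
```

Two details carry the security argument: the binding check in `detokenize` is what makes a token leaked from one merchant worthless at another, and `revoke` acts on a single token, which is why a compromise is handled by cancelling that token rather than reissuing the card. The token PAN quoted in the post (6667 2397 1422 2655) passes `luhn_valid`, as the post says a token must.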
To find out more, write to: [email protected]

Author: Ravi Battula, Vice President, Merchant Acquiring Business, Wibmo (A PayU/Naspers FinTech Company)


Why is Biometric Authentication becoming the headline in the world of Digital Payments?

The last decade has witnessed progressive adoption of technology in almost every industry. A few industries, such as banking and fintech, have embraced technology to grow in leaps and bounds. The revolutionizing spread of the internet has ushered in an incredible increase in the number of users and, in turn, the addressable market. The hitherto latent yet huge rural population is today enabled with fintech services like online payments and transactions and even e-commerce. The one word that has propelled the whole population into digital payments, however, is rather old-fashioned: TRUST.

Let's dive deeper with an example. When a small business owner from a village in Bihar pays a vendor residing in another state, he needs to be assured that the payment will indeed be made. Similarly, a migrant labourer toiling in a southern state needs to believe that his hard-earned money is indeed going to reach his family in a matter of minutes, if not seconds. However, both of them also need assurance that it will be paid only to the intended parties and not to anyone else!

Authentication: the foundation of trust in the digital payment space

Authentication is most commonly used to assure consumers of reliability. However, the question remains whether the authentication mechanisms currently in use produce the highest levels of trustworthiness. Let's delve into the circumstances where multifactor authentication is the best option. Two out of the following three factors have proved to be a strong medium for payment authentication:
· Possession: for example, a documented identity or a device, etc.
· Knowledge: for example, a password or secret, etc.
· Inherence: for example, a fingerprint, hand, face, etc.
History of biometrics: an evolved tool used in payment security

Although biometrics go way back in human history, the contemporary commercial usage of biometric authentication began in the mid-nineteenth century, using fingerprints, by William James Herschel, a British administrator in India. Biometric authentication gained popularity among consumers and service providers with the rising usage of feature-rich smartphones and other devices equipped with high-resolution cameras. Instant gratification was stoked by biometric authentication, as it is based on biological traits that are unique to every individual and cannot be faked.

One of the most widely used examples of biometrics is the Aadhaar card in the Indian market. All Indian residents are given an Aadhaar number, a 12-digit unique identification number. This number is derived from their biographic and biometric data (a photograph, ten fingerprints, two iris scans). The concept was originally related to government subsidies and unemployment benefits, but as its authenticity has been proven, it now includes a payment scheme.

The growth of biometric payments in a post-pandemic world

According to global surveys, the pandemic has heightened awareness and acceptance of biometric payments. This popularity shows no signs of abating as we step into the post-pandemic era, thanks to a focus on sanitation and contactless payments. Biometric authentication is popular due to the simple and uncomplicated process it entails, unlike conventional authentication techniques, which suffer from glitches such as not receiving an OTP or issues with the strength of the internet connection. Biometric payments are becoming more popular in large and densely populated countries such as Russia, South Africa, Kenya, Nigeria, Ukraine, India, and others. Consumers sense that the simple and foolproof option of biometric authentication is safer, quicker, and simpler.
Biometric authentication provides several advantages over knowledge-based and possession-based authentication:
1. It is universal, as these metrics can be found in every human.
2. It is unique.
3. It is permanent, as metrics like fingerprints or dental records don't change.
4. It can be easily recorded if the consumer wants it to be so.
5. Finally, it can be measured for comparison and cannot be falsified.

Conclusion:

Though there have been cases where biometric authentication based on statistical algorithms may occasionally produce false positives, resulting in erroneous results, the benefits of using biometric authentication for digital payments outweigh the drawbacks. This is causing a significant shift towards its adoption, and it seems to be growing continuously. In a diverse socioeconomic environment like India, which has a population that is both cost-sensitive and aspirational, there is no other solution that can beat biometric authentication.

Author: Shatrughan Sharma, Global Head, Payment Security, Wibmo (A PayU/Naspers FinTech Company)


Identification, Authentication, Authorisation — Know the Difference

We go through the processes of identification, authentication, and authorization every day, in both the physical and digital worlds. Let's start with the physical world.

You have been planning a weekend vacation for a long time but have been stalling because of a busy work schedule. After months of long hours at work, you finally find a weekend for a getaway. After work hours you meticulously plan the vacation: the place to visit, the hotel to stay at, the activities to do, and whatnot. Finally, the getaway weekend has arrived, and the first thing you do after reaching your destination is check in to the hotel.

1. Identification: You walk to the hotel reception and mention that you have a prior booking at the hotel. The first thing the receptionist asks for is your name. The receptionist then checks the register to confirm your booking. By providing your name, you claimed your identity. Your name, more or less, is unique and is used for identification.

2. Authentication: Once the receptionist has found your name in the booking register, you are asked to present an ID card. The ID card verifies that you are the person whose name is on the reservation. Here, the ID card facilitates the process of authentication and verifies your identity.

3. Authorisation: After the receptionist has completed the necessary authentication process/paperwork, you receive a guest keycard. The guest keycard grants you access to your room, the guest elevators, and the pool, but not to other guests' rooms or the service elevator. Hotel employees have a service keycard, authorized to access more areas of the hotel than guests are.

You enjoy the next few days to the fullest and are finally well rested and rejuvenated. It's time to go back to work and give your best. It's time to check out, so you walk to the reception desk and hand over your card to the receptionist to pay the bill.
At this moment you have jumped into the digital world of identification, authentication, and authorization.

1. Identification: The receptionist puts your card through a POS terminal. The information stored on your magnetic stripe/EMV chip enables the banking systems to identify your valid account details: the bank that holds your account, your account details, etc. Here the information on your card's magnetic stripe/EMV chip is analogous to the name you gave during check-in.

2. Authentication: You are then requested to enter your card PIN. Your card PIN is confidential to you; only you know it (in the ideal case). By providing the PIN, you establish that you are the owner of the card associated with the bank account. The PIN authenticates that you are the owner of the bank account from which money will be transferred to the hotel for its services.

3. Authorisation: There are multiple stakeholders involved when you make a transaction with your card: the bank that holds your account, the card networks (Visa/Mastercard/Amex/Diners), the bank that holds the hotel's account, the software provider for the POS terminal, etc. Each stakeholder has a specific role to play. For example, the bank that holds your account confirms that your account has sufficient balance. It then authorizes the deduction of the bill amount from your bank account.

It may seem that the three steps of identification, authentication, and authorization are inseparable. But that's not true. Remember the last time you uploaded a file to your Google Drive/OneDrive and shared a public link. There, you authorized anyone with the link to access that file without any prior identification or authentication. Probably, the value of that file is far less than the value of the money in your bank account. Hence, the banking world uses cutting-edge solutions to predict, prevent and detect fraudulent transaction attempts on your card.
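The same three steps, written out as three separate functions in an added Python example (not any bank's, card network's or POS vendor's code): identification looks up the account the card data claims, authentication verifies the PIN against a salted hash with a retry limit, and authorisation is the issuer's balance decision. A final function models the shared-link case from the last paragraph, where permission is granted with no identification or authentication at all. The account number, PIN, balance and link id are constructed for the example.

```python
"""Identification, authentication and authorisation as three separate checks.

Added illustration of the card-at-POS flow from the post; a toy issuer, not
any bank's or card network's code. Account data and PINs are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_PIN_ATTEMPTS = 3


@dataclass
class Account:
    pan: str                # card number: what the POS reads from stripe/chip
    issuer: str
    balance_paise: int
    pin_salt: bytes
    pin_hash: bytes         # the PIN itself is never stored
    failed_attempts: int = 0
    blocked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def open_account(pan: str, issuer: str, balance_paise: int, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(pan, issuer, balance_paise, salt, hash_pin(pin, salt))


def identify(accounts: Dict[str, Account], pan: str) -> Optional[Account]:
    """Step 1: the card data only *claims* an identity; nothing is proven yet."""
    return accounts.get(pan)


def authenticate(acct: Account, pin: str) -> bool:
    """Step 2: prove the claim with something only the owner knows.

    Compares in constant time and blocks the card after repeated failures,
    so the PIN cannot simply be guessed at the terminal.
    """
    if acct.blocked:
        return False
    ok = hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash)
    if ok:
        acct.failed_attempts = 0
    else:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_PIN_ATTEMPTS:
            acct.blocked = True
    return ok


def authorize(acct: Account, amount_paise: int) -> bool:
    """Step 3: the issuer decides whether *this action* is permitted."""
    if amount_paise <= 0 or amount_paise > acct.balance_paise:
        return False
    acct.balance_paise -= amount_paise
    return True


def pos_checkout(accounts: Dict[str, Account], pan: str, pin: str,
                 amount_paise: int) -> str:
    """The hotel's POS flow: identify, then authenticate, then authorise."""
    acct = identify(accounts, pan)
    if acct is None:
        return "declined: unknown card"
    if not authenticate(acct, pin):
        return "declined: authentication failed"
    if not authorize(acct, amount_paise):
        return "declined: insufficient funds"
    return "approved"


def shared_link_access(public_links: Dict[str, str], link_id: str) -> Optional[str]:
    """The Drive example: authorisation without identification or
    authentication. Possession of the link *is* the permission."""
    return public_links.get(link_id)


if __name__ == "__main__":
    # Constructed account: a standard test card number, a made-up PIN and balance.
    accounts = {"4111111111111111": open_account("4111111111111111", "DemoBank",
                                                  500_000, "4321")}
    print(pos_checkout(accounts, "4111111111111111", "4321", 120_000))
    print(pos_checkout(accounts, "4111111111111111", "0000", 120_000))
    print(shared_link_access({"abc123": "holiday-photos.zip"}, "abc123"))
```

Keeping the three decisions in separate functions is the practical point: a failure in one step produces a distinct decline reason, the PIN check can add lockout without touching the balance logic, and `shared_link_access` shows that a system can grant authorisation while skipping the first two steps entirely.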
Author: Sujit Kumar Mahato, Product Manager, Wibmo (A PayU/Naspers FinTech Company)


Why cultivated BFSIs are moving from Cyber Defense to Cyber Resilience

Cyber threats like APTs (Advanced Persistent Threats), malware, hacking, phishing, ransomware, and distributed denial-of-service (DDoS) attacks have the potential to cause enormous challenges for organizations. Not only can companies suffer serious service disruption and reputational damage, but the loss of personal data can also result in huge fines from regulators.

Some experts define cyber defence as preventing hackers from attacking your network and accessing your systems and data. Cyber resilience, in their view, is about responding and recovering after an attack has happened. While they position cyber defence and cyber resilience as two separate activities, the reality is more complex than that. Cyber security can be seen as the first step in cyber resilience, meaning that any cyber resilience strategy must encompass cyber security. This blog explains more.

If we map these two strategies to the NIST CSF (Cyber Security Framework), cyber defence is limited to the Identify, Protect and Detect pillars, whereas cyber resilience also touches the other two pillars, i.e. Respond and Recover.

It should be clear by now that cyber security and cyber resilience are different but symbiotic. Some companies still treat them as separate and inter-related solutions, often establishing separate cyber security and resilience policy frameworks and strategies. However, there is more value when cyber security forms an element of overall cyber resilience.

Why cyber resilience over cyber security?

Cyber resilience starts with nailing the cyber security basics; at Wibmo, we call it "doing the common uncommonly well." This includes regular risk assessment, patching vulnerabilities, detecting and mitigating threats, and awareness of how to defend company assets. But we need to be doing these things continuously, not just once a year. The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact.
But the reality can be harder to pin down, because there is currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, maintain our customers' trust, absorb the financial, legal, and brand impact, and get back to business. But there is no widely accepted cyber resilience framework, no maturity model, and I think there should be.

The four elements of cyber resilience

I recommend a four-part approach to cyber resilience:

1. Manage and protect: The first element of a cyber resilience programme involves being able to identify, assess and manage the risks associated with network and information systems, including those across the supply chain.

2. Identify and detect: The second element of a cyber resilience programme depends on continual monitoring of network and information systems to detect anomalies and potential cyber security incidents before they can cause any significant damage.

3. Respond and recover: Implementing an incident response management programme and measures to ensure business continuity will help you continue to operate even if you have been hit by a cyberattack, and get back to business as usual as quickly and efficiently as possible.

4. Govern and assure: The final element is to ensure that your programme is overseen from the top of the organisation and built into business as usual. Over time, it should align more and more closely with your wider business objectives.

Benefits

A cyber-resilient posture helps you to:
· Reduce financial losses;
· Meet legal and regulatory requirements;
· Improve your culture and internal processes; and
· Protect your brand and reputation.

Author: Pravin Kumar, CISO, Wibmo (A PayU/Naspers FinTech Company)


What are Pre-Paid Cards and how do they work?

When referring to prepaid cards, we first need to agree on what we understand by a prepaid card and how we see it. Do we see it as a closed card program or an open card program? Many are confused about the definition of what exactly a prepaid card is. A prepaid card can be defined as a secured card (a plastic) that enables users to process transactions in order to purchase goods and/or services. We can then say that there are two types of prepaid cards:
· Closed card programs.
· Open card programs.

A closed card program is usually referred to as closed-loop, mostly in the form of gift cards used by many stores. On the other hand, an open card program is usually referred to as a debit card, which is linked to a bank account. Both solutions could be referred to as prepaid card solutions; however, one does not require a bank account, while for the other, having a bank account is a must. To some extent, some countries around the world are now initiating closed-loop programs, as a debit card, for domestic card transactions. For instance, a country may opt to have a closed-loop domestic card program that can only be utilized within the country, in the form of a domestic prepaid card scheme.

In today's world, financial institutions (FIs) are working hard to promote financial inclusion by providing financial services and/or products to customers at a very affordable cost. However, despite the effort and time put in by financial institutions, the results in getting everyone included in the financial ecosystem are still low. Therefore, FIs are constantly improving their products/solutions in order to meet customer satisfaction, by positioning solutions such as prepaid cards to make inclusion attractive. That is why, to meet customer satisfaction, financial institutions have opened up to closed/open loop payment programs to reach out to all markets and/or segments.
These programs have been put in place to solve problems for consumers, retailers, corporates, and governments. The benefit of these cards is that consumers can use them to make purchases, pay bills, transfer funds, and/or withdraw cash from an ATM, a merchant/retailer store, or an agent (agency banking), in a very convenient and secure way. Prepaid cards issued by a bank ("the debit card") can also be offered to customers who do not qualify for credit facilities. By these means, the bank offers customers a product that enables them to transact using their own funds. On the other hand, retailers or merchants also offer similar solutions to customers in the form of gift cards, as previously mentioned.

Once a prepaid card has been offered to a customer, the service provider will immediately issue a card to the customer so that the customer can start transacting from day one. Nevertheless, to make this mechanism fully functional:
· A plastic card has to be issued to the customer.
· The customer has to load their own funds onto the card.
· The card will have an expiry date, a card number, and a PIN.
· The customer can then start transacting.

Yet for prepaid cards such as gift cards, the cards can only be used within a network of retailers, and most of the time the card does not have a PIN for accepting transactions; instead, transactions are authorized on a signature basis. So prepaid cards can be considered a fast-growing segment for the retail banking and merchant services industry, despite the entry of new, innovative payment technologies.

Author: Nsele P. Bokuma, Director, Sales, South Africa, Wibmo (A PayU/Naspers FinTech Company)


DevSecOps — A necessity in the current landscape

Let's start with the basics. Traditionally, we followed the Software Development Life Cycle, SDLC for short, a structured approach to developing quality software that meets customer requirements. With the rapid evolution in lifestyle, we moved to the Agile method, one of the variants of SDLC, to develop software in an iterative and fast way. While the agile methodology aims to develop software, or a component of it, faster, there is a need to deploy that component at equal speed into the production set-up to make it available to the user community. This development process, together with the deployment process, is referred to as DevOps. Essentially, DevOps refers to the continuous integration of a software component and its continuous deployment.

Now, thinking about security from the early stages of the development cycle, instead of retrofitting it at the end of the cycle, transforms DevOps into DevSecOps. Here we are shifting security to the early stage of the cycle, i.e. to the left of the cycle, which is referred to as Shift Left.

To establish an analogy (not exact, but crude enough to aid understanding), let's look at some household work, such as cooking. I cook in my free time at home. After cooking, I ask my wife to serve the food to the family members. Here, the cooking process is Development, the serving process is Operations, and cooking and serving together are DevOps. Now, it's important to understand what DevSecOps is in this example. While cooking, I am concerned about the hygiene of the food from the beginning; retrofitting hygiene afterwards is very difficult. Therefore, the cooking and serving process, along with maintaining hygiene throughout, is DevSecOps.

In a rapidly moving world where technology is easing the way we do business and lead our lives, there is a rapid increase in threats to the technology landscape from fraudsters or individuals with malicious intent.
Therefore, it is imperative that security is considered from the very early stages of the development cycle, that all possible threat vectors are identified, and that appropriate controls or safeguards are built into the software to protect it and therefore its user community and, ultimately, customers.

Let's look at some of the benefits of DevSecOps.
· Continuous integration (CI): merges code changes to ensure the most recent version is available to developers.
· Continuous delivery and continuous deployment (CD): automate the process of releasing updates to increase efficiency.
· Microservices: builds an application as a set of smaller services.
· Infrastructure as code (IaC): designing, implementing, and managing application infrastructure through code.
· Common Weakness Enumeration (CWE): improves the quality of code and increases the level of security during the CI and CD phases.
· Threat modeling: implements security testing during the development pipeline to save time and cost in the future.
· Automated security testing: tests for vulnerabilities in new builds on a regular basis.
· Incident management: creates a standard framework for responding to security incidents.
· Fast delivery: ensures fast delivery of applications by embedding automated security controls and tests early in the development cycle.
· Enriched efficiency: higher efficiency by scanning code for vulnerabilities as it is written.
· Automotive: reduces lengthy cycle times while still meeting software compliance standards.
· Digital transformation: enables digital transformation efforts while maintaining the privacy and security of sensitive data per regulations such as GDPR.
· Code analysis: deliver code in small chunks so vulnerabilities can be identified quickly.
· Compliance monitoring: be ready for an audit at any time, which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.
Threat investigation — identify potential emerging threats with each code update and be able to respond quickly. Vulnerability assessment — identify new vulnerabilities with code analysis and accordingly analyze how quickly they are being responded to and patched. Security training — train software and IT engineers with guidelines for set routines. Source: https://accelera.com.au/ To conclude, DevSecOps is a cultural shift which means security is a shared responsibility, and everyone participating in SDLC has to a play very vital role in building security into the DevOps workflow. Author: Ravi Bhushan, Head- GRC and Ritesh Prasad, Manager DevOps+SRE Wibmo A PayU/Naspers FinTech Company Compliance, DevOps, Infosec, Risk Management, Security

Industry Insights

How to prevent identity theft?

With unprecedented growth in online transactions, it is no surprise that online fraud has increased. One of the major malpractices is identity theft. In a country like India, which is striding towards the number one position in online shopping, the rise in this kind of fraud cannot be overlooked. Accessing and retrieving personal information is child’s play in an increasingly digitised country like India. With social media and the deep web or darknet becoming accessible to a larger population, identity theft is getting increasingly difficult to control.

Who can be the victims of identity theft?

Have you used your credit or debit card to shop online or at a POS? Have you paid utility bills with your card? Have you used UPI or other payment methods? In short, anyone who has used plastic money is in danger of identity theft, and everyone who has shopped online or used a payment portal with their payment credentials is at risk, including of synthetic identity fraud, where fragments of real data are combined with fabricated details to create a new identity. Identity theft is, in essence, stealing your identity: impersonating you digitally and riding on your credibility and creditworthiness. It is done by gathering data that confirms the identity, such as phone number, Aadhaar number or PAN, along with the bank account number, and using this data to impersonate you and transact digitally. With widespread social media and the data captured by almost every website, it is nearly impossible to stay completely private.

The conditions favouring identity theft

In a densely populated country like India, identity theft is spreading like a disease, mainly because:
· Cyber security laws are in place, but reporting incidents and actually enforcing those laws is not easy in a developing country like ours.
· It is getting easier to lay hands on identity details such as PAN and Aadhaar.
· Data breaches are increasingly difficult to prevent, and the crime is hard to stop by identifying the perpetrators and isolating them. 
Also, the time available to the fintech industry is very limited: the journey from the card to the merchant, through verification or access control, and back to transaction approval takes just thirty seconds on average. This leaves a very small window for lenders but an easy getaway for fraudsters. It therefore makes more sense to fortify defences at our end, in the payment gateway. Even with multi-layered security in place, tracking the perpetrators is a herculean task, while they, on the other hand, can operate from any corner of the world with internet access.

The impact

It is an indisputable fact that the digitisation of financial transactions in India has accelerated beyond what the experts forecast. Part of this was contributed by the Covid waves and the awareness of “cashless transactions and contactless delivery”. It cannot be denied, however, that as the younger population of the country swells, a major part of the population is turning net-savvy and prefers mobile transactions. They demand a seamless experience and connectivity through IoT. This has not only given traction to digitisation but has also made it more important to create an anti-fraud, secure transaction environment that preserves the credibility of digitised transactions.

Role of an FRM (fraud risk management) system like Trident in the detection of fraud

The simple logic that Wibmo uses is that the more you know your customer, the more difficult it becomes for fraudsters to impersonate you. For example, a person might impersonate another with a banker, but it is almost impossible to impersonate him with his family, because the family knows the person too well. This is exactly the logic we use at Wibmo through Trident: the more you use our services, the more difficult it becomes for fraudsters to steal your identity. Collecting various data points and learning from them with machine learning offers the most effective defence against identity theft. 
Based on past patterns, the current transaction can be evaluated and analysed in a fraction of a second, so fraud detection and prevention can happen without increasing the transaction time. The machine’s continuous learning only improves as more data points are collected, making the virtual persona of the customer ever more precise. The long-term utility and credibility such a system gives the issuer and acquirer are worth every penny spent and every effort taken.

Role of end-users in the detection of fraud

There are a few steps you can take as an end-user to reduce the risk:
1. Take time to check the authenticity of the sites where you plan to use your card. Do not simply click on links sent over SMS, WhatsApp or email offering cashback or discount vouchers.
2. Download apps from a trusted source and use them for repeat purchases rather than following links that may have been sent to you.
3. Never share OTPs, your UPI PIN or other bank details. However often this is reiterated, it is surprising how even educated people are taken in. Do not hesitate to change them if you even suspect they have been compromised.

No one can deny that identity theft is a very real threat, but reducing our transactions for fear of it is akin to not using roads for fear of accidents. Nor is it fair to throw the onus onto end-users or customers. The only sustainable and robust solution lies in fortifying our defences at the PG level.

Author: Krishnan KN, Advisor in Wibmo’s Agile PMO
Wibmo A PayU/Naspers FinTech Company
Fraud, Fraud Detection, Fraud Prevention, Identity Management, Identity Theft
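The pattern-based evaluation described in the Trident section above, as an added example that is not part of the original article and is not Wibmo’s Trident or its model: a per-customer profile is built from past transactions, and the current transaction is scored against it in microseconds, with every point tied to a visible deviation (unfamiliar device, city, amount or merchant category, or a burst of transactions). The profile fields, weights, thresholds and sample transactions are assumptions constructed for illustration.

```python
"""Added example of behaviour-based transaction risk scoring.

Not Wibmo's Trident or its model: the profile fields, weights, thresholds and
sample transactions are constructed to illustrate the idea the article
describes, that a customer's own history makes impersonation harder.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float      # INR
    merchant_cat: str  # e.g. "grocery"
    device_id: str     # app / device fingerprint
    city: str


@dataclass
class Profile:
    mean_amount: float
    stdev_amount: float
    devices: Counter
    cities: Counter
    categories: Counter
    timestamps: list   # sorted, used for velocity checks


def build_profile(history: list[Txn]) -> Profile:
    """Summarise what is 'normal' for this customer from past transactions."""
    amounts = [t.amount for t in history]
    return Profile(
        mean_amount=statistics.fmean(amounts),
        stdev_amount=statistics.pstdev(amounts) if len(amounts) > 1 else 0.0,
        devices=Counter(t.device_id for t in history),
        cities=Counter(t.city for t in history),
        categories=Counter(t.merchant_cat for t in history),
        timestamps=sorted(t.ts for t in history),
    )


def score(profile: Profile, txn: Txn) -> tuple[int, list[str]]:
    """Additive risk score 0..100; every point carries a human-readable reason
    so an analyst can see why a transaction was challenged."""
    risk, reasons = 0, []
    # Amount far outside the customer's usual range.
    if profile.stdev_amount > 0:
        z = (txn.amount - profile.mean_amount) / profile.stdev_amount
    else:
        z = 0.0 if txn.amount <= profile.mean_amount else 10.0
    if z > 3:
        risk += 30
        reasons.append(f"amount z-score {z:.1f}")
    # Device never seen for this customer.
    if txn.device_id not in profile.devices:
        risk += 30
        reasons.append("new device")
    # City never seen for this customer.
    if txn.city not in profile.cities:
        risk += 20
        reasons.append("new city")
    # Velocity: three or more transactions in the ten minutes before this one.
    recent = [t for t in profile.timestamps
              if timedelta(0) <= txn.ts - t <= timedelta(minutes=10)]
    if len(recent) >= 3:
        risk += 20
        reasons.append(f"{len(recent)} transactions in 10 min")
    # Merchant category the customer has never used.
    if txn.merchant_cat not in profile.categories:
        risk += 10
        reasons.append("new merchant category")
    return min(risk, 100), reasons


def decide(risk: int) -> str:
    """Map the score to an action; step-up means an extra challenge such as an OTP."""
    if risk >= 60:
        return "decline"
    if risk >= 30:
        return "step-up"
    return "allow"


# Constructed history: one customer, one device, one city, small everyday spends.
HISTORY = [
    Txn(datetime(2024, 3, d, 10, 0), amt, cat, "dev-A", "Bengaluru")
    for d, amt, cat in [(1, 800, "grocery"), (2, 1200, "fuel"), (3, 650, "grocery"),
                        (4, 900, "grocery"), (5, 1100, "fuel"), (6, 750, "grocery")]
]
PROFILE = build_profile(HISTORY)

# Constructed transactions to evaluate.
BENIGN = Txn(datetime(2024, 3, 7, 12, 0), 1000, "grocery", "dev-A", "Bengaluru")
NEW_DEVICE_ONLY = Txn(datetime(2024, 3, 7, 12, 0), 1000, "grocery", "dev-Z", "Bengaluru")
IMPERSONATION = Txn(datetime(2024, 3, 7, 12, 0), 45000, "electronics", "dev-Z", "Delhi")


def evaluate(txn: Txn, profile: Profile = PROFILE) -> tuple[int, str, list[str]]:
    """Score one transaction against the profile; returns (risk, decision, reasons)."""
    risk, reasons = score(profile, txn)
    return risk, decide(risk), reasons


if __name__ == "__main__":
    for name, txn in [("benign", BENIGN), ("new device", NEW_DEVICE_ONLY),
                      ("impersonation", IMPERSONATION)]:
        print(name, evaluate(txn))
```

The three outcomes map to the actions a payment gateway can take inside the approval window: allow, step-up (challenge the customer, e.g. with an OTP), or decline. In a production system the weights and thresholds would be learned from labelled fraud data rather than fixed by hand, and the profile would be updated with every approved transaction, which is the “continuous learning” the article refers to.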
