Draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017


The draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 has been released by the Ministry of Electronics & Information Technology (MEITY) for Prepaid Payment Instruments (PPIs) or e-wallet companies.

The draft rules aims to safeguard security, confidentiality and integrity of electronic payments done through PPIs. It also protects information of consumer, especially financial data.

What are Prepaid Payment Instruments (PPIs)?

Prepaid payment instruments are ways that facilitate purchasing of goods & services against the value stored on such instruments. The value represents the value paid by the holder for instruments, by cash, debit, or credit card to a bank account. The prepaid instruments are issued as mobile accounts, online wallets, smart cards, mobile wallets, magnetic stripe cards, paper vouchers, internet accounts, and any other such instruments used for accessing the prepaid amount.

Draft Rules 2017: Key Facts

  1. e-PPI issuer is a person that operates a payment system which issues prepaid payment instruments to organisations or individuals under the protection of Reserve Bank of India (RBI).
  2. Under the rule, it is compulsory for e-PPI issuers to develop an information security policy which ensures the security of the systems operated by them.
  3. Under the rule it is obligatory for e-PPIs to publish terms for use and privacy policy of their payment systems on their web portals and mobile applications.
  4. It is compulsory for e-PPIs to carry out risk assessment to identify security risks and also to ensure satisfactory due diligence is done by the firm afore issuing PPIs.
  5. It is must for e-PPIs to appoint a chief grievance officer, whose contact details are displayed on the website. It is mandatory for officer to act on any complaint within 36 hours of its filing and to close it within a month. End-to-end encryption e-PPIs must ensure the application of end-to-end encryption for safeguarding the data exchanged. It should also retain electronic payments-related only till it’s necessary.
  6. The Indian Computer Emergency Response Team (CERT-In) must also notify the categories of breaches and incidents that are needed to be stated to it mandatorily.

Leave a Reply !!

This site uses Akismet to reduce spam. Learn how your comment data is processed.