Information Technology (Security of Prepaid Payment Instruments) Rules 2017 – Draft

In March 2017, the Union Government came up with the Information Technology (Security of Prepaid Payment Instruments) Rules for digital transactions made through prepaid payment instruments, in order to make them secure and address privacy issues. The rules have been framed by the Ministry of Electronics and Information Technology. The ministry has invited public comments on the draft rules.


The increase in electronic payments since the demonetisation drive and the government’s intent to promote a cashless economy make it necessary to ensure the confidentiality, integrity, safety and security of transactions made through PPIs.

Pre-paid payment instrument (PPI)

A PPI is a payment instrument which facilitates the purchase of goods and services with the help of the value stored on such instruments. PPIs can be smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers etc. PPI issuers are individuals/organisations authorised by the RBI under the Payment and Settlement Systems Act 2007.


Information security policy

Every e-PPI issuer needs to develop an information security policy for security of the payment systems operated by them.

Privacy Policy

Every e-PPI issuer should publish on their website and mobile applications the privacy policy and the terms and conditions for use of the payment systems operated by them in simple language. The privacy policy should include the following:

  • information collected directly from the customer and information collected otherwise;
  • uses of the information;
  • period of retention of information;
  • purposes for which information can be disclosed and the recipients;
  • sharing of information with law enforcement agencies;
  • security practices and procedures;
  • name and contact details of the Grievance Redressal Officer;
  • mechanism for grievance redressal;
  • any other details as may be specified by the Central Government.

Risk assessment and risk control

Every e-PPI issuer should carry out risk assessment, and review the security measures at least once a year, as well as after any major security breach. e-PPI issuers should implement security measures in accordance with the information security policy.

Customer identification and authentication

e-PPI issuers must make sure that customers are identified through appropriate procedures for authentication and shall adopt multiple factor authentication where a customer initiates a payment against the value stored on the pre-paid payment instrument.

Personal information

Every e-PPI issuer should adopt security measures to protect the security, confidentiality and integrity of the personal information collected from the customer, including the name, address and telephone number of the customer. The personal information of the customer should not be disclosed to any person without the consent of the customer.

The financial data of the customer should be treated as sensitive personal information, and the procedures prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 need to be followed by PPI issuers.

End-to-end encryption

Every e-PPI issuer should make sure that end-to-end encryption is applied to safeguard the data exchanged, in accordance with the rules prescribed by the central government.

Cyber incidents

PPI issuers should evolve a mechanism for monitoring, handling and following up on cyber incidents and breaches with CERT-In (Indian Computer Emergency Response Team).

Grievance Redressal

e-PPI issuers must appoint a Grievance Redressal Officer to resolve complaints of customers. The Officer must act on a complaint within 36 hours and resolve it within one month from the date of receipt of the complaint. The name and contact details of the Grievance Redressal Officer and the procedure to be followed by customers must be provided on the website/mobile applications by the PPI issuers.


According to critics, while all payments are regulated by the RBI, the rules for transactions through PPIs have been laid down by the ministry of information technology. This may lead to confusion: an entity complying with RBI rules may find itself violating the rules set by the IT ministry. While the draft rules try to address many issues related to PPIs, key rules on the authentication and issuance of e-PPIs have to be framed properly so that customer convenience is not lost while addressing security issues.
