Better Safe Than Sorry: RBI Bid To Ask Online Players To Not Store Card Data Is Warranted

The Reserve Bank of India’s (RBI’s) proposal to stop e-commerce platforms, online aggregators and others from storing customers’ credit card data is prudent and sensible. Even though it is going to make transactions more cumbersome — you will have to enter your card details every time you buy something — it is warranted in the context of India’s weak cyber-security laws and preparedness. The new norms are set to kick in from this July.

Over the past nine months, as China upped the ante on our borders, our army was able to handle the intrusions with courage and fortitude. But it is far from clear that we would have done as well if China had extended its warfare to cyber areas.

Over the last few days, there have been western and Indian media reports that China tried – or issued a silent threat — to bring our power systems down through cyber-attacks if we pushed too hard against them on the borders. Even though the government has denied thus, the suspicion will not go away.

Whether it is a hostile neighbour like China or plain and simple cyber crooks and thieves, events over the last one year suggest that our rapidly digitising financial ecosystem is vulnerable.

There have been reports suggesting that the Paytm, Big Basket and Juspay’s consumer databases were compromised by hackers, and even our vaccine suppliers faced cyber threats. Paytm and Big Basket are partly Chinese-owned, and the vaccine hack was attributed to Chinese interests. In June last year, around the time of the Galwan Valley violence involving Chinese and Indian troops, more than 40,000 Chinese hacking attempts were reported.

Other incidents, which may not be China-linked, were the disruptions in the National Stock Exchange’s telecom infrastructure, and HDFC Bank’s frequent outages which forced the RBI to stop it from expanding its card customer base till the glitches were fixed.

The National Stock Exchange is where the bulk of India’s stock market and bond transactions take place. We also ought to be doubly protective of the actual storehouses of India’s stock market and dematerialised wealth — the National Securities Depository Ltd and Central Securities Depository Ltd. These crown jewels clearly need extraordinary cyber protection — and there is no reason to believe they are not very well protected.

In a country where power systems use significant Chinese equipment, telecom infrastructure and handsets are China-dominated, and every kind of chip used in various gadgets is either made in China or Taiwan, there is no way we can afford to be sanguine about our digital vulnerabilities. They exist, and they will expand as our ability to provide cyber security is simply not good enough for the kind of financial digitalisation that we have planned.

As for our police and their ability to tackle cyber-crime, one has to be an extraordinary optimist to believe that they can quickly bring cyber criminals looting my wealth to book.

Consider just one possibility: if my credit card has been compromised, and the same card is used in multiple places, how am I ever going to prove to the police cyber-crimes cell where the breach took place?

The RBI has correctly decided that discretion is the better part of cyber valour, especially when our ability to cope with cyber attacks and frauds are weak.