In the span of a mere decade, the Indian economy has gone from being cash-based to being heavily reliant on digital payment systems. This transition has been driven by domestic initiatives such as the Unified Payments Interface, IndiaStack, Aadhaar-Enabled Payment Systems and mobile wallets. These have brought many visible and worthwhile changes, such as greater convenience, financial inclusion, transparency in transactions, substantial tax revenue and wider scope for financial technology to come into its own. But the growing digitisation of payment systems also has brought greater threats, perpetrated by hackers, organised criminal syndicates and, in some cases, foreign governments. Indian regulators and the payment industry have focused on tackling these threats.

This paper analyses India’s payments industry and reviews trends in cyber-attacks on its payment infrastructure. It maps the system’s vulnerabilities and channels to explain how attacks may arise. It also includes a review of existing policy measures and cyber-security standards. The paper argues that in order to secure its digital payment systems, India will need to expand its efforts by focusing on data protection, information sharing, cyber hygiene and cyber attack attribution. A safe and secure payment system will increase citizens’ confidence and strengthen the digital economy.

India’s policy push towards digital payments makes it an important global actor in the digital economy. Therefore, a greater emphasis is needed on threat mitigation and vulnerability-patching to ensure resilience of the payment systems and a greater level of cyber security. This paper makes the following recommendations for action on three levels: government, business and diplomatic.

Government

• Make reporting of data breaches mandatory
• Expedite creation of CERT for the financial sector
• Adopt a phased approach to local data storage requirements for the payments industry • Expand cyber hygiene education initiatives

Business (industry)

• Create a payment-industry platform for information-sharing
• Enable consumers to control data through a consent dashboard

Diplomatic (global)

• Negotiate preferential and conditional data-sharing agreements with like-minded countries • Articulate a normative framework for cyber-attack attribution

This research was funded by SWIFT Institute.