Securing APIs to Enable QR Code Interoperability
Assessing Third-Party Risk to Prevent Transactional Fraud
RBI's drive for QR code interoperability will pressure the payments companies to secure their APIs and enhance their authentication standards.
P Vasudevan, chief general manager, RBI, explains that going forward, those using proprietary QR codes will have to build interoperability with either Unified Payments Interface or Bharat QR codes by March 31, 2022.
Previously, payment companies used proprietary QR codes, which only allowed digital payments from specific mobile applications.
The change will require building APIs and deploying appropriate security controls, encryption tools, and third-party risk evaluation mechanisms to prevent data leakage during the transaction.
Delhi-based consultant Amit Dev says payments firms will face increased risks if they fail to build effective interfaces to align with NPCI's UPI and Bharat QR code.
Streamlining QR Code: What does RBI Want?
Using just two standards, rather than the current 100, and making QR codes interoperable will remove the need to maintain different apps for payments across merchants. RBI says better user convenience will be achieved with enhanced system efficiency, as only the approved APIs will be used for transactions.
When India withdrew larger banknotes from circulation in a bid to hit untaxed wealth (demonetization in 2018), QR codes grew in popularity. Digital fintech player PayTM rolled out code-based payments, followed by many others including PhonePe, Mobikwik, Razorpay, and Freecharge. QR code-based payments were used by small and informal merchants using proprietary apps.
A standard QR code with Bharat QR and UPI QR used by all types of merchants across all payment instruments will reduce the threat landscape and so help prevent fraud.
But risk will be concentrated on the two platforms, so companies need to develop secure APIs for interoperability with Bharat QR code and UPI.
Currently, APIs are poorly protected despite rapid and widespread deployment, and automated threats are mounting. Personally identifiable information (PII), payment card details, and business-critical services are at risk from bot attacks.
Payment firms need to:
- Make API security a higher priority;
- Conduct security testing and an audit of the application used for QR code-based payments;
- Evaluate the encryption tools and API documentation used between the app provider, payment gateways, and banks;
- Ensure that there is no authentication lapse while building interoperability, which could result in funds being intercepted or sent to the wrong person.
Once the QR code platform is standardized through this interoperability and its APIs are secured, the security level of digital cashless transactions will improve.