Payment security has always been a strategic discussion. However, the global pandemic has further taken these conversations to the next level, says Deepak Kalambkar, CSO & AVP Infrastructure, SafexPay.
In his career spanning over two decades, Deepak Kalambkar, CSO & AVP Infrastructure for SafexPay, the payment gateway company, has seen how security has evolved to be a strategic priority for all kinds of companies.
With the rapid adoption of digital payment channels, he believes, the payment ecosystem is placing greater importance on security and payment companies are increasingly adopting the ‘security by design’ approach while building apps and services.
In his conversation with CIO Dialogues, Kalambkar talks about the evolving security landscape in the payment sector.
How do you see the impact of global pandemic on digital payment security?
Payment security has always been a strategic discussion. However, the global pandemic has further taken these conversations to the next level. While COVID in many ways has been a huge catalyst for digital transaction, it also led to a significant spike in digital payment frauds. KYC related frauds especially have been skyrocketing as consumers shifted to digital services and payment mechanisms. In India itself, many have been victimized to digital payment frauds so far. While fintechs and banks have ensured availability of payment systems during times of crises, security is emerging as a key aspect.
At SafexPay, for example, payment gateway security has been paramount, to ensure that the transactions carried out through digital sources are 100% secure. So I would say that the global pandemic has moved the needle for digital payment security.
What is one technology or area that you think will be critical in ramping up digital payment security?
I believe that multi-factor authentication is an effective mechanism to deal with fraudulent transactions and digital payment fraud. In fact, many firms are introducing MFA at multiple levels—for example while logging into the app as well us while the payment is being made. This way, even if the password is hacked, the user’s app will be secured because it has MFA enabled. This is a huge step in curbing online frauds.
SafexPay is planning to be a neobank and launch new UPI-based app for consumers. How do you see the discussion on security evolving as India move towards being a cash-light economy?
Yes, we are in the process of rolling out neobanking services and end-user app quite soon. We believe that digital payment market in India is growing at rapid pace and will continue grow. Security of the digital payment ecosystem is paramount today and in future. In fact, there is a major change in the way security is being approached. Payment gateway companies are moving their budgets to security and also involving their security teams right at the production stage with a security by design approach. The overall shift of focus to security will lead to apps that have lesser flaws and are inherently more secure.
PCI DSS compliance is most critical for payment companies. Reports indicate that achieving 100% compliance is a challenge. What have been your learnings as a CSO?
We, at SafexPay, are following the PCI compliance from day one, and fortunately, it has not been a big challenge for us. We have an internal testing team of around six to seven people, who test our codes. We have a security team that does the testing of applications through various tools available and ensure that the end-product that goes to our production server is 100% security compliant.
When the third party does the scanning for the application, we find it 100% compliant. We do the testing of the product in-house before giving it to any external party. This helps us achieve 100% compliance in all the reports.
Payment security is an on-going business priority. How do you ensure that you have the right resources who are well-updated & the required management support for your efforts?
Generally, for a payment gateway, we have to follow all the RBI guidelines for data localization. We are already following the Prompt Corrective Action (PCA) guidelines process, compliance process, and the data localization process. We don’t do anything before the audits; we follow all the precautions from day one. If the audit is in December, we prepare all the reports from January itself so that there are no issues in any of the compliances we follow. By doing this, we are following the compliance 100 % and getting all the scan reports 100%.
Our management has been very supportive in meeting our demands for additional resources. When we wanted more testing guys, they were open to hiring them. While most companies removed people during the pandemic, we recruited 50 to 60 persons in the testing and development teams in the last six to seven months.
