POS industry wary of Aadhaar-enablement over cost, security issues

The demand for point of sale (POS) devices — which saw a spurt after demonetisation as people and merchants opted for cashless transactions — could be dented by the mandate to make them Aadhaar-enabled as this will push up costs and increase security risks, industry players said.

“One of the biggest challenges in making the POS machines Aadhaar-enabled is the high cost of adoption as well as verifying its reliability. Tampering and skimming threats for merchants and processors of card data are on the rise,” Ravi Goyal, Chairman and Managing Director, India Transact Services, told IANS.

India Transact imports POS machines — also known as payment or credit card machines — from Europe and supplies them to Syndicate Bank, Bank of India, Reliance Retail and PVR Cinemas, among others.

According to the Reserve Bank of India (RBI) mandate, all POS machines acquired after January 1 this year had to be enabled for Aadhaar-based biometric authentication. The date was later extended to June 30 because the rate of deployment slowed down due to a drop in the supply of such Aadhaar-enabled devices.

“Fingerprint authentication per se is not secure. It is about the levels and forms of encryption that companies implementing the solution follow. It is important that fingerprint data is encrypted at the source of the scanning device and remains encrypted all the way through till it reaches the card-issuing authorities,” ePaisa Co-founder Siddharth Arora told IANS.

ePaisa will start manufacturing POS devices this year and plans to reach a million merchants by 2018.

“If somebody is able to capture the biometric data, which is easily done, they can very easily impersonate me,” Manish Patel, Founder, Mswipe Technologies, which supplies POS terminals to 165,000 merchants, told IANS.

Apart from the increased security vulnerability to the person’s biometrics, another deterrent to the digital mode would be the increased costs of the additional hardware.

“The costs of POS machines will go up. Currently, each terminal costs Rs 6,000. With the additional hardware, it will mean Rs 3,000-3,500 extra per terminal, which is a 50 per cent increase in costs,” Patel said.

“This is not technically a difficult task but rather a very expensive one. We need to attach a biometric reader to the currently available POS machines and simultaneously make changes in application,” Goyal said.

They feared that ultimately the merchants will have to bear the cost and they may pass this on to the customer.

The demand for POS machines saw a steep rise just after demonetisation. At the peak of demonetisation, the government had floated a tender through Energy Efficiency Services Limited (EESL) to acquire one million POS machines, but so far has been unable to procure any.

Mswipe alleged that the tender was floated but the government failed to buy any POS terminals because of the cost factor.

Corporation Bank said it placed an order for 10,000 devices immediately after demonetisation was announced November 8.

“We have approximately 30,000 POS machines. An order for about 10,000 additional POS machines was placed after demonetisation for immediate use,” Eknath Baliga, Manager, KYC-Antimoney Laundering Cell, Corporation Bank, Mangalore, told IANS.

“Our sales shot up by 300 per cent in November and December compared with the previous year,” India Transact Services said.

The total value of financial transactions done by the debit and credit cards issued by at POS terminals was at Rs 51,883.68 crore while the number of transactions stood at approximately 23 lakh in October 2016.

About 15 lakh POS terminals were deployed by the banks in October.

But as cash returns to the system again, the demand for POS machines is tapering and these additional directives can prove a further deterrent to POS machines, the industry said, adding that there was no clarity on the revenue model in the Aadhaar-enabled payment system (AEPS).

“There is no revenue model defined for AEPS payments against the card-based payment system where MDR (Merchant Discount Rate) is a source of revenue. The reliability of AEPS infrastructure for mass payment is yet to be proven,” Goyal said.

A typical transaction uses a payment instrument like a card, which is secured by a PIN (personal identification number). When a PIN gets captured on a terminal, there are payment card industry standards for the security of transactions.

While RBI is calling for biometric enablement, it is not clear if the transaction is going to be carried out by a PIN and biometrics would be the second level of authentication, or if the biometric credentials are going to be used to identify the person with no second factor of authentication.

“If the thumb impression alone will authorise a transaction, it will be a disaster. It has to be backed by a PIN. There are proven technologies to copy your fingerprint, like cloning,” Patel said.

“A second factor of authentication is a must. Else anyone can do a transaction in my name and I will not be able to dispute it,” he said.

If, by adopting these new measures, security against data theft can be ensured, only then would both merchants and customers be assured that their hard-earned money is safe, he added.

Meghna Mittal / IANS