As these processes continue, security frameworks for sectors like digital payments must be constructed in parallel. One clear objective of the mission is to secure the whole digital-payments ecosystem, which includes reviewing the efficacy of existing institutional and security frameworks. To this end, the report contextualizes the varied moving parts within digital payments and broader policymaking arenas to propose a forward-looking cyber-security strategy for the world.
Risk-Based Transaction Authentication: Indian policymakers must consider the viability of adopting risk-based, technology-neutral frameworks (as in Austria, Brazil, the US and Singapore). As an example, under the EU’s Revised Payment Services Directive (PSD2), the EC recently released guidelines on its Strong Customer Authentication (SCA) regime, based on factors such as knowledge, possession and inherence. The EC has adopted a risk-based and technology-neutral approach to securing internet-based payments, allowing lighter authentication standards and exemptions for lower-risk transactions, based on factors such as the value of the transaction and the security tools adopted by the Payment Service Provider.
Additionally, automated transaction-monitoring mechanisms have proven effective in securing digital payments in countries like the Netherlands. International standard setters like EMVCo are developing risk-based SCA standards to balance security principles with user convenience. The group launched the 3-D Secure 2.0 specification in October 2016, which analyses device-provided data and combines it with biometric technologies to supply a layered, risk-based authentication standard.[207] The ITU has endorsed EMV standards as a worldwide best practice for transaction authentication.
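To make the mechanics of a risk-based, technology-neutral SCA regime concrete, the following is an added example (written for this page, not code from the report, the EC or EMVCo). It models a payment service provider's decision logic: a transaction-monitoring score computed from device and behavioural signals, a low-value exemption with a cumulative-spend and consecutive-count limit that resets after each strong authentication, and a check that "strong" authentication really means two independent factor categories (knowledge, possession, inherence). All thresholds, weights and signal names are constructed for illustration and are not the figures or fields defined in the PSD2 regulatory technical standards.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the text."""
    KNOWLEDGE = "knowledge"     # something the customer knows (PIN, password)
    POSSESSION = "possession"   # something the customer has (registered device, card)
    INHERENCE = "inherence"     # something the customer is (fingerprint, face)


# Illustrative policy parameters (assumptions, not the regulation's values).
LOW_VALUE_LIMIT = 30.0        # single-transaction amount eligible for the low-value exemption
LOW_VALUE_CUM_LIMIT = 100.0   # cumulative exempted spend allowed since the last SCA
LOW_VALUE_COUNT_LIMIT = 5     # consecutive exempted transactions allowed since the last SCA
RISK_SCORE_LIMIT = 40         # monitoring score above which SCA is forced regardless of value


@dataclass
class Transaction:
    amount: float
    known_device: bool              # device previously bound to the customer
    country_matches_profile: bool   # geolocation consistent with the customer's profile
    txns_last_hour: int             # velocity signal from transaction monitoring
    merchant_risk: str              # "low" | "medium" | "high" (constructed category)


@dataclass
class CustomerState:
    """Counters the PSP keeps per customer to enforce the exemption limits."""
    exempted_amount_since_sca: float = 0.0
    exempted_count_since_sca: int = 0


def risk_score(txn: Transaction) -> int:
    """Additive transaction-monitoring score; weights are constructed for illustration."""
    score = 0
    if not txn.known_device:
        score += 30
    if not txn.country_matches_profile:
        score += 25
    if txn.txns_last_hour > 3:
        score += 20
    score += {"low": 0, "medium": 10, "high": 35}[txn.merchant_risk]
    return score


def sca_required(txn: Transaction, state: CustomerState) -> tuple[bool, str]:
    """Decide whether strong authentication must be applied, and why."""
    score = risk_score(txn)
    if score > RISK_SCORE_LIMIT:
        return True, f"risk score {score} exceeds {RISK_SCORE_LIMIT}"
    within_single = txn.amount <= LOW_VALUE_LIMIT
    within_cumulative = state.exempted_amount_since_sca + txn.amount <= LOW_VALUE_CUM_LIMIT
    within_count = state.exempted_count_since_sca < LOW_VALUE_COUNT_LIMIT
    if within_single and within_cumulative and within_count:
        return False, "low-value exemption"
    return True, "no exemption applies"


def is_strong_authentication(factors: set[Factor]) -> bool:
    """SCA needs at least two factors from *different* categories; two PINs do not count."""
    return len(factors) >= 2


def process(txn: Transaction, state: CustomerState, factors: set[Factor]) -> tuple[str, str]:
    """Apply the policy to one transaction and update the customer's exemption counters."""
    required, reason = sca_required(txn, state)
    if not required:
        state.exempted_amount_since_sca += txn.amount
        state.exempted_count_since_sca += 1
        return "approved-exempt", reason
    if is_strong_authentication(factors):
        # A successful SCA resets the low-value counters.
        state.exempted_amount_since_sca = 0.0
        state.exempted_count_since_sca = 0
        return "approved-sca", reason
    presented = sorted(f.value for f in factors)
    return "declined", f"{reason}; factors {presented} are not two independent categories"
```

Run `process()` on a sequence of small transactions with an empty factor set and the sixth is declined even though its amount is tiny, because the consecutive-count limit has been reached; present knowledge plus possession and the counters reset. The monitoring score overrides the exemption entirely, which is the layering the text describes: exemptions lower friction only for transactions the PSP's own tooling already judges low-risk.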
Biometrics and Other Authentication Solutions: To promote secure and frictionless payments, countries like South Africa are partnering with card-network companies to promote biometric authentication. The ITU has identified other promising solutions as well, including smartcard authentication (using cryptography) to supplement card-based transaction ecosystems in jurisdictions where infrastructure penetration (e.g. PoS) remains low. However, policymakers must also manage the risks accompanying biometric information.
For instance, fingerprint-based authentication, while largely successful for children, is less reliable for elderly manual workers or people living in arid climates. Additionally, the accuracy of face and iris biometrics is contingent on the quality of cameras, as well as environmental conditions such as lighting, backgrounds and contrast. To address such challenges, the ITU recommends that biometric deployments be assessed against three metrics, namely the failure-to-enrol (FTE) rate, the false-rejection rate (FRR) and the false-acceptance rate (FAR).
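The three ITU metrics above are only useful if a deployment actually measures them, so the following added example (written for this page, not code from the report or the ITU) computes FTE, FRR and FAR from constructed evaluation data and shows the trade-off a regulator or PSP has to manage: tightening the match threshold to drive FAR down raises FRR, which is exactly where users with worn fingerprints or poor camera conditions get locked out. Scores are assumed to be similarity values in [0, 1]; the enrolment outcomes and score lists are constructed sample data, not results from any real system.

```python
from typing import Iterable


def failure_to_enrol_rate(enrolment_results: Iterable[bool]) -> float:
    """FTE: share of enrolment attempts that produced no usable template.
    High FTE is the first signal that a modality excludes part of the population."""
    results = list(enrolment_results)
    if not results:
        raise ValueError("no enrolment attempts recorded")
    return sum(1 for ok in results if not ok) / len(results)


def false_rejection_rate(genuine_scores: list[float], threshold: float) -> float:
    """FRR: share of genuine (same-person) comparisons scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def false_acceptance_rate(impostor_scores: list[float], threshold: float) -> float:
    """FAR: share of impostor (different-person) comparisons scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def threshold_for_target_far(genuine_scores: list[float], impostor_scores: list[float],
                             max_far: float) -> float:
    """Lowest threshold, among the observed scores and 1.0, whose FAR does not exceed max_far.
    Choosing the lowest such threshold keeps FRR as small as the FAR target allows."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores) | {1.0})
    for t in candidates:
        if false_acceptance_rate(impostor_scores, t) <= max_far:
            return t
    return 1.0  # unreachable in practice: at 1.0 no score can be strictly above, FAR may still be >0 only if impostors score exactly 1.0


def evaluate(enrolment_results: list[bool], genuine_scores: list[float],
             impostor_scores: list[float], threshold: float) -> dict[str, float]:
    """Report the three ITU metrics for a deployment at a given operating threshold."""
    return {
        "fte": failure_to_enrol_rate(enrolment_results),
        "frr": false_rejection_rate(genuine_scores, threshold),
        "far": false_acceptance_rate(impostor_scores, threshold),
    }


# Constructed sample data: 20 enrolment attempts, 10 genuine and 10 impostor comparisons.
ENROLMENT = [True] * 18 + [False] * 2
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.60, 0.93, 0.84]
IMPOSTOR = [0.20, 0.35, 0.41, 0.55, 0.30, 0.62, 0.48, 0.25, 0.38, 0.70]

if __name__ == "__main__":
    for t in (0.65, 0.80):
        print(t, evaluate(ENROLMENT, GENUINE, IMPOSTOR, t))
    strict = threshold_for_target_far(GENUINE, IMPOSTOR, 0.0)
    print("threshold for FAR 0:", strict, "FRR there:", false_rejection_rate(GENUINE, strict))
```

On the sample data a threshold of 0.65 gives FRR and FAR of 10% each, while 0.80 drives FAR to zero at the cost of doubling FRR; the FTE of 10% is independent of the threshold and is the figure that captures the enrolment problems the text attributes to worn fingerprints and arid climates. A deployment review should report all three at the chosen operating point rather than a single "accuracy" number.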
KYC and Identity Verification: Target 16.9 of the UN’s Sustainable Development Goals involves “legal identity for all,”[212] especially for access to financial services.[213] The ITU recommends that KYC-verification and identity-verification mechanisms adhere to the principles of Identity Proofing, Authentication and Authorization. It observes that to fulfil financial-inclusion targets, national identity schemes should be prioritized for state scheme benefits, while transaction-account identification processes should be more relaxed to promote financial inclusion. Regulators are advised to adopt risk-based identity frameworks, such that Levels of Assurance (LOA) are proportionate to the potential risks (see ISO/IEC 29115). The advantage of a dynamic, risk-based KYC approach is that it reduces friction in financial onboarding.
Federated Identity Management: In the context of identity-verification best practices, the ITU highlights the advantages of Federated Digital Identity Management marketplaces, which, if regulated to preserve consumer choice, can create a secure and interoperable KYC-verification model. A key benefit of such frameworks is the limitation of privacy concerns: such management systems limit the number of times, and the entities with which, users' data is shared.