Developing A Secure National Payment Gateway


Bank Indonesia (BI) inaugurated last week the National Payment Gateway (NPG), an integrated, efficient and affordable electronic payment system. The NPG aims to process all domestic electronic transactions through local payment companies and on-soil infrastructure.


In a world under the NPG, we would only see one electronic data capture (EDC) machine at every merchant — capable of processing transactions using cards from different issuers — instead of multiple EDCs sitting at the register, each serving a limited group of card transactions using certain payment networks.


This exciting movement toward an integrated national payment system was recently accentuated by state lenders, who have agreed to integrate their EDCs for point-of-sale (POS) transactions in six state-owned enterprises (SOEs).


Starting December 2017, cards issued by Bank Mandiri, BNI, BRI and BTN can be processed using only one EDC machine at the merchants of these SOEs. Moreover, any idle EDC at one merchant can be transferred to another merchant to increase electronic payment penetration. This aligns with BI's mission to promote cashless transactions under the National Cashless Movement (GNNT).


It is a splendid idea, but not one without challenges. A movement toward a cashless economy requires changes in customer behavior, which in turn requires trust in the payment system, which itself can only be attained through reliability and security of the payment system in question. This is even more true under a centralized system like the NPG, which might be more likely to be exposed to system failures.


Once hackers find a single weak point in the NPG, our entire payment system is compromised and, thus, vulnerable to fraud and cyberattacks. An attack on the NPG would lead to an unprecedented level of damage, as our entire payment system is dependent on it.


Needless to say, BI and NPG operators need to commit to developing secure payment infrastructure and procedures. Unfortunately, Indonesia does not have a law on personal data protection, hence the minimal pressure on industry players to develop such infrastructure and procedures to comply with data protection measures.


Under this situation, the immediate action to be taken is to align NPG's security standards and technology with existing ones. Currently, none of the local switching companies that will become NPG operators are certified in accordance with international security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). This is rather alarming and might engender mistrust toward electronic payments among the public.


Amid the dizzying pace of digitalization in multiple facets of our economy, security should never take a back seat and instead be given priority. The NPG will effectively become a strategic backbone of our growing digital economy and enabler of all domestic electronic transactions, including disbursement of social aid, toll electrification and payment in e-commerce portals. Given the NPG's importance, BI and NPG operators need to develop a robust risk management and mitigation system to eliminate threats of cybercrimes that have only swelled in the past few years.


In the long run, it is true that creating a safe and sound payment ecosystem is not only the responsibility of payment regulators and players. From the regulatory perspective, a law on personal data protection is essential. The government, especially the Communications and Information Ministry, and the House of Representatives are currently discussing this draft law (RUU), but so far it looks like the RUU will not be included in next year's legislative priority agenda (Prolegnas). This is unfortunate, as the idea for this law has been discussed in the House over the past decade with no tangible results.


Pressure on the government and the House is needed from many sides to accelerate the drafting process of this law. Currently, we do not have clear stipulations on what and how providers should protect customer data and system security. A prevailing law on personal data protection would force system providers to up their security standards and penalize them should they fail to do so.


Reliable payment security standards and infrastructure, backed by adequate laws and regulations, would create a trustworthy system for existing customers and attract more people to start using electronic payment systems. Ultimately, this is what BI envisions with GNNT: to reduce our dependency on cash and shift our economy to a cashless one.

Surely with confidence comes comfort — on the back of a secure system, the public will gradually adapt to digital payments in their daily lives and realize the benefit of it. Propped up by the right incentives and support, cashless payments would then no longer be enjoyed exclusively by the upper middle class, as has been the case until now, but also by those who have never had a bank account or used a debit card.


Indeed, creating a secure payment system under the NPG is the first step toward a more inclusive, cashless economy.


The writer is chairman of the Communication and Information System Security Research Center (CISSReC). The views expressed are his own.