Paytm Payments Bank Limited (PPBL) is a Global AUA and has a KUA license issued by Unique Identification Authority of India (UIDAI). It undertakes user authentications as per the UIDAI guidelines to enable some of its services / business functions. PPBL connects to the CIDR through (NSDL) who is an Authentication Service Agency (ASA/KSA). PPBL uses the demographic as well as biometric data in addition to the Aadhaar No/VID of its customers while initiating the account based relationship with its’ customers or while providing account based services to the customers.

Since PPBL handles sensitive resident information such as the Biometric information, Aadhaar number, e-KYC information etc. of the customers, it becomes imperative to ensure its security and safety to prevent unauthorized access. This Policy is in line with the directions of Information Security Policy issued by UIDAI and is applicable wherever UIDAI information is processed and/or stored by PPBL.

The objectives of the policy include:

• Design suitable controls to ensure the privacy and security of the Biometric information of the customer as well as Aadhaar number and any other data received from the UIDAI in due course of authentication.
• To provide necessary guidelines to enable compliance with Aadhaar Act 2016 and any other applicable circulars or directions issued by the UIDAI.

The policy will apply to all departments/employees of the bank which access, process or store Aadhaar number and any other data received from the customers or UIDAI in due course of authentication.

PPBL will exercise below mentioned controls to ensure the privacy and security of the Aadhaar Data:

1. Compliance

2. • e-KYC shall be carried out using only biometric and/or OTP authentication modalities
   • PPBL shall comply with all terms and conditions outlined in the AUA/KUA agreement with UIDAI, Aadhaar Act 2016 and various circulars/ directions issued by the UIDAI.
   • The operations and systems shall be audited by an information systems auditor certified by recognised body on an annual basis so as to ensure compliance with UIDAI standards and specifications. The audit report shall be shared with UIDAI upon request.
   • PPBL shall conduct a background check and sign an agreement/NDA with all personnel handling Aadhaar related authentication data.
   • Necessary Information security trainings shall be conducted for all personnel for Aadhaar related authentication services during induction.
   • Any security incidents affecting the confidentiality, integrity and availability of information received from the UIDAI will be reported to UIDAI at the earliest.
   • Display of Full Aadhaar number of the customers shall be done only for the Aadhaar number holder or employees with special roles/users having the defined need strictly on a “need to know” basis. By default, all displays should be masked and only last four digits of the Aadhaar number shall be displayed.
   • PPBL will nominate a Management point of contact and a Technical point of contact for Aadhaar related activities and communication with UIDAI.
   • UIDAI shall be informed about the ASAs, which AUA has entered into an agreement;
   • PPBL shall create internal awareness about consequences of breaches of Aadhaar data via various channels such as Newsletter articles, employee trainings, internal Memos and communications etc.
   • PPBL shall use only licensed software for Aadhaar related infrastructure environment. Record of all software licenses shall be kept and updated regularly.
   • PPBL shall execute the relevant substantive documentation from its BCs and any third party contractors incorporating confidentiality obligations for their personnel handling Aadhaar related data.
   • Access to Authentication infrastructure shall not be granted before signing the necessary substantive documentation and completion of BGV for the personnel.

3. Handling of Personnel Identity Data (PID)

4. • PPBL will ensure that the Personal Identity data (PID) block comprising of the resident’s demographic / biometric data is encrypted as per the latest API standards/specifications specified by the UIDAI at the end point device used for authentication.
   • The encrypted PID block including OTP shall not be stored unless in case of buffered authentication and in such case it shall be deleted from the local systems post authentication.
   • The authentication request sent by PPBL to UIDAI shall be digitally signed either at PPBL or at ASA.
   • The identity information of the Aadhaar number holders collected during authentication and any other information generated during the authentication process shall be kept confidential, secure and protected against un-authorized access, use and disclosure.
   • The Aadhaar number and any connected data (e.g. e-KYC XML containing Aadhaar number and data) of the customers received through authentication shall be stored on a separate secure database/vault/system called “Aadhaar data vault”.
   • Any other data received during the authentication such as demographic information and photo of the customer can be stored outside Aadhaar Data Vault.
   • Aadhaar Data Vault shall be kept in highly restricted network zone that is isolated from any untrusted zone and other internal network zones.
   • There shall be strong access controls, authentication measures monitoring and logging of access and raising necessary alerts for unusual or unauthorised attempt to access.
   • While storing the Aadhaar number in the database, the data must be encrypted and stored. Encryption keys must be protected securely using HSM.

5. Operations Security

6. • At the time of authentication, the customer shall be informed on: (a) the nature of information that will be shared by the UIDAI upon authentication; (b) the uses to which the information received during authentication may be put; and (c) alternatives for submission of identity information.
   • Consent of the Aadhaar number holder shall be obtained for each authentication preferably in electronic form and maintain logs or records of the consent.
   • PPBL shall capture the biometric information of the Aadhaar number holder using certified biometric devices as per the processes and specifications laid down by UIDAI.
   • No data of the customer shall be stored within the terminal device (i.e., biometric device).
   • Logs shall not, in any event, retain the PID, biometric and OTP information
   • Network intrusion and prevention systems shall be inplace
   • All computer clocks shall be set to an agreed standard using a NTP server or must be managed
   • Centrally
   • The AUA server shall be hosted behind a firewall. The firewall rules shall block incoming access requests to the AUA server from all sources other than AUA/KUA’s PoT (Point of Transaction) terminals;
   • Before sending any equipment out for repair which contains the UIDAI sensitive data, the equipment shall be sanitised to ensure that it does not contain any sensitive data/information.
   • The logs of KYC authentication transactions and the records of consent obtained during authentication shall be maintained for a period of 5 years, from the cessation of the account based relationship during which an Aadhaar number holder shall have the right to access such logs.
   • The authentication logs shall not be shared with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the UIDAI for audit purposes or in compliance with any legal/regulatory compliances.
   • Bank shall develop Standard Operating Procedure (SOP) for the operation and maintenance of the Aadhaar related system or service. SOP shall define the actions to be taken in the event of a failure.
   • Periodic VA exercise should be conducted for maintaining the security of the authentication applications. Reports shall be generated and shared upon request with UIDAI.
   • All hosts that handle resident’s identity information shall be secured using endpoint security solutions. An anti-virus / malware detection software shall be installed on such hosts.

7. Access Control

8. • Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing Aadhaar related information. An Access Control List shall be maintained.
   • Access rights of employees accessing/processing information received from UIDAI shall be revoked within 24 hours of termination of service or as mentioned in the HR policy of the organization.
   • There should be periodic review of the Access rights and privileges to information facilities processing UIDAI information.
   • The servers shall be dedicated for the online Aadhaar Authentication purpose and necessary controls should be in place for physical security and surveillance of the servers. Any confidentiality breach/security breach of Aadhaar related information shall be reported to UIDAI within 24 hours.
   • The users should not be provided with local admin access rights on their system. In the case of administrative access being provided, the users shall be prohibited from modifying the local security settings. Modifying the same shall result in disciplinary action.
   • The access rules of firewalls shall be maintained only by users responsible for firewall administration.

   The authentication applications used by the Business correspondents where BC needs to perform application functions, the BC should be authenticated using some authentication scheme such as password, Aadhaar authentication, smart card based authentication, etc.

   • License keys shall be kept secure and access controlled.
   • All User passwords (including administrator passwords) for the Aadhaar related systems shall be allocated, stored, created, and transmitted as per a clearly defined password policy of the bank.
   • All User passwords (including administrator passwords) shall remain confidential and shall not be shared, posted, or otherwise divulged in any manner
   • If the passwords are being stored in the database or any other form, they should be stored in encrypted form
   • Complex passwords shall be selected.
   • Passwords shall not be hardcoded in codes, login scripts, any executable program or files;
   • Password should not be stored or transmitted in applications in clear text or in any reversible form

9. Asset Management

10. • All assets (business applications, operating systems, databases, network etc.) used for the Aadhaar authentication services shall be identified, labelled and classified.
    • There should be a clearly defined procedure for the disposal of the information assets being used for authentication operations.
    • Only STQC certified Authentication devices shall be used to capture residents biometric.
    • Periodic Vulnerability Assessment (VA) exercise shall be conducted for ensuring the security of the Aadhaar infrastructure and Necessary network intrusion and prevention systems shall be implemented.
    • Event logs of the critical user-activities, exceptions and security events shall be enabled and stored as per the data retention policy of the bank.

The Policy shall be reviewed as and when required or at least once in a year, to address the requirements of the Bank and to comply with guidelines issued by the UIDAI or any applicable regulator or judiciary from time to time. However, any of the regulatory changes, during the year, will be implemented immediately with the approval of CEO under information to Board.

• Aadhaar Act 2016
• Requesting Entity Compliance Checklist_v_2.0
• Aadhaar (Authentication and Offline Verification) Regulations, 2021
• UIDAI Information Security Policy for AUA/KUA
• Various circulars issued by UIDAI