RBI Announcements

Report on Internet Banking (Part 2 of 2)

Annexure-1

Annexure-2

Annexure-3

Annexure-4

Annexure-5

Annexure-1

Note in respect of Liability of Banks

I have perused the draft report of the working group on Internet banking ("the Report"). I would like to express my disagreement on the following issues:

  • In Paragraph 6.4.16 of the Report it has been provided that any bank offering internet banking services has to first obtain the approval of the Reserve Bank of India. In this regard I would like to submit that internet banking is merely an extension of the traditional banking activities. Section 6 of the Banking Regulation Act, 1949 does not make a distinction between banking transactions carried out traditionally and those carried out over the Internet. Therefore no separate authorisation or prior approval of the regulator is required for the banks to offer internet banking facilities, since it is the same banking activities being carried out by the banks by way of adoption of different means and medium.
  • I appreciate and understand that the intention of the Working Group in providing for the same has been to ensure that there are no security breaches while providing the internet banking services. Security breaches may either be due to certain inherent defects in the technology or due to weaknesses in the design, implementation or monitoring of the system, and cannot be controlled or avoided by a prior approval process. I am of the view that security breaches can be controlled and avoided to a great extent by periodic security risk assessment and inspection by the Reserve Bank of India and the internal management of the Bank providing such facility, and by stipulating certain minimum security policy and infrastructure standards which a bank providing internet banking activity has to adopt. Further it should also be noted that the prior approval process as envisaged in the Report may expose the Reserve Bank of India to onerous liability in case there is any security breach after a prior approval has been provided by the Reserve Bank of India.

  • In Paragraph 7.1 1.1, an example has been cited as to whether a bank can claim immunity if money is transferred unauthorisedly by a hacker from a customer's account, on the pretext that it had taken all reasonable and agreed network security measures. It further cites that in a traditional banking scenario, a bank has normally no protection against payment of a forged cheque, and that if the same logic is extended, the bank providing internet banking may not absolve itself from liability to the customers on account of unauthorized transfer through hacking.
  • Hacking would involve someone gaining unauthorized access to a communication between the banker and customer that may contain commercial terms, secrets or credit details, for the purpose of either intentionally changing the contents of the communication to prejudice the interests of the parties to the communication, or using the information for some other illegal use. The essence of hacking is to cause a breach in the established network security protocols and measures. An act of hacking is intensely a technological issue, and may be perpetrated with many different intentions including that of causing harm, embarrassment, disrepute and even fraud or forgery. Hence not all hacking will constitute forgery.

    Even in case hacking results in forgery, Section 66 of the Information Technology Act, 2000 specifically provides as under:

    (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

    (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

    This section clearly specifies that a hacker will be penalised for his actions.

    Secondly, Section 79 of the Information Technology Act, 2000 excludes the liability of a network service provider to any third party if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

    Given that the law has deemed it fit to specifically affix responsibility for hacking, on the hackers and not on any other party other than the hackers, the bankers should not be at any cost made party for hacking or for something that did not occur with its knowledge or instruction and where it had taken all reasonable and due care within its control.

    Hence it may not be unreasonable for bankers to either limit their liability or specify and require via its bilateral agreements with the customers that losses on account of hacking are not its responsibilities.

    Further I would like to submit that a bank does have protection against payment of a forged cheque, albeit under certain circumstances. This problem is specifically dealt with in the Negotiable Instruments Act, 1881 ("the Act"). Sections 85 and 128 read with Section 10 of the said Act give statutory protection to a paying banker in regard to loss by interloper fraud, subject to the conditions that the payment must have been made in good faith and in due course. It has also been viewed that when an improper payment is made by the fact of the banker having been misled by contributory negligence or other fault on the part of the drawer, without which the forgery would not have taken place, then the bank can set up such negligence as a defence and secure the protection under Section 85 of the said Act. However, in order to do so, the bank must not be negligent. Thus, even with respect to forged cheques, for occurrences beyond the control of the banker, a banker is exempted from any liability.

    To strengthen my argument further, under the Information Technology Act, 2000, Section 42 clearly imposes the obligation on the subscriber to ensure that the private key is not compromised and the liability of the certifying authority for any compromise of the private key has been specifically excluded unless the subscriber informs the certifying authority of the same.

    In the light of all the above submissions, and given the fact that the law relating to the liability of banks on account of unauthorized transfer through hacking is still unsettled and evolving, it would not be proper for the Working Group to conclude in its Report that the bank providing internet banking may not absolve itself from liability to the customers on account of unauthorized transfer through hacking, especially in the light of the fact that this Report can be used, quoted and relied upon by any person in any court of law as a persuasive authority.

    C. To revert to the Report, in the same Paragraph 7.1 1.1, a similar conclusion has been reached with respect to denial of services. Denial of service can be either due to circumstances beyond the control of the bank or due to non-compliance with the eligibility norms.

    Very clearly, the bankers would be formulating transparent and pre-notified eligibility norms for availing of services by any person from it. Non-fulfilment of such eligibility norms would lead to denial of service by the bankers. Without probing into the actual eligibility norms, the intent of the same must be appreciated. These eligibility norms complement and supplement the know-your-customer philosophy and aid in preventing as well as combating money laundering, frauds, etc.

    Reference drawn to the provisions of Section 43 of the Information Technology Act, is incorrect as the said provision states:

    "if any person without the permission of the owner (the banker) or any other person who is in charge of a computer ... denies or causes denial of access to any person authorised to access any computer, computer system or computer network by any means, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected."

    Clearly the section appreciates that the denial has not been caused by the owner, and in fact caused by a third party, and aims at ensuring compensation being payable by such third party to the party affected.

    Upon raising queries with the relevant persons when the draft Information Technology Act was made available for comments, it was clarified that in case of damages beyond Rs one crore, the remedy for the person affected lies in the civil courts.

    Clearly at no point in time, can the banker be made liable for denial of service due to circumstances beyond its control.

    In this regard, I would like to draw your attention to Section 1693h of the U.S. Code, which clearly provides exemptions to the liability of a financial institution in case of failure of the financial institution to make an electronic funds transfer, in accordance with the terms and conditions of an account, in the correct manner or in a timely manner when properly instructed, if the financial institution shows by a preponderance of the evidence that its action or failure to act resulted from:

    • (1) an act of God or other circumstance beyond its control, that it exercised reasonable care to prevent such an occurrence, and that it exercised such diligence as the circumstances required; or
    • (2) a technical malfunction which was known to the consumer at the time he attempted to initiate an electronic fund transfer or, in the case of a preauthorized transfer, at the time such transfer should have occurred.

    Conclusion:

    In conclusion, as has been rightly noted by the Working Group that "the applicability of various existing laws and banking practices to e-banking is not tested and is still evolving, both in India and abroad. With rapid changes in technology and innovation in the field of e-banking, there is a need for constant review of different laws relating to banking and commerce."

    The establishment of a multidisciplinary high-level standing committee to review the legal and technological requirements of e-banking on a continual basis, and to recommend appropriate measures as and when necessary, would really be a panacea for legal clarifications as and when they arise.

    The key in such future and further deliberations would be to encourage banks towards innovation and where necessary or required evolve new practices and customs to complement the banking laws in force from time to time.

     

    Annexure-2

    List of Members of Working Group:

    1. Shri S. R. Mittal, CGM-in-charge, Department of Information Technology, Reserve Bank of India, Central Office, Mumbai – 400 001 (Chairman)
    2. Shri M. R. Srinivasan, Chief General Manager, Department of Banking Supervision, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member)
    3. Prof. N. L. Sarda, Professor, Indian Institute of Technology, Powai, Mumbai (Member)
    4. Shri S. H. Bhojani, Dy. Managing Director, ICICI Ltd, Mumbai (Member)
    5. Shri Romesh Sobti, Chief Executive Officer, ABN Amro Bank, Mumbai (Member)
    6. Shri K. R. Ganapathy, Adviser, Institute for Development and Research in Banking Technology, Hyderabad (Member)
    7. Shri Deepak Ghaisas, Chief Executive Officer, i-flex solutions ltd., Mumbai (Member)
    8. Shri Ravi Nair, Vice President, ICICI Bank Limited, Mumbai (Member)
    9. Shri K. M. Shettigar, Dy. General Manager, State Bank of India, Central Office, Mumbai – 400 021 (Member)
    10. Shri M. P. Kothari, General Manager, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member Secretary)


    Annexure-3

    List of Members of Operational Group:

    1. Shri G. P. Muniappan, Executive Director, Reserve Bank of India, Central Office, Mumbai – 400 001 (Chairman)
    2. Shri A. Ghosh, CGM-in-charge, Department of Banking Operations and Development, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member)
    3. Shri P. V. Subba Rao, Chief General Manager, Department of Banking Operations and Development, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member)
    4. Shri S. C. Gupta, Legal Adviser, Legal Department, Reserve Bank of India, Central Office, Mumbai – 400 001 (Member)
    5. Shri V. S. Santhanam, Chief General Manager, Department of Information Technology, Reserve Bank of India, Central Office, Mumbai – 400 001 (Member)
    6. Shri M. P. Kothari, General Manager, Department of Banking Operations and Development, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member Secretary)
    7. Shri Aditya Narain, Dy. General Manager, Department of Banking Supervision, Reserve Bank of India, Central Office, Mumbai – 400 005 (Member)


    Annexure-4

    References and Bibliography

    1. The EDIFACT Standards – John Berge, NCC Blackwell, 1991
    2. Authentication Systems for Secure Networks – Rolf Oppliger, Artech House, 1996 (www.artech-house.com, rolf.oppliger@esecurity.ch)
    3. Introduction to PGP – VeriSign (www.verisign.com)
    4. Packet Magazine, Third Quarter 2000 Issue – Cisco Systems (packet@cisco.com)
    5. Understanding Public Key Infrastructure – RSA Security
    6. A Step by Step Guide for Secure Online Commerce – VeriSign (www.versign.com)
    7. Architecture for Public-Key Infrastructure (APKI) – The Open Group (www.opengroup.org/public/pubs/catalog/g801.htm)
    8. The Secure Sockets Layer Protocol – Netscape Communications Corporation (www.home.netscape.com/eng/ssl3/ssl-toc.htm)
    9. The Risks of Key Recovery, Key Escrow & Trusted Third Party Encryption – Ad Hoc Group of Cryptographers & Computer Scientists (www.cdt.org/crypto)
    10. Intelligence-Based Threat Assessments for Information Networks and Infrastructures: A White Paper – Kent Anderson, Global Technology Research, Inc. (www.aracnet.com/~kea/Papers/threat_white_paper.shtml)
    11. Security Extensions for HTML – Eric Rescorla, Allan M. Schiffman, Terisa Systems, Inc. (www.ietf.org/proceedings/98aug/1-D/draft_ietf.wts.shtml)
    12. The Secure Hypertext Transfer Protocol – Allan M. Schiffman, Terisa Systems, Inc. (ftp.isi.edu/in-notes/rfc2660.txt)
    13. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network – Anonymous (www.ods.com.ua/win/eng/security/Max_Security)
    14. Federal Information Processing Standards Publication 191 – Guideline for the Analysis of Local Area Network Security (www.itl.nist.gov/fipspubs/fip191.htm)
    15. Security Architecture for the Internet Protocol – Kent & Atkinson
    16. The SSL Protocol Version 3.0 – Alan O. & Philip – Netscape & Paul C. Kocher (www.fiddle.visc.vt.edu/courses/ecpc4984nad/files/rfc2401.txt)
    17. Firewalls – IEEE Spectrum (www.spectrum.ieee.org)
    18. CERT® Security Improvement Modules – CERT (www.cert.org/security_improvement)
    19. Site Security Handbook – B. Fraser, Editor, SEI-CMU (www.csrc.nist.gov/secplcy/rfc1244.txt)
    20. Security Issues in Networks with Internet Access – Carl E. Landwehr & David E. Goldschlag (www.chacs.nrt.navy.mil/publcations/CHACS/1997/1997landwehr-PIEEE.pdf)
    21. "Biometric techniques: review and evaluation of biometric techniques for identification and authentication, including an appraisal of the areas where they are most applicable" – Dr. Despina Polemi, Report for the European Commission DG XIII, 1997
    22. NCSC-TG-009 – Computer Security Subsystems (www.radium.ncsc.mil/tpep/library/rainbow/ncsc-TG-009.html)
    23. Electronic Banking Safety and Soundness Examination Procedures – Federal Deposit Insurance Corporation, Division of Supervision (www.fdic.gov/regulations)
    24. The Information Technology Bill, 1999 (www.mit.gov.in/bill99.htm)
    25. E-Banking: Risks and Responses – Carol Sergeant, Director, Banks & Building Societies, Financial Services Authority (www.fsa.gov.uk)
    26. Hong Kong Monetary Authority – Guidelines (www.info.gov.hk/hkma)
    27. Australia – The Electronic Transactions Act (www.law.gov.au)
    28. Financial Services Regulatory Report (www.mayerbrown.com/legal/fin0696)
    29. Bank for International Settlements – Implications for Central Banks of the Development of Electronic Money, October 1996 (www.bis.org/publ/Disp01.pdf)
    30. Committee on Payment and Settlement Systems – Payment Systems in the Group of Ten Countries, Bank for International Settlements, December 1998 (www.bis.org/publ/cpss29.htm)
    31. Committee on Payment and Settlement Systems and the Group of Computer Experts – Security of Electronic Money, Bank for International Settlements, August 1996 (www.bis.org/publ/cpss18.htm)
    32. Financial Action Task Force – FATF-VIII Money Laundering Typologies Exercise Public Report, February 1997 (www.oecd.org/fatf/Ar97_en.pdf)
    33. Working Group on EU Payments – Report to the Council of the European Monetary Institute on Prepaid Cards, European Monetary Institute, May 1994 (www.ecb.int, www.systemics.com/docs/papers/EU_prepaid_cards.htm)
    34. Journal of Internet Banking and Commerce (www.Arraydev.com/commerce/jibc)
    35. Arthur Andersen – Financial Services Research Paper, Issue No. 3 (www.arthurandersen.com)
    36. JP Morgan Securities Ltd. – Equity Research – Online Finance Europe
    37. Enabling E-Commerce in India (www.giic.org)
    38. Business Models for Electronic Markets – CommerceNet (www.commerce.net)
    39. E-Commerce: A White Paper – Keith Hazelton, University of Wisconsin-Madison, 1998
    40. Internet Banking – Comptroller's Handbook, Comptroller of the Currency, October 1999


    Annexure-5

    INTERNET BANKING GLOSSARY

    Access Products - products that allow consumers to access traditional payment instruments electronically, generally from remote locations.

    American National Standards Institute (ANSI) - a standard-setting organization; it is the U.S. representative to the International Standards Organization (ISO).

    American Standard Code for Information Interchange (ASCII) - a standard code for representing characters and numbers that is used on most microcomputers, computer terminals, and printers.

    Applet - a small application program that is designed to do a small, specific job.

    Application - a computer program or set of programs that perform the processing of records for a specific function.

    Asynchronous Transfer Mode (ATM) - method of transmitting bits of data one after another with a start bit and a stop bit to mark the beginning and end of each data unit.

    Auditability - the degree to which transactions can be traced and audited through a system.

    Authentication - the process of proving the claimed identity of an individual user, machine, software component or any other entity.

    Authorization - the process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized different types of access or activity.

    Bandwidth - the transmission capacity of a computer channel or communications line.

    Bastion Host - a system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" web servers or public access systems.

    Biometrics - a method of verifying an individual’s identity by analyzing a unique physical attribute.

    Browser - a computer program that enables the user to retrieve information that has been made publicly available on the Internet; also permits multimedia (graphics) applications on the World Wide Web.

    Chip - an electronic device consisting of circuit elements on a single silicon chip. The most complex circuits are microprocessors, which are single chips that contain the complete arithmetic and logic units of computers.

    Chip Card - also known as an integrated circuit (IC) card. A card containing one or more computer chips or integrated circuits for identification, data storage or special-purpose processing used to validate personal identification numbers, authorize purchases, verify account balances and store personal records.

    Client-Server Network - a method of allocating resources in a local area network so that computing power is distributed among computer workstations in the network but some shared resources are centralized in a file server.

    Closed Network - a telecommunications network that is used for a specific purpose, such as a payment system, and to which access is restricted (also referred to as a private network).

    Closed Stored Value System - a system in which value is issued and accepted by either a relatively small group of merchants, or in which the system is limited geographically (i.e., university programs and fare cards for mass transit systems).

    Code - computer programs, written in machine language (object code) or programming language (source code).

    Computer Emergency Response Team (CERT) - located at Carnegie-Mellon University, this incident response team offers advisories, which contain enormous amounts of useful, specific security information.

    Cracker - a computer operator who breaks through a system’s security. This can be legitimate activity, such as to test system security measures.

    Cryptography - the principles, means, and methods for rendering information unintelligible and for restoring encrypted information to intelligible form (i.e., scrambling a message).

    Cyber Mall - a set of electronic or digital storefronts linked through a common web site.

    Database Administrator (DBA) - the individual with authority to control the data base management system.

    Data Encryption Standard (DES) - U.S. government standard for data encryption method published by the National Institute of Standards and Technology for the encryption of sensitive U.S. government data which does not fall under the category of national security related information. The DES uses a 64-bit key.

    Data Integrity - the property that data meet with an a priori expectation of quality.

    Dedicated - assigned to only one function.

    Dial-up - the ability of a remote user to access a system by using private or common carrier telephone lines.

    Digital - referring to communications processors, techniques, and equipment where information is encoded as a binary "1" or "0".

    Digital Certification - a process to authenticate (or certify) a party’s digital signature; carried out by trusted third parties.

    Digital Signatures - a mathematical encryption technique that associates a specific person with a given computer file and indicates that the file has not been altered since that person signed it; should not be confused with making an electronic representation of a written signature.

    Distributed Transaction Processing - application processing that involves multiple users requiring concurrent access to a single shared resource.

    Domain Name - an alphanumeric name for a web site that includes both the online address and online name.

    Download - to transmit a file or program from a central computer to a smaller computer or a remote site.

    Electronic Cash - the digital equivalent of dollars and cents (also referred to as digital cash).

    Electronic Data Interchange (EDI) - the transfer of information between organizations in machine-readable form.

    Electronic Document - the digital or computer equivalent of paper documents.

    Electronic Money - monetary value measured in currency units stored in electronic form on an electronic device in the consumer’s possession. This electronic value can be purchased and held on the device until reduced through purchase or transfer.

    Electronic Purse - a stored value device that can be used to make purchases from more than one vendor.

    E-mail - messages people send to one another electronically from one computer to another.

    Encryption (Cryptography) - the process of scrambling data by a device or encoding principle (mathematical algorithms) so that the data cannot be read without the proper codes for unscrambling the data.

    End-to-end Encryption - the protection of information passed in a telecommunications system by cryptographic means, from point of origin to point of destination.

    Ethernet - a type of local area network originally developed by Xerox; communication takes place by means of radio frequency signals carried over coaxial cable.

    File Transfer Protocol (FTP) - a standard way of transferring files from one computer to another on the Internet.

    Firewall - a system or combination of hardware and software solutions that enforces a boundary between two or more networks.

    Flowchart - a programming tool to graphically present a procedure by using symbols to designate the logic of how a problem is solved.

    Gateway - a computer that performs protocol conversion between different types of networks or applications.

    Graphical User Interface (GUI) - a way of communicating with a computer by manipulating icons (pictures) and windows with a mouse.

    Groupware - software that allows a group of people to work on the same data through a network, by facilitating file sharing and other forms of communication.

    Hacker - a computer operator who breaks into a computer without authorization, either for malicious reasons or just to prove it can be done.

    Home Banking - banking services that allow a customer to interact with a financial institution from a remote location by using a telephone, television set, terminal, personal computer, or other device to access a telecommunication system which links to the institution’s computer center.

    Home Page - a screen of information made available to users through the Internet or a private intranet; it is the "main page" that users are expected to read first in order to access the other pages that comprise the web site.

    Host - also known as a host computer that is the primary or controlling computer in a computer network, generally involving data communications or a local area network.

    Hypertext - electronic documents that present information that can be connected together in many different ways, instead of sequentially.

    Hypertext Markup Language (HTML) - a set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.

    Hypertext Transfer Protocol (HTTP) - a standard method of publishing information as hypertext in HTML format on the Internet.

    Incident Response Team - a team of computer experts (internal or external) organized to protect an organization’s data, systems, and other assets from attack by hackers, viruses, or other compromise.

    Integrated Circuit Card (IC Card) - a plastic card in which one or more integrated circuits are embedded (also called a chip card).

    Integrated Services Digital Network (ISDN) - a type of all-digital telephone service. ISDN lines provide a connection that can transmit digital data as well as voice, without a modem.

    International Organization for Standardization/Open Systems Interconnection (ISO/OSI) – an international standard-setting organization. ANSI is the U.S. representative.

    Internet - a worldwide network of computer networks (commonly referred to as the Information Superhighway).

    Internet Service Provider (ISP) - an entity that provides access to the Internet and related services, generally for a fee.

    Interoperability - the compatibility of distinct applications, networks, or systems.

    Intranet - a private network that uses the infrastructure and standards of the Internet and World Wide Web, but is cordoned off from the public Internet through firewall barriers.

    Issuer - in a stored value or similar prepaid electronic money system, the entity which receives payment in exchange for value distributed in the system and which is obligated to pay or redeem transactions or balances presented to it.

    Key - A secret value or code used in an encrypting algorithm known by one or both of the communicating parties.

    Local Area Network (LAN) - a network that connects several computers that are located nearby (in the same room or building), allowing them to share files and devices such as printers.

    Lock and Key Protection System - a protection system that involves matching a key or password with a specific access requirement.

    Logging - the storing of information about events that occurred on the firewall or network.

    Magnetic Stripe - used on debit, credit, and identification cards to store encoded information read by card readers; less secure than computer chip cards.

    Memory Card - an integrated circuit (IC) card capable of storing information only.

    Middleware - facilitates the client/server connections over a network and allows client applications to access and update remote databases and mainframe files.

    National Institute of Standards and Technology (NIST) – a US agency within the Department of Commerce, established to develop technical, management, physical and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems. NIST issues the Federal Information Processing Standards (FIPS).

    Navigation - moving through a complex system of menus or help files.

    Network - a group of computers connected by cables or other means and using software that enables them to share equipment and exchange information. A system of software and hardware connected in a manner to support data transmission.

    Node - any device, including servers and workstations, connected to a network. Also, the point where devices are connected.

    Non-repudiable Transactions - transactions that cannot be denied after the fact.

    Offline - equipment or devices that are not in direct communication with the central processor of a computer system, or connected only intermittently.

    Online - equipment or devices that communicate with a computer network. Connections can be direct (as in a LAN using dedicated connections) or indirect (as in using the Internet).

    Online Scrip - debit accounts on the Internet or other major computer network.

    Online Service Providers (OSP) - closed network services that provide access to various computer sites or networks for a fee.

    Open Network - a telecommunications network to which access is not restricted.

    Open Stored Value System - a system that may be comprised of one or more electronic cash issuers of stored value that is accepted by multiple merchants or entities.

    Operating System - a program that controls a computer and makes it possible for users to enter and run their own programs.

    Packet Switching - a data transmission method that routes packets along the most efficient path and allows a communication channel to be shared by multiple connections.

    Password - a unique word or string of characters that a programmer, computer operator, or user must supply to satisfy security requirements before gaining access to the system or data.

    Password Cracker - a software program designed to conduct an automated brute force attack on the password security controls of an information system by "guessing" user passwords.

    Password Sniffer - a software program that is illicitly inserted somewhere on a network to capture user passwords as they pass through the system.

    Payment System - a financial system that establishes the means for transferring money between suppliers and users of funds, usually by exchanging debits or credits between financial institutions.

    Personal Identification Number (PIN) - a sequence of digits used to verify the identity of a device holder.

    Piggyback (Between-the-lines Entry) - a means of gaining unauthorized access to a system via another user’s legitimate connection.

    Point of Sale (POS) - a system of terminals that debits or charges a customer’s account and credits or pays a merchant’s account to effect payment for purchases at retail establishments.

    Prepaid Card - a card on which value is stored, and for which the holder has paid the issuer in advance.

    Privacy - in the context of a payment system, the property that no information which might permit determination of transactions may be collected without the consent of the counterparties involved.

    Protocols - a standardized set of rules that define how computers communicate with each other.

    Proximity Cards - cards that can be read from a short distance; mainly used for security and vehicle identification.

    Public Key Cryptography - a type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected, so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.

    Remote Payment - a payment carried out through the sending of payment orders or payment instruments.

    Repudiation - the denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.

    Router - a computer system in a network that stores and forwards data packets between local area networks and wide area networks.

    Scattering - the process of mixing the integrated circuit (IC) chip components so that they cannot be analyzed easily.

    Search Engines - software programs that are capable of locating specified information or web sites on the Internet.

    Secure Electronic Transaction (SET) - a set of standards jointly developed by Visa, MasterCard, and several technology companies to facilitate secure credit card transactions over the Internet.

    Secure Hypertext Transfer Protocol (SHTTP) - a protocol that provides secure communication mechanisms between an HTTP client-server pair.

    Secure Socket Layer (SSL) - a protocol for providing data security during transmission using data encryption, server authentication, and message integrity.

    Server - a computer that provides services to another computer (the client).

    Settlement - an act that discharges obligations with respect to funds or securities transfers between two or more parties.

    Settlement system - a system used to facilitate the settlement of transfers of funds.

    Simple Mail Transfer Protocol (SMTP) - a protocol used to transfer electronic mail between computers on the Internet.

    Smart Card - a card with a computer chip embedded, on which financial, health, educational, and security information can be stored and processed.

    Specification - documents that contain basic detailed data.

    Spoofing - an attempt to gain access to a system by posing as an authorized user.

    Standards - the rules under which analysts, programmers, operators, and other personnel in an information service organization work.

    Stored Value Card - a card that stores prepaid value via magnetic stripe or computer chip.

    Structured Query Language (SQL) - a query language used to manipulate large databases.

    System Integrity - the quality that a system has when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent manipulation of the system.

    System Specification - a baseline specification containing all the essential computer-based business system documentation. It is completed at the end of the Development Phase.

    Systemic Risk - the risk that the failure of one participant in a funds transfer system, or in financial markets generally, to meet its required obligations will cause other participants or financial institutions to be unable to meet their obligations when due.

    Systems Analysis - the performance, management, and documentation of the four phases of the life cycle of a business system: study, design, development, and operation.

    Tamper-evident - the capacity of devices to show evidence of physical attack.

    Tamper-proof - the proven capacity of devices to resist all attacks.

    Tamper-resistant - the capacity of devices to resist physical attack up to a certain point.

    Telecommunications - data transmission between a computing system and remotely located devices via telephone lines, cable, or wireless technology.

    Telnet - a protocol that permits users to access a remote terminal or another computer through a network; widely used on the Internet.

    Threat Monitoring - the analysis, assessment, and review of audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of system security.

    Throughput - the total amount of useful work performed by a data processing system during a given period of time.

    Topology - the arrangement of nodes usually forming a star, ring, tree, or bus pattern.

    Traceability - the degree to which transactions can be traced to the originator or recipient (also referred to as auditability).

    Transferability - in electronic money systems, the degree to which an electronic balance can be transferred between devices without interaction with a central authority.

    Transmission Control Protocol/Internet Protocol (TCP/IP) - a standard format for transmitting data in packets from one computer to another, on the Internet and within other networks. TCP deals with the construction of the data packets while IP routes them from machine to machine.

    Trap Door - a concealed and unauthorized entrance into a computer operating system, designed by the programmer.

    Trojan Horse - a program that appears to perform a useful function and sometimes does so quite well but also includes an unadvertised feature, which is usually malicious in nature.

    Truncation - dropping off part of a character string either to conserve space or because of limited space.

    Trusted Computer System - a system that employs sufficient assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.

    Trusted Third Party - a reputable entity that authenticates one or more parties to an electronic transaction. The authentication process generally involves the issuance and administration of digital certificates.

    Uniform Resource Locator or Universal Resource Locator (URL) - a way of specifying the location of available information on the Internet.

    Upload - to transmit a file to a central computer from a smaller computer or a remote location.

    Usenet - a set of many newsgroups distributed via the Internet.

    Virtual Corporations - corporations that have no official physical site presence and are made up of diverse geographically dispersed or mobile employees.

    Virus - a program with the ability to reproduce by modifying other programs to include a copy of itself. It may contain destructive code that can move into multiple programs, data files, or devices on a system and spread through multiple systems in a network.

    Vulnerability - a weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security.

    Web Page - a screen of information supporting the home page of a web site.

    Web Site - the collection of an entity’s home page and other proprietary pages located on the World Wide Web.

    Wide Area Network (WAN) - a communications network that covers a wide geographic area, such as a state or country, using high-speed long-distance lines or satellites provided by a common carrier.

    World Wide Web (web, www) - a sub network of the Internet through which information is exchanged via text, graphics, audio, and video.

    Worm - a program that scans a system or an entire network for available, unused space in which to run. Worms tend to tie up all computing resources in a system or on a network and effectively shut it down.
