Security Practices & Data Protection
This Security Policy describes the technical, administrative, and organizational measures adopted by MOCARD PAYMENT SERVICES PRIVATE LIMITED to protect user data, financial information, and transactions in compliance with the IT Act, the DPDP Act 2023, RBI guidelines, and NPCI security standards.
Purpose of This Policy
Safeguarding Information
This Policy outlines how MoCard safeguards user information and ensures secure payment operations.
Applicability
This Policy applies to all users, merchants, partners, employees, contractors, and service providers accessing the MoCard Platform.
Core Framework
Security is a core component of MoCard's operational and compliance framework.
Security Governance & Responsibility
Dedicated Personnel
The Company has designated internal security and compliance personnel responsible for overseeing data protection and cyber security practices.
Training
All employees and contractors undergo periodic security awareness and confidentiality training.
Access Control
Access to systems is granted strictly on a need-to-know and role-based basis.
Data Encryption & Transmission Security
TLS/SSL Encryption
All data transmitted between user devices and MoCard servers is protected using industry-standard encryption protocols (TLS/SSL).
Data at Rest
Sensitive data such as PAN, Aadhaar details, bank information, and authentication credentials are encrypted at rest.
Key Management
Encryption keys are securely managed and access is restricted to authorized personnel only.
Secure Infrastructure
AWS India Hosting
MoCard's infrastructure is hosted on secure cloud environments (AWS) located in India for data localization compliance.
Protection Systems
Servers are protected using firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
Maintenance
Regular system hardening, patching, and vulnerability remediation are performed to maintain security.
Access Control & Authentication
Multi-Factor Authentication
Multi-factor authentication (MFA) is implemented for administrative and critical system access.
User Authentication
User authentication is performed using secure OTP-based verification and device validation.
Session Security
Session timeouts and auto-logout mechanisms are enforced to prevent unauthorized access.
Payment & Transaction Security
Authorized Partners
All payment transactions are processed through authorized and regulated payment partners such as banks, NPCI, Razorpay, and Paysprint.
Card Data Policy
For enhanced security, MoCard does not store sensitive card details on its servers.
UPI Compliance
UPI transactions comply with NPCI security and risk management guidelines.
KYC & Identity Security
Regulatory Compliance
KYC data, including identity documents and selfies, is collected only for regulatory compliance purposes.
Secure Storage
KYC information is securely stored and access is limited to authorized verification systems.
Re-verification
Re-verification may be conducted to prevent identity fraud or misuse of accounts.
Fraud Detection & Monitoring
Automated Monitoring
MoCard employs automated monitoring systems to detect suspicious or abnormal transaction patterns in real-time.
Transaction Review
Transactions may be temporarily restricted or flagged for manual review if fraud risk is detected.
Reporting
Confirmed fraudulent activities may be reported to law enforcement or regulatory authorities.
Data Minimization & Retention
Minimal Collection
MoCard collects only data that is necessary for providing Services and meeting legal obligations.
Retention Period
Financial and transactional data is retained as per regulatory requirements (typically up to 8 years).
Secure Deletion
Data is securely deleted or anonymized after the retention period or upon account closure, where permitted.
Third-Party Security
Vendor Evaluation
Third-party service providers are carefully selected and evaluated for security compliance before engagement.
Contractual Obligations
Contractual obligations require third parties to maintain appropriate security safeguards for data protection.
Liability
MoCard is not responsible for security breaches occurring solely within third-party systems.
Incident Response & Breach Management
Response Plan
MoCard maintains an incident response plan to address security breaches promptly and effectively.
Breach Handling
In the event of a data breach, appropriate containment, investigation, and remediation steps will be taken.
Notification
Users and authorities will be notified where legally required under applicable data protection laws.
User Responsibilities
Credential Security
Users must keep their login credentials, OTPs, and devices secure at all times.
Reporting
Users should immediately report any unauthorized activity or suspected breach to our support team.
Negligence
MoCard shall not be responsible for losses arising from user negligence or failure to secure credentials.
Limitation of Liability
Reasonable Practices
While MoCard follows reasonable security practices, no system is completely secure against all threats.
Force Majeure
MoCard shall not be liable for losses caused by factors beyond its reasonable control.
Policy Updates
Periodic Updates
This Security Policy may be updated periodically to reflect regulatory or technological changes.
Acceptance
Continued use of the Platform constitutes acceptance of the revised Policy.
Security Reporting & Contact
For security-related concerns, vulnerability reporting, or questions about our data protection practices.
Security Highlights
By using MoCard, you acknowledge that you have read, understood, and agreed to this Security Practices & Data Protection Policy.