
Wednesday, April 19, 2017

Is a Credit or Debit Card PIN an Electronic Signature as per the Law?


For lawyers across the world, a click and wrap agreement, i.e. the act of ticking an icon in the shape of a box to accept the terms of a contract, can hardly count as a form of signature. In the physical world, that must be right. Similarly, it might be questioned whether a personal identity number (PIN) can also be considered to be an electronic signature.
Arguably, the PIN combines two functions. Before considering the two functions, consider the requirements of the bank. The bank needs to satisfy itself that:
1. The card is legitimate (this is difficult to achieve, as the reports about fraud demonstrate), and
2. The card is in the possession of the customer to whom it was issued, or a person authorised by the customer to use the card.
If the bank satisfies itself that its computer systems are interacting with the card issued to the customer (which is not always the case), then the computer system requests the purported customer to undertake one further act to confirm they (or a person authorised by them) have physically inserted the card into the ATM or the point of sale terminal, by keying in the correct PIN. Generally, if the computer systems receive positive results from both interactions, then the bank will permit the person at the ATM or the point of sale terminal to undertake whatever activity they are permitted to do within the terms of the mandate.
The first function of a PIN
The first function of the PIN acts as a means of authentication. The PIN purports to demonstrate that the person that keyed in the PIN knew the correct PIN (there are some forms of attack that do not need the correct PIN – any combination of numbers will act to deceive the card issuer that the correct PIN has been keyed in).

Once the computer systems of the bank are satisfied that the card is legitimate and the PIN is the correct PIN of the customer, then the person at the ATM or the point of sale terminal can undertake any activity on the account that is permitted within the mandate and within the limitations of the technology.
The second function of a PIN
The PIN, even though it is offered to the machine before a transaction is effected, acts as a signature to verify a payment or other form of transaction. This means that the presentation of a card to an ATM, and the input of a PIN, is similar to a cheque that is written out by the account holder, signed, and then presented to the cashier at the bank. The customer completes the action necessary to request a payment in advance of the payment being made by the cashier, and then signs the cheque in the presence of the cashier – all before receiving acknowledgment that a transaction has been authorised. This means the PIN is a form of electronic signature.
It might be considered that the action of clicking the ‘I accept’ icon or box, or typing in a PIN, is merely a means by which the person agrees to conclude the contract, but the act is not that of appending their electronic signature.
This analysis might be right, but we must recall that the digital world is different to the physical world. Conceptually, some of the forms of electronic signature may not strictly be considered ‘signatures’ in the physical world. Nevertheless, it is a convenient shorthand to refer to some forms of agreeing to enter a contract as an ‘electronic signature’ – at least we can all understand the meaning behind these words, even if the form is not quite what we expect.

Case Law:

Standard Bank London Ltd v. Bank of Tokyo Ltd [1995] CLC 496; [1996] 1 C.T.L.R. T-17 and Industrial & Commercial Bank Ltd v. Banco Ambrosiano Veneto SpA [2003] 1 SLR 221, where a message using an authentication code sent through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system has the legal effect of binding the sender bank according to its contents, and where a recipient bank undertakes further checks on credit standing or other aspects, it does not detract from this proposition. 

What is one's responsibility as a cardholder?
You, and all your supplementary cardholders, must take all reasonable precautions to prevent the card and the card number, the PIN, or any other security details for the card or account (the “card security details”) from being misused or being used to commit fraud. These precautions include:
  • sign the card as soon as it is received and comply with any security instructions;
  • protect the card, the PIN, and any card security details;
  • do not allow anyone else to have or use the card;
  • do not write down the PIN or the card security details nor disclose them to anyone else including the police and/or bank staff;
  • do not allow another person to see your PIN when you enter it or it is displayed;
  • do not tamper with the card;
  • regularly check that you still have your card;
  • keep card receipts securely and dispose of them carefully; and
  • contact the bank about any suspicious matter or problem regarding the use of the card at a terminal.
You must notify the bank immediately if:
  • your card is lost or stolen; or
  • your PIN may have been disclosed; or
  • your card is retained by an ATM; or
  • your address or contact details have changed

Definition of Electronic Signature in various Countries


USA:
Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001-7003. 
ELECTRONIC SIGNATURE. – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. 
Canada:
The Uniform Electronic Commerce Act provides a single, media neutral, definition of an electronic signature in s1(b):
(b) “electronic signature” means information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to or associated with the document.
China:
Order No. 24 of the President of the People’s Republic of China, promulgated on and effective since 4 April 2015, amending the 2004 law.  
Electronic Signatures Law of the People’s Republic of China of 2015. Article 2 provides a definition of electronic signature and data message, both of which are widely drafted:
“Electronic signature” in this law means data in electronic form in or affixed to a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.
“Data message” means information generated, sent, received or stored by electronic, optical, magnetic or similar means.
EU:

The Regulation provides the definition of an electronic signature in article 3(10)
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
India:
Sec 2 (ta) of the Information Technology Act 2000 defines electronic signature as
“Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.”
The definition of electronic signature includes digital signature and other electronic techniques which may be specified in the second schedule of the Act; thus an electronic signature means authentication of an electronic record by a subscriber by means of electronic techniques. The adoption of ‘electronic signature’ has made the Act technology-neutral, as it recognizes both the digital signature method based on cryptographic technique and electronic signatures using other technologies.

Monday, January 11, 2016

DSC & Electronic Signature Laws in India

By Prashant Mali


What is a DSC, i.e. Digital Signature Certificate?

Digital Signature Certificates (DSC) are the digital equivalent (that is electronic format) of physical or paper certificates. Examples of physical certificates are drivers' licenses, passports or membership cards. Certificates serve as proof of identity of an individual for a certain purpose; for example, a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally. A licensed Certifying Authority (CA) issues the digital signature. Certifying Authority (CA) means a person who has been granted a license to issue a digital signature certificate under Section 24 of the Indian IT-Act 2000.

The list of licensed CAs along with their contact information is available on the Controller of Certifying Authorities (CCA) portal (www.cca.gov.in).

Digital Signature Vs. Digital Certificate

Digital signatures are based on three pointers for authentication in the virtual world: privacy, non-repudiation and integrity. The objectives of the digital certificate are to authenticate documents and to bind the person who is putting the digital signature. The digital signature is based on public key cryptography, which requires two separate keys, one secret and one public. Both keys are linked together: one key encrypts the plain text and the other decrypts the ciphertext, and neither key can perform both functions. The other difference is that a digital signature is an electronic process of signing an electronic document, while a digital certificate is a computer-based record which identifies the certifying agency or the subscriber.

Digital Signature Vs. Electronic Signature

The Information Technology Amendment Bill 2006 replaces the word “Digital” with the word “Electronic” at several places in the principal Act, which creates a slight difference between the two: electronic signature is wide in nature, while the digital signature is one of the many kinds of electronic signature. Section 2(ta) provides that “electronic signature” means authentication of any electronic record by a subscriber by means of an electronic technique specified in the second schedule and includes digital signature, and section 2(p) provides that “Digital Signature Certificate” means a Digital Signature Certificate issued under sub-section (4) of section 35.

Aadhaar eSign based electronic signatures being used by Legality are a completely legally accepted and secure manner of electronically signing documents, under the effect of Gazette Notification No. 2015 Jan -GSR 61(E) Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015. Aadhaar eSigns are recognised as an accepted method of secure electronic signatures as part of the Second Schedule of the Information Technology Act, 2010 (IT Act). The IT Act recognises secure electronic signatures such as Aadhaar eSign as having legal validity equivalent to that of physical signatures. Aadhaar eSigns work under the regulatory framework set up by the Controller of Certifying Authorities, Ministry of Electronics and Information Technology, Government of India.

What types of e-signatures are recognized under the IT Act, 2000?

The IT Act recognizes the two following types of signatures:

(1) E-signatures that combine an Aadhaar with an eKYC service

Users with an Aadhaar ID, the unique identification number issued by the Indian government to all Indian residents, are free to use an online e-signature service to securely sign documents online. In this case, the online e-signature service integrates with an Application Service Provider (ASP) to provide users with a mobile or web app interface that they can interact with. The users then use this app interface to apply e-signatures to any online document by authenticating their identity using an eKYC service such as OTP (One time passcode) provided by an eSign Service Provider. The online e-signature service works with an accredited service provider to provide certificates and authentication services that comply with government guidelines.

(2) Digital signatures that are generated by an asymmetric crypto-system and hash function

An ‘asymmetric cryptosystem’ refers to a secure pair of keys: a private key and a public key. Both are unique to each user, and can be leveraged to verify and create an e-signature.

In this scenario, users obtain a digital signature from a reputed Certifying Authority (CA) in the form of a digital certificate. These certificates typically include the user’s name, public key, the expiration date of the certificate, and other necessary information about the user. Operating systems and browsers typically maintain a list of trusted CA root certificates that are used to verify digital certificates issued by a CA. The user might also be issued a USB token containing the digital-certificate-based digital ID, along with a personal PIN, to sign a document.

What are the factors that make e-signatures valid in India?

Here are the 5 criteria that e-signatures need to satisfy in order to be valid as per the IT Act:

(1) E-signatures must be uniquely linked to the person signing the document. This condition is often met by issuing a digital-certificate-based digital ID.

(2) At the time of signing, the signer must have total control over the data used to generate the e-signature. Most online e-signature service providers allow signers to directly affix their e-signature to the document in order to meet this requirement.

(3) Any alteration to the affixed e-signature, or the document to which the signature is affixed, must be detectable. This is often met by encrypting the document with a tamper-evident seal.

(4) There should be an audit trail of steps taken during the signing process.

(5) The digital signature certificate must be issued by a Certifying Authority (CA) recognised by the Controller of Certifying Authorities (CCA) appointed under the IT Act, 2000.
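
The hash-and-sign scheme described under type (2) above, together with criteria (1) and (3), as an added Go example that is not part of the original post. ECDSA over P-256 with SHA-256 is an assumed algorithm choice, and the key pairs and sample record are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes doc with SHA-256 and signs the digest with the private key.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the hash and checks sig using only the public key,
// the value a certificate binds to the signer's name.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed record and verifies, in order: the original, an
// altered document, an altered signature, and a different person's public key.
func Demo() (r [4]bool, err error) {
	var keys [2]*ecdsa.PrivateKey // keys[0] is the signer, keys[1] someone else
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return r, err
		}
	}
	doc := []byte("Constructed sample: I agree to pay INR 10,000 to A. Kumar.")
	altered := []byte("Constructed sample: I agree to pay INR 90,000 to A. Kumar.")
	sig, err := SignDocument(keys[0], doc)
	if err != nil {
		return r, err
	}
	badSig := append([]byte{}, sig...)
	badSig[len(badSig)-1] ^= 0x01 // flip one bit of the signature
	r[0] = VerifyDocument(&keys[0].PublicKey, doc, sig)
	r[1] = VerifyDocument(&keys[0].PublicKey, altered, sig)
	r[2] = VerifyDocument(&keys[0].PublicKey, doc, badSig)
	r[3] = VerifyDocument(&keys[1].PublicKey, doc, sig)
	return r, nil
}

func main() {
	fmt.Println(Demo())
}
```

Only the first check succeeds: changing a single character of the record or a single bit of the signature makes verification fail, and so does checking against a key that belongs to someone other than the signer.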

Can documents of all kinds be executed using e-signatures?

No. Certain documents that require a notarial process, or must be registered with a Registrar or Sub-Registrar, can only be executed using handwritten signatures to be legally enforceable. These primarily include:

(1) Negotiable instruments such as a promissory note or a bill of exchange other than a cheque

(2) Powers of attorney

(3) Trust deeds

(4) Wills and any other testamentary disposition

(5) Real estate contracts such as leases or sales agreements

You can’t be a Company director without a mobile phone, email ID and DSC, under the new KYC norms. This is the fallout of the new DIR-3-KYC norms brought forth by the Ministry of Corporate Affairs (MCA). The Rules require every director to file the KYC form by 31 August 2018, after which the Directors’ Identification Number (DIN) granted to the director shall be “deactivated”. The rules also lay down that such de-activated DIN shall be re-activated only after the person has filed the KYC Form. One of the mandatory requisites of the new KYC form is that the director shall provide his/her mobile number, email ID and file the e-form with his/her own digital signature (Digital Signature Certificate or DSC).
