Security needs to be planned and discussed early, right at the product ideation stage: Prashant Madhyasta, Cashfree Payments
In an interview with Express Computer, Prashant Madhyasta, Chief Information Security Officer at Cashfree Payments, shares his perspective on the evolving role of the CISO and the growing importance of cybersecurity in India's rapidly advancing fintech ecosystem. Focusing on regulatory compliance, the protection of personal data, and the integration of technologies such as AI, Madhyasta explains why security must be woven into an organisation's growth and product development from the outset rather than bolted on at the end.
How do you think the role of the CISO has changed over the years?
The role of the CISO has been evolving over the past decade. Earlier, the focus was different, but now there’s a strong emphasis on meeting regulatory requirements and mandates. A lot of new compliance frameworks have emerged that weren’t there before. Compared to MNCs and other countries, India—especially in the fintech space and around PFI data—has placed a much greater emphasis on regulation, user data sensitivity, and PII protection.
The RBI, in particular, has introduced very progressive regulatory requirements, ensuring vendors and companies actively provide feedback and help in developing new controls. It’s a proactive effort to position India as a global leader in BFSI, which is already evident with innovations like UPI and API banking.
Personally, I see this as an exciting shift. Having worked with GDPR and US federal agencies, including on FedRAMP compliance—which is very stringent—I believe India is moving in the right direction. Over time, Indian companies will need to comply with similar high standards.
Do you think India has been slow in adopting a modern data protection law, taking extra time to devise a new strategy?
When it comes to GDPR, it took about seven or eight years for Europe to fully develop and implement it. Even when they began, there weren’t specific requirements—it evolved based on industry standards, attack patterns, and how users were being impacted.
If you look at India’s journey, we really saw the major influence of technology around the COVID period or maybe four to five years ago. Before that, although we had internet and net banking, it was mostly limited to core banking sectors. Broader technology adoption accelerated only when opportunities like UPI came along, prompting regulatory bodies like RBI and others to introduce more requirements and mandates.
So, I wouldn’t say India has been sluggish. Our regulations are developing in response to industry needs and challenges. While we may have started later, especially compared to GDPR, the progress over the last two to three years has been rapid. Many leaders, communities, and chapters are actively contributing to shaping these initiatives. Overall, despite a late start, the journey has been very fast-paced and promising.
With UPI and payment APIs becoming the backbone of India’s digital commerce, how is Cashfree Payments ensuring real-time threat detection without compromising transaction speed or user experience?
I think we’ve built an industry-first solution with RiskShield, along with our product called the UPI Switch. The UPI Switch enables us to deliver very high transaction rates—around 12,000 transactions per second—with about a 30% deviation rate. This was developed by Cashfree in collaboration with NSDL and PCI, and it’s a major innovation that helped us strengthen our offerings.
RiskShield, again an industry-first from Cashfree, allows merchants to review their customers during onboarding. It assesses the specific risks customers might pose and the industries they belong to, using various threat models and AI-based evaluations to provide real-time feedback.
Thanks to UPI, we’ve seen the rise of seamless API banking, UPI transactions, and real-time settlements, and these advancements have contributed significantly to the development of such products.
Given the recent rise in supply chain attacks targeting software vendors, what strategies has Cashfree adopted to secure its third-party dependencies and vendor ecosystem?
Securing third-party dependencies is a multifaceted area for us, as many risks come into play. At Cashfree, for every product integration, we conduct a rigorous vendor assessment even before onboarding. This includes reviewing the vendor’s security compliance certifications, their incident response policies, disclosure practices, product security posture, and the frequency of their security assessments.
This is not a one-time process—once onboarded, vendors are continuously monitored. Every quarter, we reassess their security posture to ensure ongoing compliance. We also have multiple tools integrated into our onboarding and procurement processes. Legal teams conduct a thorough review of contractual obligations, including NDA reviews and agreements.
On the open-source side, where a lot of supply chain risks emerge, we leverage a state-of-the-art development pipeline. Developers follow strict security guidelines and use frameworks embedded with security tools that detect risks associated with third-party libraries—both during development and at runtime. We also have robust monitoring systems in place to detect vulnerabilities and active exploits.
Finally, continuous monitoring ties it all together. Our SIEM solutions use cross-correlation rules to alert us of any potential issues, ensuring we can take timely actions whenever needed.
Is the continuous monitoring process fully automated, like AI-based anomaly detection, or is it more human-centric?
Yes, it’s partially automated because we can’t rely entirely on automation. There has to be a human element involved. We have a dedicated SOC team that monitors activities. To some extent, we use AI-based capabilities to triage alerts, and we are also developing our own LLM models to integrate further automation.
Monitoring technological events is one part, but from a core product perspective, we also need to monitor risk-based activities, like transactions that could potentially lead to fraud. For that, we have strong AI/ML developments already deployed, with a dedicated AI and data science team constantly building new algorithms to detect fraudulent actions.
From a product standpoint, the system is quite mature. On the technology side, monitoring has some automation powered by AI, and we’ve also integrated tools like GitHub Copilot. Our analysts, developers, and security engineers use these technologies to quickly identify potential issues, reducing manual effort significantly.
According to an IDC report, every euro or dollar spent on business AI today is projected to yield a return of 4.6 by 2030 in the global economy. Where does cybersecurity fit into this picture, and how crucial is it to have a cybersecurity investment and cybersecurity posture as robust as AI development?
It’s absolutely crucial because, with AI, one of the biggest risks is the potential leak of PII (Personally Identifiable Information). You can build all the automations and integrate new technologies, but the real question is: how are you controlling the data being passed to them? What kind of data leak prevention tools are in place? Are they able to proactively identify and block PII data leaks?
Many organisations still rely only on detection, but the focus should move towards prevention. It’s essentially AI securing AI—we have to use AI technologies to safeguard other AI systems. Initially, there’s a significant effort needed to review, design, and implement these security measures, but once properly integrated, only a few resources are needed to manage the entire AI tech stack and its security.
There is widespread concern about potential job losses due to AI. However, one sector likely to see increased employment is cybersecurity. Do you agree?
Yes, I agree. In fact, in cybersecurity, we already use a lot of AI models. You might be familiar with penetration testing and product security assessments; there are now tools, including open-source models, where you simply provide a target, like a web application or an API endpoint, and the tool can do an excellent job.
Something that would have taken a product security engineer with six to eight years of experience around four days to complete can now be done in just 30 minutes to an hour. However, the key challenge is trust—you need either a very robust mechanism with all safeguards in place or human intervention for validation.
Going forward, job security in cybersecurity will definitely be there, but individuals must evolve. About 10–15 years ago, when cloud technology emerged, there was a similar fear. Back then, we had large teams managing data centres with dedicated administrators for databases and infrastructure. When cloud adoption began, people worried about losing jobs, but instead, it led to the rise of new fields like DevOps, which didn’t even exist before.
Now, with further advancements like automated deployments, CI pipelines, Infrastructure as Code, and DevSecOps, the industry has evolved again. Similarly, we’re seeing new roles emerge, like prompt engineering with GenAI.
So yes, every new technology may initially seem like a threat, but it actually opens up new opportunities. It all depends on how individuals and the new generation embrace these changes and build new skills.
With Cashfree’s recent push into cross-border payments and payout services, how are you addressing regulatory-driven cybersecurity requirements across jurisdictions?
I think on the cross-border side, we are already certified with ISO 27001:2017 and 27018, which mainly govern international standards for ISMS policies—covering cloud security requirements and protection of user PII data in cloud environments. Being certified on these fronts shows the level of importance we give to security and how robustly we develop and safeguard our products.
Specifically for cross-border payments, there’s an RBI requirement to undergo sandbox testing. Our cross-border solution went through that rigorous process, and we are certified, which proves our solution meets the regulatory standards needed for operating in cross-border areas.
Additionally, we have integrated AI/ML-driven processes for merchant onboarding, especially for cross-border transactions. Though I don't have the exact terminologies at the top of my mind, we use automated tools for reviewing merchant criteria, conducting KYC checks, and performing OCR-based identity validation. Our solution, SecureID, handles the identity validation part for merchants and transactions.
In a nutshell, Cashfree is not only compliant with all regulatory requirements but has also built solutions that go beyond compliance to make our services more secure and efficient.
Could you elaborate on how you’re addressing risks such as model-driven data poisoning and adversarial attacks?
We have around seven to eight different models and AI integrations across four to five of our AI-driven product initiatives. When it comes to developing these models, we rely heavily on providing clean, verified training data. Data poisoning risks mainly depend on how well you verify and sanitise your input data to ensure it doesn’t contain false or malicious entries.
We have continuous checks in place during model training because it’s not a one-time exercise—parameters keep evolving. For example, as we process different IDs like Aadhaar, PAN, etc., new fraud patterns may emerge. So, we use authenticated, weighted data and multiple layers of review, similar to how pull requests are reviewed in software development, before feeding it into the model. These controls ensure our training data remains safe from poisoning.
For adversarial attacks, like injection attacks on chatbots (we recently launched one for support and merchant needs), we start securing them at the design phase itself. Every new product goes through security design reviews, where security engineers help with guidelines, threat modeling, and participate in design calls. After that, we conduct code reviews, threat modeling, and penetration testing before releasing anything into production.
Additionally, we engage third-party vendors for penetration testing on a quarterly basis, which is also a compliance requirement. All our products are tested against standard industry attack vectors, which helps us maintain strong protection against adversarial attacks.
As a CISO, what is your one piece of advice for other security leaders on balancing the adoption of emerging technologies like AI while maintaining strong security measures?
At Cashfree, we are growing at a very rapid pace, and without leveraging new technologies, it would be impossible to meet our speed of development and delivery timelines. As a CISO, if I were to put too many gates or restrictions purely for security, it would impact our go-to-market timelines and deliverables. So, there has to be a balance.
Security needs to be planned and discussed early—right at the product ideation stage with product managers—so that it doesn’t become a blocker at the end. Early involvement makes it much easier and avoids last-minute disruptions.
The other important aspect is the human element. Building a strong, security-focused culture is crucial. Training developers and employees on secure best practices, ensuring they don’t fall for phishing attempts, and making them aware of their security responsibilities in their day-to-day work is vital.
At Cashfree, we run continuous initiatives like phishing simulation campaigns, ISMS-related mandatory training, and other awareness programs. This can’t be a one-time effort—it has to be a continuous process. When everyone treats security as part of their responsibility, it helps the organisation grow and deliver faster.
It’s not that last year I did it, and this year it’s not required. It should be a continual effort. Bringing security into everyone’s responsibility makes us grow faster and deliver faster.