
Developing a Data Security Framework for Payment Service Providers in Indonesia

After being “killed” by assignments, pre-intensive days, and intensive days—WOW… Semester 2 feels so fast, huh!

So, last February 21, when the wind in Edinburgh was freezing cold, I had the opportunity to meet my Supervisor, Bjorn! I was so happy to finally meet him. There, I told him about my project plan. Bjorn also shared his expectations and considerations, given his strong technical background in IT.

Through this blog, I want to share my project progress! FYI, Bjorn and I agreed to report monthly so that we stay on track! In my story this time, I will focus more on the research question and scope—because when Bjorn asked about this, I realized how broad the scope was, and honestly, I was a bit confused too.

Background

Indonesia already has the Personal Data Protection Law (UU PDP) and derivative regulations from Bank Indonesia (PADG KKS, a Regulation of the Members of the Board of Governors). However, there is still no regulation that specifies which data security standard the payment industry must follow. This makes it difficult for Payment Service Providers (PJP, Penyedia Jasa Pembayaran) to implement data security standards consistently, which can result in differences in implementation and legal uncertainty.

Threats to data security also continue to increase, as shown by data leaks at e-commerce and fintech companies. A data security framework already exists on paper, but does the industry truly find it clear? The digital payment industry risks losing public trust and facing major losses if providers remain unclear about how to implement this data security law.

Existing Challenges

Globally, security standards such as PCI DSS (specific to payment card data), ISO/IEC 27001, and the NIST Cybersecurity Framework are widely adopted in the payment industry. In Indonesia, regulations such as the PDP Law and PADG KKS already exist, but several challenges remain:

  • There is no specific framework governing data security for PJP: the most recent derivative regulations do not name any international standard that PJP must adhere to.
  • Minimum standards for security technology are still unclear.
  • Implementation of the regulations in the field still faces obstacles. (To be honest, this is still just my hypothesis, considering that the derivative regulations were only issued on December 31, 2024.)
  • Audit and supervision mechanisms are not yet fully effective because the regulations have only just been issued.
  • Cyber threats are evolving faster than existing regulations.

Research Questions

How can a practical data security framework be developed for PJP that both complies with regulations and is easy to implement? To answer this, the research will focus on:

  1. Security standards that have been implemented by PJP and their comparison with global standards.
  2. The main components of an effective data security framework.
  3. Challenges in implementing security standards.
  4. The effectiveness of audit and supervision mechanisms by Bank Indonesia.
  5. Technology and best practices that can be implemented by PJP—here, I really hope to get a lot of input from Bjorn because this is his field.

Scope of Research

This research will focus on three types of PJP:

  • Banks with digital services such as QRIS (Indonesia's national QR payment standard) and debit/credit cards.
  • E-wallets such as GoPay, OVO, and Dana.
  • Payment gateways such as Midtrans and Xendit.

Aspects discussed include data encryption, authentication, fraud detection, and compliance with the PDP Law. Research methods include a literature study and interviews with industry practitioners (if possible). Thanks to Bjorn, I'll try to conduct interviews. To simplify the bureaucracy, I don't have to interview 'officials'; instead, I can talk to technical experts who really understand this field.

Expected Impact

The results of this study are expected to:

  • Develop a data security framework that can be applied by PJP.
  • Provide recommendations for Bank Indonesia in formulating more specific regulations.

Next Steps

Currently, the research is still in its early stages and will continue to be developed with input from Bjorn. The main focus going forward is to get feedback and deepen the literature study related to regulations and best practices in the payment industry.

So stay tuned, guys! Wish me luck—I hope I can do this well!


1 Comment

  1. Meera

    I am reading this in continuation to your previous blog on NIST and I am very excited for your project on PJP data security in Indonesia! You have explained your project so well in this blog that even though I have very little knowledge of your area of research, I really want to read your work! The clarity with which you write about your research is fantastic! Wishing you the best!


Developing a Data Security Framework for Payment Service Providers in Indonesia / Nadia Nur Amalina / Future Governance: KIPP & Futures Project (2024-25) by is licensed under a
