The Reserve Bank of India (RBI), the country’s apex financial institution, has issued new directions to bolster the cybersecurity and resilience of the digital payment ecosystem in India.
On July 30, the apex bank issued ‘Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)’. “These directions aim to enhance the safety and security of payment systems operated by PSOs, establishing a robust framework for overall information security preparedness with a particular focus on cyber resilience,” RBI said in its notification.
Applicability of Digital Payment Security Norms
The new directives apply to all authorized non-bank PSOs and their associated unregulated entities, including payment gateways, third-party service providers, and vendors. The PSOs are required to ensure that these entities adhere to the directions through mutual agreements and organizational policies approved by their boards.
RBI said the approach is designed to effectively identify, monitor, control, and manage cyber and technology-related risks arising from the integration of various entities within the digital payments ecosystem.
Digital Payment Security Measures and Controls
The RBI’s directions mandate PSOs to facilitate mechanisms for online alerts based on parameters such as failed transactions, transaction velocity, excessive activity, geo-location, IP address origin, and behavioral biometrics. These measures aim to detect and prevent fraudulent activities and enhance transaction security.
When sending alerts via SMS, email, or other notifications, PSOs and their participants must ensure that sensitive information, such as bank account and card numbers, is redacted or masked. Online payment transactions must clearly display the merchant’s name and transaction amount, while OTP-based authentication messages should include the OTP at the end and refer to the specific transaction, RBI said in its master directions.
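The two preceding paragraphs describe alert parameters (failed transactions, velocity, geo-location, IP origin) and the rule that alert and OTP messages must mask card numbers, show merchant name and amount, and place the OTP at the end. The following Python block is an added example, not code from the RBI directions or from any PSO; the thresholds, the `AlertEngine` class, the sample transactions and the IP addresses are constructed for illustration. It keeps a small per-card history, raises reason codes when a rule trips, and builds the customer-facing message with the PAN masked.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One payment transaction as seen by the PSO (constructed schema)."""
    txn_id: str
    pan: str        # full card number; must never appear in an alert
    amount: float
    merchant: str
    country: str
    ip: str
    ts: int         # epoch seconds
    ok: bool        # False for a failed transaction


def mask_pan(pan: str) -> str:
    """Return the card number with every digit but the last four masked."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 8:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def alert_text(txn: Txn) -> str:
    """Customer alert: merchant name and amount shown, PAN masked."""
    return (f"Txn {txn.txn_id}: INR {txn.amount:.2f} at {txn.merchant} "
            f"on card {mask_pan(txn.pan)}")


def otp_text(txn: Txn, otp: str) -> str:
    """OTP message that refers to the specific transaction, OTP placed last."""
    return (f"OTP for INR {txn.amount:.2f} at {txn.merchant} "
            f"(card {mask_pan(txn.pan)}). Your OTP is {otp}")


class AlertEngine:
    """Minimal rule engine over the parameters named in the directions.

    Thresholds are assumptions for this example, not values from the RBI text.
    """
    VELOCITY_MAX = 3        # more than this many transactions ...
    VELOCITY_WINDOW = 60    # ... within this many seconds
    FAILED_MAX = 3          # consecutive failed transactions

    def __init__(self) -> None:
        self.recent = defaultdict(deque)   # pan -> timestamps in the window
        self.failed = defaultdict(int)     # pan -> consecutive failures
        self.last_country = {}             # pan -> country of last successful txn
        self.last_ip = {}                  # pan -> IP of last successful txn

    def process(self, txn: Txn):
        """Return (reason codes, alert message) for one transaction."""
        reasons = []

        # Velocity: count transactions for this card inside the sliding window.
        window = self.recent[txn.pan]
        window.append(txn.ts)
        while window and txn.ts - window[0] > self.VELOCITY_WINDOW:
            window.popleft()
        if len(window) > self.VELOCITY_MAX:
            reasons.append("VELOCITY")

        # Failed transactions: consecutive failures on the same card.
        if txn.ok:
            self.failed[txn.pan] = 0
        else:
            self.failed[txn.pan] += 1
            if self.failed[txn.pan] >= self.FAILED_MAX:
                reasons.append("REPEATED_FAILURE")

        # Geo-location and IP origin: compare with the last successful txn.
        if txn.pan in self.last_country and self.last_country[txn.pan] != txn.country:
            reasons.append("GEO_CHANGE")
        if txn.pan in self.last_ip and self.last_ip[txn.pan] != txn.ip:
            reasons.append("IP_CHANGE")
        if txn.ok:
            self.last_country[txn.pan] = txn.country
            self.last_ip[txn.pan] = txn.ip

        return reasons, alert_text(txn)


# Constructed sample: three failures, a burst of activity, then a new country/IP.
PAN = "4111 1111 1111 1111"
SAMPLE_TXNS = [
    Txn("T1", PAN, 999.00, "ShopA", "IN", "203.0.113.5", 0, False),
    Txn("T2", PAN, 999.00, "ShopA", "IN", "203.0.113.5", 5, False),
    Txn("T3", PAN, 999.00, "ShopA", "IN", "203.0.113.5", 10, False),
    Txn("T4", PAN, 120.50, "ShopB", "IN", "203.0.113.5", 12, True),
    Txn("T5", PAN, 4500.00, "ShopC", "US", "198.51.100.7", 20, True),
]


def run_sample():
    """Feed the constructed transactions through a fresh engine."""
    engine = AlertEngine()
    return [engine.process(t) for t in SAMPLE_TXNS]


if __name__ == "__main__":
    for reasons, message in run_sample():
        print(reasons, message)
```

In a real deployment the thresholds would be tuned per product and the history kept in a shared store rather than process memory; the point here is that the decision logic consumes the full PAN while every outbound string goes through `mask_pan`, so a logging or SMS path cannot leak the number by accident.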
Furthermore, PSOs must provide facilities on their mobile applications or websites that allow customers to identify and report fraudulent transactions instantly. This feature ensures seamless and immediate notification to the issuer of the payment instrument.
Mobile Payment Security Practices
PSOs offering mobile payment services are required to implement stringent security practices and risk mitigation measures. These include ensuring that mobile applications are free from anomalies, maintaining authenticated sessions with robust encryption protocols, and implementing device binding or fingerprinting for mobile applications.
PSOs must also ensure that online sessions are terminated after a period of inactivity and that customers are promptly notified of failed login or authentication attempts, as per the new directions. Additionally, RBI added that PSOs must establish control mechanisms to detect the presence of remote access applications and prohibit access to mobile payment applications while remote access is active.
Card Payment Security Measures
For card payments, PSOs must ensure that terminals installed at merchant locations for capturing card details are validated against the PCI-P2PE (Payment Card Industry-Point to Point Encryption) program.
POS terminals with PIN entry for card payments must be approved by the PCI-PTS (Payment Card Industry-PIN Transaction Security) program, ensuring that they meet the highest security standards, RBI said.
Governance and Cyber Security Preparedness
The governance of information security risks, including cyber risk and cyber resilience, lies with the Board of Directors of the PSO. A sub-committee of the Board, headed by a member with expertise in information and cyber security, may be delegated primary oversight responsibilities, said the new guidelines. This sub-committee is required to meet at least once every quarter to review and manage these risks.
Further, RBI said that PSOs must formulate a Board-approved Information Security (IS) policy to manage potential information security risks across all applications and products related to payment systems. This policy must be reviewed annually and cover various aspects, including roles and responsibilities, measures to identify and manage cyber security risks, and processes for training and awareness.
A distinct Board-approved Cyber Crisis Management Plan (CCMP) must be prepared by PSOs to detect, contain, respond to, and recover from cyber threats and attacks, RBI said. Additionally, PSOs are required to implement a comprehensive data leak prevention policy to ensure the confidentiality, integrity, and availability of business and customer information. This includes securing data both in transit and at rest, adhering to PCI-DSS guidelines, and regularly testing backup data to ensure recovery without loss of transactions or audit trails.
The RBI also emphasized the importance of business continuity planning (BCP), directing PSOs to develop a BCP based on various cyber threat scenarios, including extreme but plausible events. The plan should be reviewed annually and include detailed incident response, resumption, and recovery procedures to manage cybersecurity events or incidents, said RBI.
Implementation Timeline
The new directions will take effect from April 2025 for large non-bank PSOs, April 2026 for medium non-bank PSOs, and April 2028 for small non-bank PSOs. Entities such as CCIL, NPCI, Payment Aggregators, TReDS, and large PPI issuers are classified as large non-bank PSOs, while cross-border Money Transfer Operators (MTSS) and medium PPI issuers are categorized as medium non-bank PSOs. Small PPI issuers and Instant Money Transfer Operators are considered small non-bank PSOs.