RBI To Make Digital Payments More Secure: Proposes Draft Master Directions On Cyber Resilience And Digital Payment Security Controls
RBI has proposed draft guidelines to establish a robust governance mechanism for PSOs
RBI has proposed that licensed non-bank payment system operators (PSOs) set up strong governance mechanisms to deal effectively with growing cybersecurity concerns. The central bank has released a “Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators”.
The guidelines describe governance frameworks for the identification, assessment, monitoring, and management of cybersecurity risks, including vulnerabilities and threats to data security. To ensure the safety of digital payment transactions, they also set out minimum security standards. The RBI has asked stakeholders to submit observations and suggestions on the proposal by June 30.
Suggestions and comments can be sent by email or post to the Chief General Manager of the Department of Payment and Settlement Systems at the Reserve Bank of India’s Central Office in Mumbai.
The draft offers numerous guidelines on how card and prepaid payment providers should maintain security while processing payments made through electronic cards, digital wallets, applications, or mobile banking.
According to the draft, PSOs must ensure, through mutual agreement, that these directions are also followed by the unregulated entities that form part of their digital payments ecosystem, so that cyber and technology-related risks can be properly identified, monitored, controlled, and managed. These entities include payment gateways, third-party service providers, merchants, and others. A board-approved policy to this effect must be in place.
The Board of each PSO will be responsible for ensuring that information security risks, including cyber risk and cyber resilience, are adequately overseen. Primary oversight may, however, be delegated to a sub-committee of the Board, which must meet at least once every three months.
The PSO is also required to formulate a Board-approved Information Security (IS) policy that addresses current and potential information security threats across all payment-system applications and products.
Under the proposed standards, the PSO must prepare a business continuity plan (BCP) built around a range of cyber threat scenarios, including extreme but plausible events to which it could be exposed. The BCP must be reviewed at least once every twelve months and must include a thorough response, resumption, and recovery plan for handling cyber security incidents.
The BCP must be designed to keep processes and information secure while enabling quick recovery from any adverse event and the safe resumption of critical operations in line with recovery time objectives (RTO) and recovery point objectives (RPO). The PSO will aim to bring the RPO down to near zero.
Under the draft’s outline of cyber security preparedness, PSOs will be required to prepare a Cyber Crisis Management Plan (CCMP) to detect, contain, respond to, and recover from cyber threats and attacks. The draft also states that the organisation’s board of directors will carry responsibility for cyber security.
If a transaction appears suspicious, an alert must be sent. Users’ account and card details and other private information should be kept hidden. Online transactions should identify the payment gateway or aggregator, not the merchant. When an OTP is delivered by email or mobile, the purpose for which it is intended must be stated.
In keeping with the sensitivity and criticality of the information it holds or transmits, the PSO must also implement a comprehensive data breach prevention policy to protect the confidentiality, integrity, availability, and security of both business and customer data (in transit as well as at rest).
Application and database security measures must focus on the secure processing, storage, and retention of information, particularly “Personally Identifiable Information”. According to the RBI, data must be encrypted in transit, at rest, or both.
RBI Issued Guidelines for Card Payments
The bank that issued the card must be notified of any fraudulent or suspicious transactions on it. The payment system operator will be responsible for maintaining POS terminal security.
RBI Issued Guidelines for Prepaid Payment Products
There should be a cooling-off period between loading funds and sending them. Transaction details and OTPs must also be delivered in the user’s local language.
RBI Issued Guidelines for Mobile Banking
Fraudulent payments discovered through mobile banking should be identifiable and categorised. A change of contact number or email should be allowed only with a cooling-off window of twelve hours before any payment can be made. The same application should not run on two different devices at the same time.
A mobile banking application that has not been used for some time must be reactivated through SIM and biometric verification. Login must be disabled if someone attempts to log in with incorrect credentials more than the permitted number of times; however, there must also be a way to restore it.
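The mobile banking controls described above, modelled as a small policy check (an added illustration, not code from the RBI draft or any PSO): the twelve-hour cooling-off after a contact change, one active device per user, login lockout after too many failures, and a reactivation path. The failed-login threshold of 3 and the use of SIM plus biometric checks for reactivation are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
COOLING_OFF = timedelta(hours=12)  # draft: 12-hour wait after a contact change before payments
MAX_FAILED_LOGINS = 3              # assumed threshold; the draft leaves the exact limit to the PSO

@dataclass
class MobileAccount:
    contact_changed_at: "datetime | None" = None  # set when phone number / email changes
    failed_logins: int = 0
    locked: bool = False
    active_device: "str | None" = None            # at most one active device per user

def payment_allowed(acct: MobileAccount, now: datetime) -> tuple:
    if acct.locked:
        return False, "account locked"
    if acct.contact_changed_at and now - acct.contact_changed_at < COOLING_OFF:
        return False, "cooling-off after contact change"
    return True, "ok"

def login(acct: MobileAccount, device: str, credentials_ok: bool) -> tuple:
    if acct.locked:
        return False, "locked: reactivation required"
    if not credentials_ok:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True  # disable login once the permitted limit is exceeded
        return False, "bad credentials"
    if acct.active_device and acct.active_device != device:
        return False, "already active on another device"
    acct.failed_logins, acct.active_device = 0, device
    return True, "ok"

def reactivate(acct: MobileAccount, sim_verified: bool, biometric_verified: bool) -> bool:
    # Revival path after lockout; gating it on SIM + biometric checks is an assumption.
    if sim_verified and biometric_verified:
        acct.locked, acct.failed_logins = False, 0
        return True
    return False

def run_scenario() -> tuple:
    # Constructed walk-through of the controls; returns every decision for checking.
    t0, acct = datetime(2024, 4, 1, 9, 0), MobileAccount()
    ok_a, _ = login(acct, "phone-A", True)
    ok_b, why_b = login(acct, "phone-B", True)
    acct.contact_changed_at = t0  # user changes contact number at t0
    pay_early, why_early = payment_allowed(acct, t0 + timedelta(hours=1))
    pay_late, _ = payment_allowed(acct, t0 + timedelta(hours=13))
    for _ in range(MAX_FAILED_LOGINS):
        login(acct, "phone-A", False)
    return ok_a, ok_b, why_b, pay_early, why_early, pay_late, acct.locked, reactivate(acct, True, True)
```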
In addition, the proposed standards require the PSO to define suitable Key Risk Indicators (KRIs) for identifying potential risk events and Key Performance Indicators (KPIs) for measuring the effectiveness of security controls.
Further, the PSO must carry out a cyber risk assessment before launching new products, services, or technologies, or before making significant changes to the systems or processes of existing products or services. The Chief Information Security Officer (CISO) or an executive in a comparable role must oversee the implementation of any action items arising from that assessment.
The proposed guidelines will require PSOs to report any unusual incident, including cyber-attacks, outages of critical systems or infrastructure, internal fraud, and settlement delays, to the RBI within six hours of detection. The RBI also proposes that every person with access to the PSO’s IT environment be assigned a digital identity, which would be maintained and monitored until it is terminated.
When is the RBI draft proposal going to be implemented?
RBI has requested input on the draft from the relevant stakeholders by June 30. Following consultation and approval, the plan will be phased in from April 1, 2024 to April 1, 2028. Large non-bank payment system operators have been given until April 1, 2024; it will apply to medium non-bank operators by April 1, 2026 and become mandatory for small non-bank operators from April 1, 2028.
According to the RBI, the guidelines will also cover baseline security controls to ensure system resilience and the safety of digital payment transactions, and will be updated as security requirements evolve. The statement adds that the existing safety and risk-mitigation guidelines for payments made with cards, prepaid payment instruments (PPIs), and mobile banking remain in force.
The release of the draft guidelines comes amid a rise in cyber-attacks targeting payment systems, which have become central to economic stability and financial inclusion. Under the proposed rules, the PSO Board will be responsible for ensuring that information security risks, including cyber risk and cyber resilience, are effectively overseen.
The PSO will be tasked with developing a Board-approved information security policy that addresses potential risks to all payment-system applications and products, as well as threats that have already materialised.
Published By Naveenika Chauhan