The Reserve Bank of India (RBI) will issue new cybersecurity guidelines for ATM service providers by December 31, it said in a statement on developmental and regulatory policies. The guidelines would require implementation of several measures: strengthening the process for deploying and changing application software in the ecosystem, continuous surveillance, controls on the storage, processing and transmission of sensitive data, building capacity for forensic examination, and making the incident response mechanism more robust.

The apex bank noted that a number of commercial banks, urban cooperative banks and other entities regulated by the RBI rely on third-party application service providers for ATM Switch applications. Since these service providers have exposure to the payments system landscape, they are exposed to cybersecurity threats. RBI said that the regulated entities will have to mandate the cybersecurity guidelines in their contractual agreements with these service providers.

Why this matters: Over 1.3 million payment card details (98% of them being Indian banks’ cards) were put up for sale on Joker’s Stash. 550,000 of these cards belonged to one single Indian bank. The data was being sold at $100 per card, and was likely obtained by using skimming devices installed on ATMs and Point of Sale systems.

Urban cooperative banks also to get cybersecurity guidelines

Urban cooperative banks (UCBs) will also be issued a comprehensive cyber security framework by the RBI, based on their “digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk”. Under this new set of guidelines, which will be issued in detail by December 31, UCBs will have to implement cybersecurity measures such as:

  • Implementation of bank-specific email domain
  • Periodic security assessment of public-facing websites/applications
  • Strengthening cybersecurity incident reporting mechanism
  • Strengthening of governance framework
  • Setting up of Security Operations Center (SOC)

“This would bolster cyber security preparedness and ensure that the UCBs offering a range of payment services and higher Information Technology penetration are brought at par with commercial banks in addressing cyber security threats,” RBI said.