The Reserve Bank of India (RBI) on June 2 released draft cybersecurity directions for payment system operators (PSOs) and digital payments, outlining baseline security measures and governance mechanisms for identifying and managing cybersecurity risks.
Called the Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators, the draft is open for consultation until June 30, 2023. Interested stakeholders can submit their feedback to email@example.com.
With the financial sector being a highly sensitive and lucrative target for cyberattacks and cyber fraud, baseline security norms are the need of the hour, but they also pose a significant compliance burden on payment system operators, which will have to be assessed.
These Directions are being issued under the Payment and Settlement Systems Act, 2007, and will co-exist with any existing instructions on security and risk mitigation measures for payments made using cards, Prepaid Payment Instruments (PPIs), and mobile banking, RBI said.
Who do these directions apply to?
The Directions apply to all RBI-authorized non-bank payment system operators (PSOs). The PSOs are also responsible for ensuring adherence to the Directions by any unregulated entities that they have linkages with as part of their digital payments ecosystem (payment gateways, third-party service providers, vendors, merchants, etc.).
As for timelines for implementing the Directions, RBI has said that it will adopt a phased implementation approach:
Large non-bank PSOs: April 1, 2024
- Payment Aggregators (PAs), card payment networks, large PPI issuers, non-bank ATM networks, White Label ATM Operators, Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, TReDS, and Bharat Bill Payment Operating Units fall under this category.
Medium non-bank PSOs: April 1, 2026
- Cross-border (in-bound) money transfer operators under Money Transfer Service Scheme (MTSS) and Medium PPI Issuers fall under this category.
Small non-bank PSOs: April 1, 2028
- Small PPI Issuers and Instant Money Transfer Operators fall under this category.
The Board of Directors (Board) of the PSO is responsible for ensuring “oversight over information security risks, including cyber risk and cyber resilience,” but can delegate oversight to a sub-committee which should meet at least once every quarter.
Summary of governance and baseline information security measures for PSOs
- PSOs must formulate an Information Security policy, prepare a crisis management plan, undertake a cyber risk assessment, etc: As part of their governance measures, PSOs must formulate an Information Security (IS) policy that covers all applications and products concerning payment systems. The policy should be reviewed annually. The PSO must also prepare a Cyber Crisis Management Plan (CCMP) “to detect, contain, respond, and recover from cyber threats and cyber attacks.” Additionally, PSOs must define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls, and also undertake a cyber risk assessment exercise when introducing new products, services, technologies, or undertaking major changes to existing infrastructure, products, and services.
- Reporting cyberattacks to RBI within 6 hours: The Directions borrow from the CERT-In cybersecurity directions issued last year and require PSOs to notify RBI of any unusual incident, including cyber attacks, outages of critical systems or infrastructure, internal fraud, and settlement delays, within 6 hours of detection.
- Multi-factor authentication for payment transactions: All payment transactions, including cash withdrawals, conducted through electronic modes should require multi-factor authentication, except where explicitly relaxed. PSOs must implement security measures to prevent unauthorized or spoofed transactions.
- Appoint a nodal officer: PSOs must appoint a dedicated nodal officer(s) who is available 24x7x365 to liaise with customers on fraudulent transactions and also with Law Enforcement Agencies (LEAs).
- Incident response strategies: PSOs should have an incident response mechanism, which shall include response strategies for various incident scenarios, prompt notifying of senior management and other relevant stakeholders including any public authority, and post-incident analysis, including forensic analysis. The PSO should also develop a Business Continuity Plan (BCP) based on different cyber threat scenarios, which shall be reviewed at least once a year.
- Access management: There should be policies, procedures, and controls on access privileges. Access should be based on “need-to-have, need-to-know and based on the principle of least privilege.” All default authentication settings must be changed before the service or system goes live. Privileged accounts, such as administrator accounts, must have multi-factor authentication and a rotation policy should be implemented. Security controls like whitelisting/blacklisting should be put in place for the use of portable devices like smartphones, laptops, etc. Adequate precautions should be adopted for work-from-home situations. PSOs should also have physical and environmental safeguards to protect access to their assets from natural disasters and other threats.
- Maintaining network security: The PSO must protect its systems from external threats by configuring and periodically checking security rules. To do so, a Security Operations Centre (SOC) should be established to proactively monitor network logs and manage security incidents. PSOs must also establish augmented mechanisms such as a Security Information and Event Management (SIEM) system, which can correlate alerts and detect multi-faceted attacks. PSOs must also implement anti-malware solutions, multi-layered boundary defenses, network segmentation, and whitelisting of allowed application services and devices.
- Security testing: PSOs should ensure that all their applications are subjected to “rigorous security testing” through qualified agencies at regular frequencies. Any deficiencies reported in the security testing should be resolved in a time-bound manner.
- Data Security and PCI-DSS certification: PSOs must put in place a comprehensive data leak prevention policy for the protection of business and customer information (both in transit and at rest). To do so, the PSO should implement an Information Security Management System (ISMS). Any security controls for applications and databases should focus on the secure handling and storage of data, especially Personally Identifiable Information (PII). PSOs must implement secure mail and messaging systems to ensure inbound and outbound traffic through mail and messages are secure. Any PSO storing card (debit/credit/prepaid) data shall adhere to PCI-DSS guidelines and obtain PCI-DSS certification.
- Security patches: PSOs should put in place a documented policy to identify and implement patches to its assets released by the manufacturers or others. These security patches should be applied within an appropriate time frame, and in case of critical patches, PSOs must have a mechanism to apply them immediately.
- Safeguarding against risks posed by Application Programming Interfaces (APIs): To safeguard applications against risks from insecure APIs, PSOs should put in place authentication measures to establish the identity of the communicating applications, confidentiality measures to ensure that the message content is not tampered with, and integrity measures that ensure resources are reliably transferred.
- Employee awareness and training: PSOs must arrange for periodic training and awareness programs on information security issues for its employees, including Board members, and vendors. They should also carry out periodic evaluations of cyber security awareness amongst employees.
- Fraud monitoring: PSOs should put in place a fraud monitoring solution to identify suspicious transactional behavior, and must also have measures to prevent
- Anti-phishing safeguards: PSOs should subscribe to anti-phishing or anti-rogue-app services that identify and take down phishing websites and apps.
- Creating public awareness: PSOs must create public awareness of measures to safeguard against fraud and cyber threats while using digital payment products.
- Vendor Risk Management: For managing risks from vendors, PSOs should refer to RBI’s Framework for Outsourcing of Payment and Settlement-related Activities by PSOs. Additionally, PSOs must put in place necessary security controls to prevent infiltration into their network from vendor environments. PSOs must also adhere to the relevant data localization guidelines and also ensure compliance by their vendors.
- Application Security Life Cycle (ASLC): PSOs must follow a “secure by design” approach for the development of services and products “and ensure that no security weaknesses are introduced during the build process.” The PSO should implement a multi-tier application architecture that segregates the database layer from other layers. PSO should also have “an escrow arrangement for the source code of applications procured from third-party vendors, to ensure continuity of services.”
Summary of digital payment security measures
In addition to the above measures, the following is applicable for all digital payment transactions:
- Enabling online alerts for customers: PSO must have mechanisms for online alerts based on various parameters such as failed transactions, transaction velocity, excessive activity, geo-location, transactions to Virtual Payment Addresses (VPAs) on whom phishing or other types of fraud are registered, etc. While sending any SMS or e-mail alert to customers, it must be ensured that the bank account/card number and any confidential information are masked to the extent possible.
- Merchant name should be shown on all transactions: All online payment transactions should display the merchant name (not that of the payment gateway or aggregator) and the amount. For fund transfers, the name of the beneficiary and the debit amount should be shown, with the name taken from the entity maintaining the beneficiary account.
- OTP at the end of the message: If OTP is a factor of authentication, PSOs should ensure that the OTP is mentioned at the end of the message and the message should also refer to the specific transaction.
- Easy reporting of fraudulent transactions: PSOs should provide a facility on its app or website that will allow customers to mark a fraudulent transaction “for seamless and immediate notification to the issuer of payment instrument.”
For PSOs providing mobile payment services, specifically, the following additional security practices apply:
- Terminate sessions with interference or inactivity: PSOs must ensure that an authenticated session remains intact throughout an interaction with the customer, but the same should be terminated if there is any interference or if the customer closes the application, or if there is no activity after a fixed period of time. Any affected transactions should be resolved or reversed.
- Device binding: PSOs must ensure device binding of mobile applications with the device and SIM. If the app is unused beyond the specified period, the device binding should be performed again.
- Maximum number of failed login attempts: PSOs should specify the maximum number of failed login attempts after which access to the app is blocked and requires a secure procedure to re-activate the access.
- Preventing remote access services: PSOs should try to identify the presence of any remote access applications and prohibit access to the app while the remote access is live.
- Cooling period for change in number or email ID: If there is a change in the registered mobile number or email ID linked to the payment instrument, there should be a cooling period of a minimum of 12 hours before allowing any payment transaction.
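The five mobile-app controls listed above combined into one pre-payment gate, as an added Python example that is not from the draft Directions or from any PSO. The 12-hour cooling period is the draft's stated minimum; the five-minute inactivity limit, five-attempt lockout and 90-day re-binding window are assumed values because the draft leaves them to the PSO, and remote-access detection is assumed to arrive as a flag set by the app.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple
CONTACT_COOLING = timedelta(hours=12)    # minimum stated in the draft
INACTIVITY_LIMIT = timedelta(minutes=5)  # assumed; the draft leaves the period to the PSO
MAX_FAILED_LOGINS = 5                    # assumed; the draft leaves the number to the PSO
REBIND_AFTER = timedelta(days=90)        # assumed "specified period" after which re-binding is due

@dataclass
class MobileSession:  # constructed state the app would hold per authenticated session
    device_id: str
    sim_id: str
    bound_device_id: str
    bound_sim_id: str
    last_app_use: datetime                  # drives the re-binding rule
    last_activity: datetime                 # drives the inactivity rule
    contact_changed_at: Optional[datetime]  # last mobile number / e-mail ID change
    failed_logins: int = 0
    remote_access_detected: bool = False    # assumed to be set by the app's own detection

def record_failed_login(s: MobileSession) -> bool:  # True once the app must be blocked
    s.failed_logins += 1
    return s.failed_logins >= MAX_FAILED_LOGINS

def payment_allowed(s: MobileSession, now: datetime) -> Tuple[bool, str]:  # gate before a transaction
    if s.failed_logins >= MAX_FAILED_LOGINS:
        return False, "blocked after repeated failed logins"
    if s.remote_access_detected:
        return False, "remote access application active"
    if (s.device_id, s.sim_id) != (s.bound_device_id, s.bound_sim_id):
        return False, "device/SIM does not match binding"
    if now - s.last_app_use > REBIND_AFTER:
        return False, "binding expired; re-bind device"
    if now - s.last_activity > INACTIVITY_LIMIT:
        return False, "session terminated after inactivity"
    if s.contact_changed_at is not None and now - s.contact_changed_at < CONTACT_COOLING:
        return False, "cooling period after contact-detail change"
    s.last_activity = now  # successful check counts as activity
    return True, "ok"

def run_scenarios(now: datetime = datetime(2023, 6, 2, 10, 0)) -> Dict[str, str]:  # constructed cases
    def fresh() -> MobileSession:  # passes every check at `now`
        return MobileSession("dev-A1", "sim-9", "dev-A1", "sim-9", now - timedelta(days=1),
                             now - timedelta(minutes=1), now - timedelta(hours=13))
    sessions = dict(clean=fresh(), stale=fresh(), swapped=fresh(), changed=fresh(), locked=fresh())
    sessions["stale"].last_activity = now - timedelta(minutes=6)
    sessions["swapped"].sim_id = "sim-NEW"
    sessions["changed"].contact_changed_at = now - timedelta(hours=3)
    for _ in range(MAX_FAILED_LOGINS): record_failed_login(sessions["locked"])
    return {k: payment_allowed(s, now)[1] for k, s in sessions.items()}
```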
For card payments, specifically:
- Terminals should be PCI-P2PE validated: PSOs should ensure that card terminals installed at merchants are validated against the PCI-P2PE program. PoS terminals with PIN entry shall be approved under the PCI-PTS program. Both of these are standards established by the Payment Card Industry Security Standards Council (PCI SSC).
- Transaction limits and alert system: Card networks should implement transaction limits at the card, Bank Identification Number (BIN), and card issuer levels. The card networks should have an alert mechanism operating 24x7x365 in case of any suspicious incident.
- Encrypting card details: Card networks should ensure that the card details of the customers are stored in an encrypted form at any of their server locations as well as by their vendors.
For prepaid payment instruments, specifically:
- Support for vernacular languages: PPI issuers should try to communicate OTP and transaction alerts with users in their language of choice.
- Cooling period: PPI issuers should have a cooling period for funds transfer and cash withdrawal after such funds are electronically loaded onto the PPI.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.