
Summary: RBI's draft cybersecurity norms for payment system operators (PSOs)

Dec 18, 2023

Reserve Bank of India (RBI) has released draft cybersecurity directions for digital payments and PSOs outlining baseline security measures.


The Reserve Bank of India (RBI) on June 2 released draft cybersecurity directions for payment system operators (PSOs) and digital payments, outlining baseline security measures and governance mechanisms for identifying and managing cybersecurity risks.

Called the Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators, the draft is open for consultation until June 30, 2023. Interested stakeholders can submit their feedback to [email protected].

With the financial sector being a highly sensitive and lucrative target for cyberattacks and cyber fraud, baseline security norms are the need of the hour, but they also pose a significant compliance burden on payment system operators, which will have to be assessed.

These Directions are being issued under the Payment and Settlement Systems Act, 2007, and will co-exist with any existing instructions on security and risk mitigation measures for payments made using cards, Prepaid Payment Instruments (PPIs), and mobile banking, RBI said.


The Directions apply to all RBI-authorized non-bank payment system operators (PSOs). The PSOs are also responsible for ensuring adherence to the Directions by any unregulated entities that they have linkages with as part of their digital payments ecosystem (payment gateways, third-party service providers, vendors, merchants, etc.).

As for timelines for implementing the Directions, RBI has said that it will adopt a phased implementation approach:

Large non-bank PSOs: April 1, 2024

Medium non-bank PSOs: April 1, 2026

Small non-bank PSOs: April 1, 2028

The Board of Directors (Board) of the PSO is responsible for ensuring "oversight over information security risks, including cyber risk and cyber resilience," but can delegate oversight to a sub-committee which should meet at least once every quarter.

The post summarises the draft's requirements under the following headings. Measures for PSOs in general and for all digital payment transactions:

PSOs must formulate an Information Security policy, prepare a crisis management plan, undertake a cyber risk assessment, etc.
Reporting cyberattacks to RBI within 6 hours
Multi-factor authentication for payment transactions
Appoint a nodal officer
Incident response strategies
Access management
Maintaining network security
Security testing
Data Security and PCI-DSS certification
Security patches
Safeguarding against risks posed by Application Programming Interfaces (APIs)
Employee awareness and training
Fraud monitoring
Anti-phishing safeguards
Creating public awareness
Vendor Risk Management
Application Security Life Cycle (ASLC)
Enabling online alerts for customers
Merchant name should be shown on all transactions
OTP at the end of the message
Easy reporting of fraudulent transactions

For PSOs providing mobile payment services, specifically, the following security practices additionally apply:

Terminate sessions with interference or inactivity
Device binding
Maximum number of failed login attempts
Preventing remote access services
Cooling period for change in number or email ID

For card payments, specifically:

Terminals should be PCI-P2PE validated
Transaction limits and alert system
Encrypting card details

For prepaid payment instruments, specifically:

Support for vernacular languages
Cooling period

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.