
RBI releases Master Direction on Digital Payment Security Controls


RBI has released the Master Direction on Digital Payment Security Controls, focusing on the governance structure of the digital payments regime and the minimum standards of security controls under it. Given the wide use of digital payment systems post demonetization, this move was imperative. It will provide a common minimum standard for payment systems such as mobile banking, card payments, etc.

The direction shall come into effect six months from today. It is applicable to Scheduled Commercial Banks, Small Finance Banks, Payments Banks, and Credit Card issuing NBFCs.

The directions are divided into five chapters and cover general controls, internet banking security controls, mobile payments application security controls, and card payments security controls. Here are some of the focal points of the digital payment security controls directions.

General Functionality, Security, and Performance Policy

The Board and the Senior Management shall be responsible for the implementation of this policy. They shall also review it annually.

General Risk Management and Fraud Mitigation

Generic Cyber Security Controls

Further, for digital applications licensed from any third-party vendor, the regulated entity shall have a source code escrow arrangement in place to ensure business continuity. Regulated entities shall also conduct regular vulnerability assessment and penetration testing of their payment applications. They shall refer to OWASP standards, the security and data protection guidelines in ISO 12812, as well as guides developed by NIST.

Taking into account the proliferation of cyber-attacks, the direction also discusses a transactional authentication framework. It says that regulated entities may adopt the appropriate authentication factors depending on their risk assessment and the user's risk profile. These measures would help in deterring cyber frauds arising out of phishing, keylogging, spyware/malware, etc. For example, device binding and SIM binding would prevent frauds caused by SIM cloning.

Reconciliation Mechanism

The directions mandate a real-time reconciliation framework for all digital payment transactions for better detection and prevention of suspicious transactions. However, this framework is not aimed at consumers. For consumer grievance redressal, the regulated entities shall clearly specify the process and procedure to lodge a complaint. The application shall also show an expected timeline for grievance redressal. The regulated entities shall provide a mechanism within the application to mark a transaction as fraudulent.

The complete policy can be found here.
