
Call for Inputs: RBI’s Draft Master Directions on Cyber Resilience and Digital Payment Security Controls

June 6, 2023


On June 2, 2023, the Reserve Bank of India (RBI) released draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (draft Master Directions) with the objective of ensuring the safety of non-banking payment systems.

The draft Master Directions cover governance mechanisms for identification, assessment, monitoring and management of cybersecurity risks by payment system operators (PSO). PSOs include Clearing Corporation of India Limited, National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, Card Payment Networks, Non-bank ATM Networks, PPI Issuers, Payment Aggregators (PAs), instant money transfer operators etc.

The draft Master Directions include:

1. Governance controls

· The Board of Directors of the PSO will ensure oversight over information security risks.
· The PSO shall formulate an Information Security (IS) policy and a Cyber Crisis Management Plan (CCMP).
· The PSO shall define Key Risk Indicators to identify potential risk events and Key Performance Indicators to assess the effectiveness of security controls.

2. Baseline Information Security Measures

· Inventory management: maintaining a comprehensive record of key roles, information assets, critical functions etc., along with process flow diagrams of network resources and data flows.
· Identity and access management for individuals with access to the IT environment of the PSO, privileged accounts, remote access situations etc.
· Network security measures for protection from external threats.
· Following a ‘secure by design’ approach.
· Security testing to be put in place for all applications, with deficiencies resolved in a timely manner.
· Putting in place a data leak prevention policy, an information security management system, a process to identify and implement patches to technology and software, and an incident response mechanism.
· Reporting any unusual incidents, outages of critical systems, internal fraud, settlement delays, etc., to RBI within 6 hours of detection, and to CERT-In.

3. Digital payment security measures

· Online alerts for failed transactions, and additional alerts in case of new account parameters, such as excessive activity.
· When sending SMS or e-mail alerts, ensuring that bank account details are redacted, that online payment transactions mention the merchant name, that the OTP is mentioned at the end of the message, etc.
· Mobile payments: putting in place a mechanism to ensure that the mobile application is free from any anomalies for which the application was not programmed, safeguards for authenticated sessions, fingerprinting of applications with the device/SIM, automatic termination of mobile sessions etc.
· Card payments: terminals that capture card details should adhere to the point-to-point encryption programme; implementation of transaction limits on cards; an alert mechanism in cases of suspicious incidents etc.
· Prepaid payment instruments (PPI): PPI issuers are encouraged to communicate transaction and OTP alerts in the user’s language of choice, and to put in place a cooling period for fund transfers after loading into the PPI.
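As an added illustration (not part of the draft Master Directions or of this post), the Python sketch below shows how a PSO's alerting service could meet the SMS/e-mail content rules listed above by construction, and separately verify every outgoing message against them before dispatch: account details are masked, the merchant name is included, and the OTP is the final token. The message wording, the digit-run heuristic used to detect an unmasked account number, and all sample values are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical example: composing and checking customer alert messages against
# the content rules summarised in the post (redacted account details, merchant
# name present, OTP at the end). Formats and thresholds are assumptions for
# illustration, not formats prescribed by RBI.


@dataclass(frozen=True)
class TransactionAlert:
    account_number: str         # full account number held by the PSO (never sent as-is)
    merchant_name: str          # merchant to be named in online payment alerts
    amount_inr: str             # amount already formatted for display, e.g. "1500.00"
    otp: Optional[str] = None   # present only for OTP alerts


def redact_account(account_number: str, visible: int = 4) -> str:
    """Mask all but the last `visible` digits of an account number.

    Non-digit separators are dropped first so the mask does not leak the
    number's grouping structure.
    """
    digits = re.sub(r"\D", "", account_number)
    if len(digits) <= visible:
        return "X" * len(digits)
    return "X" * (len(digits) - visible) + digits[-visible:]


def compose_alert(alert: TransactionAlert) -> str:
    """Build the outgoing SMS/e-mail text so it satisfies the rules by construction."""
    body = (
        f"INR {alert.amount_inr} debited from A/c {redact_account(alert.account_number)} "
        f"at {alert.merchant_name}."
    )
    if alert.otp is not None:
        # Appended last, so the OTP is always the final token of the message.
        body += f" Do not share your OTP with anyone. OTP {alert.otp}"
    return body


# Assumption: a run of 9 to 18 digits with no digit on either side is treated as
# an unmasked account-like number. Amounts and 4-6 digit OTPs are shorter.
UNMASKED_ACCOUNT = re.compile(r"(?<!\d)\d{9,18}(?!\d)")


def check_alert(message: str, merchant_name: str, otp: Optional[str]) -> List[str]:
    """Independent outbound check: returns the rule violations found (empty if compliant).

    Running this on every message before dispatch catches templates that were
    edited by hand or produced by a code path that bypassed compose_alert().
    """
    problems: List[str] = []
    if UNMASKED_ACCOUNT.search(message):
        problems.append("contains an unmasked account-like number")
    if merchant_name not in message:
        problems.append("merchant name missing")
    if otp is not None and not message.rstrip().endswith(otp):
        problems.append("OTP is not at the end of the message")
    return problems


if __name__ == "__main__":
    # Constructed sample data; not a real account number or OTP.
    alert = TransactionAlert("123456789012", "Example Store", "1500.00", "482913")
    msg = compose_alert(alert)
    print(msg)
    print("violations:", check_alert(msg, alert.merchant_name, alert.otp))

    # A hand-written template that leaks the account number and buries the OTP.
    bad = "INR 1500.00 debited from A/c 123456789012. OTP 482913 at Example Store"
    print("violations:", check_alert(bad, "Example Store", "482913"))
```

The checker is deliberately separate from the composer: the composer guarantees well-formed messages for its own callers, while the checker acts as a last gate for any message, whatever produced it, which is the kind of control an auditor can point to when asking how the redaction rule is enforced.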

We are preparing a response for the draft Master Directions. We are requesting your feedback and suggestions by June 20, 2023. Kindly write to garima@nasscom.in and priyanshi@nasscom.in.




Garima Prakash
Manager, Public Policy and Government Affairs

Reach out to me for all things policy about e-commerce, international trade, export controls, start-ups and fintech
