The RBI recently issued the master direction on digital payment security controls. Read on to know more about it…
The Reserve Bank of India (RBI) on Thursday placed a new set of regulatory guidelines for more safe and secure digital payments in the country through a master direction on “digital payment security controls.”
The RBI has toughened digital payment security norms to improve security, control, and compliance for banks and other regulated entities. The new norms come at a time when India’s thriving payments ecosystem has witnessed increased occurrences of frauds, outages, and cyber breaches.
About Master Direction on Digital Payment Security Controls
The RBI has issued several master directions on regulatory matters, beginning January 2016. The directions comprise instructions on rules and regulations framed by RBI under various acts, including banking issues and foreign exchange transactions.
The RBI, in a set of directives issued on its website on Thursday, February 18, listed prescriptive guidelines for digital payment security, which specified security protocols to be adopted in mobile payment, Internet Banking of scheduled commercial banks, small finance banks, payment banks, and and credit card issuing Non-Banking Financial Companies (NBFC). The ‘Master Direction’ also lays down guidelines for customer protection, and grievance redressal mechanism.
The latest master direction, RBI said on its website, provides necessary guidelines for regulated entities to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services.
Payment Security Control Parameters
The reported master direction consolidates important control aspects broadly in the following areas — Governance and Management of Security Risks, Generic Security Controls, Application Security Life Cycle (ASLC), Authentication Framework, Fraud Risk Management, Reconciliation Mechanism, Customer Protection, Awareness and Grievance Redressal Mechanism, specific controls related to Internet Banking, Mobile Payments Application Security Controls and Card Payments Security.
Strengthening Payment Security
“In view of the proliferation of cyber-attacks and their potential consequences, regulated entities should implement, except where explicitly permitted/relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/micro-ATMs/business correspondents, through digital payment applications,” it said.
Such a move is expected to improve the security of digital payment channels and also convenience for users. These directions contain requirements for robust governance, implementation, and monitoring of certain minimum standards on common security controls for channels like internet and mobile banking, card payments, etc.
Minimizing Digital Payment Disruptions
The robust protocol will help in checking frequent outages and disruptions while providing a secure environment for digital transactions. The RBI in December temporarily barred the largest private sector lender HDFC Bank from selling new credit cards or launching new digital banking initiatives, taking a serious view of service outages at the systemically important bank over the last two years.
The digital banking app of the India’s largest lender SBI was also facing service outages. RBI said in its circular that “The Master Direction provides necessary guidelines for the regulated entities to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services, and the guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner,”
Additional Guidelines
RBI further said that entities would incorporate secure, safe, and responsible usage guidelines and training materials for end-users within the digital payment applications.
“They shall also make it mandatory (i.e. not providing any option to circumvent/avoid the material) for the consumer to go through secure usage guidelines (even in the consumer’s preferred language) while obtaining and recording confirmation during the on-boarding procedure in the first instance and first use after each update of the digital payment application or after major updates to secure and safe usage guidelines,” the circular added.
RBI further stated that “Customers shall be cautioned against commonly known threats in recent times like phishing, vishing, reverse-phishing, remote access of mobile devices and educated to secure and safeguard their account details, credentials, PIN, card details, devices, etc.,”
With regard to mobile apps, it asked to deactivate the older application versions in a phased but time-bound manner not exceeding six months from the date of release of the newer version.