
Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To effectively manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities (like payment gateways, third party service providers, vendors, etc.), PSOs shall ensure adherence to the directions by such unregulated entities as well, subject to mutual agreement. 

What are the different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated Entity          Timeline
Large non-bank PSOs       April 1, 2025
Medium non-bank PSOs      April 1, 2026
Small non-bank PSOs       April 1, 2028

If a PPI Issuer moves to a higher category, the timeline of the category into which it moves would apply. For instance, if a small (or medium) PPI issuer moves into the medium (or large) category, it will need to comply with the directions within 2 (or 1) years from the time of the new categorisation.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter alia, the following measures –
    • Authentication and Authorisation – Establish identity of the communicating applications.
    • Confidentiality – Ensure that the message content is not tampered with.
    • Integrity – Resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activities identified and mitigative action taken.
  • Whenever there is a change in registered mobile number or email ID linked to the payment instrument there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.
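The four API control objectives listed above name goals rather than mechanisms. The following is an added example, not taken from the RBI directions or from this post, of one common way a PSO can establish the identity of a calling application and detect tampering with message content: each request carries an HMAC over a canonical string made of the application ID, a timestamp, a nonce, the HTTP method, the path and a hash of the body, and the receiving side rejects unknown applications, stale timestamps, replayed nonces and bad signatures. The application ID, header names, shared secret and canonical-string layout are all assumptions of the example; confidentiality on the wire (TLS) is assumed and not shown.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed registry of partner applications and their shared secrets (assumption of this
# example). In production these live in a secrets manager or HSM, never in source code.
APP_SECRETS: Dict[str, bytes] = {
    "pg-merchant-01": b"example-secret-do-not-use",
}

ALLOWED_SKEW_SECONDS = 300   # requests older (or newer) than five minutes are refused
_seen_nonces: set = set()    # replay cache; a real deployment uses a shared store with a TTL


def canonical_string(app_id: str, timestamp: int, nonce: str,
                     method: str, path: str, body: bytes) -> bytes:
    """Bytes that both sides sign: every field an attacker might alter is covered."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([app_id, str(timestamp), nonce, method.upper(), path, body_hash]).encode()


def sign_request(app_id: str, secret: bytes, timestamp: int,
                 method: str, path: str, body: bytes) -> Dict[str, str]:
    """Caller side: produce the headers that accompany a request (header names are assumed)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(app_id, timestamp, nonce, method, path, body),
                   hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers: Dict[str, str], method: str, path: str,
                   body: bytes, now: int) -> Tuple[bool, str]:
    """Receiving side: authenticate the application and check the message was not altered."""
    app_id = headers.get("X-App-Id", "")
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown application"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > ALLOWED_SKEW_SECONDS:
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical_string(app_id, ts, nonce, method, path, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak signature bytes through timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    _seen_nonces.add(nonce)   # only accepted requests consume their nonce
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount":100}'   # constructed request body
    hdrs = sign_request("pg-merchant-01", APP_SECRETS["pg-merchant-01"],
                        1700000000, "POST", "/v1/payments", body)
    print(verify_request(hdrs, "POST", "/v1/payments", b'{"amount":999}', 1700000010))
    print(verify_request(hdrs, "POST", "/v1/payments", body, 1700000010))
    print(verify_request(hdrs, "POST", "/v1/payments", body, 1700000010))
```

The nonce cache only needs to remember values for as long as the timestamp window allows, so in a real deployment its TTL is set to ALLOWED_SKEW_SECONDS; outside that window the timestamp check alone rejects the replay.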
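The 12-hour cooling period and the 5-year audit-log retention are both concrete enough to encode as checks. The following is an added example, not code from the RBI directions or this post, of a payment gate that records when the registered mobile number or email ID was last changed, refuses online-channel payments until 12 hours have passed, and stamps every audit record with the earliest date it may be purged. The channel names, account identifier and record layout are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Parameters taken from the directions summarised above.
COOLING_PERIOD = timedelta(hours=12)   # minimum 12 hours after a change of mobile number / email ID
AUDIT_RETENTION_YEARS = 5              # audit logs preserved for at least 5 years

# Which channels count as "online modes / channels" is an assumption of this example.
ONLINE_CHANNELS = {"mobile_app", "internet_banking", "upi", "card_not_present"}


@dataclass
class Account:
    account_id: str
    # When the registered mobile number or email ID was last changed (None if never).
    last_contact_change: Optional[datetime] = None
    audit_log: list = field(default_factory=list)


def add_years(moment: datetime, years: int) -> datetime:
    """Advance a timestamp by whole years, mapping 29 February onto 28 February when needed."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def _audit(account: Account, event: str, at: datetime, **details) -> dict:
    """Append an audit record stamped with the earliest date it may be purged."""
    record = {
        "event": event,
        "at": at.isoformat(),
        "retain_until": add_years(at, AUDIT_RETENTION_YEARS).isoformat(),
        **details,
    }
    account.audit_log.append(record)
    return record


def change_contact_detail(account: Account, field_name: str, new_value: str, at: datetime) -> None:
    """Record a change of registered mobile number or email ID; this starts the cooling period."""
    if field_name not in {"mobile", "email"}:
        raise ValueError("only registered mobile number or email ID changes start a cooling period")
    account.last_contact_change = at
    # Log only a suffix of the new value so the audit trail does not become a contact-data store.
    _audit(account, "contact_change", at, field=field_name, value_suffix=new_value[-4:])


def authorise_payment(account: Account, channel: str, amount: float, at: datetime) -> dict:
    """Gate a payment: online channels are refused until the cooling period has elapsed."""
    decision = {"allowed": True, "reason": "ok"}
    if channel in ONLINE_CHANNELS and account.last_contact_change is not None:
        elapsed = at - account.last_contact_change
        if elapsed < COOLING_PERIOD:
            remaining = COOLING_PERIOD - elapsed
            decision = {
                "allowed": False,
                "reason": "cooling_period",
                "retry_after_seconds": int(remaining.total_seconds()),
            }
    _audit(account, "payment_decision", at, channel=channel, amount=amount, **decision)
    return decision


def run_scenario() -> dict:
    """Constructed walk-through: a mobile-number change followed by payment attempts."""
    t0 = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account("ACC-0001")  # constructed identifier
    before = authorise_payment(acct, "upi", 100.0, t0)
    change_contact_detail(acct, "mobile", "+910000001234", t0)  # constructed number
    during_online = authorise_payment(acct, "upi", 100.0, t0 + timedelta(hours=2))
    during_branch = authorise_payment(acct, "branch", 100.0, t0 + timedelta(hours=2))
    after = authorise_payment(acct, "upi", 100.0, t0 + timedelta(hours=12))
    return {
        "before": before,
        "during_online": during_online,
        "during_branch": during_branch,
        "after": after,
        "first_record_retain_until": acct.audit_log[0]["retain_until"],
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Timestamps are timezone-aware throughout; mixing naive and aware datetimes is the usual way a cooling-period check silently miscounts by several hours, which matters when the threshold is exactly 12 hours.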

What are the reporting requirements?

  • Unusual incidents like cyber-attacks, outage of critical system / infrastructure, internal fraud, settlement delay, etc., shall be reported to RBI within 6 hours of detection. 
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0

