
Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To effectively manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities (like payment gateways, third party service providers, vendors, etc.), PSOs shall ensure adherence to the directions by such unregulated entities as well, subject to mutual agreement. 

What are different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated Entity        | Timeline
Large non-bank PSOs     | April 1, 2025
Medium non-bank PSOs    | April 1, 2026
Small non-bank PSOs     | April 1, 2028

If a PPI Issuer moves to a higher category, the timeline of the category it moves into applies. For instance, if a small (or medium) PPI issuer moves into the medium (or large) category, it will need to comply with the directions within 2 (or 1) years from the time of the new categorisation.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework, as well as for continuously assessing the overall IS posture of the PSO, to a senior level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter alia, the following measures –
    • Authentication and Authorisation – Establish identity of the communicating applications.
    • Confidentiality – Ensure that the message content is not tampered with.
    • Integrity – Resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activities identified and mitigative action taken.
  • Whenever there is a change in registered mobile number or email ID linked to the payment instrument there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.
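The cooling-period control above is the one item in this list that maps directly onto a transaction-authorisation check, so here is an added example of how a PSO might enforce it (illustrative code written for this article, not part of the RBI directions or any PSO's system). It assumes hypothetical channel labels for "online modes / channels" and timezone-aware change records, takes the latest of several contact changes (mobile and email) as the governing one, and treats naive timestamps as a hard error rather than risking under-enforcement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimum cooling period after a change of registered mobile number or
# email ID before online payment transactions are allowed (per the directions).
COOLING_PERIOD = timedelta(hours=12)

# Assumed channel labels for this example; the directions only say
# "online modes / channels", so these names are not from the page.
ONLINE_CHANNELS = frozenset({"upi", "net_banking", "card_not_present", "wallet_online"})


@dataclass(frozen=True)
class ContactChange:
    field: str            # "mobile" or "email"
    changed_at: datetime  # timezone-aware timestamp of the change


def _require_aware(ts: datetime) -> datetime:
    # A naive timestamp compares wrongly across zone/DST shifts; fail loudly
    # instead of silently shortening the cooling period.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts


def cooling_period_remaining(changes, now: datetime) -> timedelta:
    """Time still to wait before online transactions may resume (zero if none)."""
    now = _require_aware(now)
    if not changes:
        return timedelta(0)
    # Mobile and email changes may both be recorded; the latest one governs.
    latest = max(_require_aware(c.changed_at) for c in changes)
    return max(latest + COOLING_PERIOD - now, timedelta(0))


def is_transaction_allowed(channel: str, changes, now: datetime) -> bool:
    """Apply the cooling period to online channels only; others are unaffected by it."""
    if channel not in ONLINE_CHANNELS:
        return True
    return cooling_period_remaining(changes, now) == timedelta(0)


if __name__ == "__main__":
    # Constructed sample: mobile changed at 09:00 UTC, then email at 10:30 UTC.
    changes = [
        ContactChange("mobile", datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)),
        ContactChange("email", datetime(2025, 4, 1, 10, 30, tzinfo=timezone.utc)),
    ]
    at = datetime(2025, 4, 1, 21, 30, tzinfo=timezone.utc)  # 11 h after the email change
    print(is_transaction_allowed("upi", changes, at), cooling_period_remaining(changes, at))
```

A denied attempt inside the window is also a useful signal for the PSO's monitoring: a contact-detail change followed quickly by an online transaction attempt is exactly the pattern the control exists to interrupt.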

What are the reporting requirements?

  • Unusual incidents like cyber-attacks, outage of critical system / infrastructure, internal fraud, settlement delay, etc., shall be reported to RBI within 6 hours of detection. 
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0

