Skip to main content

Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To effectively manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities (like payment gateways, third party service providers, vendors, etc.), PSOs shall ensure adherence to the directions by such unregulated entities as well, subject to mutual agreement. 

What are different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated Entity Timeline
Large non-bank PSOs April 1, 2025
Medium non-bank PSOs April 1, 2026
Small non-bank PSOs April 1, 2028

If a PPI Issuer moves to a higher category, the timeline of the category to which it moves into, would apply. For instance, if a small (or medium) PPI issuer moves into medium (or large) category, it will need to comply with the directions within 2 (or 1) years from the time of new categorisation.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter-alia, the following measures –
    • Authentication and Authorisation – Establish identity of the communicating applications.
    • Confidentiality – Ensure that the message content is not tampered with.
    • Integrity – Resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activities identified and mitigative action taken.
  • Whenever there is a change in registered mobile number or email ID linked to the payment instrument there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.

What are the reporting requirements?

  • Unusual incidents like cyber-attacks, outage of critical system / infrastructure, internal fraud, settlement delay, etc., shall be reported to RBI within 6 hours of detection. 
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0


Follow at - Telegram   Instagram   LinkedIn   X   Facebook

Labels:

Comments

Post a Comment

Popular Posts

Reserve Bank of India Act, 1934 – Part-II – Section 17 to 19

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the second article in the series.  Section 17 – Business which the Bank may transact RBI shall be authorized to carry on and transact the several kinds of business hereinafter specified, namely – 17(1) – Accept deposit without interest from the Central / State Government, local authorities, banks and any other persons. 17(1A) – Accept deposit, repayable with interest, from banks or any other person under the Standing Deposit Facility Scheme, as approved by the Central Board, for the purposes of liquidity management.   Bills of Exchange (B/E) & Promissory Note (PN) Bearing 2 or more good signatures, one of which shall be of B/E & PN arising out of Maturing within 17(2)(a) Purchase, sale and rediscou...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-I – Preamble and Section 1 to 13

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the first article in the series. Preamble of the Act RBI to – Regulate the issue of bank notes. Keep reserves for monetary stability in India. Operate currency and credit system of the country to its advantage. The primary objective of the monetary policy is to maintain price stability while keeping in mind the objective of growth. Chapter I – Preliminary Section 1 – Short title, extent and commencement 1(1) – This Act may be called the Reserve Bank of India Act, 1934. 1(2) – The Act extends to whole of India. Chapter II - Incorporation, Capital, Management and Business Section 3 – Establishment and incorporation of Reserve Bank 3(1) – RBI to take over management of the currency from the Central Government. 3(2) – RBI to have perpetual succession, common seal, and shall by...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-III – Section 20 to 40

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the third article in the series.  Chapter III - Central Banking Functions Section 20 – Obligation of the Bank to transact Government business RBI shall undertake – To accept monies for account of the Central Government and to make payments up to the amount standing to the credit of its account, and to carry out its exchange, remittance and other banking operations. Management of the public debt of the Union. Section 21 – Bank to have the right to transact Government business in India The Central Government shall entrust RBI with – All its money, remittance, exchange and banking transactions in India, and shall deposit free of interest all its cash balances with RBI. The Central Government may carry on money transactions at places where RBI has no branches or agencies and m...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-IV – Section 42 to 45

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the fourth article in the series.  Section 42 – Cash reserves of scheduled banks to be kept with the Bank 42(1) – Every bank included in the Second Schedule shall maintain with RBI an average daily balance at a percent (notified by RBI) of its total demand and time liabilities in India. 42(1A) – RBI may direct every scheduled bank to maintain with RBI, in addition to the balance prescribed under Section 42(1), an additional average daily balance at a rate (specified by RBI). 42(1C) – RBI may specify any transaction or class of transactions to be regarded as liability in India of a scheduled bank. If any question arises as to whether any transaction or class of transactions shall be regarded as liability in India of a schedule bank, the decision of RBI thereon shall be fina...
Post a Comment
Read more

Reserve Bank of India Act, 1934 – Part-V – Section 45B to 45JA

The Reserve Bank of India Act, 1934 provides the statutory basis of the functioning of the Reserve Bank of India (RBI). In a series of articles, we will briefly go through the provisions of RBI Act, 1934. This is the fifth article in the series.  Chapter IIIA - Collection and Furnishing of Credit Information Section 45B – Power of Bank to collect credit information RBI may collect credit information from banking companies and furnish it to any banking company in accordance with section 45D. Section 45C – Power to call for returns containing credit information RBI may direct any banking company to submit statements relating to credit information. Section 45D – Procedure for furnishing credit information to banking companies A banking company may apply to RBI to provide credit information. RBI shall furnish the requested credit information without disclosing the names of the banking companies which have submitted the information. RBI may levy fees of up to Rs.25 for furnishing credit...
Post a Comment
Read more