
Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To effectively manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities (like payment gateways, third party service providers, vendors, etc.), PSOs shall ensure adherence to the directions by such unregulated entities as well, subject to mutual agreement. 

What are the different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated Entity         Timeline
Large non-bank PSOs      April 1, 2025
Medium non-bank PSOs     April 1, 2026
Small non-bank PSOs      April 1, 2028

If a PPI issuer moves to a higher category, the timeline of the category into which it moves would apply. For instance, if a small (or medium) PPI issuer moves into the medium (or large) category, it will need to comply with the directions within 2 (or 1) years from the time of the new categorisation.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter alia, the following measures –
    • Authentication and Authorisation – Establish the identity of the communicating applications and restrict each to the resources it is permitted to use.
    • Confidentiality – Ensure that message content is not disclosed to unauthorised parties (for example, by encrypting API traffic in transit).
    • Integrity – Ensure that message content is not tampered with and that resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activities (such as replayed or abnormally frequent requests) are identified and mitigative action taken.
  • Whenever there is a change in registered mobile number or email ID linked to the payment instrument there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.
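The API measures listed above name control objectives but not mechanisms. The following is an added example (not part of the RBI directions or of the original post) showing how one concrete request-authentication layer can cover them: a keyed HMAC over the canonical request gives authentication and integrity, a scope check gives authorisation, a timestamp window, a nonce replay cache and a per-client rate limit give threat protection and availability. Confidentiality is assumed to come from TLS on the transport and is not demonstrated here. The client registry, secrets, header names, paths and limits are all constructed for illustration.

```python
"""Added example: a minimal API request-signing and verification layer
covering the control areas listed above (authentication/authorisation,
integrity, availability/threat protection). Confidentiality is assumed
to be provided by TLS and is not shown. All names and values are
constructed for illustration, not taken from the RBI directions."""

import hashlib
import hmac
import secrets
import time
from collections import deque

# Constructed client registry: key id -> (shared secret, allowed scopes).
# In a real deployment the secrets live in an HSM/KMS, never in source.
CLIENTS = {
    "merchant-001": (b"constructed-secret-not-for-production", {"payments:create"}),
    "reporting-007": (b"another-constructed-secret", {"reports:read"}),
}

CLOCK_SKEW_SECONDS = 300   # reject requests whose timestamp is this far from server time
RATE_LIMIT = 5             # accepted requests per client per window
RATE_WINDOW_SECONDS = 60

_seen_nonces: dict[str, float] = {}    # nonce -> expiry time (replay cache)
_request_times: dict[str, deque] = {}  # key id -> timestamps of accepted requests


def canonical_string(method, path, body, timestamp, nonce):
    """Bind every security-relevant part of the request into one string, so that
    altering any of them (including the body) invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(key_id, method, path, body, now=None):
    """Client side: produce the headers the caller sends with the request."""
    secret, _ = CLIENTS[key_id]
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers, method, path, body, required_scope, now=None):
    """Server side. Returns (accepted, reason). Cheap, stateless rejections come
    first; server state (nonce cache, rate counters) changes only after the
    signature has been verified, so unauthenticated traffic cannot pollute it."""
    now = now if now is not None else time.time()
    key_id = headers.get("X-Key-Id", "")
    if key_id not in CLIENTS:
        return False, "unknown key id"
    secret, scopes = CLIENTS[key_id]

    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > CLOCK_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"

    nonce = headers.get("X-Nonce", "")
    expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks MAC bytes through timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"

    if required_scope not in scopes:
        return False, "authenticated but not authorised for this scope"

    # Replay protection. A nonce is remembered for twice the skew window, which
    # covers every instant at which the same timestamp could still be accepted;
    # expired entries are purged so the cache cannot grow without bound.
    for n, exp in list(_seen_nonces.items()):
        if exp <= now:
            del _seen_nonces[n]
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[nonce] = now + 2 * CLOCK_SKEW_SECONDS

    # Availability: sliding-window rate limit per authenticated client.
    times = _request_times.setdefault(key_id, deque())
    while times and times[0] <= now - RATE_WINDOW_SECONDS:
        times.popleft()
    if len(times) >= RATE_LIMIT:
        return False, "rate limit exceeded"
    times.append(now)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 100, "currency": "INR"}'  # constructed sample payload
    hdrs = sign_request("merchant-001", "POST", "/v1/payments", body)
    print(verify_request(hdrs, "POST", "/v1/payments", body, "payments:create"))
    print(verify_request(hdrs, "POST", "/v1/payments", body, "payments:create"))  # same headers again: replay
```

The order of checks is deliberate: an attacker without a valid key cannot consume nonce-cache or rate-limit state, and a client with a valid key but the wrong scope is refused before it counts against its own quota. Rejections of each kind are what the "anomalous activities" monitoring in the direction should be fed from.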

What are the reporting requirements?

  • Unusual incidents like cyber-attacks, outage of critical systems / infrastructure, internal fraud, settlement delay, etc., shall be reported to RBI within 6 hours of detection.
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0

