
Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To effectively manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities (like payment gateways, third party service providers, vendors, etc.), PSOs shall ensure adherence to the directions by such unregulated entities as well, subject to mutual agreement. 

What are the different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated Entity        Timeline
Large non-bank PSOs     April 1, 2025
Medium non-bank PSOs    April 1, 2026
Small non-bank PSOs     April 1, 2028

If a PPI Issuer moves to a higher category, the timeline of the category into which it moves would apply. For instance, if a small (or medium) PPI issuer moves into the medium (or large) category, it will need to comply with the directions within 2 (or 1) years of the new categorisation.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework, as well as for continuously assessing the overall IS posture of the PSO, to a senior-level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter alia, the following measures –
    • Authentication and Authorisation – Establish identity of the communicating applications.
    • Confidentiality – Ensure that the message content is not tampered with.
    • Integrity – Resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activities identified and mitigative action taken.
  • Whenever there is a change in the registered mobile number or email ID linked to the payment instrument, there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.
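The 12-hour cooling-period rule in the list above, written out as an added Python check that is not part of the post or of the RBI directions; the channel names and the instrument records are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Control summarised above: after a change of the registered mobile number or
# email ID, online payment transactions are blocked for a minimum of 12 hours.
# Channel names are constructed for illustration, not taken from the directions.
COOLING_PERIOD = timedelta(hours=12)
ONLINE_CHANNELS = frozenset({"mobile_app", "internet_banking", "upi", "card_not_present"})

@dataclass
class Instrument:
    instrument_id: str
    mobile_changed_at: Optional[datetime] = None  # tz-aware; None if never changed
    email_changed_at: Optional[datetime] = None   # tz-aware; None if never changed

def last_contact_change(inst: Instrument) -> Optional[datetime]:
    """Latest change to either linked contact detail; both kinds of change count."""
    changes = [t for t in (inst.mobile_changed_at, inst.email_changed_at) if t is not None]
    return max(changes) if changes else None

def cooling_period_allows(inst: Instrument, channel: str, now: datetime) -> tuple[bool, str]:
    """Decide whether a transaction may proceed; returns (allowed, reason). Only online
    channels are subject to the cooling period; exactly 12 hours elapsed is allowed."""
    if channel not in ONLINE_CHANNELS:
        return True, "non-online channel: cooling period not applicable"
    changed = last_contact_change(inst)
    if changed is None:
        return True, "no contact-detail change on record"
    if changed.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware; naive values compare unsafely")
    elapsed = now - changed
    if elapsed < COOLING_PERIOD:
        return False, f"cooling period active, {COOLING_PERIOD - elapsed} remaining"
    return True, "cooling period elapsed"

def run_constructed_cases() -> dict[str, bool]:
    """Constructed scenarios (not real data) exercising the boundary conditions."""
    t0 = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)
    fresh = Instrument("PPI-DEMO-1", mobile_changed_at=t0)
    stale_mobile_new_email = Instrument(
        "PPI-DEMO-2", mobile_changed_at=t0 - timedelta(days=30), email_changed_at=t0)
    return {
        "upi_after_11h59m": cooling_period_allows(fresh, "upi", t0 + timedelta(hours=11, minutes=59))[0],
        "upi_at_exactly_12h": cooling_period_allows(fresh, "upi", t0 + timedelta(hours=12))[0],
        "pos_terminal_after_1h": cooling_period_allows(fresh, "pos_terminal", t0 + timedelta(hours=1))[0],
        "email_change_counts": cooling_period_allows(stale_mobile_new_email, "mobile_app", t0 + timedelta(hours=2))[0],
        "never_changed": cooling_period_allows(Instrument("PPI-DEMO-3"), "upi", t0)[0],
    }
```

The decision and its reason string are what an audit log entry for a declined transaction would carry; the check deliberately treats an email change the same as a mobile-number change, as the direction does.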

What are the reporting requirements?

  • Unusual incidents like cyber-attacks, outage of critical system / infrastructure, internal fraud, settlement delay, etc., shall be reported to RBI within 6 hours of detection. 
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0

