Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs)

Reserve Bank of India (RBI) has issued directions on cyber resilience and digital payment security controls for non-bank Payment System Operators (PSOs).

To whom are the directions applicable?

The directions shall apply to all authorised non-bank Payment System Operators (PSOs).

To manage the cyber and technology risks that arise from linkages between PSOs and unregulated entities (payment gateways, third-party service providers, vendors, etc.), PSOs shall ensure that such unregulated entities also adhere to the directions, subject to mutual agreement.

What are different categories of non-bank PSOs?

What are the timelines for complying with the directions?

To provide adequate time to put in place the necessary compliance structure, a phased implementation approach is prescribed as under –

Regulated entity          Timeline
Large non-bank PSOs       April 1, 2025
Medium non-bank PSOs      April 1, 2026
Small non-bank PSOs       April 1, 2028

If a PPI issuer moves to a higher category, the timeline of the category it moves into applies. For instance, a small PPI issuer recategorised as medium must comply with the directions within 2 years of the new categorisation, and a medium PPI issuer recategorised as large within 1 year.

What are some of the important directions on cyber resilience and digital payment security controls for non-bank PSOs?

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board, headed by a member with experience in information / cyber security, which shall meet at least once every quarter.
  • The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy shall be reviewed annually.
  • The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.
  • The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior level executive with expertise in areas of information security including cyber security [e.g. Chief Information Security Officer (CISO)].
  • The PSO shall follow a ‘secure by design’ approach such as Secure-Software Development Life Cycle (S-SDLC) for design and development of products / services.
  • To safeguard applications against risks emanating from insecure Application Programming Interfaces (APIs), the PSO shall put in place, inter alia, the following measures –
    • Authentication and Authorisation – Establish the identity of the communicating applications and permit each only the operations it is entitled to.
    • Confidentiality – Ensure that message content cannot be read by unauthorised parties, for example by using encrypted transport (TLS) between the communicating applications.
    • Integrity – Ensure that message content is not tampered with in transit and that resources are reliably transferred.
    • Availability and Threat Protection – APIs are available when needed; anomalous activity (for example replayed or malformed requests, or bursts of failed authentication) is identified and mitigative action taken.
  • Whenever the registered mobile number or email ID linked to a payment instrument is changed, there shall be a cooling period of at least 12 hours before any payment transaction is allowed through online modes / channels.
  • Audit logs shall be preserved for at least 5 years.
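The API measures above map onto a small set of server-side checks. The following is an added example written for this page, not code from the RBI directions or from any PSO: a verifier for signed API requests that establishes the caller's identity (shared-secret key ID), checks message integrity (HMAC-SHA256 over a canonical string of method, path, timestamp, nonce and body hash), rejects replays (timestamp window plus nonce cache), enforces per-key scopes (authorisation) and counts failures per key as a feed for anomaly detection. Confidentiality is assumed to come from TLS on the transport and is not demonstrated. The header names, routes, scopes, key store, clock-skew tolerance and sample request are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample key store (not from the directions): key id -> shared secret and scopes.
KEYS = {
    "merchant-7f3a": {"secret": b"merchant-secret-issued-out-of-band", "scopes": {"payments:create"}},
    "reporting-01": {"secret": b"reporting-secret-issued-out-of-band", "scopes": {"payments:read"}},
}
# Scope each route requires (assumed routes).
ROUTE_SCOPES = {
    ("POST", "/v1/payments"): "payments:create",
    ("GET", "/v1/payments"): "payments:read",
}
MAX_SKEW_SECONDS = 300  # assumed tolerance between client and server clocks


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and body hash into one string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(int(timestamp)), nonce, body_hash]).encode()


def sign_request(secret, method, path, timestamp, nonce, body):
    """Client side: hex HMAC-SHA256 over the canonical string."""
    return hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()


def build_headers(key_id, method, path, body, nonce, timestamp):
    """Client side: produce the signed header set for one request (assumed header names)."""
    sig = sign_request(KEYS[key_id]["secret"], method, path, timestamp, nonce, body)
    return {"X-Key-Id": key_id, "X-Timestamp": str(int(timestamp)), "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Server side: authenticate the caller, check integrity, reject replays, enforce scope."""

    def __init__(self, keys=KEYS, max_skew=MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        self.seen_nonces = {}   # nonce -> time after which it may be forgotten
        self.failures = {}      # key id -> failed verifications, a signal for anomaly detection

    def _fail(self, key_id, reason):
        self.failures[key_id] = self.failures.get(key_id, 0) + 1
        return (False, reason)

    def verify(self, method, path, headers, body, now=None):
        now = time.time() if now is None else now
        key_id = headers.get("X-Key-Id", "")
        key = self.keys.get(key_id)
        if key is None:
            return self._fail(key_id, "unknown key id")

        # Freshness check before any HMAC work: stale or future-dated requests are dropped cheaply.
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return self._fail(key_id, "missing or malformed timestamp")
        if abs(now - ts) > self.max_skew:
            return self._fail(key_id, "timestamp outside allowed window")

        # Integrity and authentication: recompute the MAC with the caller's secret, constant-time compare.
        nonce = headers.get("X-Nonce", "")
        expected = sign_request(key["secret"], method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return self._fail(key_id, "bad signature")

        # Replay protection: a nonce is recorded only after the signature checks out, so an
        # attacker cannot fill the cache with unsigned requests. Expired nonces are pruned first.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return self._fail(key_id, "replayed nonce")
        self.seen_nonces[nonce] = now + 2 * self.max_skew

        # Authorisation: the authenticated key must hold the scope the route needs.
        needed = ROUTE_SCOPES.get((method.upper(), path))
        if needed is None or needed not in key["scopes"]:
            return self._fail(key_id, "scope not permitted")
        return (True, "ok")


if __name__ == "__main__":
    v = RequestVerifier()
    body = b'{"amount":"150.00","currency":"INR","payee":"vpa@bank"}'  # constructed sample body
    t = 1_700_000_000
    h = build_headers("merchant-7f3a", "POST", "/v1/payments", body, "n-001", t)
    print(v.verify("POST", "/v1/payments", h, body, now=t + 5))         # (True, 'ok')
    print(v.verify("POST", "/v1/payments", h, body, now=t + 6))         # (False, 'replayed nonce')
    print(v.verify("POST", "/v1/payments", h, body + b" ", now=t + 5))  # (False, 'bad signature')
```

The ordering of checks is deliberate: the key lookup and timestamp window run before the HMAC so that floods of garbage cost little, the nonce is recorded only after a valid signature so the replay cache cannot be poisoned, and scope is checked last because it only makes sense once the caller's identity has been established. The per-key failure counter is the hook for the "anomalous activity identified" requirement: a spike for one key ID is the thing to alert on.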
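The 12-hour cooling period is an authorisation-time control rather than a policy statement, and the details matter: the clock starts from the latest change to either the mobile number or the email ID, the rule applies only to online channels, and timestamps must be timezone-aware or a naive local time can silently shift the window by hours. The following is an added example, not code from the directions or from any PSO; the channel labels, the shape of the contact-change events and the sample timestamps are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

COOLING_PERIOD = timedelta(hours=12)  # minimum period required by the directions
# Assumed channel labels; anything not listed here is treated as a non-online channel.
ONLINE_CHANNELS = {"upi", "netbanking", "wallet_online", "card_not_present"}
GOVERNED_FIELDS = {"mobile", "email"}  # registered mobile number and email ID


def _as_utc(ts):
    """Reject naive timestamps: an unlabelled local time cannot be compared safely."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc)


def cooling_period_ends(contact_changes):
    """Return the instant from which online transactions may resume, or None if there was
    no change to a governed field. contact_changes is a list of (field, changed_at) events
    taken from the instrument's change log; the latest governed change resets the clock."""
    relevant = [_as_utc(when) for field, when in contact_changes if field in GOVERNED_FIELDS]
    if not relevant:
        return None
    return max(relevant) + COOLING_PERIOD


def transaction_allowed(contact_changes, channel, at):
    """Decide whether a transaction on `channel` at time `at` may proceed.
    Returns (allowed, reason) so the reason can be logged with the decision."""
    at = _as_utc(at)
    if channel not in ONLINE_CHANNELS:
        return (True, "non-online channel; cooling period does not apply")
    ends = cooling_period_ends(contact_changes)
    if ends is None:
        return (True, "no change to registered mobile number or email ID")
    if at >= ends:
        return (True, "cooling period elapsed at " + ends.isoformat())
    return (False, "cooling period active until " + ends.isoformat())


if __name__ == "__main__":
    t0 = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    changes = [("mobile", t0), ("address", t0 + timedelta(hours=2))]
    print(transaction_allowed(changes, "upi", t0 + timedelta(hours=11)))   # blocked, 1 hour left
    print(transaction_allowed(changes, "upi", t0 + timedelta(hours=12)))   # allowed
    print(transaction_allowed(changes, "pos_chip_and_pin", t0 + timedelta(hours=1)))  # allowed, not online
```

The check should run in the payment authorisation path on the server, against the instrument's own change log, never against a flag the client sends. Because the latest change governs, a second change to the other field (for example a new email ID ten hours after a new mobile number) extends the block, which is the behaviour an attacker who has taken over one contact channel and then the other would otherwise exploit.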

What are the reporting requirements?

  • Unusual incidents such as cyber attacks, outages of critical systems / infrastructure, internal fraud, settlement delays, etc., shall be reported to RBI within 6 hours of detection.
  • Any cyber security incident shall also be reported to Indian Computer Emergency Response Team (CERT-In).


References

Reserve Bank of India. (2024, July 30). 'Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0