Digital Payments RBI Notification

RBI (Digital Payments Security Controls) Directions, 2021

The Reserve Bank recently issued master direction for banks and card issuing entities prescribing minimum standards to ensure digital payments security. These directions have been issued to all scheduled commercial banks, small finance banks, payments banks, credit card issuing NBFCs. In this article, we will have a look at these directions issued by the RBI.

Digital Payments Security Controls: Governance and Management of Security Risks

Regulated entities have been advised to formulate a policy for the digital payments products and services with the Board’s approval.

It is emphasized that while discussing the parameters of any “new product” including its alignment with the overall business strategy and with inherent risk of the product, risk management/mitigation measures, regulatory instructions compliance, customer experience, etc., the contours of the policy, must discuss regarding the payment security requirements from functionality, security and performance angles like the following:

• Necessary controls to protect the customer data confidentiality and data integrity and processes associated with the digital product or services offered;
• Availability of infrastructure such as human resources, technology, with necessary back up;
• An assurance that the payment product is made in a secure way providing robust performance;
• Capacity building and expansion with scalability to meet demand;
• Minimum customer service disruption with increased availability of systems channels;
• Effective and efficient dispute resolution mechanism and customer grievance resolution; and
• An appropriate review mechanism followed by swift corrective action.

Digital Payments Security Controls: Guidelines for Regulated entities

The RBI has laid down the following guidelines for Regulated entities:

• The Board and senior management will be responsible for implementing this policy.
• The policy will be reviewed periodically that is at least on a yearly basis.
• Regulated entities can formulate this policy for its different digital products or include it as part of their overall product policy.
• Further, the policy document shall require that every digital payment product or services offered address the mechanics, clear definition of starting point, critical intermittent stages, and the end point in the digital payment cycle, validations until digital payment is settled.
• A mechanism for conducting User Acceptance Test in multiple stages before roll-out, sign off from multiple stakeholders, and data archival requirements will also be taken into consideration.

It is expected from the regulated entities that they will incorporate necessary governance programs to take care of compliance risk, fraud risk and have key monitoring indicators to assess the digital payment products or services offered.   

Performing risk assessments by Regulated entities

Regulated entities shall conduct risk assessments with respect to the safety and security of digital payment products and associated processes and services.

The risk assessment shall take the following things into account:

• The technology stack and solutions used;
• Vulnerabilities known at each touchpoint of the digital product and the action taken by the entity;
• Dependence on the third-party service providers and oversight on such providers;
• Risk from integration of digital payment platform with other systems, including core systems and systems of payment system operators, etc.
• Customer experience, convenience, and technology adoption needed to use such products;
• Reconciliation process;
• Interoperability aspects;
• Operational risk;
• Data storage, security, and privacy protection;
• Business continuity and service availability;
• Compliance with extant cyber security needs; and
• Compatibility aspects.

Digital Payments Security Controls: Mobile Payments Activity Controls

The following instructions pertain to the mobile payments activity control:

RBI has stated, in its notification related to Digital Payments Security Controls, that if a customer notices any anomalies for which the customer is not accustomed to then he would be advised to reinstall a copy of new application. The regulated entities shall verify the version of mobile application before its use by customer. 

Specific controls for mobile applications are:

• Device policy enforcement;
• Secure download or install of application;
• Deactivating older application version in a phased manner but time-bound manner that means maintaining just one version of the mobile application in a platform/operating system;
•  Storage of customer data;
• Encryption of device or application;
• Ensuring minimum data collection/ app permissions;
• Application sandbox/containerization;
• Ability to identify remote access applications and prohibit login access to mobile application ; and
• Code obfuscation.

Digital Payments Security Controls: Card Payments Security

Regulated entities are required to follow various payment card standards according to the payment card industry prescriptions for the security of payment card as per applicability and readiness of updated versions of the standards.

Regulated entities shall make sure that terminals at merchants for capturing card details for payments or otherwise are detailed against the PCI-P2PE program to use PCI approved P2PE solutions.

Further, RBI^[1] has also asked regulated entities to implement the following to improve security posture of ATM:

• Implementation of security measures like BIOS password, disabling USB ports, disabling facility of auto-run, applying the latest patches of operating system and other software, terminal security solution, etc.
• Implementation of anti-skimming and whitelisting solution.
• Upgradation of all ATMs with supported versions of operating system.
• Using ATMs having unsupported operating systems shall be prohibited.

Regulated entities should ensure that robust surveillance/monitoring of card transactions and setting up of rules and limits commensurate with their risk appetites.  

Regulated entities shall ensure that the customer card details are not stored in plain text at the regulated entity and its vendors locations, systems, and applications. They shall also ensure that the processing of card details in readable format is conducted in a secure way to avoid data leakage of sensitive information of customers.

Safety measures to be used by regulated entities that use card data scanning tools to identify unencrypted payments card data

The safety measures are as follows:

• Any tool to scan an unencrypted card data should first be tested in a test environment to know the scope and impact of the capabilities of the tool;
• The scanning tool shall be installed only in the regulated entities premises on their devices;
• Card data scanning will not be done remotely;
• The discovered data should reside in the scanning tool. Exportable card data should be masked appropriately; and
• Limited access to service providers to conduct scan or analyse data should be provided only on the Regulated entity’s device.

Conclusion

The instructions by the Reserve Bank on digital payments security controls should compulsorily be followed by all scheduled commercial banks, payments banks, small finance banks, etc. Due to the increasing number of fraudulent activities and usage of digital payments at par with the largest number in the world, the Reserve bank has rightfully issued these directions.

Read our article:Instant Payments: Challenges and Considerations for its Implementation

MD7493544C24B5FC47D0AB12798C61CDB56F