Reserve Bank of India (RBI), on June 2, 2023, released a set of draft "Master Directions" for the payment system operators (PSOs) to ramp up their cyber resilience and digital payment security controls. The aim is to protect customer information and enhance their digital payment security.
India saw a 50 per cent growth rate in digital retail payments driven by the Unified Payments Interface (UPI), outpacing the US, the UK, and Europe. Consequently, the circulation of low denomination notes has reduced.
Draft Directions
The draft directions lay out governance mechanisms to identify, assess, monitor, and manage cybersecurity risks and baseline security measures for digital payments. In addition to ensuring the safety of payment systems, RBI aims to enhance the resilience of PSOs to cyber threats.
It has invited stakeholders to give feedback on the proposals by June 30, 2023.
Securing Digital Payments
Any unusual incidents, including cyber-attacks, system outages, fraud, etc., must be reported to RBI within six hours of detection. Cybersecurity incidents should also be reported to CERT-In, RBI said.
PSOs must implement multi-factor authentication for all transactions conducted through electronic modes. In addition, PSOs must appoint nodal officers to promptly resolve unauthorized or fraudulent transactions reported by customers 24/7 and assist law enforcement agencies.
They must also create mechanisms for online alerts based on parameters like failed transactions, transaction velocity, unusual patterns, etc. They should also ensure secure communication of SMS/email alerts to customers, masking confidential information, including transaction details.
PSOs must provide a facility on their mobile application/website for customers to promptly identify and report fraudulent transactions to the payment instrument issuer.
PSOs must validate terminals installed at merchants and comply with PCI-P2PE and PCI-PTS programs for capturing card details.
In addition, card networks should implement transaction limits and alert mechanisms for suspicious incidents and store customer card details in encrypted form.
PPI issuers are encouraged to communicate OTP and transaction alerts in vernacular languages.
Enhancing PSOs' Cyber Resilience
RBI has asked the PSOs to implement various governance controls to ensure cyber resilience oversight. The Board of Directors or a designated sub-committee should provide primary oversight and meet at least once a quarter. In addition, they should prepare a cyber crisis management plan (CCMP), with board approval, to address the cyber threats and attacks.
Digital identities should be assigned to individuals accessing the PSO's IT environment. Default authentication settings should be deactivated and changed before going live. Privileged accounts should require multi-factor authentication and monitoring regularly.
The PSO should develop a Business Continuity Plan (BCP), reviewed annually based on cyber threat scenarios, to ensure rapid recovery and safe resumption of critical operations. In addition, disaster recovery drills should be conducted regularly, and any deviations from recovery objectives should be addressed promptly.
Employee awareness and training programs on information security should be conducted periodically for PSO employees and vendors responsible for managing information assets, the draft directions read.
