RBI has issued a Master Direction on Digital Payment Security Controls in pursuance of the Statement on Developmental and Regulatory Policies of the Bi-monthly Monetary Policy Statement for 2020-21.
Master Direction on Digital Payment Security Controls
The said Master Directions are called the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021.
The provisions of the Master Direction apply to the following Regulated Entities (REs):
(a) Scheduled Commercial Banks (excluding Regional Rural Banks);
(b) Small Finance Banks;
(c) Payments Banks; and
(d) Credit card issuing NBFCs.
As per the Master Direction, Regulated Entities (REs) shall formulate a policy for digital payment products and services with the approval of their Board. REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner.
REs are required to ensure that the communication protocol in the digital payment channels (especially over the Internet) adheres to a secure standard. An appropriate level of encryption and security shall be implemented in the digital payment ecosystem.
REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure for putting through transactions while preserving confidentiality and integrity of the data that is stored and transmitted.
REs shall redact/ mask customer information such as account numbers/ card numbers/ other sensitive information when transmitted via SMS/ e-mails.
In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.
Fraud analysis shall be conducted to identify the reason for fraud occurrence and to determine a mechanism to prevent such frauds. The staff, especially in the fraud control function, shall be educated about frauds and trained.
REs shall provide digital payment products and services to a customer only at her/his option, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. They should provide a mechanism on their mobile and internet banking applications for their customers to, with necessary authentication, identify/mark a transaction as fraudulent.
For internet banking security control purposes, REs shall implement additional levels of authentication on the internet banking website to guard against authentication-related attacks such as brute force/DoS attacks. An online session shall be automatically terminated after a fixed period of inactivity.
The Master Directions also contain instructions on mobile payment application security controls and card payment security.