RBI has issued a Master Direction on Digital Payment Security Controls in pursuance of the Statement on Developmental and Regulatory Policies of the Bi-monthly Monetary Policy Statement for 2020-21.
As per the said Master Direction, its provisions shall apply to the following Regulated Entities (REs):
(a) Scheduled Commercial Banks (excluding Regional Rural Banks);
(b) Small Finance Banks;
(c) Payments Banks; and
(d) Credit card issuing NBFCs.
As per the Master Direction, Regulated Entities (REs) shall formulate a policy for digital payment products and services with the approval of their Board. REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner.
REs are required to ensure that the communication protocols used in digital payment channels (especially over the Internet) adhere to a secure standard. An appropriate level of encryption and security shall be implemented across the digital payment ecosystem.
REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure for putting through transactions while preserving confidentiality and integrity of the data that is stored and transmitted.
REs shall redact/ mask customer information such as account numbers/ card numbers/ other sensitive information when transmitted via SMS/ e-mails.
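The masking requirement above, as an added example that is not part of the Master Direction or any RE's code: a small outbound-message filter that masks all but the last four digits of card numbers (identified by length and a Luhn check) and of any other long digit run that could be an account number. The message text and numbers are constructed samples; the conservative "mask any run of nine or more digits" rule is an assumption, chosen so that over-masking is the failure mode rather than leakage.

```python
import re

# Candidate card PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed rule: any other run of 9+ digits is treated as an account number and masked.
# Short values such as OTPs, amounts and dates are left readable.
ACCOUNT_RE = re.compile(r"(?<!\d)\d{9,}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to tell a card PAN from an arbitrary digit run."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(raw: str, keep_last: int = 4) -> str:
    """Replace every digit except the trailing keep_last with X, keeping separators."""
    positions = [i for i, c in enumerate(raw) if c.isdigit()]
    to_mask = set(positions[:-keep_last]) if keep_last else set(positions)
    return "".join("X" if i in to_mask else c for i, c in enumerate(raw))


def redact_message(text: str) -> str:
    """Mask Luhn-valid card numbers first, then any remaining long digit runs."""
    def card_repl(m: re.Match) -> str:
        return mask_digits(m.group(0)) if luhn_valid(m.group(0)) else m.group(0)

    text = CARD_RE.sub(card_repl, text)
    return ACCOUNT_RE.sub(lambda m: mask_digits(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample SMS; the card number is the standard 4111... test PAN.
    sms = ("Dear customer, Rs 2500.00 debited from A/c 123456789012 "
           "via card 4111 1111 1111 1111 on 01-01-2025.")
    print(redact_message(sms))
```

Run the filter on every SMS or e-mail body immediately before hand-off to the gateway, not only in the template, so values interpolated by application code are covered as well.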
In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.
Fraud analysis shall be conducted to identify the reason for each fraud occurrence and to determine mechanisms to prevent such frauds. Staff, especially those in the fraud control function, shall be educated about frauds and trained accordingly.
REs shall provide digital payment products and services to a customer only at her/ his option, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. They should provide a mechanism on their mobile and internet banking applications for customers, with the necessary authentication, to identify/ mark a transaction as fraudulent.
For internet banking security control purposes, REs shall implement additional levels of authentication on the internet banking website to guard against authentication-related attacks such as brute force/ DoS attacks. An online session shall be automatically terminated after a fixed period of inactivity.
The Master Direction also contains instructions on mobile payment application security controls and card payment security.