RBI has issued a Master Direction on Digital Payment Security Controls in pursuance of the Statement on Developmental and Regulatory Policies of the Bi-monthly Monetary Policy Statement for 2020-21.
As per the said Master Direction, its provisions shall apply to the following Regulated Entities (REs):
(a) Scheduled Commercial Banks (excluding Regional Rural Banks);
(b) Small Finance Banks;
(c) Payments Banks; and
(d) Credit card issuing NBFCs.
As per the Master Direction, Regulated Entities (REs) shall formulate a policy for digital payment products and services with the approval of their Board. REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner.
REs are required to ensure that the communication protocols used in digital payment channels (especially over the Internet) adhere to a secure standard. An appropriate level of encryption and security shall be implemented across the digital payment ecosystem.
REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure for putting through transactions while preserving confidentiality and integrity of the data that is stored and transmitted.
REs shall redact/mask customer information such as account numbers, card numbers and other sensitive information when it is transmitted via SMS or e-mail.
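The masking requirement is simple to state but easy to get wrong in notification templates, so here is an added example (not part of the Master Direction or any RE's code) of a redaction step applied to outgoing SMS/e-mail text before it leaves the RE. It masks all but the last four digits of anything that looks like a card number (13 to 19 digits, optionally separated by spaces or hyphens) and of account numbers introduced by an "A/c", "Acct" or "Account" label, and provides a final guard that flags any long digit run that survived. The sample message, the keyword list and the "keep last four" rule are assumptions chosen for illustration.

```python
import re

# Constructed sample notification (illustrative, not a real customer message).
SAMPLE_SMS = (
    "Rs 1,250.00 debited from A/c 123456789012 on 12-03-24 via card 4111 1111 1111 1111. "
    "Ref 987654321. Call 1800-000-0000 if not done by you."
)

# 13-19 digits with optional single spaces/hyphens between them (typical PAN formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Account numbers: only when introduced by an account label, to avoid masking
# reference numbers the customer needs (labels are an assumed list).
ACCOUNT_RE = re.compile(
    r"(?P<prefix>\b(?:A/?c|Acct|Account)\.?\s*(?:No\.?\s*)?)(?P<num>\d{9,18})\b",
    re.IGNORECASE,
)

# Guard pattern: any remaining run of 12 or more digits (with separators) is a likely leak.
LONG_NUMBER_RE = re.compile(r"(?:\d[ -]?){11,}\d")


def mask_keep_last(token: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with 'X', preserving separators."""
    digits_total = sum(ch.isdigit() for ch in token)
    out, seen = [], 0
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digits_total - keep else "X")
        else:
            out.append(ch)
    return "".join(out)


def redact(message: str) -> str:
    """Mask card numbers first (longest runs), then labelled account numbers."""
    message = CARD_RE.sub(lambda m: mask_keep_last(m.group(0)), message)
    message = ACCOUNT_RE.sub(
        lambda m: m.group("prefix") + mask_keep_last(m.group("num")), message
    )
    return message


def leaks_long_number(message: str) -> bool:
    """True if the text still carries a 12+ digit run; use as a last check before sending."""
    return LONG_NUMBER_RE.search(message) is not None


if __name__ == "__main__":
    safe = redact(SAMPLE_SMS)
    print(safe)
    print("leak check:", "FAIL" if leaks_long_number(safe) else "ok")
```

The card rule is deliberately conservative: anything of PAN length is masked whether or not it passes a Luhn check, because over-masking a reference number is a far cheaper failure than sending a full PAN in clear text. The final guard exists for the case where a template carries a number in a format neither rule anticipated; a message that trips it should be held rather than sent.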
In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.
Fraud analysis shall be conducted to identify the reasons for fraud occurrence and to determine mechanisms to prevent such frauds. Staff, especially those in the fraud control function, shall be educated about frauds and trained accordingly.
REs shall provide digital payment products and services, to a customer only at her/ his option based on specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. They should provide a mechanism on their mobile and internet banking application for their customers to, with necessary authentication, identify/ mark a transaction as fraudulent.
For internet banking security control purposes, REs shall implement additional levels of authentication on the internet banking website to counter authentication-related attacks such as brute force and DoS attacks. An online session shall be automatically terminated after a fixed period of inactivity.
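The two controls above (throttling credential-guessing and terminating idle sessions) are concrete enough to show in code. The following is an added example, not code from the Master Direction or any RE: an in-memory login guard that locks an account after a fixed number of consecutive failures, rejects locked logins before doing any password hashing (so a flood of guesses cannot drive up CPU), hashes a decoy for unknown usernames so the response time does not reveal whether the account exists, and expires a session once it has been idle past a limit. The thresholds, the user table, the `FakeClock` and the `demo()` driver are all assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Illustrative thresholds; the Master Direction prescribes none of these values.
MAX_FAILED_ATTEMPTS = 5         # consecutive failures before a temporary lock
LOCKOUT_SECONDS = 15 * 60       # duration of the lock
IDLE_TIMEOUT_SECONDS = 5 * 60   # inactivity after which the session is terminated
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthGuard:
    """Login throttling plus idle-session expiry, with an injectable clock for testing."""

    def __init__(self, users: dict[str, tuple[bytes, bytes]], clock=time.monotonic):
        self._users = users                      # username -> (salt, digest)
        self._clock = clock
        self._failures: dict[str, int] = {}      # username -> consecutive failures
        self._locked_until: dict[str, float] = {}
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (user, last activity)
        # Decoy credential: unknown users cost the same hashing time as a wrong password.
        self._decoy = hash_password(secrets.token_hex(8))

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:               # lock has expired; reset the counter
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def login(self, username: str, password: str) -> tuple[str, str | None]:
        """Returns ("ok", token), ("locked", None) or ("denied", None)."""
        if self.is_locked(username):
            return "locked", None                # rejected before any hashing work
        salt, expected = self._users.get(username, self._decoy)
        _, actual = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(actual, expected):
            self._failures.pop(username, None)
            token = secrets.token_urlsafe(32)
            self._sessions[token] = (username, self._clock())
            return "ok", token
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
        return "denied", None

    def touch(self, token: str) -> str | None:
        """Call on every request: returns the username, or None if the session is gone."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]            # terminated; the client must log in again
            return None
        self._sessions[token] = (username, now)
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


class FakeClock:
    """Deterministic clock so lockout and idle expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk one user through lockout, unlock, an active session and idle expiry."""
    clock = FakeClock()
    guard = AuthGuard({"alice": hash_password("correct horse")}, clock=clock)
    results = {}
    results["wrong"] = [guard.login("alice", f"guess{i}")[0] for i in range(MAX_FAILED_ATTEMPTS)]
    results["locked"] = guard.login("alice", "correct horse")[0]   # right password, still locked
    clock.advance(LOCKOUT_SECONDS)
    status, token = guard.login("alice", "correct horse")
    results["after_lock"] = status
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    results["active"] = guard.touch(token)       # within the idle window: still valid
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results["expired"] = guard.touch(token)      # idle too long: terminated
    return results


if __name__ == "__main__":
    print(demo())
```

Per-account lockout on its own hands an attacker a way to lock legitimate users out, so in production it is paired with per-source rate limiting and a second factor rather than used alone; the idle timeout is enforced server-side here because a client-side timer can simply be ignored by an attacker holding a stolen session token.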
The Master Direction also contains instructions on mobile payment application security controls and card payment security controls.