
RBI issues Master Direction on Digital Payment Security Controls

RBI has issued a Master Direction on Digital Payment Security Controls in pursuance of the Statement on Developmental and Regulatory Policies of the Bi-monthly Monetary Policy Statement for 2020-21.

Master Direction on Digital Payment Security Controls

The Master Direction is titled the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021.

As per the Master Direction, its provisions shall apply to the following Regulated Entities (REs):

(a) Scheduled Commercial Banks (excluding Regional Rural Banks);

(b) Small Finance Banks;

(c) Payments Banks; and

(d) Credit card issuing NBFCs.

As per the Master Direction, Regulated Entities (REs) shall formulate a policy for digital payment products and services with the approval of their Board. REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner. 

REs are required to ensure that the communication protocols used in digital payment channels (especially over the Internet) adhere to a secure standard. An appropriate level of encryption and security shall be implemented across the digital payment ecosystem.

REs shall conduct security testing, including source code review, Vulnerability Assessment (VA) and Penetration Testing (PT), of their digital payment applications to assure that the application is secure for putting through transactions while preserving the confidentiality and integrity of the data that is stored and transmitted.

REs shall redact/ mask customer information such as account numbers/ card numbers/ other sensitive information when it is transmitted via SMS/ e-mail.
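As an added illustration of the masking requirement above (example code, not part of the Master Direction or of this post), a Python helper that masks account/card-like digit runs in an outbound SMS or e-mail body, leaving only the last four digits visible, plus a check that flags any run left unmasked. The 12 to 19 digit thresholds and the sample message are assumptions constructed for the example.

```python
import re

# Assumption: account and card numbers are runs of 12-19 digits, optionally
# separated by single spaces or hyphens. Shorter runs (amounts, dates, OTPs)
# are left alone so the notification stays readable.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def mask_number(number: str, visible: int = 4) -> str:
    """Replace all but the last `visible` digits with X, keeping separators."""
    total = sum(c.isdigit() for c in number)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(c if seen >= total - visible else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_message(text: str) -> str:
    """Mask every account/card-like digit run before the message leaves the RE."""
    return _DIGIT_RUN.sub(lambda m: mask_number(m.group(0)), text)


def unmasked_numbers(text: str) -> list[str]:
    """Outbound check: return digit runs that would still be sent in clear."""
    return [m.group(0) for m in _DIGIT_RUN.finditer(text)]


if __name__ == "__main__":
    # Constructed sample notification, not a real account or card.
    msg = ("Rs 5000 debited from A/c 123456789012; "
           "card 4111 1111 1111 1111 used on 01-01-2021")
    safe = redact_message(msg)
    print(safe)
    print("leaks before:", unmasked_numbers(msg))
    print("leaks after:", unmasked_numbers(safe))
```

The gate is the pair of checks: a message is only handed to the SMS/e-mail gateway when `unmasked_numbers` returns an empty list after redaction.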

In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.

Fraud analysis shall be conducted to identify the reasons for fraud occurrence and to determine mechanisms to prevent such frauds. Staff, especially those in the fraud control function, shall be educated about frauds and trained accordingly.

REs shall provide digital payment products and services to a customer only at her/ his option, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. They shall also provide a mechanism in their mobile and internet banking applications for customers to identify/ mark a transaction as fraudulent, subject to the necessary authentication.

For internet banking security controls, REs shall implement additional levels of authentication on the internet banking website to counter authentication-related attacks such as brute force/ DoS attacks. An online session shall be automatically terminated after a fixed period of inactivity.

The Master Direction also contains instructions on mobile payment application security controls and card payment security.
