RBI

RBI issues Master Direction on Digital Payment Security Controls

RBI has issued a Master Direction on Digital Payment Security Controls in pursuance of the Statement on Developmental and Regulatory Policies of the Bi-monthly Monetary Policy Statement for 2020-21.


These Master Directions are called the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021.

As per the said Master Direction, its provisions shall apply to the following Regulated Entities (REs):

(a) Scheduled Commercial Banks (excluding Regional Rural Banks);

(b) Small Finance Banks;

(c) Payments Banks; and

(d) Credit card issuing NBFCs.

As per the Master Direction, Regulated Entities (REs) shall formulate a policy for digital payment products and services with the approval of their Board. REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner. 

REs are required to ensure that the communication protocols used in digital payment channels (especially over the Internet) adhere to a secure standard. An appropriate level of encryption and security shall be implemented in the digital payment ecosystem.

REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure for putting through transactions while preserving confidentiality and integrity of the data that is stored and transmitted. 

REs shall redact/ mask customer information such as account numbers/ card numbers/ other sensitive information when it is transmitted via SMS/ e-mails.
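The masking requirement above is easy to get wrong when notification text is assembled by hand. The following is an added illustration (not code from RBI or from any regulated entity) of one way to implement it: build SMS/e-mail bodies from already-masked values, and keep a free-text redaction pass as a safety net for legacy templates. The "keep only the last four digits" rule, the regex for digit runs, the `mask_number`/`redact_text`/`build_debit_alert` names and the sample messages are all assumptions made for this example.

```python
import re

# Assumption for this example: a bank account number or card PAN appears as a run of
# 9 or more digits, optionally separated by single spaces or hyphens (e.g. "4111 1111 1111 1111").
_SENSITIVE_NUMBER = re.compile(r"\b\d(?:[ -]?\d){8,}\b")


def mask_number(value: str, visible: int = 4, mask_char: str = "X") -> str:
    """Mask all but the last `visible` digits of an account/card number.

    Separators are dropped so the masked output does not reveal the original
    formatting, and a value that is too short to keep `visible` digits is
    masked entirely rather than echoed back.
    """
    digits = re.sub(r"\D", "", value)
    if len(digits) <= visible:
        return mask_char * len(digits)
    return mask_char * (len(digits) - visible) + digits[-visible:]


def build_debit_alert(account_no: str, amount_inr: str) -> str:
    """Preferred control: the template only ever receives a masked value,
    so an unmasked account number cannot reach the SMS/e-mail gateway."""
    return f"Your A/c {mask_number(account_no)} is debited by INR {amount_inr}."


def redact_text(text: str) -> str:
    """Safety net for free-form message bodies (legacy templates, support replies):
    mask every sensitive-looking digit run before the text leaves the RE."""
    return _SENSITIVE_NUMBER.sub(lambda m: mask_number(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample values; not real account or card numbers.
    print(build_debit_alert("123456789012", "2,500.00"))
    legacy = ("A/c 123456789012 debited INR 2,500.00 on 01-02-2021. "
              "Card 4111 1111 1111 1111.")
    print(redact_text(legacy))
```

The template path is the real control: `redact_text` is deliberately over-broad (any long digit run, including a timestamp such as "2021-02-01 10:30", will be masked), which is the right failure direction for an outbound notification but is no substitute for never placing the full number in the template in the first place.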

In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.

Fraud analysis shall be conducted to identify the reason for each fraud occurrence and to determine mechanisms to prevent such frauds. The staff, especially in the fraud control function, shall be educated about frauds and trained accordingly.

REs shall provide digital payment products and services to a customer only at her/ his option, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions. They should provide a mechanism in their mobile and internet banking applications for customers to, with the necessary authentication, identify/ mark a transaction as fraudulent.

For internet banking security control purposes, REs shall implement additional levels of authentication on the internet banking website to counter authentication-related attacks such as brute force/ DoS attacks, etc. An online session shall be automatically terminated after a fixed period of inactivity.

The Master Directions also contain instructions on mobile payment application security controls and on card payment security controls.

Download the complete Master Direction.
