
Enhancing Security In Digital Payments: Master Directions For Non-bank Operators.

  1. INTRODUCTION

The Reserve Bank of India (“RBI”) issued the “Master Direction on Cyber Resilience and Digital Payment Security Control for non-bank Payment System Operators” dated July 30, 2024 (“Master Direction”)[1] in exercise of the powers conferred under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (“PSS Act”)[2]. It provides a governance mechanism for the early identification, assessment, monitoring and control of the risks arising from the linkages of Payment System Operators (“PSOs”) with unregulated entities that form part of their digital payment ecosystem, which inter alia include payment gateways, third-party service providers and vendors.

This Master Direction has been issued pursuant to the comments and discussions on the “Draft Master Direction on Cyber Resilience and Digital payment Security Controls for Payment System Operators” (“Draft MD”)[3], which laid the groundwork for the early identification, assessment, monitoring and management of these risks while securing digital payment transactions.

The intent was to improve the payment structure and the security of payments processed through PSOs, and to ensure that efforts are channelled towards strong governance controls with proper risk assessment and monitoring, sturdy and elaborate baseline information security measures safeguarding network security and vendor risk management, and control over digital payment security measures.

  2. THE NEW MASTER DIRECTION

This Master Direction applies to all authorised non-bank PSOs. Its object is to effectively manage, monitor and control the cyber and technology-related risks emanating from the interaction of PSOs with unregulated entities, including payment gateways, third-party service providers and vendors, and to ensure that these directions are adhered to by such unregulated entities as well, so that a safe, robust and secure payment system is established with overall security preparedness.

Under this Master Direction, the following are treated as large non-bank PSOs: (i) Clearing Corporation of India Limited (“CCIL”), (ii) National Payments Corporation of India (“NPCI”), (iii) NPCI Bharat Bill Pay Limited and Card Payment Networks, (iv) Non-bank ATM Networks and White Label ATM Operators (“WLAOs”), (v) Large Pre-Payment Instrument (“Large-PPI”) Issuers, (vi) Trade Receivables Discounting System (“TReDS”) Operators, (vii) Bharat Bill Payment Operating Units (“BBPOUs”) and (viii) Payment Aggregators (“PAs”). Cross-border (in-bound) money transfer operators and medium-PPI issuers are treated as medium non-bank PSOs. Small-PPI issuers and instant money transfer operators, classified as small non-bank PSOs, also fall within this framework once the Master Direction is in place.

The Master Direction puts in place a rigid compliance framework, which inter alia includes the use of multi-factor authentication and tight monitoring within PSOs, multi-layered boundary defences in the Information Security System (“IS System”) for efficient monitoring of network traffic and the flow of data within the organisation, and proper encryption protocols for mobile payments, among other measures.

The present Master Direction also sets a structured compliance timeline based on the size of the PSO, so that significant focus is placed on managing cyber resilience effectively. The inclusion of Rapid Incident Reporting (“RIR”) is intended to enhance responsiveness to cyber threats, backed by a board-approved policy for risk management and crisis response. Additionally, given the increasing use of mobile payments, the new directions specifically address the vulnerabilities associated with these platforms in order to sustain trust in the digital payment system.

  3. KEY GUIDELINES

The guidelines are summarised below, giving for each topic a description of the requirement followed by our analysis.

1. Compliance Timelines
Description: Specific compliance deadlines based on PSO size: Large PSOs: April 1, 2025; Medium PSOs: April 1, 2026; and Small PSOs: April 1, 2028.
Analysis: The RBI has established size-based timelines for a structured and phased approach to compliance. Larger entities handling greater volumes of data are prioritised so that their cyber resilience is enhanced first, while the RBI monitors progress from its end.

2. Governance Control & Cyber Security Preparedness
Description: The Board of Directors is to oversee information security and cyber risk management, with: (i) a board-approved IS policy; (ii) a board sub-committee with cyber security expertise, meeting quarterly; and (iii) a mandatory Cyber Crisis Management Plan (“CCMP”) approved by the board. These policies shall be assessed by a senior-level executive with expertise in information security, and it is for each PSO to define its key risk indicators and key performance indicators.
Analysis: This ensures that cyber security threats are handled responsibly by formalising responsibilities, creating clear accountability standards and planning the response to cyber threats. Further, since each PSO holds its own metrics for potential risk and performance indicators, PSOs retain a degree of autonomy.

3. Inventory Management
Description: The Master Direction mandates that PSOs maintain a record of all key roles, information assets and third-party service providers, and complete process flow diagrams of network resources and data flows.
Analysis: Effective inventory management is crucial for tracking assets and ensuring that every component is secured and protected.

4. Identity and Access Management
Description: The Direction mandates policies and procedures addressing access privileges and administrative rights over the use of privileged accounts, with systems following the need-to-have, need-to-know and least-privilege principles, and with such accounts protected by multi-factor authentication and tight monitoring.
Analysis: Multi-factor authentication and tight monitoring reduce the risk of unauthorised access and data breaches.

5. Network Security
Description: The Master Direction mandates that PSOs put in place measures to protect their networks and systems from external threats by establishing multi-layered boundary defences, network segmentation and anti-malware solutions.
Analysis: Strong network security measures protect against unauthorised access, and regular testing ensures that vulnerabilities are identified and mitigated before they are exploited.

6. Application Security Life Cycle (“ASLC”) & Security Testing
Description: The Master Direction mandates the integration of security measures throughout the application development life cycle (“SDLC”), including segregation of the database layer from other layers. Further, rigorous security testing is required, with reported deficiencies to be resolved in a time-bound manner.
Analysis: Building security in from the start reduces the likelihood of vulnerabilities reaching the production environment.

7. Vendor Risk Management
Description: The Master Direction mandates that PSOs be governed by the Framework for “Outsourcing of Payment and Settlement-related Activities by PSOs”[4] in establishing a vendor risk management framework to assess and monitor third-party risks. PSOs themselves shall also conduct regular audits and assessments of vendor security practices. The RBI emphasises that while certain activities may be outsourced, PSOs retain full responsibility for the effective governance and management of the risks associated with their third-party relationships.
Analysis: This ensures that third-party vendor risks are managed and that all partners adhere to security standards, protecting PSOs from potential breaches. However, it may be cumbersome to an extent, since the obligation to ensure that third parties adhere to security measures rests with the PSOs; this is likely to increase compliance costs and shift the burden of maintaining security protocols onto PSOs.

8. Data Security, Control & Business Continuity Plan (“BCP”)
Description: Under the Master Direction, a comprehensive data protection policy is to be framed to safeguard sensitive information, and a Business Continuity Plan (“BCP”) is to be developed based on the different cyber threats and plausible events, reviewed annually and designed to enable rapid recovery in adverse situations. Specific security controls mandated include:
  (i) Data Leak Prevention Policy: ensuring that the availability and encryption of data are preserved.
  (ii) Real-time Fraud Monitoring: detecting and preventing suspicious transactions.
  (iii) 24/7 Manned Facility: to facilitate swift resolution of unauthorised or fraudulent transactions reported by customers and to provide prompt responses to Law Enforcement Agencies (“LEAs”).
  (iv) Secured Online Sessions: PSOs are now required to define and implement procedures that limit, lock and terminate system and remote sessions after a pre-defined period of inactivity.
  (v) PCI-DSS Compliance: PSOs storing card data shall adhere to the Payment Card Industry Data Security Standard (“PCI-DSS”).
Analysis: With this, the RBI seeks to foster resilience and ensure that operators can maintain their operations and protect customer data in adversity. It introduces detailed baseline operational security standards across all PSOs, ensuring that every entity implements robust measures against evolving cyber threats and enhancing the overall security of the payment ecosystem.

9. Incident Response
Description: The Master Direction mandates that cyber incidents be reported to the RBI within 6 hours of detection, with significant cyber security incidents also reported to the Indian Computer Emergency Response Team (“CERT-In”). Further, post-incident analysis, including forensic analysis, shall be conducted to determine the impact and root cause of the incident.
Analysis: Rapid reporting enables a quick regulatory response to cyber threats while ensuring that PSOs maintain vigilance and accountability in crisis situations.

10. Application Programming Interfaces (“APIs”) & Cloud Security
Description: To strengthen API interfaces and security, the Master Direction mandates that PSOs establish the identity of the communicating application for authentication and authorisation, while ensuring the integrity of the resources transferred. Further, PSOs subscribing to cloud services must implement cloud security measures, including data encryption and access control, with periodic cyber security audits.
Analysis: APIs are critical to the digital payment system; regular assessment and constant monitoring ensure that safety standards are adhered to. Further, considering how many PSOs utilise cloud services, protection against unauthorised access becomes paramount, and these controls and assessments help protect sensitive data stored in the cloud. However, implementing and maintaining security measures in a multi-tenant environment, where data may be commingled, may prove cumbersome.

11. Digital Payment Security Measures/Control
Description: The Master Direction mandates that PSOs provide online alerts based on parameters such as failed transactions and transaction velocity, and redact the bank account number and other details to the extent possible when sending SMS or e-alerts. Additionally, PSOs shall provide a mechanism by which an authenticated customer can mark a transaction as fraudulent for immediate notification to the issuer of the payment instrument.
Analysis: This ensures a faster process for identifying and flagging fraudulent transactions, and allows robust customer participation in securing PSOs within the digital payment space.

12. Mobile Payments Security
Description: Stringent security practices are prescribed for mobile payments, which inter alia include: (i) session termination after a period of inactivity; and (ii) notification of failed login attempts to enhance user security.
Analysis: This helps small non-bank PSOs in particular to protect users from unauthorised access and fosters overall security.

13. Card Payments & Prepaid Payment Instruments (“PPI”)
Description: The Master Direction now mandates that terminals installed at merchants to capture card details for payments be validated against the Payment Card Industry Point-to-Point Encryption (“PCI-P2PE”) program, while card networks shall facilitate the implementation of transaction limits at the card level as well as at the card issuer level. Additionally, PPI issuers shall impose a suitable cooling period on fund transfers and cash withdrawals after funds are loaded onto the PPI.
Analysis: This protocol helps limit the risks associated with payment cards and PPIs. However, while a cooling period for fund transfers and cash withdrawals aids system integrity and fraud prevention, it may lead to customer dissatisfaction over the inability to access funds instantaneously.
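The controls described under items 8(iv), 11 and 12 above (alerts triggered by failed transactions or transaction velocity, redaction of account numbers in SMS/e-alerts, and locking or terminating sessions after a pre-defined period of inactivity) are concrete enough to show in code. The following is an added illustration written for this article; it is not the RBI's text, nor any PSO's implementation. The thresholds, the session timeouts and the transaction records are all constructed assumptions chosen to exercise each rule.

```python
"""Illustrative (constructed) implementation of three Master Direction controls:
velocity/failed-transaction alerting, account-number redaction in alert text,
and idle-session lock/termination. Thresholds are assumptions, not RBI values."""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

# Assumed policy values (illustrative only).
VELOCITY_WINDOW_SECONDS = 60      # sliding window for velocity counting
VELOCITY_MAX_TXNS = 3             # more than this many in the window -> alert
FAILED_MAX_IN_WINDOW = 2          # this many failures in the window -> alert


@dataclass(frozen=True)
class Transaction:
    ts: int          # epoch seconds
    account: str     # full account number; must never reach an alert unmasked
    amount: float
    status: str      # "ok" or "failed"


def mask_account(account: str) -> str:
    """Keep only the last four digits, as a redaction rule for SMS/e-alerts."""
    digits = re.sub(r"\D", "", account)
    if len(digits) <= 4:
        return "X" * len(digits)
    return "X" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Defence in depth: mask any run of 9+ digits that slipped into free text."""
    return re.sub(r"\d{9,}", lambda m: mask_account(m.group()), text)


class AlertEngine:
    """Per-account sliding-window counters; ingest() returns alert messages."""

    def __init__(self):
        self._recent = defaultdict(deque)   # account -> deque[(ts, status)]

    def _prune(self, account: str, now: int) -> None:
        q = self._recent[account]
        while q and now - q[0][0] > VELOCITY_WINDOW_SECONDS:
            q.popleft()

    def ingest(self, txn: Transaction) -> list:
        self._prune(txn.account, txn.ts)
        q = self._recent[txn.account]
        q.append((txn.ts, txn.status))
        masked = mask_account(txn.account)
        alerts = []
        if len(q) > VELOCITY_MAX_TXNS:
            alerts.append(f"Velocity alert: {len(q)} transactions on {masked} "
                          f"within {VELOCITY_WINDOW_SECONDS}s")
        failed = sum(1 for _, s in q if s == "failed")
        if failed >= FAILED_MAX_IN_WINDOW:
            alerts.append(f"Failed-transaction alert: {failed} failures on {masked} "
                          f"within {VELOCITY_WINDOW_SECONDS}s")
        return [redact(a) for a in alerts]   # never trust the formatter alone


class SessionPolicy:
    """Idle-timeout rule: lock first, then terminate (assumed timeouts)."""

    def __init__(self, lock_after: int = 300, terminate_after: int = 900):
        self.lock_after = lock_after
        self.terminate_after = terminate_after

    def state(self, last_activity: int, now: int) -> str:
        idle = now - last_activity
        if idle >= self.terminate_after:
            return "terminated"
        if idle >= self.lock_after:
            return "locked"
        return "active"


def run_sample() -> list:
    """Feed constructed transactions through the engine and collect alerts."""
    acct = "123456789012"   # constructed sample account number
    sample = [
        Transaction(0, acct, 100.0, "ok"),
        Transaction(10, acct, 250.0, "ok"),
        Transaction(20, acct, 75.0, "ok"),
        Transaction(30, acct, 40.0, "ok"),       # 4th in 60s -> velocity alert
        Transaction(100, acct, 500.0, "failed"),
        Transaction(110, acct, 500.0, "failed"), # 2nd failure in window -> alert
    ]
    engine = AlertEngine()
    out = []
    for t in sample:
        out.extend(engine.ingest(t))
    return out


if __name__ == "__main__":
    for line in run_sample():
        print(line)
    print(SessionPolicy().state(last_activity=0, now=600))
```

The two alert rules share one pruned window per account, so the memory held per customer is bounded by the window length rather than by history; the final `redact()` pass is deliberately redundant so that a formatting mistake elsewhere cannot leak a full account number into an SMS.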
  4. CONCLUSION

The Master Direction on security measures for non-bank PSOs offers a robust framework for the effective monitoring, control and management of the cyber and technology-related risks arising from the linkages of PSOs with unregulated entities. Through it, the RBI will stimulate channelled efforts towards cyber resilience, stronger incident response and accountability standards, ultimately strengthening the overall regulatory framework. However, there are potential challenges in its implementation. These include third-party vendor compliance: the directives now require PSOs to ensure that third-party service providers comply with the same security measures, which may complicate the vendor management process by adding a layer of complexity to PSOs' operations. This may lead to an administrative burden and eventually call for higher spending on technology updates. Therefore, while these directions are well focused and attempt to address the regulatory gaps relating to cyber security effectively, their implementation must be viewed and reviewed continuously.


[1] Reserve Bank of India, “Master Direction on Cyber Resilience and Digital Payment Security Control for non-bank Payment System Operators”, July 30, 2024. Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12715&Mode=0

[2] The Payment and Settlement Systems Act, 2007, Act No. 51 of 2007.

[3] Reserve Bank of India, “Draft Master Directions on Cyber Resilience and Digital Payment Security Control for Payment System Operators”, June 2, 2024. Available at: https://rbi.org.in/scripts/Bs_viewcontent.aspx?Id=4267

[4] Reserve Bank of India, “Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators”, August 3, 2021. Available at: Reserve Bank of India – Notifications (rbi.org.in)

Aritra Partners © 2026. All Rights Reserved.