JSA Prism | FinTech | June 2023


Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators

On June 2, 2023, the Reserve Bank of India (“RBI”) published the Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (“Draft MD”) and has invited comments from stakeholders on or before June 30, 2023. Notably, the RBI had introduced a similar framework of security controls for banks and NBFCs in 2021, called the Master Directions on Digital Payment Security Controls. In its Statement on Developmental and Regulatory Policies dated April 8, 2022, the RBI expressed its intention to issue similar directions for payment system operators (“PSOs”), covering robust governance mechanisms for the identification, assessment, monitoring and management of cybersecurity risks. In this regard, the RBI has introduced the Draft MD, which intends to regulate:

  1. Large non-bank PSOs (such as card payment networks, the National Payments Corporation of India, Bharat Bill Payment Operating Units, payment aggregators and large prepaid payment instrument (“PPI”) issuers) by April 1, 2024;
  2. Medium non-bank PSOs (such as medium-sized PPI issuers and cross-border (in-bound) money transfer operators under the Money Transfer Service Scheme) by April 1, 2026; and
  3. Small non-bank PSOs (such as small PPI issuers and instant money transfer operators) by April 1, 2028.

Some key provisions of the Draft MD are:

  1. Governance controls: A requirement for board oversight over information security risks has been introduced. PSOs must formulate a board-approved information security policy, implement a Cyber Crisis Management Plan, and put in place an overarching cyber resilience framework.
  2. Baseline information security measures: The Draft MD specifies baseline controls to be adopted by PSOs, such as need-based access, use of privileged accounts only with multi-factor authentication, and measures to protect network security. Among other requirements, PSOs must: (a) conform to Application Security Life Cycle guidelines for the development of products/services; (b) conform to the PSO outsourcing framework; (c) develop and annually review a business continuity plan; and (d) store card details in accordance with the Payment Card Industry Data Security Standard (PCI DSS) framework.
  3. Digital Payment Security Controls: PSOs must ensure that any email/SMS alert to customers mentions the merchant name (not the payment gateway/aggregator) and the transaction amount. (a) For mobile payments, PSOs must ensure that mobile applications are free from anomalies and that binding of the mobile app to the device and SIM card is in place; (b) for card payments, PSOs must validate merchant card payment terminals against the Payment Card Industry Point-to-Point Encryption (PCI P2PE) program, and card networks must facilitate the implementation of transaction limits at the card, Bank Identification Number (BIN) and card issuer level; and (c) for PPIs, PPI issuers should communicate one-time passwords and transaction alerts to users in the language of their choice.

 

This Prism has been prepared by:

Probir Roy Chowdhury
Partner

Yajas Setlur
Partner

Shivani Bhatnagar
Associate
