RBI Digital Payment Security Controls

Given the proliferation of cybercrime in the banking and financial industry, RBI has released guidelines to secure and strengthen the digital payment ecosystem. The aim is to improve the security and governance of payment gateways, wallets, and other digital payment transactions carried out through channels such as internet banking, mobile banking, and card payments.

The guidelines are intended to help regulated entities set up a robust digital payment system and to ensure that effective security control standards are implemented for non-cash, digital payments. While the aim is to strengthen regulation and supervision, RBI also expects entities such as banks and NBFCs to prioritize the quality of their governance, risk management, and internal security controls so as to provide a safer digital payment environment.

The guidelines come at a time when the financial industry is thriving on the digital ecosystem, with most operations and financial transactions now conducted entirely online. The guidelines are technology- and application-based, creating an environment in which customers can adopt and use digital payment platforms and applications securely. They specify security controls to be implemented for mobile applications, internet banking, and card payments by scheduled commercial banks, small finance banks, payments banks, and card-issuing institutions.

The guidelines contain requirements for robust governance, implementation, and monitoring of specified standards of security controls. Separately, RBI has also put in place a comprehensive framework for grievance redressal in banks. Its purpose is to strengthen the internal grievance redress mechanism through enhanced disclosures on customer complaints and a monetary disincentive in the form of recovery of the cost of redressing complaints. Through intensive review of the grievance redress mechanism and supervisory action against banks that fail to improve it promptly, RBI aims to push financial institutions and NBFCs to improve their overall operations and customer care.

The guidelines, formally titled the Reserve Bank of India's Master Direction on Digital Payment Security Controls, apply to entities RBI already regulates: Scheduled Commercial Banks (excluding Regional Rural Banks), Small Finance Banks, Payments Banks, and credit card-issuing NBFCs.

The directions will also have implications for third-party payment applications such as Google Pay and PhonePe, in how they interact with their banking partners and store customer data. In particular, they are likely to affect the business models of payment gateways that rely on delayed settlement of merchant funds to banking partners, since the rules now specify that a payment operator or bank cannot delay settlement to nodal settlement accounts beyond 24 hours.

All entities to which the directions apply have six months to achieve compliance. The detailed 21-page Master Direction issued by RBI covers diverse areas, including security controls concerning Governance and Management of Security Risks, Generic Security Controls, the Application Security Life Cycle (ASLC), the Authentication Framework, Fraud Risk Management, the Reconciliation Mechanism, Customer Protection, Awareness and the Grievance Redressal Mechanism, Internet Banking Security Controls, Mobile Payments Application Security Controls, and Card Payments Security.

Chapter V of the directions specifically addresses card payment security and calls for regulated entities to follow the relevant Payment Card Industry (PCI) standards. The standards to be implemented depend on their applicability to the entity and on the entity's readiness for the current versions of those standards; they include PCI DSS, PA-DSS, and PCI PIN.

Regulated entities shall ensure compliance with the applicable PCI standards in order to establish robust payment card security. They are expected to incorporate the control measures needed to operate a secure payment environment, with the aim of securing online payment transactions and preventing breaches, theft, or leakage of sensitive customer data.

The Board of Directors and senior management are responsible for implementing the RBI directions and for building the relevant policies around them. Each policy must be reviewed periodically, at least once a year, to ensure its effectiveness. It remains to be seen in the coming months how regulated entities will work towards compliance with the directions and secure digital payments for years to come. To learn more about the RBI directions, the full 21-page document is available at https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD7493544C24B5FC47D0AB12798C61CDB56F.PDF

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore, and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting, and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA, and PDPB, among others. Since 2004, the company has worked with organizations across the globe to address the regulatory and information security challenges in their industries, and has helped leading multinational companies achieve compliance and secure their IT infrastructure.