The Reserve Bank of India (RBI) has introduced a set of stringent new regulations designed to enhance cybersecurity and resilience within India’s digital payments ecosystem. Announced on July 30, the ‘Master Directions on Cyber Resilience and Digital Payment Security Controls’ establish comprehensive guidelines for non-bank Payment System Operators (PSOs), which include payment gateways, third-party service providers, and related vendors. These regulations are aimed at fortifying the security framework for digital transactions and protecting consumer data against rising cyber threats.
Under the new rules, all authorized non-bank PSOs are required to ensure their associated unregulated entities comply with enhanced security measures. This involves implementing online alert systems to detect and prevent fraudulent activities based on transaction anomalies, geographic data, and behavioral biometrics. The RBI mandates that sensitive information, such as bank account and card numbers, be redacted in notifications, and that transactions display clear details about merchants and amounts. Additionally, PSOs must provide features for instant fraud reporting through their mobile apps or websites.
The guidelines also address specific security practices for mobile and card payments. Mobile payment services must adhere to rigorous security protocols, including encryption, authenticated sessions, and mechanisms to prevent unauthorized access during remote control. For card payments, PSOs are required to use validated POS terminals and comply with PCI security standards to ensure the highest levels of data protection. These measures are designed to prevent security breaches and maintain the integrity of payment systems.
Moreover, the RBI emphasizes the importance of strong governance and cyber risk management. PSOs must establish a Board-approved Information Security policy and a Cyber Crisis Management Plan, which includes strategies for detecting, containing, and recovering from cyber incidents. Business continuity planning is also mandated to prepare for various cyber threat scenarios. This comprehensive approach underscores the RBI’s commitment to safeguarding the digital payment infrastructure and ensuring robust defenses against evolving cyber threats.