RBI Guidelines For System Of Security Controls For Digital Payments - Financial Services - India (2024)

To print this article, all you need is to be registered or login on Mondaq.com.

The RBI has given Master Direction on February 18,20211, which provides necessary guidelines for theregulated entities to set up robust governance structure andimplement common minimum standards of security controls for digitalpayments products and services.

The Master Direction lays down guidelines for the internetbanking, mobile payments, card payments, customer protection, andgrievance redressal mechanism.


The directions shall be called as Reserve Bank of India (DigitalPayment Security Controls) directions, 2021.3 Theguidelines are in pursuance to Digital Payments mechanism and theMaster Direction paves the way for the Digital Payment SecurityControls

Digital Payment Market Statistics

The Payment landscape4 is seeing heightened activityacross multiple player categories ranging from:

  1. Device Manufacturer
  2. Technology Firms
  3. Telecom Companies
  4. Fintech Startups


RBI Guidelines For System Of Security Controls For Digital Payments - Financial Services - India (1)

The regulations shall play a critical role indetermining the nature and success of payment solutions. Themodernizing of payment infrastructure occurring in most countries,payments service providers can take advantage of the real- timesystems to offer cutting edge payment solution tocustomers.

Existing law6

  1. The electronic payments were regulated by Payment andSettlement System Act, 2007 ('PSS'), the aim of the PSS Actwas to ensure a safe and effectual system of payments andsettlement. At the times, transactions were heavily dependent oncash or bank transfer.
  2. Section 187 - It lays down the policies relating tothe regulation of payment systems including which includeselectronic, non- electronic, domestic or internationalpayments.
  3. Section 10 (2)-8 the RBI has the power to determineissue guidelines for the efficient management of paymentssystem.
  4. The Intermediaries Directions issued by the Reserve Bank ofIndia vide notification dated 24.11.2009.

The Intermediaries Directions regulated the service providers.According to the Directions, banks were required to maintain anodal account of the intermediaries with permissible credit anddebits limit as also the settlement cycle for credit to themerchants. The guidelines were ultimately applicable to PaymentAggregators.

The Directions were applicable to Payment Gateways and PaymentAggregators.

Intermediary Directions are still in force and have not beenexpressly repealed, having both the Intermediary Directions andGuidelines regulating the digital payment system is only likely tocreate conflict;


The provisions of these Directions shall be applicable over thefollowing Regulated entities:

  1. Scheduled Commercial Banks (excluding Regional RuralBanks)
  2. Small Finance Banks
  3. Payment Banks
  4. Credit Card Issuing NBFC


It is put forward by the RBI to improve the security of thedigital payment channels, and also convenience for users. Thedirections contain certain minimum standards on common securitycontrols, for channels like internet, mobile banking and cardpayments etc.

The basic Tenets of the guidelines by RBI is as follows:

General controls

Registered entities must formulate the policy for the digitalpayments and products.

The policy must include the payment securityrequirements from the angles of functionality, securityand Performance angles, such as:

Confidentiality of Data

It must protect the confidentiality of customer data andintegrity of data.

Backup of Data

The infrastructure such as technology with necessary backup.

Assurance of Payment Product

Assurance that the payment product is built in a secure manneroffering robust performance ensuring safety, consistency and rolledout after necessary testing for achieving desired FSP.

High Customer Service

Minimal customer service disruption with high availability ofsystems/ channels (to have minimal technical declines)

Registered Entities to Formulate policies for theDigital Products and for its payment mechanism

Separate Policy for digital Products-Registered entity must formulate separate policy for its differentdigital products or include the same as part of their overallproduct policy. Further, the policy document should require thatevery digital payment product/ services offered addresses themechanics, clear definition of starting point, criticalintermittent stages/ points and end point in the digital paymentcycle, security aspects, validations till the digital payment issettled, clear pictorial representation of digital path andexception handling.

  • UTAT-The entities must follow User AcceptanceTests (UAT) in multiple stages before roll out, sign off frommultiple stakeholders (post UAT) and data archival requirementsshall also be taken in to account.
  • Risk Assessment with regard to safety and security ofthe digital payments products and associated processes andservices for the suitability of the target users. The riskassessment should include-
  • Technology Bases solutions,
  • Vulnerabilities attached to the digital products and remedialaction to be taken by the entity
  • Checking the dependence on third party service providers
  • Tracking the risk arising out of integration of digital paymentplatform with other systems both internal and external to the RE,which includes core systems and systems of payment systemsoperators, etc.
  • Generic Security Controls
  • The secure standard shall be followed for the communicationprotocol in the digital payment channel. There will be appropriatelevel of encryption and security in the digital paymentecosystem.
  • The web applications providing the digital payments productsand services shall not store hidden HTML Cookies, or any otherclient side storage information.
  • The RE shall provide Web Application Firewall solution and DDoSMitigation techniques to secure digital payment products andservices offered over internet.

Application Security Life Cycle (ASLC)

  • Multi-Tier Mechanism- There shall beimplementation of multi-tier application architecture, whichsegregates application, database and presentation layer in thedigital payment products and services.
  • Secure by design -There shall be a system of"secure by design" approach in thedevelopment of the digital payments, products or services. Thedigital payments applications need to be inherently secure byembedding security within their application.
  • Security Objectives-Registered Entities shallexplicitly define security objectives (including protection ofcustomer information/ data) during:

(a) Requirements gathering, (b) designing, (c) development, (d)testing including source code review, (e) implementation,maintenance & monitoring and (f) decommissioning phases of thedigital payment applications.

  1. 1. Escrow Account in case of Third PartyVendors -For digital payment applications that arelicensed by a third party vendor, Registered Entities shall have anescrow arrangement for the source code for ensuring continuity ofservices in case the vendor defaults or is unable to provideservices.
  2. 2. Security Testing- REs shall conductsecurity testing including review of source code, VulnerabilityAssessment (VA) and Penetration Testing (PT) of their digitalpayment applications to assure that the application is secure forputting through transactions while preserving confidentiality andintegrity of the data that is stored and transmitted.
  3. 3. Authentication Framework

The increased medium of "electronic mode of transfer",for this the notification of RBI has professed that RegisteredEntity must follow the multifactor authentication system in orderto break off the cyber-attacks.

  1. Fraud Risk Management
  2. Configuration of suspicion- The registeredentities must document the configuration aspect identifying thesuspicious transactional behavior and implement the respectiverules detective types of control, mechanism to alert the customerin case of failed authentication.
  3. System Alerts- The system alerts shall beparametrized and monitored in terms of applicable parameters. Suchparameters are transaction velocity, (E.g.-fund transfers, cashwithdrawals, payments through electronic modes, adding newbeneficiaries, etc.) in a short period, more so in the accounts ofcustomers who've never used mobile app/ internet banking/ cardever (depending upon the type of payment channel), high riskmerchant category codes (MCC) parameters, counterfeit cardparameters (String of Invalid CVV/ PINs indicates an accountgeneration attack), new account parameters (excessive activity on anew account), time zones, geo-locations, IP address origin (inrespect of unusual patterns, prohibited zones/ rogue IPs),behavioral biometrics, transaction origination from point ofcompromise, transactions to mobile wallets/ mobile numbers/ VPAs onwhom vishing fraud or other types of fraud is/are registered/recorded, declined transactions, transactions with no approvalcode, etc.
  4. Customer Protection, Awareness, and Grievance RedressalMechanism
  5. Guidelines and Training Materials -RegisteredEntities shall incorporate secure, safe and responsible usageguidelines and training materials for end users within the digitalpayment applications. They shall also make it mandatory (i.e. notproviding any option to circumvent/ avoid the material) for theconsumer to go through secure usage guidelines (even in theconsumer's preferred language) while obtaining and recordingconfirmation during the on-boarding procedure in the first instanceand first use after each update of the digital payment applicationor after major updates to secure and safe usage guidelines.
  6. Lodge Customer Grievance- Registered Entitiesshall incorporate a section on the digital payment applicationclearly specifying the process and procedure (with forms/ contactinformation, etc.) to lodge consumer grievances. The reportingfacility on the application shall provide an option for registeringa grievance. Customer dispute handling, reporting and resolutionprocedures, including the expected timelines for the RE'sresponse should be clearly defined.
  7. Internet Banking Security Controls
  8. Additional Level of Authentication- Internetbanking websites are vulnerable to authentication related bruteforce attacks/ application layer Denial of Service (DoS) attacks.Based on the RE's individual risk/ vulnerability assessment onauthentication-related attacks such as brute force/ DoS attacks,REs shall implement additional levels of authentication to internetbanking website such as adaptive authentication, strong CAPTCHA(preferably with anti-bot features) with server-side validation,etc., in order to plug this vulnerability and prevent itsexploitation. Appropriate measures shall be taken to prevent DNScache poisoning attacks and for secure handling of cookies. Virtualkeyboard option should be made available
  9. Mobile Payment Application Control

Specific Controls for mobile applications include:

  1. Device policy enforcement (allowing app installation/ executionafter baseline requirements are met);
  2. Application secure download/ install;
  3. Deactivating older application versions in a phased but timebound manner (not exceeding six months from the date of release ofnewer version) i.e., maintaining only one version (excluding theoverlap period while phasing out older version) of the mobileapplication on a platform/ operating system;
  4. Storage of customer data;
  5. Card Payment Security

Payment Card Standards- Registered Entity shall follow variouspayment card standards (over and above PCI-DSS and PA-DSS) as perPayment Card Industry (PCI) prescriptions for comprehensive paymentcard security as per applicability of updated versions of thestandards such as -

  1. PCI-PIN (secure management, processing, and transmission ofpersonal identification number (PIN) data);
  2. PCI-PTS (security approval framework addresses the logical and/or physical protection of cardholder and other sensitive data atpoint of interaction (POI) devices and hardware security modules(HSMs);
  3. PCI-HSM (securing cardholder-authentication applications andprocesses including key generation, key injection, PINverification, secure encryption algorithm, etc.); and
  4. PCI-P2PE (security standard that requires payment cardinformation to be encrypted instantly upon its initial swipe andthen securely transferred directly to the payment processor).


In view of the proliferation of cyber-attacks and theirpotential consequences, REs should implement, except whereexplicitly permitted/ relaxed, multi-factor authentication forpayments through electronic modes and fund transfers, includingcash withdrawals from ATMs/ micro-ATMs/ business correspondents,through digital payment applications. At least one of theauthentication methodologies should be generally dynamic ornon-replicable. [e.g., Use of One Time Password, mobile devices(device binding and SIM), biometric/ PKI/ hardware tokens, EMV chipcard (for Card Present Transactions) with server-side verificationcould be termed either in dynamic or non-replicablemethodologies.].


1 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

2 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

3 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

4 https://image-src.bcg.com/BCG_COM/BCG-Google%20Digital%20Payments%202020-July%202016_tcm21-39245.pdf

5 https://image-src.bcg.com/BCG_COM/BCG-Google%20Digital%20Payments%202020-July%202016_tcm21-39245.pdf

6 https://www.mondaq.com/india/fin-tech/971558/a-perspective-on-the-current-regulations-on-payment-aggregators

7 https://indiankanoon.org/doc/126521356/

8 https://indiankanoon.org/doc/52109687/#:~:text=(2)%20Without%20prejudice%20to%20the,to%20any%20particular%20payment%20system.

9 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

For further information please contact at S.S Rana &Co. email: info@ssrana.in or call at (+91- 11 4012 3000).Our website can be accessed at www.ssrana.in

The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circ*mstances.

POPULAR ARTICLES ON: Finance and Banking from India

Supreme Court's Clarifies The Treatment Of Compulsorily Convertible Debentures – Equity Or Debt?

Phoenix Legal

In a recent landmark judgment, the Supreme Court of India, in the matter of M/s. IFCI Limited vs. Sutanu Sinha & Ors., dealt with a vital issue, i.e., whether an instrument such as a CCD should be treated as debt or equity …

Navigating Regulatory Excellence: Establishing Alternative Investment Funds (AIFs) In Gift City

Dolce Vita Advisors

According to a recent study conducted by PMS Bazaar, the alternative investment landscape in India, which includes both Portfolio Management Services and Alternative Investment Funds ...

SEBI's New Consultation Paper – An Attempt To Ease Trading Plans By Company Insiders

Phoenix Legal

Securities Exchange Board of India (SEBI) released a consultation paper on November 24, 2023 to invite public comments from market players on the recommendation of a working group...

Indemnity Clauses In India: Enforceability And Important Judgments

Corrida Legal

In the ever-evolving landscape of business transactions, partnerships, and collaborations, uncertainty and unexpected challenges can arise at any moment.

Capital And Current Account Transactions Under FEMA: Transactional Perspective

Khaitan & Co LLP

For professionals working on corporate transactions involving acquisitions, investments and involving non-residents, situations arise where one needs to determine if a particular transaction...

Project Finance Comparative Guide


Project Finance Comparative Guide for the jurisdiction of India, check out our comparative guides section to compare across multiple countries

I am an expert in the field of digital payments, particularly with a focus on the regulatory landscape in India. My expertise is grounded in a deep understanding of the Reserve Bank of India's (RBI) policies and guidelines related to digital payment security controls, as evident from the article you provided.

The article discusses the Master Direction issued by the RBI on February 18, 2021, which outlines guidelines for regulated entities to establish robust governance structures and implement minimum security standards for digital payment products and services. These guidelines cover various aspects, including internet banking, mobile payments, card payments, customer protection, and grievance redressal mechanisms.

The key concepts covered in the article include:

  1. Master Direction on Digital Payment Security Controls (DPSD), 2021:

    • Issued by the RBI on February 18, 2021, providing guidelines for regulated entities.
  2. Digital Payment Market Statistics:

    • Highlights the increased activity in the payment landscape involving device manufacturers, technology firms, telecom companies, and fintech startups.
  3. Existing Law - Payment and Settlement System Act, 2007:

    • Regulates electronic payments, ensuring a safe and efficient system.
  4. Applicability of Digital Payment Security Control:

    • Applicable to scheduled commercial banks, small finance banks, payment banks, and credit card issuing NBFCs.
  5. Guidelines for Digital Payments and Products:

    • Focus on improving security and convenience, with minimum standards for security controls.
  6. Basic Tenets of the Guidelines:

    • Policies for digital payments and products, separate policies for different products, user acceptance tests, risk assessment, and generic security controls.
  7. Application Security Life Cycle (ASLC):

    • Multi-tier mechanism, secure-by-design approach, security objectives, escrow account for third-party vendors, and security testing.
  8. Authentication Framework:

    • Implementation of a multifactor authentication system to enhance security.
  9. Fraud Risk Management:

    • Configuration of suspicion, system alerts, and measures to prevent cyber-attacks.
  10. Customer Protection, Awareness, and Grievance Redressal Mechanism:

    • Incorporation of guidelines and training materials, lodging customer grievances, and clear dispute handling procedures.
  11. Internet Banking Security Controls:

    • Additional levels of authentication, adaptive authentication, CAPTCHA, and measures to prevent DNS cache poisoning attacks.
  12. Mobile Payment Application Control:

    • Device policy enforcement, secure download/install, deactivating older application versions, and storage of customer data.
  13. Payment Card Security:

    • Adherence to payment card standards such as PCI-DSS, PA-DSS, PCI-PIN, PCI-PTS, PCI-HSM, and PCI-P2PE.

The article concludes by emphasizing the importance of multi-factor authentication in the context of the growing threat of cyber-attacks.

This overview demonstrates my comprehensive understanding of the regulatory framework and security measures in the digital payments ecosystem in India.

RBI Guidelines For System Of Security Controls For Digital Payments - Financial Services - India (2024)
Top Articles
Latest Posts
Article information

Author: Ouida Strosin DO

Last Updated:

Views: 6329

Rating: 4.6 / 5 (56 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Ouida Strosin DO

Birthday: 1995-04-27

Address: Suite 927 930 Kilback Radial, Candidaville, TN 87795

Phone: +8561498978366

Job: Legacy Manufacturing Specialist

Hobby: Singing, Mountain biking, Water sports, Water sports, Taxidermy, Polo, Pet

Introduction: My name is Ouida Strosin DO, I am a precious, combative, spotless, modern, spotless, beautiful, precious person who loves writing and wants to share my knowledge and understanding with you.