RBI Guidelines For System Of Security Controls For Digital Payments - Financial Services - India (2024)

The RBI has given Master Direction on February 18,2021¹, which provides necessary guidelines for theregulated entities to set up robust governance structure andimplement common minimum standards of security controls for digitalpayments products and services.

The Master Direction lays down guidelines for the internetbanking, mobile payments, card payments, customer protection, andgrievance redressal mechanism.

CHANGES IN DIGITAL PAYMENT SYSTEM- ADDING DIGITAL PAYMENTSECURITY CONTROL²

The directions shall be called as Reserve Bank of India (DigitalPayment Security Controls) directions, 2021.³ Theguidelines are in pursuance to Digital Payments mechanism and theMaster Direction paves the way for the Digital Payment SecurityControls

Digital Payment Market Statistics

The Payment landscape⁴ is seeing heightened activityacross multiple player categories ranging from:

1. Device Manufacturer
2. Technology Firms
3. Telecom Companies
4. Fintech Startups

STATISTICS⁵

The regulations shall play a critical role indetermining the nature and success of payment solutions. Themodernizing of payment infrastructure occurring in most countries,payments service providers can take advantage of the real- timesystems to offer cutting edge payment solution tocustomers.

Existing law⁶

1. The electronic payments were regulated by Payment andSettlement System Act, 2007 ('PSS'), the aim of the PSS Actwas to ensure a safe and effectual system of payments andsettlement. At the times, transactions were heavily dependent oncash or bank transfer.
2. Section 18⁷ - It lays down the policies relating tothe regulation of payment systems including which includeselectronic, non- electronic, domestic or internationalpayments.
3. Section 10 (2)-⁸ the RBI has the power to determineissue guidelines for the efficient management of paymentssystem.
4. The Intermediaries Directions issued by the Reserve Bank ofIndia vide notification dated 24.11.2009.

The Intermediaries Directions regulated the service providers.According to the Directions, banks were required to maintain anodal account of the intermediaries with permissible credit anddebits limit as also the settlement cycle for credit to themerchants. The guidelines were ultimately applicable to PaymentAggregators.

The Directions were applicable to Payment Gateways and PaymentAggregators.

Intermediary Directions are still in force and have not beenexpressly repealed, having both the Intermediary Directions andGuidelines regulating the digital payment system is only likely tocreate conflict;

APPLICABILITY OF DIGITAL PAYMENT SECURITY CONTROL

The provisions of these Directions shall be applicable over thefollowing Regulated entities:

1. Scheduled Commercial Banks (excluding Regional RuralBanks)
2. Small Finance Banks
3. Payment Banks
4. Credit Card Issuing NBFC

GUIDELINES FOR THE DIGITAL PAYMENTS ANDPRODUCTS⁹

It is put forward by the RBI to improve the security of thedigital payment channels, and also convenience for users. Thedirections contain certain minimum standards on common securitycontrols, for channels like internet, mobile banking and cardpayments etc.

The basic Tenets of the guidelines by RBI is as follows:

General controls

Registered entities must formulate the policy for the digitalpayments and products.

The policy must include the payment securityrequirements from the angles of functionality, securityand Performance angles, such as:

Confidentiality of Data

It must protect the confidentiality of customer data andintegrity of data.

Backup of Data

The infrastructure such as technology with necessary backup.

Assurance of Payment Product

Assurance that the payment product is built in a secure manneroffering robust performance ensuring safety, consistency and rolledout after necessary testing for achieving desired FSP.

High Customer Service

Minimal customer service disruption with high availability ofsystems/ channels (to have minimal technical declines)

Registered Entities to Formulate policies for theDigital Products and for its payment mechanism

Separate Policy for digital Products-Registered entity must formulate separate policy for its differentdigital products or include the same as part of their overallproduct policy. Further, the policy document should require thatevery digital payment product/ services offered addresses themechanics, clear definition of starting point, criticalintermittent stages/ points and end point in the digital paymentcycle, security aspects, validations till the digital payment issettled, clear pictorial representation of digital path andexception handling.

• UTAT-The entities must follow User AcceptanceTests (UAT) in multiple stages before roll out, sign off frommultiple stakeholders (post UAT) and data archival requirementsshall also be taken in to account.
• Risk Assessment with regard to safety and security ofthe digital payments products and associated processes andservices for the suitability of the target users. The riskassessment should include-
• Technology Bases solutions,
• Vulnerabilities attached to the digital products and remedialaction to be taken by the entity
• Checking the dependence on third party service providers
• Tracking the risk arising out of integration of digital paymentplatform with other systems both internal and external to the RE,which includes core systems and systems of payment systemsoperators, etc.
• Generic Security Controls
• The secure standard shall be followed for the communicationprotocol in the digital payment channel. There will be appropriatelevel of encryption and security in the digital paymentecosystem.
• The web applications providing the digital payments productsand services shall not store hidden HTML Cookies, or any otherclient side storage information.
• The RE shall provide Web Application Firewall solution and DDoSMitigation techniques to secure digital payment products andservices offered over internet.

Application Security Life Cycle (ASLC)

• Multi-Tier Mechanism- There shall beimplementation of multi-tier application architecture, whichsegregates application, database and presentation layer in thedigital payment products and services.
• Secure by design -There shall be a system of"secure by design" approach in thedevelopment of the digital payments, products or services. Thedigital payments applications need to be inherently secure byembedding security within their application.
• Security Objectives-Registered Entities shallexplicitly define security objectives (including protection ofcustomer information/ data) during:

(a) Requirements gathering, (b) designing, (c) development, (d)testing including source code review, (e) implementation,maintenance & monitoring and (f) decommissioning phases of thedigital payment applications.

1. 1. Escrow Account in case of Third PartyVendors -For digital payment applications that arelicensed by a third party vendor, Registered Entities shall have anescrow arrangement for the source code for ensuring continuity ofservices in case the vendor defaults or is unable to provideservices.
2. 2. Security Testing- REs shall conductsecurity testing including review of source code, VulnerabilityAssessment (VA) and Penetration Testing (PT) of their digitalpayment applications to assure that the application is secure forputting through transactions while preserving confidentiality andintegrity of the data that is stored and transmitted.
3. 3. Authentication Framework

The increased medium of "electronic mode of transfer",for this the notification of RBI has professed that RegisteredEntity must follow the multifactor authentication system in orderto break off the cyber-attacks.

1. Fraud Risk Management
2. Configuration of suspicion- The registeredentities must document the configuration aspect identifying thesuspicious transactional behavior and implement the respectiverules detective types of control, mechanism to alert the customerin case of failed authentication.
3. System Alerts- The system alerts shall beparametrized and monitored in terms of applicable parameters. Suchparameters are transaction velocity, (E.g.-fund transfers, cashwithdrawals, payments through electronic modes, adding newbeneficiaries, etc.) in a short period, more so in the accounts ofcustomers who've never used mobile app/ internet banking/ cardever (depending upon the type of payment channel), high riskmerchant category codes (MCC) parameters, counterfeit cardparameters (String of Invalid CVV/ PINs indicates an accountgeneration attack), new account parameters (excessive activity on anew account), time zones, geo-locations, IP address origin (inrespect of unusual patterns, prohibited zones/ rogue IPs),behavioral biometrics, transaction origination from point ofcompromise, transactions to mobile wallets/ mobile numbers/ VPAs onwhom vishing fraud or other types of fraud is/are registered/recorded, declined transactions, transactions with no approvalcode, etc.
4. Customer Protection, Awareness, and Grievance RedressalMechanism
5. Guidelines and Training Materials -RegisteredEntities shall incorporate secure, safe and responsible usageguidelines and training materials for end users within the digitalpayment applications. They shall also make it mandatory (i.e. notproviding any option to circumvent/ avoid the material) for theconsumer to go through secure usage guidelines (even in theconsumer's preferred language) while obtaining and recordingconfirmation during the on-boarding procedure in the first instanceand first use after each update of the digital payment applicationor after major updates to secure and safe usage guidelines.
6. Lodge Customer Grievance- Registered Entitiesshall incorporate a section on the digital payment applicationclearly specifying the process and procedure (with forms/ contactinformation, etc.) to lodge consumer grievances. The reportingfacility on the application shall provide an option for registeringa grievance. Customer dispute handling, reporting and resolutionprocedures, including the expected timelines for the RE'sresponse should be clearly defined.
7. Internet Banking Security Controls
8. Additional Level of Authentication- Internetbanking websites are vulnerable to authentication related bruteforce attacks/ application layer Denial of Service (DoS) attacks.Based on the RE's individual risk/ vulnerability assessment onauthentication-related attacks such as brute force/ DoS attacks,REs shall implement additional levels of authentication to internetbanking website such as adaptive authentication, strong CAPTCHA(preferably with anti-bot features) with server-side validation,etc., in order to plug this vulnerability and prevent itsexploitation. Appropriate measures shall be taken to prevent DNScache poisoning attacks and for secure handling of cookies. Virtualkeyboard option should be made available
9. Mobile Payment Application Control

Specific Controls for mobile applications include:

1. Device policy enforcement (allowing app installation/ executionafter baseline requirements are met);
2. Application secure download/ install;
3. Deactivating older application versions in a phased but timebound manner (not exceeding six months from the date of release ofnewer version) i.e., maintaining only one version (excluding theoverlap period while phasing out older version) of the mobileapplication on a platform/ operating system;
4. Storage of customer data;
5. Card Payment Security

Payment Card Standards- Registered Entity shall follow variouspayment card standards (over and above PCI-DSS and PA-DSS) as perPayment Card Industry (PCI) prescriptions for comprehensive paymentcard security as per applicability of updated versions of thestandards such as -

1. PCI-PIN (secure management, processing, and transmission ofpersonal identification number (PIN) data);
2. PCI-PTS (security approval framework addresses the logical and/or physical protection of cardholder and other sensitive data atpoint of interaction (POI) devices and hardware security modules(HSMs);
3. PCI-HSM (securing cardholder-authentication applications andprocesses including key generation, key injection, PINverification, secure encryption algorithm, etc.); and
4. PCI-P2PE (security standard that requires payment cardinformation to be encrypted instantly upon its initial swipe andthen securely transferred directly to the payment processor).

Conclusion

In view of the proliferation of cyber-attacks and theirpotential consequences, REs should implement, except whereexplicitly permitted/ relaxed, multi-factor authentication forpayments through electronic modes and fund transfers, includingcash withdrawals from ATMs/ micro-ATMs/ business correspondents,through digital payment applications. At least one of theauthentication methodologies should be generally dynamic ornon-replicable. [e.g., Use of One Time Password, mobile devices(device binding and SIM), biometric/ PKI/ hardware tokens, EMV chipcard (for Card Present Transactions) with server-side verificationcould be termed either in dynamic or non-replicablemethodologies.].

Footnotes

1 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

2 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

3 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

4 https://image-src.bcg.com/BCG_COM/BCG-Google%20Digital%20Payments%202020-July%202016_tcm21-39245.pdf

5 https://image-src.bcg.com/BCG_COM/BCG-Google%20Digital%20Payments%202020-July%202016_tcm21-39245.pdf

6 https://www.mondaq.com/india/fin-tech/971558/a-perspective-on-the-current-regulations-on-payment-aggregators

7 https://indiankanoon.org/doc/126521356/

8 https://indiankanoon.org/doc/52109687/#:~:text=(2)%20Without%20prejudice%20to%20the,to%20any%20particular%20payment%20system.

9 https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12032&Mode=0

For further information please contact at S.S Rana &Co. email: info@ssrana.in or call at (+91- 11 4012 3000).Our website can be accessed at www.ssrana.in

The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circ*mstances.

Supreme Court's Clarifies The Treatment Of Compulsorily Convertible Debentures – Equity Or Debt?

Phoenix Legal

In a recent landmark judgment, the Supreme Court of India, in the matter of M/s. IFCI Limited vs. Sutanu Sinha & Ors., dealt with a vital issue, i.e., whether an instrument such as a CCD should be treated as debt or equity …

Navigating Regulatory Excellence: Establishing Alternative Investment Funds (AIFs) In Gift City

Dolce Vita Advisors

According to a recent study conducted by PMS Bazaar, the alternative investment landscape in India, which includes both Portfolio Management Services and Alternative Investment Funds ...

SEBI's New Consultation Paper – An Attempt To Ease Trading Plans By Company Insiders

Phoenix Legal

Securities Exchange Board of India (SEBI) released a consultation paper on November 24, 2023 to invite public comments from market players on the recommendation of a working group...

Indemnity Clauses In India: Enforceability And Important Judgments

Corrida Legal

In the ever-evolving landscape of business transactions, partnerships, and collaborations, uncertainty and unexpected challenges can arise at any moment.

Capital And Current Account Transactions Under FEMA: Transactional Perspective

Khaitan & Co LLP

For professionals working on corporate transactions involving acquisitions, investments and involving non-residents, situations arise where one needs to determine if a particular transaction...

Project Finance Comparative Guide

SunLegal

Project Finance Comparative Guide for the jurisdiction of India, check out our comparative guides section to compare across multiple countries