The Reserve Bank of India (“RBI”) issued draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (“DPSC Directions”) on June 02, 2023, pursuant to powers granted under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007), inviting comments from all stakeholders. The DPSC Directions cover robust governance mechanisms for the identification, assessment, monitoring and management of information security and cyber risks. They also extensively cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions.
The intent is to improve the safety and security of the payment systems operated by Payment System Operators (“PSOs”) by providing a framework for overall information security preparedness with an emphasis on cyber resilience. The Payment and Settlement Systems Act, 2007 defines a ‘payment system’ as a system that enables payment to be effected between a payer and a beneficiary, involving a clearing, payment or settlement service or all of them, but does not include a stock exchange. From this definition, credit card operations, debit card operations, smart card operations, money transfer operations or similar operations come under the ambit of a ‘payment system’, and a PSO is a person who operates an authorised payment system. The DPSC Directions shall be implemented in a phased manner, categorising PSOs as (a) Large non-bank PSOs (operational from April 01, 2024); (b) Medium non-bank PSOs (operational from April 01, 2026); and (c) Small non-bank PSOs (operational from April 01, 2028).
The DPSC Directions hold the Board of Directors (“Board”) of the PSO responsible for managing information security risks, including cyber risk, and for ensuring cyber resilience. They further require the formation of a sub-committee of the Board with primary oversight of these requirements, which shall meet at least once every quarter. They also require the PSO to formulate a Board-approved Information Security (IS) policy covering the roles and responsibilities of the Board, its sub-committees, senior management and other key personnel, and the measures to identify, assess, manage and monitor cyber security risk.
The following are the key highlights of the Governance Controls:
Cyber Security Preparedness
The draft DPSC Directions require the preparation of a Board-approved Cyber Crisis Management Plan (CCMP), drawing on the relevant guidelines issued by CERT-In, the National Critical Information Infrastructure Protection Centre (NCIIPC), IDRBT and other agencies.
Risk Assessment and Monitoring
The Directions emphasise the need for a strong governance structure with clearly defined roles and responsibilities for managing cyber risks. PSOs are expected to appoint a senior-level executive as Chief Information Security Officer (CISO) and to define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls. The Board shall implement the IS policy and the cyber resilience framework. PSOs have to conduct regular risk assessments, develop incident response plans, and establish a cyber crisis management framework. Further, the Board and key senior management are required to be trained in information systems.
In view of the need for robust security measures, the DPSC Directions lay down the following baseline information security measures and controls:
The DPSC Directions also require the PSO to maintain a record of all key roles, information assets, critical functions, processes, third-party service providers and their inter-connections, and to classify and document their levels of usage, criticality and business value.
Identity and Access Management
The draft DPSC Directions emphasise the need to establish policies, procedures and controls addressing access privileges and rights, and to assign a digital identity to every individual having access to the IT environment of the PSO. Access to systems and environments shall be granted on a need-to-have and need-to-know basis and in accordance with the principle of least privilege. Privileged accounts shall be authenticated and monitored, with appropriate controls, including a credential rotation policy. The Directions mandate security controls, including a centralised mechanism to whitelist or blacklist devices, to ensure the secure use of removable media and portable devices, and require the adoption of multi-factor authentication for remote and work-from-home access.
A few measures have been laid down which PSOs must undertake to protect their networks and systems from external threats. Network devices are to be configured and monitored periodically. Anti-malware solutions are to be implemented to prevent malware attacks, and networks are to be segmented, with critical systems segregated according to role, location and environment. PSOs must establish automated mechanisms to detect multi-faceted network and system alerts and any other anomalous activity across the business, incorporate multi-layered boundary defences into their IS systems to monitor network traffic and filter the flow of data into and out of the organisation, and have application whitelisting in place so that only permitted applications and services with validated needs are running.
Application Security Life Cycle (ASLC)
PSOs are required to follow a secure-by-design approach, implement secure software development life cycle (“S-SDLC”) practices, and adopt a multi-tier application architecture that segregates the database layer from the other layers and ensures continuity of services. A PSO shall also have an escrow arrangement for the source code of applications procured from third-party vendors.
All applications shall be subjected to rigorous security testing, such as source code review. All deficiencies shall be resolved in a time-bound manner, and recurring observations are to be reported to the Board sub-committee. Where the source code is not owned by the PSO, a certificate is to be obtained from the application developer stating that the application is free of vulnerabilities and malware.
Vendor Risk Management
PSOs are expected to maintain the necessary security controls to prevent infiltration into their networks from vendor environments and to ensure vendor compliance with regulatory requirements. Further, a PSO shall obtain certified assurance of the vendor’s cyber resilience capabilities.
Specific data security controls are required, including a comprehensive data leak prevention policy framed by the PSO. Payment system operators should also implement controls to protect their systems and customer data, including access controls, encryption, secure coding practices, network security, secure configuration and regular security testing. Application and database security controls shall focus on the secure handling, storage and protection of data, in particular personally identifiable information (PII).
Patch and Change Management Life Cycle
The draft DPSC Directions require a documented patch and change management policy covering the identification of patches to technology, the application of security patches to the relevant systems within an appropriate time frame, and the implementation of changes only after testing.
Payment system operators are further required to promptly report any cyber security incident to the RBI and to establish a robust incident response mechanism. This involves conducting forensic investigations, notifying affected parties and taking appropriate remedial measures. The PSO is expected to adopt a Board-approved incident response mechanism that includes provisions for notifying its senior management, relevant employees, and the regulatory, supervisory and other relevant public authorities of cyber incidents.
Business Continuity Plan (BCP)
The draft DPSC Directions state that PSOs will also be required to develop a Business Continuity Plan (“BCP”) that includes comprehensive cyber incident response, resumption and recovery plans. PSOs must set up a Disaster Recovery (DR) facility in a geographical area different from that of the Primary Data Centre (“PDC”) and conduct DR drills on a half-yearly or more frequent basis.
Application Programming Interfaces (APIs)
PSOs are required to adhere to relevant standards and globally recognised frameworks on API security. To safeguard applications against risks emanating from insecure APIs, the PSO shall put in place authentication, authorisation, confidentiality, integrity and threat protection controls.
Employee Awareness / Training
The draft DPSC Directions state that employee awareness and training programmes will play a vital role in ensuring information security and mitigating cyber risks, and that cyber security awareness among employees will be evaluated regularly. The Directions also address network security, data security, patch and change management, incident response, and the secure use of application programming interfaces.
Other Security Measures
The PSO is expected to ensure that all payment transactions are conducted through electronic modes, to put in place a fraud monitoring system, and to appoint dedicated nodal officer(s) functioning on a 24x7x365 basis. The sub-committee of the Board must ensure and review that the payment architecture operated by the PSO is robust, scalable and commensurate with its transaction volumes. PSOs must also employ secure mail and messaging systems so that inbound and outbound traffic through mail, messages or any other media is secure, and subscribe to anti-phishing / anti-rogue-app services for identifying and taking down phishing websites and rogue applications.
In addition to the extant instructions applicable to PSOs, the DPSC Directions lays down guidelines pertaining to digital payment transactions. The PSO will assist its members/participants in implementing online alert mechanisms that are triggered by various factors, including failed transactions, transaction velocity, and conditions related to new accounts such as excessive activity. These alerts will consider parameters such as time zone, geographical location, IP address origin (especially for unusual patterns or suspicious IPs), behavioral biometrics, compromised sources, transactions involving mobile wallets or numbers associated with fraud, declined transactions, and transactions without approval codes. When sending alerts via SMS or email, whether by the PSO or PSPs, precautions should be taken such as concealing or removing confidential information, including relevant details like merchant name and transaction amount, and clearly indicating any OTP required for authentication along with the specific transaction reference.
PSOs involved in mobile payment services must comply with a set of security practices and risk mitigation measures, and must ensure that participants in their payment systems also follow these guidelines. The measures include verifying the mobile application for anomalies, maintaining an authenticated and encrypted session with customers, implementing device binding and fingerprinting for mobile applications, terminating inactive sessions, setting limits on failed login attempts, detecting and preventing remote access, and imposing a cooling period of 12 hours after any change to a registered mobile number or email ID before allowing payment transactions. These measures aim to safeguard the integrity and security of mobile payment transactions and protect customers from unauthorised access or fraudulent activities. The DPSC Directions also provide that the PSO shall ensure that terminals used by merchants to capture card details for payments or other purposes go through the PCI-P2PE programme and that PoS terminals installed at merchants for card payments are approved under the PCI-PTS programme. Card networks must facilitate the implementation of transaction limits at various levels. A 24x7x365 alert mechanism should be established to notify the card issuer of any suspicious incident. Card networks must also ensure that customer card details are stored in encrypted form at all server locations and vendor systems, and that any processing of card details in readable form is conducted securely.
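As an added illustration (not from the Directions or the original article), the alert triggers listed above and the 12-hour cooling period after a contact-detail change can be expressed as a small rule function. The velocity threshold, window and sample transactions are constructed assumptions; only the 12-hour cooling period comes from the Directions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
VELOCITY_LIMIT = 5                        # constructed: max transactions per window before alerting
VELOCITY_WINDOW = timedelta(minutes=10)   # constructed window
COOLING_PERIOD = timedelta(hours=12)      # from the Directions: no payments for 12 h after a contact change
@dataclass
class Txn:
    account: str
    ts: datetime
    amount: float
    status: str                           # "success", "failed" or "declined"
    approval_code: Optional[str] = None
@dataclass
class Account:
    opened: datetime
    contact_changed: Optional[datetime] = None   # last change to registered mobile number / email ID
    history: List[Txn] = field(default_factory=list)

def evaluate(acct: Account, txn: Txn) -> List[str]:
    # Returns the alert names raised for txn and records txn in the account history.
    alerts = []
    if txn.status == "failed":
        alerts.append("failed_transaction")
    if txn.status == "declined":
        alerts.append("declined_transaction")
    if txn.status == "success" and not txn.approval_code:
        alerts.append("missing_approval_code")
    in_window = [t for t in acct.history if txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(in_window) + 1 > VELOCITY_LIMIT:
        alerts.append("velocity")
    # The cooling period is a hold, not just an alert: the payment must not proceed.
    if acct.contact_changed and txn.ts - acct.contact_changed < COOLING_PERIOD:
        alerts.append("cooling_period_block")
    acct.history.append(txn)
    return alerts

def sample_run() -> dict:
    # Replays a constructed event sequence and returns the alerts raised at each step.
    t0 = datetime(2024, 4, 1, 9, 0)
    acct = Account(opened=t0 - timedelta(days=30))
    out = {}
    for i in range(6):                    # six approved payments a minute apart; the sixth breaches velocity
        out[f"ok{i}"] = evaluate(acct, Txn("A1", t0 + timedelta(minutes=i), 500.0, "success", "AP1"))
    out["failed"] = evaluate(acct, Txn("A1", t0 + timedelta(minutes=7), 500.0, "failed"))
    out["no_code"] = evaluate(acct, Txn("A1", t0 + timedelta(hours=1), 500.0, "success"))
    acct.contact_changed = t0 + timedelta(hours=2)   # customer changes registered mobile number
    out["cooling"] = evaluate(acct, Txn("A1", t0 + timedelta(hours=3), 500.0, "success", "AP2"))
    out["after_cooling"] = evaluate(acct, Txn("A1", t0 + timedelta(hours=15), 500.0, "success", "AP3"))
    return out
```

In production the time zone, geolocation, IP origin and behavioural parameters the Directions mention would be further inputs to the same evaluation step.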
These draft DPSC Directions offer organizations a basis for enhancing their cybersecurity and resilience capabilities. By embracing these suggestions and customizing them to suit their particular requirements, organizations can bolster their capacity to thwart, identify, address, and rebound from cyber threats. In an ever-evolving digital landscape, it is vital to consistently adapt and refine cybersecurity measures in order to stay ahead of emerging risks in the digital arena.
Please find a copy of the RBI Directions here.
This update has been contributed by Jitendra Soni (Partner), Esha Dinesh and Harsh Garg (Associates).