RBI has released the Master Direction on Digital Payment Security Controls, focusing on the governance structure of the digital payments regime and the minimum standards of security controls within it. Given the wide use of digital payment systems post demonetization, this move was imperative. It provides a common minimum standard for payment channels such as mobile banking, card payments, etc.
The direction comes into effect six months from today. It applies to Scheduled Commercial Banks, Small Finance Banks, Payments Banks, and credit card issuing NBFCs.
The directions are divided into five chapters, covering general controls, internet banking security controls, mobile payments application security controls, and card payments security controls. Here are some of the focal points of the digital payment security controls directions.
General Functionality, Security, and Performance Policy
- Regulated Entities will have to formulate a policy for digital payment products and services with the approval of their board. The policy shall take into account the inherent risk of the product, risk management/ mitigation measures, compliance with regulatory instructions and customer experience.
- The policy should explicitly discuss cyber security controls, the required infrastructure including back-ups, assurance that the payment product is secure by design and has been tested to achieve desired functionality, security, and performance.
- The policy shall also address scalability, measures to keep technical declines (transactions failing for technical reasons) to a minimum, a review mechanism for the product, and a consumer grievance resolution mechanism.
- A clear pictorial representation of the transaction, from beginning to settlement, shall be created for each product.
The Board and the Senior Management shall be responsible for implementation of this policy. They shall also review it annually.
General Risk Management and Fraud Mitigation
- The Regulated entities shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring, and managing the specific risks associated with their portfolio of digital payment products. The board of the entities should be able to monitor the key performance indicators of such products.
- The desired security controls and performance shall be documented and they shall be quantitatively benchmarked to detect concerns and address them in a timely manner.
- The Regulated entities shall conduct a risk assessment of their products and services (including server and client side) based on several factors, including dependence on third party service providers, integration with other systems, interoperability risks, privacy protection as per law, business continuity, etc.
- Most importantly, the regulated entities shall develop internal controls and conduct a risk assessment before offering digital payment products and related services.
Generic Cyber Security Controls
- Communication between the customer and the regulated entity shall be encrypted at an appropriate level using a secure protocol. Encryption protocols shall adhere to internationally accepted and published standards.
- Web applications providing products shall not store sensitive information in cookies or any client-side storage to avoid compromise of data.
- Entities shall deploy a Web Application Firewall (WAF) and DDoS mitigation techniques.
- Mobile and internet banking applications should have logging and monitoring capabilities to track user activity, security changes, and identify anomalous behaviour and transactions.
Further, for digital applications that are licensed by any third-party vendor, the regulated entity shall have a source code escrow arrangement to ensure business continuity. Regulated entities shall also conduct regular vulnerability assessment and penetration testing for their payment applications. They shall refer to OWASP standards and security and data protection guidelines as per ISO 12812, as well as guides developed by NIST.
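The logging and monitoring requirement above is only useful if something actually evaluates the logs. The following is an added illustration (not text from the Master Direction and not any bank's implementation) of the kind of rules a monitoring pipeline would run over mobile or internet banking transaction logs: a transfer from a handset the customer has only just started using, an amount far above the customer's own baseline, a burst of transfers in a short window, and a transfer to a beneficiary added minutes earlier. The log format, field names, thresholds and the sample lines are all constructed for the example.

```python
"""Anomalous-transaction checks over constructed banking log lines.

Added example only: the schema (timestamp, customer, device, event, amount, beneficiary),
the thresholds and the sample data are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

KNOWN_DEVICE_AGE = timedelta(hours=24)   # a device is "known" once seen this long before a transfer
SPIKE_FACTOR = 10                        # transfer vs. median of the customer's earlier transfers
VELOCITY_WINDOW = timedelta(seconds=120)
VELOCITY_COUNT = 3                       # this many transfers inside the window is a burst
NEW_BENEFICIARY_AGE = timedelta(hours=1)

# Constructed sample log. Field order: ts customer device event amount beneficiary.
SAMPLE_LOG = """\
2021-02-10T09:00:00 cust-101 dev-A login 0 -
2021-02-01T08:30:00 cust-202 dev-B login 0 -
2021-02-18T09:00:00 cust-101 dev-A login 0 -
2021-02-18T09:01:10 cust-101 dev-A transfer 1500 ben-7
2021-02-18T09:02:05 cust-101 dev-A transfer 2000 ben-7
2021-02-18T10:00:00 cust-202 dev-B login 0 -
2021-02-18T10:01:00 cust-202 dev-B transfer 500 ben-3
2021-02-18T22:10:00 cust-101 dev-Z login 0 -
2021-02-18T22:10:30 cust-101 dev-Z beneficiary_add 0 ben-99
2021-02-18T22:11:00 cust-101 dev-Z transfer 90000 ben-99
2021-02-18T22:11:20 cust-101 dev-Z transfer 90000 ben-99
2021-02-18T22:11:40 cust-101 dev-Z transfer 90000 ben-99
"""


def parse_log(text):
    """Parse the constructed line format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cust, dev, event, amount, bene = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "cust": cust, "dev": dev,
                       "event": event, "amount": int(amount), "bene": bene})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events):
    """Return (timestamp, customer, rule) tuples for every transfer that trips a rule."""
    first_seen_dev = {}                  # (customer, device) -> first timestamp seen
    bene_added = {}                      # (customer, beneficiary) -> when it was added
    baseline = defaultdict(list)         # customer -> amounts of transfers not flagged as spikes
    recent = defaultdict(deque)          # customer -> timestamps of transfers in the window
    alerts = []
    for e in events:
        cust, ts = e["cust"], e["ts"]
        first_seen_dev.setdefault((cust, e["dev"]), ts)
        if e["event"] == "beneficiary_add":
            bene_added[(cust, e["bene"])] = ts
        if e["event"] != "transfer":
            continue
        amt = e["amount"]

        if ts - first_seen_dev[(cust, e["dev"])] < KNOWN_DEVICE_AGE:
            alerts.append((ts, cust, "NEW_DEVICE_TRANSFER"))

        # Only unflagged amounts feed the baseline, so a fraud run cannot drag the median up.
        hist = baseline[cust]
        if len(hist) >= 2 and amt > SPIKE_FACTOR * median(hist):
            alerts.append((ts, cust, "AMOUNT_SPIKE"))
        else:
            hist.append(amt)

        window = recent[cust]
        window.append(ts)
        while ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) >= VELOCITY_COUNT:
            alerts.append((ts, cust, "VELOCITY"))

        added = bene_added.get((cust, e["bene"]))
        if added is not None and ts - added < NEW_BENEFICIARY_AGE:
            alerts.append((ts, cust, "NEW_BENEFICIARY_TRANSFER"))
    return alerts


if __name__ == "__main__":
    for ts, cust, rule in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(ts.isoformat(), cust, rule)
```

Run as written, the morning transfers of cust-101 and the single transfer of cust-202 produce no alerts; the three evening transfers from the newly seen handset each trip the new-device, amount-spike and new-beneficiary rules, and the third also trips the velocity rule. In production the thresholds would be tuned per product and the alerts fed into the fraud-marking and reconciliation workflow the directions require, rather than printed.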
Taking into account the proliferation of cyber attacks, the direction also discusses a transaction authentication framework. Regulated entities may adopt appropriate authentication factors depending on their risk assessment and the user's risk profile. These measures are meant to deter cyber frauds arising from phishing, keylogging, spyware/malware, etc.; for example, device binding and SIM binding would prevent frauds caused by SIM cloning.
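Why device and SIM binding defeat a cloned SIM is easier to see in code. The example below is added here and is not part of the Master Direction or any bank's app: at registration the server records, per customer, the device identifier, a salted hash of the SIM identifier and a per-device key; every later transaction request must carry a matching device and SIM fingerprint and an HMAC computed with that key. An attacker who has cloned the SIM (and so receives OTPs) but lacks the bound handset cannot produce a valid request, and a SIM change on the bound handset forces re-binding. The key generation with `secrets` is a simplification; on a real device the key would live in the platform keystore or secure element so it cannot be copied off the handset. Names, identifiers and the salt are all constructed.

```python
"""Device + SIM binding for transaction requests (added illustration, not RBI or bank code).

Assumptions: the app can read a stable SIM identifier and send only a salted hash of it; the
device key is generated at registration (here with `secrets`, in practice inside the handset's
keystore) and is never exported; requests are canonical JSON signed with HMAC-SHA256.
"""
import hashlib
import hmac
import json
import secrets


def sim_fingerprint(sim_identifier, salt):
    """Salted hash of the SIM identifier so the raw value is never stored or transmitted."""
    return hashlib.sha256(salt + sim_identifier.encode()).hexdigest()


def sign(key, request):
    """HMAC-SHA256 over a canonical JSON encoding of the request."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(customer_id, device_id, sim_fp, amount, beneficiary):
    return {"customer_id": customer_id, "device_id": device_id, "sim_fp": sim_fp,
            "amount": amount, "beneficiary": beneficiary, "nonce": secrets.token_hex(16)}


class BindingServer:
    def __init__(self):
        self.bindings = {}        # (customer_id, device_id) -> {"key": bytes, "sim_fp": str}
        self.seen_nonces = set()  # replay protection for accepted requests

    def register_device(self, customer_id, device_id, sim_fp):
        """Bind one handset and SIM to the customer after full (out-of-band) verification."""
        key = secrets.token_bytes(32)
        self.bindings[(customer_id, device_id)] = {"key": key, "sim_fp": sim_fp}
        return key                # returned to the app over the already-authenticated channel

    def verify(self, request, tag):
        """Return (accepted, reason). Checks run cheapest-to-most-revealing; nonces are only
        recorded for requests whose signature verified."""
        binding = self.bindings.get((request["customer_id"], request["device_id"]))
        if binding is None:
            return False, "unbound device"
        if not hmac.compare_digest(binding["sim_fp"], request["sim_fp"]):
            return False, "SIM changed; re-binding required"
        if not hmac.compare_digest(sign(binding["key"], request), tag):
            return False, "bad signature"
        if request["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(request["nonce"])
        return True, "ok"


def demo():
    """Genuine use plus four fraud scenarios; returns each verdict keyed by scenario."""
    server = BindingServer()
    salt = b"constructed-per-bank-salt"          # real deployments would use a keyed hash/HSM
    sim_fp = sim_fingerprint("IMSI-404-01-0001", salt)   # constructed SIM identifier
    key = server.register_device("cust-101", "dev-A", sim_fp)
    results = {}

    req = make_request("cust-101", "dev-A", sim_fp, 1500, "ben-7")      # genuine handset
    results["genuine"] = server.verify(req, sign(key, req))
    results["replay"] = server.verify(req, sign(key, req))               # same request again

    # Cloned SIM in an attacker's handset: SIM fingerprint matches, device was never bound.
    req = make_request("cust-101", "dev-ATTACKER", sim_fp, 90000, "ben-99")
    results["cloned_sim_other_device"] = server.verify(req, sign(secrets.token_bytes(32), req))

    # Attacker spoofs the bound device id but does not hold the device key.
    req = make_request("cust-101", "dev-A", sim_fp, 90000, "ben-99")
    results["spoofed_device_id"] = server.verify(req, sign(secrets.token_bytes(32), req))

    # SIM swapped in the bound handset: device key is valid, SIM fingerprint is not.
    new_fp = sim_fingerprint("IMSI-404-01-9999", salt)
    req = make_request("cust-101", "dev-A", new_fp, 90000, "ben-99")
    results["sim_swap_bound_device"] = server.verify(req, sign(key, req))
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:26s} -> {verdict}")
```

Only the genuine request is accepted; the cloned-SIM, spoofed-device and SIM-swap attempts all fail before any OTP would even be considered, which is the point of combining the two bindings rather than relying on SMS OTP alone.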
The directions mandate a real-time reconciliation framework for all digital payment transactions, for better detection and prevention of suspicious transactions. This framework is an internal control and is not aimed at consumers. For consumer grievance redressal, the regulated entities shall clearly specify the process and procedure for lodging a complaint, and the application shall show the expected timeline for redressal. The regulated entities shall also provide a mechanism within the application to mark a transaction as fraudulent.
The complete policy can be found here.