RBI Introduced (Digital Payment Security Controls) Directions 2021
Given the central role that digital payment mechanisms play in India, the RBI (Reserve Bank of India) gives the highest priority to the security controls around them. It has therefore issued the RBI (Digital Payment Security Controls) Directions 2021, which require regulated entities to establish a robust governance structure for these systems and to implement a common minimum set of security controls for channels such as internet and card payments, mobile banking, and others.
The directions were issued by way of notification no. RBI/2020-21/74 DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21, dated 18.02.2021.
The guidelines are both platform and technology agnostic, and are intended to create an enabling environment in which customers can use digital payment products in a more secure and safe manner.
All stakeholders are expected to follow the guidelines and instructions strictly, and in doing so to offer their clients better secured products and services.
In this article, we discuss the RBI (Digital Payment Security Controls) Directions 2021 in detail.
Governance and Management of Security Risks
All Regulated Entities have been advised to draft a Board-approved policy for their digital payment products and services.
While the policy must cover the criteria for any 'new product' (its alignment with the overall business strategy, the inherent risk of the product, risk management or mitigation measures, customer experience, compliance with regulatory instructions, etc.), it must also address the payment security requirements from the viewpoint of functionality, security and performance, such as the following:
- Necessary security controls to protect the confidentiality and integrity of customer data and of the processes related to the digital product or service offered;
- Availability of infrastructure, such as technology and human resources, with the required backup;
- An assurance that the payment product or service is delivered in a secure and safe way with robust performance;
- An appropriate review mechanism followed by swift corrective action;
- Capacity to build and scale the system to meet regular demand;
- Minimum disruption of customer service, together with increased availability of the system's channels; and
- An efficient and effective customer grievance and dispute resolution system.
Guidelines for Regulated Entities provided by Digital Payment Security Controls
The guidelines concerning regulated entities provided by the Digital Payment Security Controls are as follows:
- The Board and senior management are solely responsible for implementing this policy;
- The policy will be reviewed by the Board on a yearly basis;
- Regulated Entities may formulate the policy separately for their different digital products or services, and must include it as part of their overall product policy;
- The policy document must require that every digital payment product or service offered addresses the mechanics, the critical intermittent stages, a clear definition of both the starting and end points of the digital payment cycle, and the authentications performed until the digital payment is settled;
- A mechanism for undertaking "User Acceptance Testing" in multiple stages prior to roll-out, sign-off from the various stakeholders, and data archival requirements will also be taken into due consideration.
Regulated entities are expected to integrate the necessary governance programmes to manage fraud risk and compliance risk, and to define key monitoring indicators for evaluating the digital payment products or services offered.
Performing of Risk Assessments by Regulated Entities
All Regulated Entities must conduct risk assessments with regard to the security and safety of their digital payment products and the associated services and processes.
The risk assessment must take the following into account:
- The technology stack and solutions used;
- Known vulnerabilities and weaknesses at every touch point of the digital product, and the actions taken by the entity to address them;
- Dependence on third-party service providers;
- Supervision of third-party service providers;
- Risk arising from integrating digital payment platforms with other systems, including core systems and the systems of payment system operators, etc.;
- Customer convenience, experience, and technology adoption required to use such digital products;
- Operational risk;
- Interoperability aspects;
- Reconciliation process;
- Business continuity;
- Service availability;
- Data storage, security, integrity, and privacy protection;
- Compliance with extant cyber security requirements; and
- Compatibility aspects.
Mobile Payment Activity Controls
The instructions relating to mobile payment activity controls are as follows:
RBI has stated in its notification on Digital Payment Security Controls that if a customer notices any irregularity they are not accustomed to, the customer should be advised to re-install a fresh copy of the application. Further, the regulated entity must verify and cross-check the version of the mobile application before the customer uses it.
The specific controls for mobile applications can be summarised as:
- Secure download and installation of the mobile application;
- Device policy enforcement;
- Deactivation of older application versions in a phased but time-bound manner, i.e., maintaining only one version of the mobile application per platform or operating system;
- Encryption of the device or application;
- Controls on the storage of customer data;
- Ensuring minimum data collection and minimum app permissions;
- Application sandboxing or containerisation;
- Ability to recognise remote access applications and restrict login access to the mobile application; and
- Code obfuscation.
Guidelines for Card Payment Security by Digital Payment Security Controls
All Regulated Entities must abide by the relevant payment card standards, in accordance with payment card industry recommendations for payment card security, as per the readiness and applicability of the updated versions of those standards.
Further, all Regulated Entities must ensure that the terminals used at merchants for capturing card details, for payments or otherwise, comply with the PCI P2PE programme, i.e., use PCI-approved P2PE solutions.
The Reserve Bank of India has also asked regulated entities to carry out the following to improve the security posture of ATMs:
- Implementation of security measures such as disabling USB ports, setting a BIOS password, applying the latest operating system patches, disabling the auto-run facility, and deploying terminal security solutions and other relevant software;
- Implementation of anti-skimming and application whitelisting solutions;
- Upgrading all ATMs (Automated Teller Machines) to supported versions of the operating system;
- Use of ATMs with unsupported operating systems is prohibited.
Regulated entities must also ensure robust surveillance and monitoring of card transactions, and set up rules and thresholds commensurate with their risk appetite.
All Regulated entities must ensure that customer card details are not stored in plain text, either at the regulated entity or at their vendors' locations, systems and applications.
They must also ensure that any processing of card details in readable form is carried out in a safe and secure manner, so as to prevent leakage of sensitive customer information.
Safety Measures to be implemented by Regulated Entities concerning Card Data Scanning Tools
The safety measures to be implemented by regulated entities concerning card data scanning tools are as follows:
- Any tool or mechanism used to scan for unencrypted card data must first be tested in a test environment to understand the scope and effect of the tool's capabilities;
- The scanning tool must be installed only on the regulated entity's own devices, within its premises;
- Card data scanning must not be done remotely;
- Discovered data must remain within the scanning tool;
- Any exportable card data must be appropriately masked;
- Access granted to service providers for undertaking the scan must be limited; and
- Analysis of the data must be performed only on the regulated entity's own devices.
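As an added illustration (not code from the article or from the RBI), the following Python script shows the core of a card data scanning tool of the kind described above: it finds candidate primary account numbers (PANs) in text, keeps only those that pass the Luhn check so that ordinary 16-digit identifiers are not flagged, and masks every exportable hit to the first 6 and last 4 digits. The regular expression, the 13-19 digit length range and the log lines are constructed for this example; the card numbers are industry test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (constructed for this example).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the 6-digit BIN and the last 4 digits; mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in the text, in order of appearance."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):               # Luhn rejects most non-card digit runs
            found.append(digits)
    return found


def mask_text(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form; other text is untouched."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


# Constructed sample log excerpt: two test card numbers and one 16-digit order id
# that a naive digit-only scanner would wrongly report as a card number.
SAMPLE_LOG = (
    "2021-02-18 10:01:02 POS txn ok card=4111 1111 1111 1111 amt=1500.00\n"
    "2021-02-18 10:01:09 order_id=1234567812345678 status=settled\n"
    "2021-02-18 10:02:33 refund card=5555-5555-5555-4444 amt=200.00\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(mask_text(SAMPLE_LOG))
```

A real scan would walk files and databases on the entity's own devices and keep the discovered data inside the tool, as the directions require; only the masked report would leave it.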
In a nutshell, the instructions notified by the apex bank, i.e., the Reserve Bank of India, on digital payment security controls must be complied with by all scheduled commercial banks, small finance banks, payments banks, etc.
Given the increasing number of fraudulent activities and the fact that India's digital payment usage is among the highest in the world, the apex bank has rightly issued these security control directions.