{"id":4180,"date":"2021-04-16T07:00:42","date_gmt":"2021-04-16T07:00:42","guid":{"rendered":"https:\/\/swaritadvisors.com\/blog\/?p=4180"},"modified":"2021-04-16T09:28:44","modified_gmt":"2021-04-16T09:28:44","slug":"rbi-introduced-digital-payment-security-controls-directions-2021","status":"publish","type":"post","link":"https:\/\/swaritadvisors.com\/blog\/rbi-introduced-digital-payment-security-controls-directions-2021\/","title":{"rendered":"RBI Introduced (Digital Payment Security Controls) Directions 2021"},"content":{"rendered":"\n<p class=\"has-drop-cap\">Given the central role that digital payment mechanisms now play in India, the RBI (Reserve Bank of India) attaches the highest importance to the security controls around them. It has therefore issued the <strong>RBI (Digital Payment Security Controls) Directions 2021<\/strong><sup><a rel=\"noreferrer noopener\" href=\"https:\/\/rbidocs.rbi.org.in\/rdocs\/notification\/PDFs\/MD7493544C24B5FC47D0AB12798C61CDB56F.PDF\" target=\"_blank\"><strong>[1]<\/strong><\/a><\/sup>, which require regulated entities to establish a robust governance structure for these systems and to implement common minimum standards of security controls for channels such as internet banking, mobile banking and card payments, among others. 
<\/p>\n\n\n\n<p>The directions were issued by way of notification no. RBI\/2020-21\/74 DoS.CO.CSITE.SEC.No.1852\/31.01.015\/2020-21, dated 18.02.2021.<\/p>\n\n\n\n<p>The directions are platform and technology agnostic, and are intended to create an enabling environment in which customers can use digital payment products in a safer and more secure manner.<\/p>\n\n\n\n<p>All stakeholders are expected to follow the directions strictly, and will benefit by being able to offer better-secured products and services to their customers.<\/p>\n\n\n\n<p>In this article, we discuss the RBI (Digital Payment Security Controls) Directions 2021 in detail.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Government_and_Management_Security_Risks\"><\/span>Governance and Management of Security Risks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>All Regulated Entities are required to formulate a policy for their digital payment products and services, approved by their Board.<\/p>\n\n\n\n<p>While laying down the criteria for any \u2018new product\u2019, including its alignment with the overall business strategy and the inherent risk of the product, risk management and mitigation measures, customer experience, 
regulatory compliance, etc., the policy must also address the payment security requirements from the viewpoint of functionality, security and performance, such as the following:<\/p>\n\n\n\n<ol><li>Necessary security controls to protect the confidentiality and integrity of customer data and of the processes associated with the digital product or service offered;<\/li><li>Availability of infrastructure, such as technology and human resources, with the required back-up;<\/li><li>An assurance that the payment product or service is delivered in a safe and secure manner with robust performance;<\/li><li>Capacity building and scalability to meet growing demand;<\/li><li>Minimal disruption of customer service, with increased availability of the system\u2019s channels;<\/li><li>An efficient and effective customer grievance redressal and dispute resolution mechanism; and<\/li><li>An appropriate review mechanism followed by swift corrective action.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Guidelines_for_Regulated_Entities_provided_by_Digital_Payment_Security_Controls\"><\/span>Guidelines for Regulated Entities provided by Digital Payment Security Controls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The directions for regulated entities under the Digital Payment Security Controls are as follows:<\/p>\n\n\n\n<ol><li>The Board and senior management are responsible for implementing this policy;<\/li><li>The policy must be reviewed by the Board on a yearly basis;<\/li><li>Regulated Entities may formulate the policy for their various digital products or services and include it as part of their overall product policy;<\/li><li>The policy document must require that, for every digital payment product or service offered, the mechanics, the critical intermediate stages, a clear definition of the start and end points of the digital payment cycle, and the authentications required until the payment is settled are documented;<\/li><li>A mechanism for conducting \u201cUser Acceptance Tests\u201d in multiple stages prior to roll-out, sign-off from the various stakeholders, and data archival requirements must also be taken into consideration.<\/li><\/ol>\n\n\n\n<p>Regulated entities are expected to integrate the necessary governance programmes to manage fraud risk and compliance risk, and to define key monitoring indicators to evaluate the digital payment products or services offered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Performing_of_Risk_Assessments_by_Registered_Entities\"><\/span>Risk Assessments by Regulated Entities<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>All Regulated Entities are required to conduct risk assessments of the safety and security of their digital payment products and the associated services and processes.<\/p>\n\n\n\n<p>The risk assessment must take the following into account:<\/p>\n\n\n\n<ol><li>The technology stack and solutions used;<\/li><li>Known vulnerabilities and weaknesses at every touch point of the digital product, and the actions taken by the entity to address them;<\/li><li>Dependence on third-party service providers;<\/li><li>Oversight of third-party service providers;<\/li><li>Risk arising from the integration of digital payment platforms with other systems, including core systems and the systems of payment system operators;<\/li><li>Customer convenience, experience and the technology adoption required to use such digital products;<\/li><li>Operational risk;<\/li><li>Interoperability aspects;<\/li><li>Reconciliation process;<\/li><li>Business continuity;<\/li><li>Service 
availability;<\/li><li>Data storage, security, integrity and privacy protection;<\/li><li>Compliance with extant cyber security requirements; and<\/li><li>Compatibility aspects.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Mobile_Payment_Activity_Controls\"><\/span>Mobile Payment Application Controls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The instructions relating to mobile payment application controls are as follows:<\/p>\n\n\n\n<p>The RBI has stated in its notification on <strong>Digital Payments<\/strong> Security Controls that if a customer notices any unfamiliar behaviour in the application, the customer should be advised to reinstall a fresh copy of the application. Regulated entities must also verify the version of the mobile application before it is used by the customer.<\/p>\n\n\n\n<p>The specific controls for mobile applications can be summarised as:<\/p>\n\n\n\n<ol><li>Secure download and installation of the mobile application;<\/li><li>Device policy enforcement;<\/li><li>Deactivation of older application versions in a phased but time-bound manner, so that only one version of the application is maintained per platform or operating system;<\/li><li>Device and application encryption;<\/li><li>Secure storage of customer data;<\/li><li>Ensuring minimal data collection and app permissions;<\/li><li>Application sandboxing or containerisation;<\/li><li>Ability to identify remote access applications and restrict login to the mobile application when such applications are detected; and<\/li><li>Code obfuscation.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Guidelines_for_Card_Payment_Security_by_Digital_Payment_Security_Controls\"><\/span>Guidelines for Card Payment Security by Digital Payment Security Controls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>All 
the Regulated Entities must comply with the various payment card standards, in line with the Payment Card Industry recommendations for payment card security, to the extent the updated versions of those standards are applicable to them.<\/p>\n\n\n\n<p>Regulated Entities must also ensure that the terminals at merchants which capture card details, for payments or otherwise, are validated under the PCI P2PE (Point-to-Point Encryption) programme, i.e. that they use PCI-approved P2PE solutions.<\/p>\n\n\n\n<p>The Reserve Bank of India has further asked regulated entities to carry out the following to improve the security posture of their ATMs:<\/p>\n\n\n\n<ol><li>Implementation of security measures such as disabling USB ports, setting a BIOS password, applying the latest patches for the operating system and other software, disabling the auto-run facility, and deploying a terminal security solution;<\/li><li>Implementation of anti-skimming and application whitelisting solutions;<\/li><li>Upgrading all ATMs (Automated Teller Machines) to supported versions of the operating system; and<\/li><li>Prohibiting the use of ATMs running unsupported operating systems.<\/li><\/ol>\n\n\n\n<p>Regulated entities must also ensure robust surveillance and monitoring of card transactions, and set rules and thresholds commensurate with their risk appetite.<\/p>\n\n\n\n<p>All Regulated entities must ensure that customer card details are not stored in plain text, whether at the regulated entity or at their vendors\u2019 locations, systems and applications. <\/p>\n\n\n\n<p>They must also ensure that any processing of card details in readable form is carried out in a safe and secure manner, so as to prevent leakage of sensitive customer information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Safety_Measures_to_be_implemented_by_Regulated_Entities_concerning_Card_Data_Scanning_Tools\"><\/span>Safety Measures to be Implemented by Regulated Entities concerning Card Data Scanning Tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The safety measures to be implemented by regulated entities concerning card data scanning tools are as follows:<\/p>\n\n\n\n<ol><li>Any tool or mechanism used to scan for unencrypted card data must first be checked in a test environment to understand the scope and effect of the tool\u2019s capabilities;<\/li><li>The scanning tool must be installed only on the regulated entity\u2019s own devices, within its premises;<\/li><li>Card data scanning must not be carried out remotely;<\/li><li>Discovered card data must be retained within the scanning tool;<\/li><li>Any exportable card data must be appropriately masked;<\/li><li>Access granted to service providers for carrying out the scanning must be limited; and<\/li><li>Analysis of the data must be carried out only on the regulated entity\u2019s devices.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In a nutshell, the directions on digital payment security controls notified by the apex bank, the Reserve Bank of India, are binding on all scheduled commercial banks, small finance banks, payments banks, among others. 
<\/p>\n\n\n\n<p>Given the volume of digital payments in India, among the highest in the world, and the rise in fraud that accompanies it, the apex bank has rightly issued these security control directions.<\/p>\n\n\n\n<p><strong>Also, Read:<\/strong> <mark style=\"background: #fffd03 !important;\"><a href=\"https:\/\/swaritadvisors.com\/blog\/extended-time-for-authorisation-under-umbrella-entity-of-retail-payments\/\">RBI Extends Time Limit for Authorisation under Umbrella Entity of Retail Payments<\/a><\/mark><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Official_RBI_Notification_on_Digital_Payment_Security_Controls_Directions_2021\"><\/span>Official RBI Notification on Digital Payment Security Controls Directions 2021<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n<a href=\"https:\/\/swaritadvisors.com\/blog\/wp-content\/uploads\/2021\/04\/MD7493544C24B5FC47D0AB12798C61CDB56F.pdf\" class=\"pdfemb-viewer\" style=\"\" data-width=\"max\" data-height=\"max\"  data-toolbar=\"bottom\" data-toolbar-fixed=\"off\">MD7493544C24B5FC47D0AB12798C61CDB56F<br\/><\/a>\n<p class=\"wp-block-pdfemb-pdf-embedder-viewer\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Given the central role that digital payment mechanisms now play in India, the RBI (Reserve Bank of India) attaches the highest importance to the security controls around them. 
As a result, it has issued the RBI (Digital Payment Security Controls) Directions 2021[1] to allow the regulated entities to establish a robust governance structure for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4181,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[50,56],"tags":[582],"acf":[],"_links":{"self":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/4180"}],"collection":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/comments?post=4180"}],"version-history":[{"count":6,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/4180\/revisions"}],"predecessor-version":[{"id":4195,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/posts\/4180\/revisions\/4195"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/media\/4181"}],"wp:attachment":[{"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/media?parent=4180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/categories?post=4180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swaritadvisors.com\/blog\/wp-json\/wp\/v2\/tags?post=4180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}