On July 30, 2024, the Reserve Bank of India (“RBI”) issued the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (“Master Directions”) with the aim of strengthening the security and resilience of the digital payment ecosystem in India.
The Master Directions apply to all non-bank payment system operators (“non-bank PSOs”) authorised by the RBI. They also make clear that where unregulated entities form part of a PSO's digital payments ecosystem (payment gateways, third-party service providers, vendors, etc.), the PSO shall, subject to mutual agreement, ensure that those entities adhere to the Master Directions as well.
The compliance obligations of non-bank PSOs fall into three categories: (i) governance-related measures; (ii) baseline information security measures and controls; and (iii) measures for the security of digital payment transactions.
Some of the key measures are summarised below:
- Develop a Board approved Information Security policy (IS Policy) which shall inter alia state the roles and responsibilities of the Board and its sub-committees and procedures and measures to recognize, evaluate, control and mitigate cyber security risk. Such policy shall be subject to annual review;
- Develop an efficient Board approved Cyber Crisis Management Plan (CCMP) to identify, address, neutralise and recover from cyber threats and cyber-attacks;
- Appoint a senior-level executive with expertise in information security, such as a Chief Information Security Officer (CISO), for effective implementation and continual assessment of the IS Policy and the cyber resilience framework;
- Establish a sub-committee of the Board to oversee the monitoring of information security risks, including cyber risk and cyber resilience. The sub-committee shall meet once every three months and shall be led by a person with experience in information security or cyber security;
- The sub-committee of the Board shall define and monitor Key Risk Indicators, Key Performance Indicators and evaluate the IT assessment reports in order to identify possible risk events and evaluate the efficacy of security procedures; and
- Conduct a cyber risk assessment prior to the launch of new product/ services/technologies or undertaking major changes to their infrastructure or processes of existing product/services.
- Inventory Management: PSOs shall, inter alia, document and classify all key roles, information assets, critical functions, processes and third-party services based on their usage, criticality, and business value.
- Network Security: The Directions stipulate network security measures, including the deployment of anti-malware solutions.
- Access to data and information: Measures on access and privileges for individuals are stipulated, including that everyone with access to the PSO's IT environment shall have a monitored digital identity, that such access is granted on a need-to-have or need-to-know basis, and that multi-factor authentication is required in scenarios such as work from home.
- Security Testing: PSOs shall ensure that all their applications undergo rigorous security testing (such as source code review), that deficiencies are resolved in a time-bound manner, and that recurring deficiencies are reported to the Board sub-committee. Importantly, where the PSO does not own the source code, it must obtain a certificate from the application developer stating that the application is vulnerability- and virus-free.
- Application Security Life Cycle (ASLC): PSOs shall follow a ‘secure by design’ approach, such as a Secure Software Development Life Cycle (S-SDLC), for the design and development of products and services so as to eliminate security flaws. These ASLC requirements apply to procured products and services as well, and PSOs must obtain the source code of all critical applications procured from third-party vendors or, where that is not possible, maintain a source-code escrow arrangement.
- Vendor Risk Management: PSOs shall comply with the Framework for Outsourcing of Payment and Settlement related Activities by PSOs issued by the RBI, and must obtain certified assurance from an independent auditor on a vendor's cyber resilience capabilities where the vendor is involved in any critical activity.
- Data Security: PSOs must have a comprehensive data leak prevention policy with a focus on Personally Identifiable Information (PII), deploy appropriate mechanisms for data asset visibility and traceability, and implement an Information Security Management System. PSOs that store card data must obtain PCI DSS certification and comply with the PCI DSS requirements.
- Incident Response and reporting: The PSOs shall develop a Board approved incident response mechanism for immediately notifying any cyber security incident to senior management, relevant employees, regulatory, supervisory and relevant public authorities. PSOs are required to report any cyber-attacks, outage of critical system/infrastructure, internal fraud, settlement delay, etc to the RBI within 6 hours of detection in the Incident Reporting Format and report any cyber security incident to both RBI and Indian Computer Emergency Response Team (CERT-In).
- Business Continuity Plan: PSOs shall develop a Business Continuity Plan based on different cyber threat scenarios, subject to annual review; set up a Disaster Recovery (DR) facility in a different seismic zone from the primary data centre; and conduct DR drills at least half-yearly.
- Employee Awareness: PSOs shall ensure periodic training of all employees, including Board members, key senior management personnel and vendors.
- Cloud Security: The IS Policy should include a cloud operations policy that sets out, inter alia, the activities that may be hosted on cloud servers, clearly identified roles and responsibilities of the cloud service provider, and data localisation, protection and recoverability requirements. PSOs shall ensure that the Cloud Service Provider (CSP) is subjected to periodic (at least annual) independent information and cyber security audits, the reports of which shall be reviewed by the Board sub-committee.
- Bank account numbers, card numbers and other sensitive information must be masked or redacted to the extent possible in SMS, email alerts and other messages sent to customers, whether by the PSO or by other payment system participants;
- Every online payment transaction shall display the name of the merchant and the transaction amount; for fund transfers, the name of the beneficiary and the debit amount shall be displayed;
- PSOs shall provide a facility on their application or website for customers to identify and mark a transaction as fraudulent; and
- In addition, the Directions provide various security and risk mitigation measures for mobile payment transactions, card payment transactions and PPI transactions.
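The masking requirement for customer alerts is the one item above that reduces to an engineering control. The following is an added example, not code from the Directions or from any PSO, of a redaction pass that a PSO could run over every outbound SMS or email before it leaves the notification service. Card numbers are recognised by length plus a Luhn check so that they are masked even when written with spaces, any other long digit run (account numbers) is masked by length alone, and a final `leaks` check confirms nothing slipped through. The regex thresholds, the number of trailing digits kept and the sample messages are my own assumptions, not values taken from the Directions.

```python
import re

# Card numbers (PANs) are 13-19 digits, often written with spaces or dashes.
# Lookarounds stop a match from starting or ending inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Account numbers: any run of 9-18 consecutive digits (assumed range).
ACCT_RE = re.compile(r"(?<!\d)\d{9,18}(?!\d)")

# Constructed sample alert, not taken from any real PSO.
SAMPLE = ("Rs 1,250.00 debited from A/c 123456789012 "
          "via card 4111 1111 1111 1111 at ACME STORES.")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with X (assumed masking format)."""
    return "X" * (len(digits) - keep) + digits[-keep:]


def redact(message: str) -> str:
    """Mask card numbers (Luhn-valid, separators allowed) and then any
    remaining account-length digit run in an outbound customer message."""
    def replace_pan(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            return mask(digits)
        return raw              # not a card number; the account pass decides

    out = PAN_RE.sub(replace_pan, message)
    out = ACCT_RE.sub(lambda m: mask(m.group(0)), out)
    return out


def leaks(message: str) -> bool:
    """True if an unmasked card- or account-length digit run is still present.
    Use as a hard gate before the message is handed to the SMS/email sender."""
    return bool(PAN_RE.search(message)) or bool(ACCT_RE.search(message))


if __name__ == "__main__":
    safe = redact(SAMPLE)
    print(safe)                 # account and card both masked to last four digits
    assert not leaks(safe)
```

Two caveats a practitioner should keep in mind: the account-number pass is length-based, so transaction references (UTRs) of similar length will be masked too unless the template marks them explicitly; and the Luhn check only tells card numbers apart from other digit runs, it does not make the masking format itself compliant, so the number of digits retained should be set to whatever the PSO's policy and card-scheme rules allow.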
With the rapid advancement of technology and the global shift towards digital payments, provisions of this kind had become the need of the hour. Implementing the Master Directions will raise operating costs for PSOs, both for the technology measures themselves and for the compliance burden of maintaining and evidencing adherence to the required policies (the Information Security Policy, the Cyber Crisis Management Plan, the Business Continuity Plan and others) and of meeting reporting requirements such as incident reporting to the RBI and CERT-In. In other words, while the Directions aim to improve security and efficiency, they also require PSOs to invest more resources in compliance and in maintaining robust operational standards, and to work closely with their vendors and other stakeholders in the payment system. PSOs should therefore study the Directions carefully and prepare for implementation by the cut-off dates applicable to them.