Cyber Resilience And Digital Payment Security Governance: A Step Towards Secured Payments Systems

1

Large PSOs

(i) Clearing Corporation of India Limited;

(ii) National Payments Corporation of India (NPCI);

(iii) NPCI Bharat Bill Pay Limited;

(iv) Card Payment Networks;

(v) Non-bank ATM Networks, White Label ATM Operators;

(vi) Large PPI issuers;

(vii) Trade Receivables Discounting System (TReDS) Operators;

(viii) Bharat Bill Payment Operating Units (BBPOUs); and

(ix) Payment Aggregators.

1 April 2025

2

Medium PSOs

(i) Cross-border (in-bound) Money Transfer Operators under Money Transfer Service Scheme (MTSS); and

(ii) Medium PPI issuers.

1 April 2026

3

Small PSOs

(i) Instant Money Transfer Operators; and

(ii) Small PPI issuers.

1 April 2028

1

Large PPI issuers

(i) Number of outstanding PPIs is greater than 2 crores as on 31 March of the preceding year; or

(ii) Total amount outstanding for all issued PPIs is greater than INR 50 crores as on 31 March of the preceding year; or

(iii) Total value of all PPI transactions processed during the preceding financial year is greater than INR 5000 crores.

2

Medium PPI issuers

(i) Number of outstanding PPIs is between 10 lakhs and 2 crores as on 31 March of the immediately preceding year; or

(ii) Total amount outstanding for all issued PPIs is between INR 10 lakhs and INR 50 crores as on 31 March of the immediately preceding year; or

(iii) Total value of all PPI transactions processed during the preceding financial year is between INR 1,000 crores and INR 5,000 crores.

3

Small PPI issuers

(i) Number of outstanding PPIs is less than 10 lakhs as on 31 March of the immediately preceding year; or

(ii) Total amount outstanding for all issued PPIs is less than INR 10 lakhs as on 31 March of the immediately preceding year; or

(iii) Total value of all PPI transactions processed during the preceding financial year is less than INR 1,000 crores.

1

Board of Directors (Board)

(i) Oversee information security risks, including cyber risk and resilience.

(ii) Primary oversight may be delegated to a sub-committee of a board headed by a member experienced in information / cyber security.

(iii) Approve and implement information security policy covering roles and responsibilities of the Board / sub-committees, senior management and key personnel.

(iv) Approve and implement measures to identify, assess, manage and monitor cyber security risks, with security controls and training processes for employees / stakeholders.

(v) Approve and implement a cyber crisis management plan in line with guidelines from agencies such as Indian Computer Emergency Response Team (CERT-In), National Critical Information Infrastructure Protection Centre, or Institute for Development and Research in Banking Technology.

2

Chief Information Security Officer (CISO) or equivalent senior-level executive

(i) Implement information security policy and cyber resilience framework.

(ii) Oversee action points while conducting cyber risk assessments for new products / services or major changes.

3

IT oversight sub-committee

Review the information technology assessment reports presented to it.

1

Inventory management

(i) Retain records related to key roles, information assets, critical functions, processes, Service Providers, classifying their usage, criticality and business value.

(ii) A comprehensive process flow diagram of network resources, inter-connections and data flows with third-party systems is required.

(iii) Asset information should include identifiers, network addresses, asset locations, owner names and end of life support status.

2

Identity and access management

(i) Adoption of policies and procedures to manage access privileges and rights of all individuals accessing the IT environment.

(ii) Maintain and monitor user's digital identity.

(iii) Follow the principle of 'least privilege' for system access, with privileged accounts utilising multi-factor authentication.

(iv) Implement safeguards for removable media and portable devices, remote work precautions and session termination after pre-determined period of inactivity.

3

Network security

(i) Configure network devices and check periodically their compliance with the established security rules.

(ii) Put in place security operations centre to provide centralised monitoring and management of security incidents, including automated systems that correlate all anomalous activities to prevent multi-faceted attacks.

(iii) Implement anti-malware solutions and multi-layered boundary defences.

(iv) Implement network segmentation based on data criticality and whitelisting solutions for applications and services.

(v) Follow a secure-by-design approach like Secure-Software Development Life Cycle and implement a multi-tier application architecture.

(vi) Conduct periodic security testing of applications, including source code review, vulnerability assessments, and penetration testing.

4

Vendor risk management and data security

(i) Adherence to RBI's 'Framework for Outsourcing of Payment and Settlement-related Activities by PSOs' dated 3 August 2021.

(ii) Implement measures to ensure security controls for preventing network infiltration from vendor environments.

(iii) Adopt comprehensive data leak prevention policies, information security management systems and obtain PCI-DSS certification for storing card-data.

(iv) Mitigate risks associated with insecure application programming interfaces by adhering to globally recognised standards.

(v) Carry out periodic employee awareness and training programmes.

(vi) Implement incident response mechanisms to ensure prompt notification and post-incident analysis, with cyber incident reporting to CERT-In.

(vii) Develop robust business continuity plan.

(viii) Include multi-factor authentication for transactions, secure IT-infrastructure configurations, real-time fraud monitoring and systematic audit log management.

(ix) Maintain a manned facility to function on a 24x7x365 basis for facilitating swift resolution of unauthorised / fraudulent transactions and assisting law enforcement agencies.

1

General

(i) Enable online alerts for transaction parameters, such as failed transactions, new account activity, geo-location, and IP address origin.

(ii) Ensure that customer notifications are pushed after redacting sensitive information and financial data for online payments.

(iii) Provide a feature for immediate marking of fraudulent transactions to customers.

2

Mobile payments

Maintain encryption during customer interactions, auto-terminating inactive sessions, limiting failed login attempts, and prohibit remote access applications during live sessions.

3

Card payments

(i) Validate merchant terminals against Payment Card Industry Point to Point Encryption (PCI-P2PE) and Payment Card Industry PIN Transaction Security (PCI-PTS) programs.

(ii) Implement transaction limits and alert mechanisms for suspicious incidents.

(iii) Store and process card details securely.

4

Prepaid payment instruments

(i) Communicate OTP and transaction alerts in the user's preferred language, including vernacular languages.

(ii) Implement a cooling period for funds transfer and cash withdrawal after electronic loading of funds.