RBI issues Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators
Introduction
Recently, the Reserve Bank of India (‘RBI’), pursuant to its power under s. 10(2) read with s. 18 of the Payment and Settlement Systems Act, 2007[i], issued a draft of Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (‘PSOs’) and has invited comments on it. These Directions aim to improve the safety and security of the payment systems operated by authorised non-bank PSOs by providing a framework for overall information security preparedness, with a focus on cyber resilience. They cover, inter alia, governance mechanisms for identifying, assessing, monitoring, and managing cyber security risks. To provide adequate time for implementation, the RBI has laid down different[ii] compliance timelines, as follows:
For large, non-bank PSOs: April 1, 2024.
For medium, non-bank PSOs: April 1, 2026.
For small, non-bank PSOs: April 1, 2028.
Key Highlights of the Draft Directions
The draft Master Directions, inter alia, provide for the following:
Governance framework for cybersecurity: The board of directors of a PSO (the board) holds the responsibility for effective oversight of information security risks, including cyber risks and cyber resilience. PSOs are also required to formulate a board-approved Information Security (‘IS’) policy that covers roles and responsibilities, cyber risk management, and security controls, along with processes for training and awareness of employees and stakeholders. PSOs are further required to develop a board-approved Cyber Crisis Management Plan (‘CCMP’) to detect, contain, respond to, and recover from cyber threats and attacks.
Risk assessment and management: The board must designate a senior-level executive, such as a Chief Information Security Officer (‘CISO’), to be responsible for implementing the IS policy and the cyber resilience framework. PSOs should also establish Key Risk Indicators (‘KRIs’) and Key Performance Indicators (‘KPIs’) to identify potential risk events and to assess the effectiveness of security controls. Moreover, PSOs should conduct a cyber risk assessment exercise before launching new products or services or making significant changes to existing infrastructure or processes.
Information security controls: PSOs are required to implement several measures to enhance information security. These measures include:
Maintaining an inventory of key roles and information assets: This helps to identify the most important assets that need to be protected, as well as the people who have access to them.
Establishing identity and access management policies: These policies should define who has access to what information, and how that access is controlled.
Ensuring network security: This includes configuring networks securely, monitoring them for suspicious activity, and using intrusion detection mechanisms to detect attacks.
Following secure application development practices: This includes using secure coding practices, testing applications for security vulnerabilities, and deploying them securely.
Conducting rigorous security testing: PSOs must conduct security testing of their applications, including penetration testing, vulnerability scanning, and other security assessments.
Managing vendor risks: This includes conducting due diligence on vendors, managing their access to sensitive information, and enforcing security requirements.
Implementing data security measures: This includes encrypting data, using strong passwords, and adhering to the Payment Card Industry Data Security Standard (‘PCI-DSS’) guidelines for obtaining its certification.
Patch and change management life cycle: This includes identifying the patches required by security policies and systems, testing them, and then applying and implementing them in the production environment.
Incident response and recovery: In order to respond to any cyber security incident, PSOs must have a board-approved incident response mechanism to promptly notify senior management, relevant stakeholders, and regulatory authorities of any cyber security incident. PSOs should also develop a comprehensive business continuity plan (‘BCP’) for managing cybersecurity incidents, enabling rapid recovery and safe resumption of critical operations. The aim should be to achieve a near-zero recovery point objective (‘RPO’). The adoption of secure application programming interfaces (‘APIs’), global API security standards, and employee awareness and training programmes is also encouraged.
Compliance and reporting: PSOs that provide, process, or facilitate digital or electronic transactions must duly comply with all prescribed security practices and risk mitigation measures. They must also ensure that all participants follow the applicable instructions and requirements. The draft contains specific guidelines for PSOs regarding card payments, device binding and session termination for mobile payments, and prepaid payment products. Card networks shall institute an alert mechanism on a 24x7x365 basis, triggering alerts to card issuers in case of any suspicious incident. Prepaid payment instrument (‘PPI’) issuers are encouraged to communicate one-time passwords (‘OTPs’) and transaction alerts in users’ preferred languages. Further, if there is a change in the registered mobile number or email ID linked to a payment instrument, a cooling period of at least 12 hours is required before transactions through online modes or channels are allowed.
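The 12-hour cooling period after a change of registered mobile number or email ID is the one control in the draft that reduces to a precise authorisation rule, so the following is an added illustration of how an issuer might enforce it. This is example code written for this note; it is not part of the RBI draft and not code from any PSO. The channel names, the in-memory data structure, and the choice to measure the period from the most recent contact-detail change are all assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimum cooling period stated in the draft Directions: at least 12 hours.
COOLING_PERIOD = timedelta(hours=12)

# Hypothetical channel identifiers; "online modes or channels" in the draft
# are assumed here to be these three. Branch/POS style channels are unaffected.
ONLINE_CHANNELS = {"netbanking", "mobile_app", "upi"}


@dataclass
class PaymentInstrument:
    """Minimal record of a payment instrument and its contact-detail changes."""
    instrument_id: str
    # UTC timestamps of every registered mobile number / email ID change.
    contact_changes: list = field(default_factory=list)

    def record_contact_change(self, at: datetime) -> None:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self.contact_changes.append(at)


def cooling_period_ends(instrument: PaymentInstrument):
    """Return the UTC instant at which online transactions may resume,
    or None if no contact-detail change has ever been recorded.
    The period is measured from the most recent change, so a second change
    inside the window restarts it (an assumption, not text from the draft)."""
    if not instrument.contact_changes:
        return None
    return max(instrument.contact_changes) + COOLING_PERIOD


def authorize_transaction(instrument: PaymentInstrument, channel: str,
                          now: datetime):
    """Decide whether a transaction may proceed.
    Returns (allowed: bool, reason: str)."""
    if now.tzinfo is None:
        raise ValueError("'now' must be timezone-aware")
    if channel not in ONLINE_CHANNELS:
        return True, "non-online channel; cooling period does not apply"
    ends = cooling_period_ends(instrument)
    if ends is None or now >= ends:
        return True, "no active cooling period"
    remaining = ends - now
    return False, (f"contact details changed recently; online transactions "
                   f"blocked for another {remaining}")


def demo():
    """Constructed scenario: a change at 10:00 UTC, then attempts afterwards."""
    inst = PaymentInstrument("PPI-EXAMPLE-0001")  # constructed identifier
    inst.record_contact_change(datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc))
    results = {}
    t = datetime(2023, 6, 1, 11, 0, tzinfo=timezone.utc)
    results["upi_1h_after"] = authorize_transaction(inst, "upi", t)[0]
    results["pos_1h_after"] = authorize_transaction(inst, "pos", t)[0]
    t = datetime(2023, 6, 1, 21, 59, tzinfo=timezone.utc)
    results["upi_just_before_12h"] = authorize_transaction(inst, "upi", t)[0]
    t = datetime(2023, 6, 1, 22, 0, tzinfo=timezone.utc)
    results["upi_at_12h"] = authorize_transaction(inst, "upi", t)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Two design points worth noting: timestamps are required to be timezone-aware so that a local-time change and a UTC transaction clock cannot silently shorten the window, and the decision function reports a reason string so the block can be logged and surfaced to the customer rather than failing silently.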
How to Comment on the Draft Directions
Comments or feedback, if any, may be sent by email to dpssfeedback@rbi.org.in or by post to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, RBI, 14th Floor, Central Office Building, Shahid Bhagat Singh Road, Mumbai - 400 001, on or before 30th June 2023.
Conclusion
The RBI's draft Master Directions on Cyber Resilience and Digital Payment Security Controls for PSOs represent a significant step in strengthening the safety and security of digital payment systems. By introducing a comprehensive framework for information security preparedness and emphasising cyber resilience, the RBI aims to improve the governance mechanisms for identifying, assessing, monitoring, and managing cyber security risks. The draft Directions underscore the importance of governance, risk assessment, information security controls, incident response, and compliance in ensuring the robustness of payment systems. PSOs must adhere to these guidelines to enhance their cyber resilience and contribute to a secure digital payment ecosystem in India.
End Notes:
[i] Act 51 of 2007
[ii] Categorisation of authorised non-bank PPI Issuers into small, medium and large is as per the Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs). If a PPI Issuer moves to a higher category, the timeline of the category into which it moves would apply. For instance, if a small (or medium) PPI Issuer moves into the medium (or large) category, it will need to comply with these Directions within two years from the time of the new categorisation.
Authored by Jitin Bharadwaj, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinion.