RBI Warns of License Cancellation for Non-Banking PSOs Lacking Robust Cybersecurity Measures
The Reserve Bank of India (RBI) has unveiled new master directions on cyber resilience and digital payment security controls specifically for non-bank payment system operators (PSOs). According to the RBI circular, PSOs must establish a board-approved information security policy to address potential information security risks across all applications and payment system products. This policy is required to undergo an annual review.
The policy must detail, at a minimum, the roles and responsibilities of the board, subcommittees, senior management, and key personnel. It should include measures for identifying, assessing, managing, and monitoring cyber security risks, incorporating various security controls to ensure cyber resilience, and processes for employee and stakeholder training and awareness.
The Board of Directors (Board) of the PSO holds ultimate responsibility for overseeing information security risks, including cyber risks and cyber resilience. Primary oversight may, however, be delegated to a sub-committee of the Board, led by a member experienced in information and cyber security, which must convene at least quarterly. Additionally, PSOs must develop a distinct Board-approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond to, and recover from cyber threats and attacks, drawing on guidelines from CERT-In, NCIIPC, IDRBT, and other agencies.
A senior executive with expertise in information security and cyber security, such as a Chief Information Security Officer (CISO), will be responsible for implementing the information security (IS) policy and the cyber resilience framework, and for continuously assessing the overall IS posture of the PSO.
The PSO must establish appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to evaluate the effectiveness of security controls.
Digital Payment Security Measures
RBI mandates that PSOs provide their members/participants with mechanisms for online alerts based on various parameters such as failed transactions, transaction velocity, time zone, geo-location, IP address origin, behavioural biometrics, and more. Alerts should also be triggered by transactions originating from points of compromise, transactions involving mobile wallets, mobile numbers, or VPAs with recorded fraud incidents, declined transactions, and transactions lacking approval codes.
When sending SMS/e-mail alerts or any other notifications to customers, PSOs or payment system participants must ensure that sensitive information like bank account numbers, card numbers, or other confidential data is redacted or masked to the extent possible. Additionally, online payment transaction notifications must include the merchant name and amount, and for fund transfers, the name of the beneficiary and debit amount should be clearly mentioned. The PSO must ensure that beneficiary names are sourced from the entity maintaining the beneficiary account.
For transactions requiring an OTP as an authentication factor, the OTP must be placed at the end of the notification message, which should also reference the specific transaction.