The volume of digital payments in India is increasing year by year, which makes security controls around digital payments a necessity. Financial data that falls into the wrong hands can have serious consequences. A security framework that requires businesses to follow best practices when handling customer data can significantly reduce those risks.
The RBI has therefore issued guidelines to regulate card payments, internet banking and mobile banking. This article walks through the RBI Master Direction on Digital Payment Security Controls (DPSC) in detail.
RBI Master Direction on Digital Payment Security Controls (DPSC)
The Master Direction that establishes security controls for digital payments was released on 18th February, 2021. These security controls are applicable for regulated entities such as scheduled commercial banks, payment banks, small finance banks and credit card issuing NBFCs. RBI DPSC enables customers to securely conduct digital payments. The Master Direction covers areas such as Governance and Management of Security Risks, Generic Security Controls, Application Security Life Cycle (ASLC), Authentication Framework, Fraud Risk Management, Reconciliation Mechanism, Customer Protection, Awareness and Grievance Redressal Mechanism, specific controls related to Internet Banking, Mobile Payments Application Security Controls and Card Payments Security.
Applicability of RBI DPSC
Regulated Entities (REs) such as Scheduled Commercial Banks (excluding Regional Rural Banks), Small Finance Banks, Payments Banks and Credit card issuing NBFCs need to abide by the provisions of the Master Direction.
Purpose of RBI DPSC
The Master Direction is aimed at providing a framework for licensed banks, scheduled banks, primary dealers and authorized PSPs so they can securely obtain membership of the payment systems. The directions also outline specific requirements that applicants must fulfil.
General Guidelines Under RBI DPSC
Access criteria vary between centralized and decentralized payment systems. Real Time Gross Settlement (RTGS), National Electronic Fund Transfer (NEFT) and any other systems recognized by the RBI from time to time come under centralized payment systems. Clearing houses operating under the RBI, such as Cheque Truncation System Centres, and those operated by other banks, such as Express Cheque Clearing System Centres, come under decentralized payment systems.
All scheduled and licensed banks are eligible to apply for membership of the centralized and decentralized payment systems. These banks can obtain Type A membership in RTGS, covering inter-bank, Own Account Transfer (OAT), customer and Intra-Day Liquidity (IDL) transactions, as well as NEFT membership. Unlicensed banks come under decentralized payment systems as sub-members. Co-operative societies are not eligible to become either direct members or sub-members of any payment system.
Post office savings banks, however, can be members of decentralized payment systems. Primary dealers can apply for Type B membership, which covers OAT, IDL and inter-bank transactions. Prepaid Payment Instrument Issuers and White Label ATM Operators can be Type D members in RTGS, and card networks can apply for Type C membership in RTGS, which covers multilateral net settlement batch transactions and OAT. Prepaid Payment Instrument Issuers can obtain NEFT membership too. The RBI decides whether clearing organizations and other entities are eligible for membership on a case-by-case basis.
Access Criteria for Membership
There is a set of requirements to be fulfilled by entities applying to centralized and decentralized payment systems. The criteria to gain membership in centralized payment systems are as follows:
1. Banks
Banks must have a minimum CRAR of 9%, net NPAs below 5% and a minimum net worth of Rs 25 crore. A core banking solution/centralized processing system should be available at the applicant’s end, and banks must be technically competent in areas including cyber security. Banks should also comply with the instructions governing payment system data storage and obtain a recommendation from the concerned regulatory department.
2. Authorized non-bank PSPs
Non-bank PSPs must be authorized by the central bank under the Payment and Settlement Systems Act. Non-bank PSPs must have a minimum net worth of Rs 25 crore or the amount prescribed by the RBI in the certificate of authorization, whichever is higher. Entities should be incorporated in India under the Companies Act, 1956 / 2013. Entities that are not incorporated in India should have their Indian subsidiaries enter into the requisite agreements with the RBI. A centralized processing system, cyber resilience and compliance with payment data storage instructions are also mandatory requirements.
Access criteria for decentralized payment systems are as follows:
- Entities must have a minimum CRAR of 9% and net NPAs below 5% as per the latest audited balance sheet.
- A core banking system at the applicant’s end as well as recommendation of the concerned regulatory/supervisory department is mandatory.
The recommendation is obtained independently, and the entity need not present it when submitting the application. The recommendation allows banks, authorized non-bank PSPs and primary dealers to continue operations even when the entity’s financials drop below the thresholds mentioned above. Newly licensed banks need no separate recommendation if the application was submitted before starting operations.
General Controls under RBI DPSC
The Master Direction on Digital Payment Security Controls covers key areas such as general controls, internet banking security controls, mobile payment application security controls and card payment security. Let’s look at the key highlights of the general controls one by one.
1. Governance and management of security
This pertains to identification, analysis, monitoring and management of fraud risk and compliance risk linked with digital payment products through risk governance and risk management programs.
2. Application security life cycle
Regulated entities with digital payment applications must implement all the security controls necessary to handle, store and protect payment data. Several standards and guidelines exist to protect applications, such as OWASP, the data protection guidelines in ISO 12812 and the threat catalogs published by NIST, and these must be adhered to right from the application development phase.
3. Authentication Framework
REs should implement multi-factor authentication for payments and fund transfers made through electronic modes and payment applications. Appropriate authentication methodologies should be determined after a risk assessment. It is recommended that entities use at least one authentication methodology that is dynamic or non-replicable.
4. Fraud Risk Management
Entities need to configure security controls that identify suspicious transactional behavior, based on parameters such as the following:
- Transaction velocity: fund transfers, withdrawals, payments and additions of new beneficiaries within a short span of time, particularly in customer accounts that have had no prior transactions through apps, internet banking or cards.
- Parameters associated with high-risk Merchant Category Codes (MCC).
- Parameters linked with card counterfeiting (for instance, repeated unsuccessful attempts to enter PINs or CVVs, which indicate fake account creation).
- New-account parameters to detect unusual excess activity in newly opened accounts.
- Geo-locations, time zones and IP address origins that indicate activity from prohibited zones.
- Transactions to mobile numbers or mobile wallets that have previously been blacklisted for fraudulent activity.
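As an added example (not from the Master Direction or from this article), the rule engine below evaluates the parameters listed above over a constructed batch of events: velocity on a dormant account, consecutive PIN failures, a high-risk MCC, a prohibited geo-location, a blacklisted destination and a large transaction on a new account. Every threshold, MCC value, country code and blacklist entry is an assumed value chosen for illustration, not a value the Direction prescribes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass
class Event:
    ts: int                      # epoch seconds
    account: str                 # customer account id
    kind: str                    # transfer | withdrawal | payment | add_beneficiary | card_auth | pin_fail
    amount: float = 0.0
    dest: str = ""               # beneficiary account, mobile number or wallet id
    mcc: str = ""                # merchant category code for card events
    country: str = "IN"          # country inferred from geo-location / IP origin
    account_age_days: int = 365  # days since the account was opened


# Assumed policy values for illustration only; the Direction prescribes none of them.
VELOCITY_WINDOW_S = 600          # look-back window for the velocity rule
VELOCITY_MAX = 3                 # more than this many money-moving events in the window trips the rule
PIN_FAIL_MAX = 3                 # consecutive PIN/CVV failures before flagging
NEW_ACCOUNT_DAYS = 7             # accounts younger than this count as "new"
NEW_ACCOUNT_MAX_AMOUNT = 100000  # single-transaction cap applied to new accounts
HIGH_RISK_MCC = {"7995", "6051"}       # assumed high-risk MCC list (gambling, quasi-cash)
PROHIBITED_COUNTRIES = {"XX"}          # placeholder code standing in for a prohibited zone
BLACKLISTED_DEST = {"+910000000000", "wallet:known-fraud-001"}   # constructed blacklist
MONEY_MOVING = {"transfer", "withdrawal", "payment", "add_beneficiary"}


class FraudMonitor:
    """Stateful rule engine: evaluate() returns the names of the rules an event trips."""

    def __init__(self) -> None:
        self._recent: Dict[str, Deque[int]] = defaultdict(deque)  # account -> timestamps in window
        self._total: Dict[str, int] = defaultdict(int)            # account -> lifetime event count
        self._pin_fails: Dict[str, int] = defaultdict(int)        # account -> consecutive failures

    def evaluate(self, e: Event) -> List[str]:
        flags: List[str] = []

        if e.kind == "pin_fail":
            self._pin_fails[e.account] += 1
            if self._pin_fails[e.account] >= PIN_FAIL_MAX:
                flags.append("repeated_pin_failures")
            return flags
        self._pin_fails[e.account] = 0  # any successful event resets the failure streak

        if e.kind in MONEY_MOVING:
            window = self._recent[e.account]
            window.append(e.ts)
            while window and e.ts - window[0] > VELOCITY_WINDOW_S:
                window.popleft()
            self._total[e.account] += 1
            if len(window) > VELOCITY_MAX:
                flags.append("velocity")
                # Every event the account has ever had falls inside this window:
                # a burst on a previously dormant account.
                if self._total[e.account] == len(window):
                    flags.append("dormant_account_burst")
            if e.account_age_days < NEW_ACCOUNT_DAYS and e.amount > NEW_ACCOUNT_MAX_AMOUNT:
                flags.append("new_account_high_value")

        if e.mcc in HIGH_RISK_MCC:
            flags.append("high_risk_mcc")
        if e.country in PROHIBITED_COUNTRIES:
            flags.append("prohibited_geo")
        if e.dest in BLACKLISTED_DEST:
            flags.append("blacklisted_destination")
        return flags


def screen(events: List[Event]) -> List[List[str]]:
    """Run all events through one monitor, returning the flags raised for each, in order."""
    monitor = FraudMonitor()
    return [monitor.evaluate(e) for e in events]


# Constructed sample batch (not real transaction data).
SAMPLE_EVENTS = [
    Event(1000, "A1", "add_beneficiary", dest="B1"),
    Event(1060, "A1", "transfer", 5000, "B1"),
    Event(1120, "A1", "transfer", 5000, "B1"),
    Event(1180, "A1", "transfer", 5000, "B1"),          # 4th event in 10 min on a dormant account
    Event(2000, "A2", "card_auth", 100, mcc="5411"),    # ordinary grocery purchase
    Event(2010, "A2", "pin_fail"),
    Event(2020, "A2", "pin_fail"),
    Event(2030, "A2", "pin_fail"),                      # third consecutive failure
    Event(3000, "A3", "payment", 250, dest="+910000000000"),
    Event(3100, "A4", "card_auth", 9000, mcc="7995", country="XX"),
    Event(3200, "A5", "transfer", 200000, dest="B9", account_age_days=2),
]

if __name__ == "__main__":
    for event, flags in zip(SAMPLE_EVENTS, screen(SAMPLE_EVENTS)):
        print(event.ts, event.account, event.kind, flags or "-")
```

The rules are deliberately independent so that one event can carry several flags; a real deployment would feed these flags into a scoring or step-up authentication decision rather than blocking on any single rule.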
Secure by design
Adopting a ‘secure by design’ approach is a must for entities looking to make their digital payment products fully secure. Implementing security features must start right at the development stage. Entities must operate with security objectives that emphasize safeguarding customer data across every stage of the application life cycle: requirements gathering, design, development, testing, implementation, maintenance, monitoring and decommissioning.
Entities must always mask sensitive customer information such as card numbers and account numbers. Mobile applications should not be designed to store any sensitive information on the device. The application should be able to erase sensitive data from memory without compromising security. The number of temporary files must be restricted, and any information stored in such files must be protected by suitable methods such as encryption or masking.
All entities are required to implement adequate safeguards when dealing with digital payment products and services. Web applications offering digital payment products and services should abstain from storing sensitive data in cookies, HTML, hidden fields, and client-side storage as they are not considered secure storage methods. Firewall solutions and Distributed Denial-of-Service mitigation techniques should be implemented to safeguard payment products and services delivered over the internet.
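Three of the requirements above (masking card and account numbers, keeping sensitive data out of temporary files and other insecure storage, and erasing it from memory) are illustrated by the added example below, which is not code from the Master Direction or from this article's author. It masks all but the last four digits of a number while preserving separators, redacts card or account numbers embedded in free text such as a log line before it is written anywhere, and wraps secret bytes in a buffer that is zeroed on exit. The sample log line and the 4111 1111 1111 1111 test PAN are constructed inputs.

```python
import re


def mask_number(value: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with 'X', keeping separators so the
    masked value still reads like a card or account number on screen and in logs."""
    n_digits = sum(c.isdigit() for c in value)
    if n_digits <= keep_last:
        raise ValueError("value too short to mask safely")
    to_mask = n_digits - keep_last
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append("X" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


# Runs of 12 to 19 digits, optionally separated by single spaces or hyphens: long enough
# to catch card PANs and bank account numbers, short enough to leave dates and amounts alone.
_NUMBER_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def redact(text: str) -> str:
    """Mask card/account numbers embedded in free text such as a log line or a temp-file record."""
    return _NUMBER_RUN.sub(lambda m: mask_number(m.group(0)), text)


class SensitiveBytes:
    """Holds secret bytes in a mutable buffer and overwrites them with zeros on exit, so the
    plaintext does not linger in memory after use. CPython caveat: the immutable `bytes`
    object passed in, and any copies made elsewhere, are not wiped by this."""

    def __init__(self, data: bytes) -> None:
        self.buf = bytearray(data)

    def __enter__(self) -> bytearray:
        return self.buf

    def __exit__(self, *exc) -> bool:
        for i in range(len(self.buf)):
            self.buf[i] = 0
        return False   # do not swallow exceptions raised inside the block


if __name__ == "__main__":
    # Constructed sample log line; 4111 1111 1111 1111 is a well-known test PAN, not a real card.
    print(redact("2024-01-05 10:22:01 auth ok card=4111 1111 1111 1111 acct=001234567890 amt=1500.00"))
```

The redaction pattern is intentionally conservative: any 12-to-19-digit run is masked, so a phone number with a country code will be masked as well, which is the safer failure mode for a payment log. Redaction should run at the point where text is produced, before it reaches a log sink, cookie, hidden form field or temporary file.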
Customer awareness and protection
The Master Direction on Digital Payment Security Controls requires entities to keep their customers well informed about their rights, obligations and responsibilities pertaining to digital payments. Customers should be aware of the risks associated with service unavailability or security violations. Customers should also have clarity on the terms and conditions regarding privacy and security, and no product or service should be offered without the customer expressing explicit willingness to use it. The customer’s consent should be obtained through a written or authenticated electronic requisition. Customers should be required to read all the guidelines on secure usage in their preferred language, so as to prevent security risks arising from ignorance or negligence.
India has transitioned from a cash-based economy to a cashless economy, and digital payment systems have gained prominence as a result. With more and more users opting for digital payments, cyber threats have raised some major concerns. The RBI published common security standards for digital payment products and services in view of the proliferation of cyber attacks. Mandating that regulated entities follow secure standards enables customers to use digital payment products and services in a safe and secure manner. RBI DPSC outlines data privacy and security guidelines to address the cyber security risks prevalent in the digital payment landscape.
Frequently Asked Questions
1. Does the RBI digital security framework mandate PCI PIN compliance for banks?
Banks managing any of the following domains need to adhere to PCI PIN standards:
- PIN acquiring payment processing – POS and ATM
- Remote key distribution with asymmetric keys
- Key injection facilities
- Certification and registration
The third-party vendor also needs to be PCI compliant if the bank has outsourced any of the above activities.
2. What are PCI PTS, PCI HSM and PCI P2PE standards?
PCI PTS standards apply to POI/POS devices, HSMs, encrypting PIN pads and unattended payment terminals. Banks must ensure that the hardware vendor has adhered to PCI PTS standards when deploying these devices.
PCI PTS HSM standards apply to HSM devices and outline all the physical, logical and security requirements to be fulfilled when deploying them. Hardware vendors must ensure the devices meet the security requirements, and banks need to evaluate the same.
PCI P2PE standards cover the security requirements for point-to-point encryption solutions. They specify encryption, decryption and key management requirements and require banks to use only assets that are PCI P2PE compliant. Any third-party vendors involved need to be PCI P2PE compliant as well.
3. What do PCI P2PE solutions include?
PCI P2PE solutions include the following:
- Payment card data encryption at the POI
- Use of P2PE validated applications at the point of interaction
- Managing encryption and decryption devices securely
- Managing decryption environment and decrypted account data
- Applying secure encryption methodologies
4. Is it safe to migrate the PCI environment to cloud?
It is safe to move the PCI environment to the cloud, since most of the popular cloud platforms today are PCI DSS compliant. However, moving data to the cloud brings a few challenges and risks that need to be addressed effectively. Banks may have to adopt a hybrid approach to achieve certain compliance requirements: some data can be stored on-premises while the rest is moved to the cloud, so that compliance isn’t compromised.
Appsealing is a premier security solutions provider that facilitates zero coding protection for Android, iOS and Hybrid mobile apps. Protect your application from runtime attacks with scalable security and advanced threat analytics that provide snapshots of all hacking attempts. Our solutions are customized for apps across a wide range of industries including gaming, movies, fintech, ecommerce among others. Get in touch with us to protect your data from unauthorized access without compromising on app performance.