Digital Payment Security Controls by Reserve Bank of India
Legal wpadmin April 30, 2021
Executive Summary:
Digital payments are payments that are conducted over the internet and mobile channels and hence, any payment that is sent online or through mobile computing and internet-enabled devices is digital payment.
The Reserve Bank of India (RBI), one of the key regulatory bodies under the jurisdiction of the Ministry of Finance that govern the banking industry in India, issued a master circular on 28th February 2021 called the Reserve Bank of India (Digital Payment Security Controls) Directions 2021 for regulated entities.
Key highlights of the Directions cover general security, the authentication framework, fraud risk management, internet banking, mobile banking, card payment security, the grievance redressal mechanism, etc.
Introduction:
In recent years, all of us have heard the term “cashless economies”, and the general trend among policymakers worldwide is to move the economies of the world to a digital, information-enabled system. In order to compete and sustain itself in global economic development, the Government of India aimed to create a ‘Digitally Empowered’ economy that is faceless, paperless and cashless and, as a step towards making India a ‘less-cash society’, laid emphasis on digital payments and the digitization of commerce.
Digital Payment – Overview:
Digital payments are payments that are conducted over the internet and mobile channels; hence, any payment that is sent online or through mobile computing and internet-enabled devices is a digital payment. There are various types and modes of digital payments, including debit/credit cards, internet banking, mobile wallets, digital payment apps, the Unified Payments Interface (UPI) service, Unstructured Supplementary Service Data (USSD), bank prepaid cards, mobile banking, etc. Post demonetization, people slowly started embracing digital payments, especially once the Government of India, taking into consideration the unwillingness of society to opt for digital payments due to increasing cyber-crimes, enacted protection and security laws to strengthen the backbone of the digital economy.
The Reserve Bank of India (RBI) has issued a Master Circular on 28th February 2021 called the Reserve Bank of India (Digital Payment Security Controls) Directions 2021 for regulated entities (to be enforced after 6 months from the date of publication on RBI site) to set up a robust governance structure for such systems and implement common minimum standards of security controls for channels like internet, mobile banking, card payments etc.
Reserve Bank of India (Digital Payment Security Controls) Directions 2021
Regulated Entities (REs) such as scheduled commercial banks (excluding Regional Rural Banks), small finance banks, payments banks, and credit card issuing Non-Banking Financial Companies are covered under the scope of these Directions.
Glance at Key Highlights of the Directions –
A. General Security
REs shall:
Formulate a policy for digital payment products and services, approved by their board, with requirements from the functionality, security and performance (FSP) angles.
Provide requisite infrastructure to protect the confidentiality of customer data and integrity of data and processes associated with the digital product/ services offered.
Incorporate appropriate processes for governance and risk management programs for identifying, analyzing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis.
Implement a multi-tier application architecture, segregating the application, database and presentation layers in the digital payment products and services.
Adopt a ‘secure by design’ approach in the development of digital payment products and services.
Conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications.
B. Authentication Framework:
REs should:
Implement multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications, e.g., use of one-time passwords, mobile devices (device binding and SIM), biometrics, etc.
Set down the maximum number of failed log-in or authentication attempts after which access to the digital payment product/ service is blocked, and notify the customer of the same.
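The failed-attempt control above, as an added illustration (not code from the Directions or any RE): a per-customer counter that blocks the account when the configured maximum is reached and sends the customer one notification. The threshold value, the customer ids and the notification channel are assumptions.

```python
from typing import Callable, Dict

# Assumed policy value: the Directions require each RE to fix the maximum
# number of failed attempts; the figure used here is an illustration only.
MAX_FAILED_ATTEMPTS = 5


class LoginAttemptGuard:
    """Counts failed log-in/authentication attempts per customer, blocks the account
    at the configured maximum and notifies the customer once. In production the
    counters must live in shared, persistent storage so that attempts spread
    across several app servers are counted together."""

    def __init__(self, max_failed: int, notify: Callable[[str, str], None]):
        self.max_failed = max_failed
        self.notify = notify                 # SMS/e-mail sender, injected so it can be tested
        self.failed: Dict[str, int] = {}
        self.blocked: set = set()

    def is_blocked(self, customer_id: str) -> bool:
        """Callers check this before even attempting authentication."""
        return customer_id in self.blocked

    def record_failure(self, customer_id: str) -> bool:
        """Register one failed attempt; returns True if the account is now blocked."""
        if customer_id in self.blocked:
            return True                      # already blocked: no re-notification on further attempts
        count = self.failed.get(customer_id, 0) + 1
        self.failed[customer_id] = count
        if count >= self.max_failed:
            self.blocked.add(customer_id)
            self.notify(customer_id,
                        f"Access blocked after {count} failed attempts; contact the bank to unblock.")
            return True
        return False

    def record_success(self, customer_id: str) -> None:
        """A successful authentication on an unblocked account resets its counter;
        a success while blocked changes nothing (the block is not self-clearing)."""
        if customer_id not in self.blocked:
            self.failed.pop(customer_id, None)

    def unblock(self, customer_id: str) -> None:
        """Only after out-of-band verification (branch/helpline), never from the same channel."""
        self.blocked.discard(customer_id)
        self.failed.pop(customer_id, None)
```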
C. Fraud Risk Management:
REs shall:
Conduct fraud analysis to identify the reasons for fraud occurrence and determine mechanisms to prevent such frauds.
Maintain updated contact details of service providers, intermediaries, external agencies and other stakeholders (including other REs) for coordination in incident response.
Put in place a mechanism to monitor the implementation and effectiveness of a real time/ near-real time (not later than 24 hours from the time of receipt of settlement file(s)) reconciliation framework for all digital payment transactions between the RE and all other stakeholders.
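The reconciliation framework described above, as an added worked example that is not part of the Directions or any RE's system: the RE's own transaction ledger is matched against a settlement file received from a counterparty, and every exception class an operations or fraud team would need to investigate is reported, together with a check against the 24-hour window. The CSV layouts, field names and transaction values are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List

RECON_DEADLINE = timedelta(hours=24)   # not later than 24 hours from receipt of the settlement file

# Constructed sample data: the RE's ledger and a settlement file from a
# payment network/intermediary. Column names are assumptions for this example.
RE_LEDGER = """txn_id,amount,status
T1001,1500.00,SUCCESS
T1002,250.50,SUCCESS
T1003,99.99,FAILED
T1004,4200.00,SUCCESS
"""

SETTLEMENT_FILE = """txn_id,amount
T1001,1500.00
T1002,255.50
T1003,99.99
T1005,780.00
"""


def _load(text: str) -> Dict[str, dict]:
    return {row["txn_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(ledger_csv: str, settlement_csv: str) -> Dict[str, List[str]]:
    """Matches settled transactions against the ledger and groups the exceptions."""
    ledger, settled = _load(ledger_csv), _load(settlement_csv)
    report: Dict[str, List[str]] = {"amount_mismatch": [], "unknown_in_settlement": [],
                                    "failed_but_settled": [], "success_not_settled": []}
    for txn_id, s in settled.items():
        row = ledger.get(txn_id)
        if row is None:
            report["unknown_in_settlement"].append(txn_id)   # settled, but the RE never saw it
        elif Decimal(row["amount"]) != Decimal(s["amount"]):  # Decimal: no float rounding on money
            report["amount_mismatch"].append(txn_id)
        elif row["status"] != "SUCCESS":
            report["failed_but_settled"].append(txn_id)      # RE told the customer it failed
    for txn_id, row in ledger.items():
        if row["status"] == "SUCCESS" and txn_id not in settled:
            report["success_not_settled"].append(txn_id)     # customer debited, money not settled
    return report


def within_deadline(received_at: str, reconciled_at: str) -> bool:
    """True if reconciliation finished within 24 hours of receiving the file (ISO 8601 timestamps)."""
    return datetime.fromisoformat(reconciled_at) - datetime.fromisoformat(received_at) <= RECON_DEADLINE
```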
D. Internet Banking:
REs shall:
Implement additional levels of authentication on the internet banking website, such as adaptive authentication and strong CAPTCHA (preferably with anti-bot features) with server-side validation, in order to close the underlying weakness and prevent its exploitation. Appropriate measures shall be taken to prevent DNS cache poisoning attacks and to handle cookies securely. A virtual keyboard option should be made available.
An online session shall be automatically terminated after a fixed period of inactivity, and secure delivery of the password for login purposes shall be ensured.
E. Specific Controls for Mobile Applications Include:
a. Device policy enforcement (allowing app installation/ execution only after baseline requirements are met);
b. Application secure download/ install;
c. Deactivating older application versions in a phased but time-bound manner;
d. Storage of customer data;
e. Device or application encryption;
f. Ensuring minimal data collection/ app permissions;
g. Application sandbox/ containerization;
h. Ability to identify remote access applications (to the extent possible) and prohibit login access to the mobile application, as a matter of precaution; and
i. Code obfuscation.
F. Card Payments Security:
REs shall follow various payment card standards over and above the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS), as per Payment Card Industry (PCI) prescriptions, for comprehensive payment card security, as per applicability/ readiness of updated versions of the standards, such as –
a) Payment Card Industry Personal Identification Number (PCI-PIN) (secure management, processing, and transmission of PIN data);
b) Payment Card Industry Point of Sale (PCI-PTS) (a security approval framework addressing the logical and/ or physical protection of cardholder and other sensitive data at point of interaction (POI) devices and hardware security modules (HSMs));
c) Payment Card Industry Hardware Security Module (PCI-HSM) (securing cardholder-authentication applications and processes including key generation, key injection, PIN verification, secure encryption algorithms, etc.); and
d) Payment Card Industry Point-To-Point Encryption (PCI-P2PE) (a security standard that requires payment card information to be encrypted immediately upon its initial swipe and then securely transferred directly to the payment processor).
G. Customer Protection, Awareness and Grievance Redressal Mechanism:
REs shall:
Incorporate secure, safe and responsible usage guidelines and training materials for end users within the digital payment applications.
Educate customers about the need to maintain the physical and logical security of the devices they use to access digital payment products and services, and provide information about the risks, benefits and liabilities of using digital payment products and related services before they subscribe to them.
Provide, within their mobile and internet banking applications, a mechanism for their customers that is protected by the necessary authentication.
Conclusion:
In the changing landscape of e-business, the implementation of the RBI (Digital Payment Security Controls) Directions 2021 will serve as wings to fly with in global economic development, bringing a major change in the security of digital payments.