Reserve Bank of India (Digital Payment Security Controls) directions, 2021

Reserve Bank of India vide its statutory powers vested has issued the above directions which are applicable to all scheduled commercial banks (excluding Regional Rural Banks), Small finance banks, Payments banks and Credit card issuing NBFCs. They are reproduced from their website as under for those who intend referring to these complex technical directions.

https://taxguru.in/rbi/master-direction-digital-payment-security-controls.html

Following 5 chapters adorn these detailed technical directions.

Chapter 1. Preliminary

Chapter 2. General Controls.

Chapter 3. Internet Banking Security Controls.

Chapter 4. Mobile Payments Applications Security Controls.

Chapter 5. Card Payments security.

Regulated Entities (RE) are advised to formulate a policy for digital payment products and services with the approval of their Board. It has been emphasized that while discussing the parameters of any “new product” including its alignment with the overall business strategy and inherent risk of the product, risk management/ mitigation measures, compliance with regulatory instructions, customer experience, etc. the contours of the policy, should explicitly discuss about payment security requirements from Functionality, Security and Performance (FSP) angles.

a) Necessary controls to protect the confidentiality of customer data and integrity of data and processes associated with the digital product/ services offered;

b) Availability of basic infrastructure like human resources, technology with basic back-up, if need be.

c) Giving an assurance that the payment product is built in a secure manner.

d) Capacity building and expansion with scalability to meet increasing demand.

e) Minimal customer service disruption with high availability of systems/ channels

f) Efficient and effective dispute resolution mechanism and handling of customer grievance; and

g) An appropriate review mechanism followed by swift corrective action, in case any one of the above requirements is hampered.

Some of the following guidelines do merit the attention of Res.

• The Board and Senior Management shall be responsible for implementation of this policy.
• The policy shall be reviewed periodically, at least on a yearly basis.
• REs may formulate this policy separately for its different digital products or include the same as part of their overall product policy.
• How does the policy document contain for each digital payment/service offered?
• Yes, the policy document to clearly address the mechanics, clear definition of starting point, critical intermittent stages and the end point in the digital payment cycle, validation till digital payment is settled.
• Mechanism for carrying out User Acceptance Tests (UAT) in multiple stages before roll out, sign off from multiple stakeholders (post UAT) and data archival requirements shall also be taken in to account.

It is expected that REs shall incorporate necessary governance programs to take care of compliance risk, fraud risk, and have key monitoring/key performance indicators to assess the services or digital payment products offered.

In case of third-party service providers, adequate oversight and controls of monitoring in terms of RBI guidelines on outsourcing is a must.

The customer experience, convenience and technology adoption required to use such products, reconciliation process, Interoperability aspects, data storage, security and privacy protection as per extant laws/ instructions are other factors that need the attention of Res.

Let me entice technically oriented readers to refer to paras 12-50 to know extensively dealt with technical details on generic security controls, application security life cycle, authentication framework, fraud risk management, reconciliation mechanism, and customer protection, awareness and grievance redressal mechanism.

Being a banker with nearly 5 decades of banking relationship, let me deal with some details on fraud risk management from page 36-40 from pages 11 and 12 as under:

• Para 36 explains some. “The REs shall document and implement the configuration aspects for identifying suspicious transactional behavior in respect of rules, preventive, detective types of controls, mechanism to alert the customers in case of failed authentication, time frame for the same, etc.”
• One has a right to ask in which areas the staff need training related to frauds?

a) Fraud control tools and their usage;

b) Investigative techniques and procedures;

c) Cardholder and merchant education techniques to prevent fraud;

d) Scheme/ Card operating regulations;

e) Data processing and analysis and liaising or communicating with law enforcement agencies; and f) The requisite skills required to (i) set and update appropriate rules, (ii) monitor the exceptions thrown based on the rules on a continuous basis and take necessary actions promptly, (iii) communicate/ escalate wherever required to appropriate authorities, and (iv) differentiate false positives from the rest.

With the largest number of new mobile users from both rural and urban areas, customers of various age groups and in various modes like at home, office, in metros or some stupidly even while riding as a pillion rider in two wheelers, appropriate education of tools to be used, proper monitoring of usage of products and extension of help to cheated customers at the fastest means are urgently required.

Res may no longer be mute witness to criminals who specialize in this new frontier of payment products. The staff dealing with these modern and most UpToDate payment products need good training to overcome the crooks and safeguard the interests of customers.

What about the latest craze among the customers from internet banking, the most convenient banking tool to get the maximum attention?

MOBILE PAYMENTS APPLICATION SECURITY CONTROLS

The following instructions are related to mobile payments application security controls: (I have reproduced the actual wording from original RBI information since I could not simplify it and also the readers may appreciate the technical input of RBI)

• “On noticing detection of any anomalies for which the customer has not been accustomed, he will be advised to reinstall a copy of new application. RE s to verify the version of mobile application before its usage by customer.

Some of the controls for mobile applications include:

a) Device policy enforcement (allowing app installation/ execution after baseline requirements are met);

b) Application secure download/ install;

c) Deactivating older application versions in a phased but time bound manner (not exceeding six months from the date of release of newer version) i.e., maintaining only one version (excluding the overlap period while phasing out older version) of the mobile application on a platform/ operating system;

d) Storage of customer data;

e) Device or application encryption;

f) Ensuring minimal data collection/ app permissions;

g) Application sandbox;

h) Ability to identify remote access applications (to the extent possible) and prohibit login access to the mobile application, as a matter of precaution; and

i) Code obfuscation.”

Card payments security

It has been emphasized that REs shall follow various payment card standards (over and above PCI-DSS and PA-DSS6) as per Payment Card Industry (PCI) prescriptions for comprehensive payment card security as per applicability/ readiness of updated versions of the standards.

The instructions on security controls to be at HSM and the security posture of ATM have been amply explained on pages 18/19 vide paras at 67-73.

Let us do introspect on the instructions issued related to internet banking related security controls.

1. One often hears that websites are often subjected to brute force attacks or application layer Denial of Service (DoS) attacks from various rogue nations who want to disrupt operations in India.

2. RBI has recommended to REs to implement additional levels of authentication to internet banking website such as adaptive authentication, strong CAPTCHA (preferably with anti-bot features) with server-side validation, etc., in order to plug this vulnerability and prevent its exploitation.

3. We have seen automatic termination if we have not used the facility for a long time. This is an additional security feature. Secured delivery of password for login purposes, the validity of password sent for a limited period, and urging the user to have his/her own password are other routine features, we are all already aware of.

Conclusion

The purpose of writing this article is to throw some light on the complicated but the most useful instructions of RBI on Digital Payment Security Controls which will have to be compulsorily followed by all scheduled commercial banks, payment banks, small finance banks, credit card issuing NBFCs etc. With the emergence of a large number of frauds and usage of digital payments on a par with the largest number in the world, RBI has rightfully issued suitable directions. It is fervently expected that all stake holders would strictly follow the instructions and gain the benefit of offering the best secured products/service to their clients. We as clients must also be aware of the complicated security details to protect our interest. Yes, if you are entrepreneur, the sky is the limit for growth of your business if you take care security aspects as duly authorized by RBI.

Timely issuing of technical guidelines from RBI indicate their spirit of guiding our nation on the high technology field.