RBI issues draft directions on digital payment security controls

RBI issued a draft master direction on cyber resilience and digital payment security controls for payment system operators

New Delhi: The Reserve Bank of India (RBI) on Friday issued a draft master direction on cyber resilience and digital payment security controls for payment system operators.

The central bank has sought comments on the draft guidelines till June 30. These can be sent through email or post to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, RBI in Mumbai.

---

The draft guidelines cover governance mechanisms for the identification, assessment, monitoring, and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.

On April 8, the RBI had announced that it will issue directions on cyber resilience and payment security controls of payment system operators (PSOs).

“To effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem (like payment gateways, third-party service providers, vendors, merchants, etc.), PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to mutual agreement. An organisational policy in this respect, approved by the Board, shall be put in place,” the guidelines say.

It is the board of directors of PSOs who will be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the board which shall meet at least once every quarter.

Also, the PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised, they said further.

The policy is to be reviewed annually.

It shall cover the roles and responsibilities of board or sub-committees of the board, senior management, and other key personnel; measures to identify, assess, manage, and monitor cyber security risks which shall also include various types of security controls for ensuring cyber resiliency along with processes for training and awareness of employees or stakeholders.

Also, the RBI has asked PSOs to prepare a distinct Board-approved cyber crisis management plan (CCMP) to detect, contain, respond, and recover from cyber threats and cyber-attacks.

Relevant guidelines from CERT-In or National Critical Information Infrastructure Protection Centre (NCIIPC) or IDRBT and other agencies may be referred for guidance, it said.

In addition to this, the PSO shall undertake a cyber risk assessment exercise relating to the launch of new products or services or technologies or undertaking major changes to the infrastructure or processes of existing product or services.