
The Reserve Bank of India (RBI) on Tuesday released master directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs).

As per the RBI circular, the PSO shall formulate a Board-approved Information Security policy to manage potential information security risks covering all applications and products concerning payment systems, as well as the management of risks that have already materialised.

The policy shall also be reviewed annually, it said.

It shall cover, at a minimum, the roles and responsibilities of the Board and its sub-committees, senior management and other key personnel; measures to identify, assess, manage and monitor cyber security risk, including the various types of security controls for ensuring cyber resilience; and processes for training and awareness of employees and stakeholders.

The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience.

Primary oversight may, however, be delegated to a sub-committee of the Board, headed by a member with experience in information/cyber security, which shall meet at least once every quarter.

RBI further said that the PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond and recover from cyber threats and cyber attacks.

Relevant guidelines from CERT-In / National Critical Information Infrastructure Protection Centre (NCIIPC) / IDRBT and other agencies may be referred for guidance.

CISO-level official for policy implementation

The Board shall entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework, as well as for continuously assessing the overall IS posture of the PSO, to a senior-level executive with expertise in information security, including cyber security (e.g. a Chief Information Security Officer (CISO)), it said.

The PSO shall define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls.

Digital Payment Security Measures

RBI further said that the PSO shall facilitate its members/participants with mechanisms for online alerts based on various parameters.

These include failed transactions, transaction velocity, time zone, geo-location, IP address origin, behavioural biometrics, transaction origination from point of compromise, transactions to mobile wallets/mobile numbers/VPAs on whom vishing or other types of fraud are registered/recorded, declined transactions, transactions with no approval code, etc.
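The parameters listed above are inputs to an alerting rule set rather than a specification, so the following is an added illustration, not code from the RBI directions or from any PSO: a small rule engine that evaluates each transaction against a sliding-window velocity limit, an IP-country versus home-country mismatch, a registry of beneficiary VPAs recorded against fraud, and declined status. The VPA registry, the 10-minute window, the limit of 5 transactions and the sample transactions are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed registry of beneficiary VPAs with recorded fraud (assumption;
# in practice this would be fed from the PSO's own fraud/vishing reports).
FLAGGED_VPAS = {"scammer@upi"}

# Assumed velocity threshold: more than 5 transactions from one account
# within 10 minutes raises an alert.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 5


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    ts: datetime
    ip_country: str      # country derived from the originating IP address
    home_country: str    # country on record for the customer
    beneficiary_vpa: str
    status: str          # "approved" or "declined"


class AlertEngine:
    """Evaluates transactions in arrival order and keeps per-account history."""

    def __init__(self):
        self._recent = defaultdict(deque)   # account -> timestamps in window

    def evaluate(self, txn):
        alerts = []

        # Velocity: drop timestamps older than the window, then count.
        window = self._recent[txn.account]
        window.append(txn.ts)
        while window and txn.ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > VELOCITY_LIMIT:
            alerts.append("velocity")

        # Geo-location / IP origin: origin country differs from customer's.
        if txn.ip_country != txn.home_country:
            alerts.append("geo_mismatch")

        # Beneficiary VPA recorded against vishing or other fraud.
        if txn.beneficiary_vpa in FLAGGED_VPAS:
            alerts.append("flagged_beneficiary")

        # Declined transactions are themselves an alert parameter.
        if txn.status == "declined":
            alerts.append("declined")

        return alerts


def run_sample():
    """Constructed sample: six quick purchases, then a suspicious transfer."""
    base = datetime(2024, 7, 30, 12, 0, tzinfo=timezone.utc)
    engine = AlertEngine()
    txns = [
        Txn(f"T{i}", "ACC1", 100.0, base + timedelta(minutes=i),
            "IN", "IN", "shop@upi", "approved")
        for i in range(6)
    ]
    txns.append(Txn("T6", "ACC1", 5000.0, base + timedelta(minutes=6),
                    "RU", "IN", "scammer@upi", "declined"))
    return {t.txn_id: engine.evaluate(t) for t in txns}


if __name__ == "__main__":
    for txn_id, alerts in run_sample().items():
        print(txn_id, alerts or "-")
```

The engine is deliberately stateful per account: velocity cannot be judged from a single message, so the history has to live with the evaluator (or in a shared store in a multi-node deployment). Thresholds are where a real PSO would tune on its own KRIs.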

It also highlighted that when sending an SMS/e-mail alert or any other notification to customers, whether by the PSO or by payment system participants, it shall be ensured that bank account numbers, card numbers and other confidential information are redacted/masked to the extent possible.

Further, online payment transactions shall mention merchant name and amount; for fund transfers, name of the beneficiary and debit amount.

The PSO shall ensure that the name is taken from the system of the entity maintaining the beneficiary account.

In cases where the OTP is a factor of authentication, the PSO shall ensure that the OTP is mentioned at the end of the notification message and that the message also refers to the specific transaction.
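The notification controls described above (masked identifiers, merchant or beneficiary name with the amount, a reference to the specific transaction, and the OTP placed last) are easy to get wrong in message templates, so here is an added example, not code from the RBI directions or any PSO, of a builder that composes compliant messages and a checker that can be run over outgoing messages as a release-time test. The merchant, card and account numbers, transaction references and OTP are constructed test values; the digit-run regex is a heuristic assumption for spotting unmasked identifiers.

```python
import re

# Heuristic: any bare run of 9 to 19 digits looks like an unmasked account or
# card number (PANs are 13-19 digits; Indian account numbers are typically
# 9-18). Amounts with that many digits would need a stricter pattern.
UNMASKED_IDENTIFIER = re.compile(r"\b\d{9,19}\b")


def mask_identifier(value, visible=4):
    """Replace all but the last `visible` characters with X."""
    if len(value) <= visible:
        return value
    return "X" * (len(value) - visible) + value[-visible:]


def build_payment_alert(merchant, amount, card_number, txn_ref, otp=None):
    """Online payment: merchant name and amount, masked card, OTP last."""
    body = (f"Rs {amount:.2f} charged at {merchant} on card "
            f"{mask_identifier(card_number)}, ref {txn_ref}.")
    if otp is not None:
        body += f" OTP for ref {txn_ref}: {otp}"
    return body


def build_transfer_alert(beneficiary_name, amount, account_number, txn_ref, otp=None):
    """Fund transfer: beneficiary name (as held by the beneficiary's bank)
    and debit amount, masked source account, OTP last."""
    body = (f"Rs {amount:.2f} debited to {beneficiary_name} from account "
            f"{mask_identifier(account_number)}, ref {txn_ref}.")
    if otp is not None:
        body += f" OTP for ref {txn_ref}: {otp}"
    return body


def check_alert(message, txn_ref, otp=None):
    """Return the list of control violations found in an outgoing message."""
    problems = []
    if UNMASKED_IDENTIFIER.search(message):
        problems.append("unmasked_identifier")
    if txn_ref not in message:
        problems.append("missing_txn_reference")
    if otp is not None and not message.rstrip().endswith(otp):
        problems.append("otp_not_at_end")
    return problems


if __name__ == "__main__":
    msg = build_payment_alert("Example Store", 1499.0, "4111111111111111",
                              "TXN4821", otp="482913")
    print(msg, check_alert(msg, "TXN4821", otp="482913"))
    bad = "OTP 482913 for purchase on card 4111111111111111 at Example Store"
    print(bad, check_alert(bad, "TXN4821", otp="482913"))
```

Putting the OTP last is not cosmetic: SMS previews and screen readers show the start of a message, so a leading OTP is the part most likely to be read out or shown on a locked screen, and a message that names the transaction lets the customer notice when an OTP is being solicited for something they did not initiate.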

Published On Jul 30, 2024 at 08:41 PM IST
