RBI issues norms to improve safety of payment systems 
News Updates

RBI issues norms to improve safety of payment systems

RBI on Tuesday said non-bank payment system operators will have to put in place a real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts

PTI

New Delhi: The Reserve Bank of India (RBI) on Tuesday said non-bank payment system operators will have to put in place a real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts.

Also, non-bank payment system operators (PSOs) will have to ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login, according to Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs.

PSU Watch is now on Whatsapp Channels. Click here to join

The directions have come into effect from Tuesday, but the RBI has also prescribed a phased implementation to provide adequate time to PSOs to put in place the necessary compliance structure.

RBI said the directions aim to improve the safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.

Regarding mobile payments, RBI said PSOs should ensure that an authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer.

"In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out," it said.

Further, the PSO should ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login.

"The PSO shall put in place a control mechanism, to identify any presence of remote access applications (to the extent possible) and prohibit access to the mobile payment application while the remote access is live," the directions said.

RBI further said the card networks should facilitate implementation of transaction limits at card, bank identification number (BIN) as well as at card issuer level.

"Such limits shall mandatorily be set at the card network switch itself," it said.

Also, the card networks should institute an alert mechanism on a 24x7 basis, to be triggered to the card issuer in case of any suspicious incident. RBI also said card networks will have to ensure that card details of the customers are stored in an encrypted form at any of their server locations.

The central bank has also encouraged Prepaid Payment Instruments issuers to communicate OTP and transaction alerts with users in a language of their choice, including vernacular languages.

RBI said the PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information in respect of data available with it or at vendor managed facilities.

They will also have to develop a business continuity plan based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed.

According to the directions, while sending SMS or e-mail alert to customers, either by PSO or payment system participants, it has to be ensured that bank account number, card number, or other confidential information are redacted/masked to the extent possible.

"The PSO shall provide a facility on its mobile application / website that would enable customers, with necessary authentication, to identify / mark a fraudulent transaction for seamless and immediate notification to the issuer of payment instrument," it said.

(PSU Watch– India's Business News centre that places the spotlight on PSUs, Bureaucracy, Defence and Public Policy is now on Google News. Click here to follow. Also, join PSU Watch Channel in your Telegram. You may also follow us on Twitter here and stay updated.)

IIFCL in talks with ADB, Korean Exim Bank to raise $600 million

Govt notifies telecom cyber security rules; sets timelines for telcos to report security incidents

Govt invites job applications for PNGRB's Member post

Power Minister visits NHPC’s Nimoo Bazgo Power Station in Ladakh

Delegates from 18 countries attend RBI's policy conference of Global South central banks