RBI’s New Framework on Cybersecurity: Strengthening Digital Payment Security Controls

Share on

Ravi Lingarkar Chief Product & Engineering Officer

In a world where digital payment transactions are increasingly becoming the norm, cybersecurity has turned into an issue of paramount importance. Recognizing the growing need for robust cybersecurity measures, the Reserve Bank of India (RBI) has released draft directions to fortify cybersecurity and ensure secure digital payment transactions. The draft titled 'Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators' is intended for application by RBI-authorized non-bank payment system companies. The payment system operators are also responsible for ensuring adherence to the directions by any unregulated entities, such as payment gateways, third-party service providers, vendors, merchants etc. with whom they have linkages with as part of their digital payments ecosystem.

Addressing Cybersecurity Risks

The draft directions emphasize several important aspects of cybersecurity management, including developing and implementing a comprehensive governance framework, ensuring regular audits, maintaining a robust incident response mechanism, conducting regular risk assessments, and providing necessary training to personnel. They also include information security risks and vulnerabilities and specify baseline security measures to ensure safe and secure digital payment transactions. This holistic approach to managing cybersecurity risks underscores RBI's commitment to ensuring the resilience of India's digital payment systems.

New Measures for Enhancing Cybersecurity

The draft directions propose governance mechanisms to address cybersecurity risks and baseline security measures to ensure the safety and security of digital payment transactions. Some of the key measures in the draft would require PSOs to:

• Formulate an Information Security policy, prepare a crisis management plan, undertake a cyber risk assessment.
• Notify RBI of any unusual incident, including cyberattacks, outages of critical system or infrastructure, internal fraud, and settlement delay, within 6 hours of detection. (This measure takes cue from CERT-In cybersecurity directions released in April 2022)
• Implement multi-factor authentication for all payment transactions conducted through electronic modes.
• Institute a board-approved incident response mechanism and a Business Continuity Plan based on different cyber threat scenarios.
• Establish a Security Operations Centre (SOC) to proactively monitor network logs and manage security incidents.
• Design a comprehensive data protection policy and ensure all applications are subject to rigorous and periodic security testing by qualified agencies.

Impact on Payment System Operators

The draft cybersecurity framework is a proactive step by RBI, to safeguard the country's expanding digital payment landscape against potential cyber threats. The payment system operators, including banks, non-banking financial companies (NBFCs), and other digital payment platforms, will come under the purview of these proposed directions. These operators will need to implement the specified governance mechanisms and security measures, subject to the final directions from the RBI. Further, the draft directions also set out a number of new requirements for PSOs. These requirements are likely to increase the costs of compliance and operational complexity for PSOs. However, the long-term benefits of a more secure payments ecosystem are likely to outweigh the short-term costs of compliance. By strengthening the cybersecurity framework for PSOs, the RBI is aiming to create a more secure environment for digital payments. This will help to boost confidence in digital payments and boost adoption rates.

An Open, Collaborative Approach to Cybersecurity Regulation

In order to promote a collaborative approach to cybersecurity management, the RBI has actively solicited input on the draft directions from multiple stakeholders, including payment system operators, cybersecurity experts, and the general public. By engaging in this transparent and consultative process, the RBI aims to incorporate a diverse range of perspectives and experiences into the finalization of these vital directions. This inclusive approach ensures that all relevant voices are heard and taken into account, leading to more robust and effective cybersecurity measures.
In conclusion, RBI’s proposed framework is expected to significantly fortify India's digital payment landscape against potential cyber threats. It is a testament to the proactive and comprehensive approach adopted by the RBI to manage cybersecurity risks in an increasingly digitalized economy. These measures, once implemented, are expected to bring a new level of security and resilience to digital payment transactions, thereby boosting consumer trust and facilitating the continued growth of India's digital economy.

Stay tuned for further updates on these important developments in the cybersecurity space.

(Disclaimer: The content of this blog is based on the draft directions issued by the RBI. The final directions, once released, may have modifications as per the feedback received and the RBI's discretion.)