The Reserve Bank of India ("RBI") issued draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators ("DPSC Directions") on June 02, 2023, pursuant to the powers granted under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007), inviting comments from all stakeholders. The DPSC Directions cover robust governance mechanisms for the identification, assessment, monitoring and management of information security and cyber risks. They also extensively cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions.

The intent is to improve the safety and security of the payment systems operated by Payment System Operators ("PSOs") by providing a framework for overall information security preparedness, with an emphasis on cyber resilience. The Payment and Settlement Systems Act, 2007 defines a 'payment system' as a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. On this reading, credit card operations, debit card operations, smart card operations, money transfer operations or similar operations come under the ambit of 'payment system'. Hence it is understood that a PSO is a person who operates an authorized payment system. The DPSC Directions shall be implemented in a phased manner, categorizing the PSOs as (a) Large non-bank PSOs (operational from April 01, 2024); (b) Medium non-bank PSOs (operational from April 01, 2026); and (c) Small non-bank PSOs (operational from April 01, 2028).

The DPSC Directions hold the Board of Directors ("Board") of the PSO responsible for managing information security risks, including cyber risk and cyber resilience. Further, a sub-committee of the Board is to be formed with primary oversight of these requirements, and it shall meet at least once every quarter. The Directions also focus on the formulation of an Information Security (IS) policy by the PSO, approved by the Board, covering the roles and responsibilities of the Board, sub-committees of the Board, senior management and other key personnel, and the measures to identify, assess, manage and monitor cyber security risk.

The following are the key highlights of the Governance Controls:

Cyber Security Preparedness

The draft DPSC Directions lay down the preparation of a Cyber Crisis Management Plan (CCMP) approved by the Board, referring to the relevant guidelines issued by CERT-In / National Critical Information Infrastructure Protection Centre (NCIIPC) / IDRBT and other agencies for guidance.

Risk Assessment and Monitoring

Emphasis is placed on the need for a strong governance structure with clearly defined roles and responsibilities for managing cyber risks. PSOs are expected to appoint a senior-level executive as Chief Information Security Officer (CISO) and shall also define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls. The Board shall implement the IS policy and the cyber resilience framework. PSOs have to conduct regular risk assessments, develop incident response plans, and establish a cyber crisis management framework. Further, the Board and key senior management are required to receive information security training.

In view of the need for robust security measures, the DPSC Directions lay down the following baseline information security measures and controls:

Inventory Management

The DPSC Directions require the PSO to maintain a record of all key roles, information assets, critical functions, processes, third-party service providers and their inter-connections, and to classify and document their levels of usage, criticality and business value.

Identity and Access Management

The draft DPSC Directions emphasize the need to establish policies, procedures and controls addressing access privileges and rights, and to assign a digital identity to every individual having access to the IT environment of the PSO. Access to systems and different environments shall be granted on a need-to-have and need-to-know basis and in accordance with the principle of least privilege. Further, privileged accounts are to be authenticated and monitored, with appropriate controls, including a rotation policy, implemented. The Directions mandate security controls, including a centralised mechanism to whitelist/blacklist, to ensure the secure use of removable media and portable devices, and the adoption of a multifactor authentication mechanism for remote/work-from-home access.

Network Security

A few measures have been laid down which are to be undertaken by the PSO to protect its network and systems from external threats. Network devices are to be configured and monitored periodically. The Directions emphasize the implementation of anti-malware solutions to prevent malware attacks, and network segmentation of critical systems according to role, location and environment. They also require automated mechanisms to detect multi-faceted network and system alerts and any other anomalous activity across the business, the incorporation of multi-layered boundary defences into IS systems to efficiently monitor network traffic and filter the flow of data in and out of the organization, and whitelisting solutions to ensure that only permitted applications and services with validated needs are running.

Application Security Life Cycle (ASLC)

Focus has been laid on the importance for PSOs of following a secure-by-design approach and implementing secure software development life cycle ("S-SDLC") practices, and of implementing a multi-tier application architecture that ensures segregation of the database layer from other layers and ensures continuity of services. The Directions further require that the PSO have an escrow arrangement for the source code of applications procured from third-party vendors.

Security Testing

All applications are to be subjected to rigorous security testing, such as source code review. All deficiencies shall be resolved in a time-bound manner, and recurring observations are to be reported to the Board sub-committee. Further, where the source code is not owned by the PSO, a certificate is to be obtained from the application developer stating that the application is free of vulnerabilities and malware.

Vendor Risk Management

Vendor risk management is addressed by expecting PSOs to keep the necessary security controls in place in order to prevent infiltration into their network from vendor environments, and by ensuring vendor compliance with contractual and regulatory requirements. Further, the PSO shall obtain certified assurance of the vendor's cyber resilience capabilities.

Data Security

Specific data security controls are required, including the formulation of a comprehensive data leak prevention policy by the PSO. Further, payment system operators should implement controls to protect their systems and customer data. This includes measures such as access controls, encryption, secure coding practices, network security, secure configuration, and regular security testing. Application and database security controls shall focus on the secure handling, storage and protection of data, in particular personally identifiable information (PII).

Patch and Change Management Life Cycle

The draft DPSC Directions emphasize the Patch and Change Management Life Cycle by requiring a documented policy to identify patches to technology, the application of security patches to the relevant systems within an appropriate time frame, and the implementation of changes only after testing.

Incident Response

A requirement has been established for payment system operators to promptly report any cyber security incidents to the RBI and to put in place a robust incident response mechanism. This involves conducting forensic investigations, notifying affected parties, and taking appropriate remedial measures. Further, the PSO is expected to introduce a Board-approved incident response mechanism that includes provisions for notifying its senior management, relevant employees and the regulatory, supervisory and relevant public authorities of cyber incidents.

Business Continuity Plan (BCP)

The draft DPSC Directions state that PSOs will also be required to develop a Business Continuity Plan ("BCP") that includes comprehensive cyber incident response, resumption, and recovery plans. PSOs are also to set up a Disaster Recovery (DR) facility in a different geographical area from the Primary Data Centre ("PDC") and conduct DR drills on a half-yearly or more frequent basis.

Application Programming Interfaces (APIs)

PSOs are required to adhere to the relevant standards and globally recognised frameworks on API security. To safeguard applications against risks emanating from insecure APIs, the PSO shall put in place authentication, authorization, confidentiality, integrity and threat protection controls.

Employee Awareness / Training

The draft DPSC Directions state that employee awareness and training programmes play a vital role in ensuring information security and mitigating cyber risks. Regular evaluations of cyber security awareness among employees are to be conducted. The Directions also address network security, data security, patch and change management, incident response, and the secure use of application programming interfaces.

Other Security Measures

Further, the PSO is expected to ensure that all payment transactions are conducted through electronic modes, and shall put in place a fraud monitoring system and appoint dedicated nodal officer(s) to function on a 24x7x365 basis. The Directions also lay down that the sub-committee of the Board must ensure and review that the payment architecture operated by the PSO is robust, scalable and commensurate with the transaction volumes. Further, the PSO is to employ secure mail and messaging systems to ensure that inbound and outbound traffic through mail, messages or any other media is secure, and to subscribe to anti-phishing / anti-rogue app services for identifying and taking down phishing websites / rogue applications.

In addition to the extant instructions applicable to PSOs, the DPSC Directions lay down guidelines pertaining to digital payment transactions. The PSO will assist its members/participants in implementing online alert mechanisms that are triggered by various factors, including failed transactions, transaction velocity, and conditions related to new accounts such as excessive activity. These alerts will consider parameters such as time zone, geographical location, IP address origin (especially unusual patterns or suspicious IPs), behavioural biometrics, compromised sources, transactions involving mobile wallets or numbers associated with fraud, declined transactions, and transactions without approval codes. When sending alerts via SMS or email, whether by the PSO or PSPs, precautions should be taken such as concealing or removing confidential information, including relevant details like the merchant name and transaction amount, and clearly indicating any OTP required for authentication along with the specific transaction reference.

PSOs involved in mobile payment services must comply with a set of security practices and risk mitigation measures, and must ensure that participants in their payment system also follow these guidelines. The measures include verifying the mobile application for anomalies, maintaining an authenticated and encrypted session with customers, implementing device binding and fingerprinting for mobile applications, terminating inactive sessions, setting limits on failed login attempts, detecting and preventing remote access, and imposing a cooling period of 12 hours after any change to registered mobile numbers or email IDs before allowing payment transactions. These measures aim to safeguard the integrity and security of mobile payment transactions and to protect customers from unauthorized access or fraudulent activities. The DPSC Directions also provide that the PSO shall ensure that the terminals used by merchants to capture card details for payments or other purposes go through the PCI-P2PE program, and that the PoS terminals installed at merchants for card payments are approved under the PCI-PTS program. The card networks must facilitate the implementation of transaction limits at various levels. A 24x7x365 alert mechanism should be established to notify the card issuer of any suspicious incidents. The card networks must also ensure that customer card details are stored in encrypted form at all server locations and vendor systems, and that any processing of card details in readable format is conducted securely.
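As an added illustration (not part of the draft Directions or of this article), the following Python sketch shows how a PSO's transaction alert engine might encode the triggers described above, namely transaction velocity, excessive activity on new accounts, suspicious source IPs, and the 12-hour cooling period after a change of registered mobile number or email ID. Only the 12-hour cooling period comes from the draft text; the velocity window, the new-account age and the count thresholds are assumed values that a PSO would set for itself, and the sample accounts, timestamps and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Thresholds: the 12-hour cooling period is from the draft Directions; the
# remaining values are assumptions for illustration, not regulatory figures.
COOLING_PERIOD = timedelta(hours=12)
VELOCITY_WINDOW = timedelta(minutes=10)   # assumed
VELOCITY_LIMIT = 5                        # assumed: >= 5 txns in the window
NEW_ACCOUNT_AGE = timedelta(days=7)       # assumed
NEW_ACCOUNT_LIMIT = 3                     # assumed: >= 3 txns on a new account


@dataclass
class Account:
    opened_at: datetime
    contact_changed_at: Optional[datetime] = None  # last mobile/email change
    history: List[datetime] = field(default_factory=list)  # prior txn times


def alerts_for(acct: Account, now: datetime, src_ip: str,
               suspicious_ips: Set[str]) -> List[str]:
    """Return the alert triggers that fire for a transaction attempted at `now`."""
    alerts: List[str] = []
    # Contact details changed less than 12 hours ago: payment must not proceed.
    if acct.contact_changed_at and now - acct.contact_changed_at < COOLING_PERIOD:
        alerts.append("cooling_period")
    # Transaction velocity: count prior transactions inside the sliding window.
    recent = [t for t in acct.history if timedelta(0) <= now - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        alerts.append("velocity")
    # Excessive activity on a newly opened account.
    if now - acct.opened_at < NEW_ACCOUNT_AGE and len(acct.history) >= NEW_ACCOUNT_LIMIT:
        alerts.append("new_account_activity")
    # Source IP on the PSO's suspicious-origin list.
    if src_ip in suspicious_ips:
        alerts.append("suspicious_ip")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Run the rules over two constructed accounts; TEST-NET IPs are used."""
    now = datetime(2024, 4, 1, 12, 0)
    suspicious = {"203.0.113.9"}
    risky = Account(opened_at=now - timedelta(days=2),
                    contact_changed_at=now - timedelta(hours=3),
                    history=[now - timedelta(minutes=m) for m in (1, 2, 3, 4, 5)])
    clean = Account(opened_at=now - timedelta(days=400),
                    history=[now - timedelta(days=d) for d in (1, 9)])
    return {"risky": alerts_for(risky, now, "203.0.113.9", suspicious),
            "clean": alerts_for(clean, now, "198.51.100.4", suspicious)}
```

In production the thresholds would be tuned per channel and the "cooling_period" trigger would block rather than merely alert, as the draft requires.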

Conclusion:

These draft DPSC Directions offer organizations a basis for enhancing their cyber security and resilience capabilities. By adopting these measures and tailoring them to their particular requirements, organizations can strengthen their capacity to prevent, detect, respond to and recover from cyber threats. In an ever-evolving digital landscape, it is vital to consistently adapt and refine cyber security measures in order to stay ahead of emerging risks.

Please find a copy of the RBI Directions here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.