The Reserve Bank on Feb 18, 2021 (Thursday) came out with the Master Direction (Digital Payment Security Controls) Directions 2021, for banks and card-issuing entities, laying down common minimum standards to ensure the security of digital payments. The provisions of these directions apply to the Regulated Entities (REs), viz. Scheduled Commercial Banks, Small Finance Banks, Payments Banks, and credit card-issuing NBFCs. These regulated entities are asked to set up a robust governance structure for such systems and to implement common minimum standards of security controls for channels such as internet banking, mobile banking and card payments, among others, so that customers can use digital payment products in a safer and more secure manner.
The latest Master Direction consolidates important control aspects largely in the areas of (i) Governance and Management of Security Risks, (ii) Generic Security Controls, Application Security Life Cycle (ASLC), (iii) Authentication Framework, (iv) Fraud Risk Management, (v) Reconciliation Mechanism, (vi) Customer Protection, (vii) Awareness and Grievance Redressal Mechanism, (viii) specific controls related to Internet Banking, Mobile Payments Application Security Controls and Card Payments Security.
In respect of general controls over security measures, it said: “REs shall formulate a policy for digital payment products and services with the approval of their Board. The contours of the policy, while discussing the parameters of any “new product” including its alignment with the overall business strategy and inherent risk of the product, risk management/ mitigation measures, compliance with regulatory instructions, customer experience, etc., should explicitly discuss about payment security requirements from Functionality, Security and Performance (FSP) angles”. The payment security requirements envisaged by the Central Bank include:
1. Necessary controls to protect the confidentiality of customer data and integrity of data and processes associated with the digital product/ services offered;
2. Availability of requisite infrastructure e.g. human resources, technology, etc. with necessary back up;
3. Assurance that the payment product is built in a secure manner, offers robust performance ensuring safety and consistency, and is rolled out after necessary testing for achieving the desired FSP;
4. Capacity building and expansion with scalability (to meet the growth for efficient transaction processing);
5. Minimal customer service disruption with high availability of systems/ channels (to have minimal technical declines);
6. Efficient and effective dispute resolution mechanism and handling of customer grievance; and
7. Adequate and appropriate review mechanism followed by swift corrective action, in case any one of the above requirements is hampered or has a high potential to get hampered.
In addition, the signing off of the above requirements, the mechanism for carrying out User Acceptance Tests (UAT) in multiple stages before roll-out, sign-off from multiple stakeholders (post-UAT), and data archival requirements shall also be taken into account. The need for an external assessment of the entire process, including the logic, build and security aspects of the application(s) supporting the digital product, should be clearly articulated, RBI said.