RBI issues norms to improve safety of payment systems
https://psuwatch.com/
India
31-07-2024
New Delhi: The Reserve Bank of India (RBI) announced on Tuesday that non-bank payment system operators must implement a real-time fraud monitoring solution to identify suspicious transactional behavior and generate alerts.
Additionally, non-bank payment system operators (PSOs) are required to ensure that online sessions on mobile applications automatically terminate after a fixed period of inactivity, prompting customers to re-login, as per the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs.
The directions, effective from Tuesday, include a phased implementation to allow PSOs adequate time to establish the necessary compliance structure. The RBI stated that these directions aim to enhance the safety and security of payment systems operated by PSOs by providing a comprehensive framework for information security preparedness with an emphasis on cyber resilience.
Regarding mobile payments, the RBI specified that PSOs should ensure that an authenticated session and its encryption protocol remain intact throughout the interaction with the customer. Any interference or closure of the application by the customer should result in the session's termination and the resolution or reversal of affected transactions.
Furthermore, PSOs must identify the presence of remote access applications, to the extent possible, and prohibit access to the mobile payment application while remote access is active. They must also ensure that card networks facilitate the implementation of transaction limits at the card, bank identification number (BIN), and card issuer levels, with such limits set at the card network switch itself.
Card networks are also required to establish a 24x7 alert mechanism to notify card issuers of any suspicious incidents and ensure that customer card details are stored in an encrypted form at all server locations. The central bank has encouraged Prepaid Payment Instrument issuers to communicate OTP and transaction alerts in users' preferred languages, including vernacular languages.
PSOs must also develop a comprehensive data leak prevention policy to protect the confidentiality, integrity, and availability of business and customer information. Additionally, they are required to establish a business continuity plan based on various cyber threat scenarios, including extreme but plausible events.
The directions mandate that SMS or e-mail alerts to customers must redact or mask bank account numbers, card numbers, and other confidential information as much as possible. PSOs are also required to provide a facility on their mobile application or website that enables customers to authenticate and mark a fraudulent transaction for immediate notification to the issuer of the payment instrument.
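The masking requirement for customer alerts is simple to state but easy to get wrong in practice (OTPs must survive, amounts and dates must not be touched, and only the tail of a card or account number should remain). The following is an added illustration, not code from the RBI directions or from any PSO: it redacts card numbers and account numbers in outgoing SMS/e-mail text while leaving other digits alone. The "keep the last four digits" rule and the digit-length ranges used to recognise account numbers are assumptions, not values taken from the directions; the sample alerts are constructed.

```python
import re

# Assumed patterns (not from the directions): 13-19 digit card numbers with optional
# space or hyphen separators, and bare 9-18 digit account numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
ACCOUNT_RE = re.compile(r"\b\d{9,18}\b")

# Constructed sample alerts for demonstration only.
SAMPLE_ALERTS = [
    "Rs 2500.00 debited from A/c 123456789012 via card 4111 1111 1111 1111 on 31-07-2024.",
    "OTP 482913 for txn of Rs 999 on card ending 4111 1111 1111 1111.",
]


def mask_digits(token: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with 'X', preserving separators."""
    n_digits = sum(c.isdigit() for c in token)
    to_mask = max(n_digits - keep, 0)
    out, seen = [], 0
    for c in token:
        if c.isdigit():
            out.append("X" if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_alert(text: str) -> str:
    """Mask card numbers first (longer), then account numbers, in one alert message."""
    text = CARD_RE.sub(lambda m: mask_digits(m.group(0)), text)
    text = ACCOUNT_RE.sub(lambda m: mask_digits(m.group(0)), text)
    return text


def has_unmasked_number(text: str) -> bool:
    """Pre-send check: True if any card- or account-length digit run is still present."""
    return bool(CARD_RE.search(text) or ACCOUNT_RE.search(text))


def redact_all(alerts: list[str]) -> list[str]:
    """Redact a batch of alerts and refuse to return any that still leak a number."""
    redacted = [redact_alert(a) for a in alerts]
    leaking = [a for a in redacted if has_unmasked_number(a)]
    if leaking:
        raise ValueError(f"alert still contains an unmasked number: {leaking[0]!r}")
    return redacted


if __name__ == "__main__":
    for line in redact_all(SAMPLE_ALERTS):
        print(line)
```

Over-masking is the safe failure mode here: a 10-digit mobile number in an alert would also be masked by the assumed account pattern, which is acceptable, whereas a six-digit OTP is short enough to pass through untouched. The `has_unmasked_number` gate is the kind of check a PSO would run in the alert pipeline before anything reaches the SMS gateway.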