RBI’s new diktat: Fresh rules to tighten online payment security

The Reserve Bank of India (RBI) has introduced fresh regulations to enhance the security of online transactions, effective from July 30. The new rules require non-bank payment system operators (PSOs) to implement real-time fraud monitoring systems. These systems are designed to detect suspicious transaction activity and send out alerts to prevent fraud.

Additionally, the RBI mandates that mobile app sessions must automatically end after a specified period of inactivity. This requires users to log in again, which is intended to enhance security. The RBI’s Master Directions on Cyber Resilience and Digital Payment Security Controls outline these requirements to help PSOs improve their overall security measures.

While the new rules are in effect from July 30, the RBI has allowed for a phased implementation to give PSOs time to comply fully. The objective is to strengthen the security framework of payment systems by ensuring a high level of cyber resilience.

For mobile payments, the RBI specifies that PSOs must maintain the security of authenticated sessions and their encryption protocols throughout the user interaction. If there is any disruption or if the user closes the app, the session should be terminated, and any transactions should be resolved or reversed accordingly.
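As an added illustration of the session requirements above (an example written for this page, not code from the RBI or any PSO), the following Python sketch expires an authenticated session after a period of inactivity, forces re-authentication on the next request, and reverses any transaction still in flight when the session is torn down, whether by timeout or because the app was closed. The 300-second idle period and the in-memory session store are assumptions chosen for the example; the directions leave the actual period and implementation to the PSO.

```python
import time
from dataclasses import dataclass, field

# Assumed idle period for this example; the RBI text specifies no number.
IDLE_TIMEOUT_SECONDS = 300


@dataclass
class Session:
    user: str
    last_activity: float
    active: bool = True
    pending: list = field(default_factory=list)        # txn ids not yet settled
    reversed_txns: list = field(default_factory=list)  # txn ids reversed on teardown


class SessionManager:
    """Minimal session store with idle expiry and reversal of in-flight transactions."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so tests can control time
        self.sessions = {}

    def login(self, session_id, user):
        self.sessions[session_id] = Session(user=user, last_activity=self.clock())

    def touch(self, session_id):
        """Called on every authenticated request. Returns False if the caller
        must log in again, terminating the session if it sat idle too long."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return False
        if self.clock() - s.last_activity > self.idle_timeout:
            self.terminate(session_id, reason="idle-timeout")
            return False
        s.last_activity = self.clock()
        return True

    def begin_transaction(self, session_id, txn_id):
        if not self.touch(session_id):
            raise PermissionError("re-authentication required")
        self.sessions[session_id].pending.append(txn_id)

    def settle(self, session_id, txn_id):
        self.sessions[session_id].pending.remove(txn_id)

    def terminate(self, session_id, reason):
        """End the session (timeout, disruption, app closed) and reverse
        every transaction that had not been settled."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return None
        s.active = False
        s.reversed_txns.extend(s.pending)
        s.pending.clear()
        return reason


if __name__ == "__main__":
    mgr = SessionManager()
    mgr.login("s1", "alice")
    mgr.begin_transaction("s1", "txn-1")
    # Simulate the user closing the app mid-transaction.
    print(mgr.terminate("s1", reason="app-closed"), mgr.sessions["s1"].reversed_txns)
```

The clock is injected rather than read directly so the expiry path can be exercised deterministically; in a real PSO backend the session record would live in a shared store and the reversal would call the payment switch rather than append to a list.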

PSOs are also required to implement mechanisms to detect and block remote access applications that could compromise mobile payment systems, to prevent unauthorized access while a remote session is active.

Card networks are directed to enforce transaction limits at various levels, including card, bank identification number (BIN), and card issuer levels. These limits must be set at the card network switch itself. Additionally, card networks must provide a 24/7 alert system to notify card issuers of any suspicious activity and ensure that card details are stored in an encrypted format.
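To make the layered limits concrete, here is an added Python example (not code from any card network) of cumulative limit enforcement at the switch across the three levels the directions name: the individual card, the BIN, and the issuer. An authorization is declined as soon as any level would be exceeded, and each decline is pushed to an issuer alert feed that records only the last four digits of the card number. The limit amounts, the BIN-to-issuer table and the in-memory counters are constructed for the example.

```python
from collections import defaultdict

# Assumed, illustrative per-period limits in rupees; the directions require
# that limits exist at each level but do not prescribe these values.
DEFAULT_LIMITS = {"card": 50_000, "bin": 1_000_000, "issuer": 5_000_000}


class SwitchLimiter:
    """Cumulative limit checks at the card network switch, one counter per
    card, per BIN and per issuer."""

    def __init__(self, limits=DEFAULT_LIMITS, bin_to_issuer=None):
        self.limits = dict(limits)
        self.bin_to_issuer = dict(bin_to_issuer or {})
        self.spent = {level: defaultdict(int) for level in self.limits}
        self.issuer_alerts = []   # stand-in for the 24/7 alert feed to issuers

    def authorize(self, pan, amount):
        """Return (approved, level_that_blocked). Counters are only updated
        once every level has passed, so a decline never consumes limit."""
        bin_ = pan[:6]
        issuer = self.bin_to_issuer[bin_]
        scopes = (("card", pan), ("bin", bin_), ("issuer", issuer))
        for level, key in scopes:
            if self.spent[level][key] + amount > self.limits[level]:
                self.issuer_alerts.append({
                    "issuer": issuer,
                    "level": level,
                    "bin": bin_,
                    "pan_last4": pan[-4:],   # never the full card number
                    "amount": amount,
                })
                return False, level
        for level, key in scopes:
            self.spent[level][key] += amount
        return True, None


if __name__ == "__main__":
    # Constructed sample: one issuer owning one BIN, two cards on that BIN.
    switch = SwitchLimiter(
        limits={"card": 50_000, "bin": 70_000, "issuer": 5_000_000},
        bin_to_issuer={"411111": "ISSUER-A"},
    )
    for pan, amt in [("4111111111111234", 40_000), ("4111111111111234", 20_000),
                     ("4111111111115678", 25_000), ("4111111111115678", 10_000)]:
        print(pan[-4:], amt, switch.authorize(pan, amt))
    print(switch.issuer_alerts)
```

The order of the checks matters: the card level is tested first so that a single over-limit card is reported as a card problem rather than as a BIN or issuer problem, and the BIN and issuer counters aggregate across all cards beneath them, which is what lets the switch catch a burst of small transactions spread over many cards.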

The RBI has encouraged Prepaid Payment Instrument (PPI) issuers to send one-time passwords (OTPs) and transaction alerts in the user’s preferred language, including regional languages. Moreover, PSOs must establish a robust data leak prevention policy to protect both business and customer information and develop a business continuity plan for various cyber threat scenarios.

Finally, when sending SMS or email alerts, PSOs must ensure that sensitive information, such as bank account and card numbers, is redacted or masked to protect user privacy. PSOs must also offer a feature on their apps or websites that allows customers to quickly report fraudulent transactions.
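As an added example of the masking requirement (written for this page, not code from the RBI or a PSO), the following Python routine redacts long digit sequences such as account and card numbers from an outbound SMS or email alert, leaving only the last four digits, and provides a gate that refuses to send an alert still containing an unmasked number. The sample alert text and the rule that any run of nine or more digits is treated as sensitive are assumptions made for the example; a PSO would tune the pattern to its own account-number formats.

```python
import re

# A run of 9 to 19 digits, optionally separated by spaces or hyphens, that is
# not part of a longer digit run. Assumed threshold: shorter runs (amounts,
# 6-digit OTPs, dates) are left alone; 10-digit phone numbers are also masked,
# which is the conservative choice for an outbound alert.
SENSITIVE_NUMBER = re.compile(r"(?<!\d)(?:\d[ -]?){8,18}\d(?!\d)")


def _mask(match):
    digits = re.sub(r"[ -]", "", match.group(0))
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_alert(text):
    """Replace every account- or card-like number with X's plus its last four digits."""
    return SENSITIVE_NUMBER.sub(_mask, text)


def is_safe_to_send(text):
    """Outbound gate: True only if no sensitive-looking number remains."""
    return SENSITIVE_NUMBER.search(text) is None


def prepare_alert(text):
    """Redact, then verify; raises if anything sensitive survived redaction."""
    out = redact_alert(text)
    if not is_safe_to_send(out):
        raise ValueError("alert still contains an unmasked number")
    return out


if __name__ == "__main__":
    # Constructed sample alert, not a real transaction.
    raw = ("Rs 2,500 debited from A/c 123456789012 via card 4111 1111 1111 1234 "
           "on 24-03-2025. OTP 482913 is valid for 5 min.")
    print(prepare_alert(raw))
```

Running redaction and then an independent check, rather than trusting the redaction alone, means a new alert template that embeds a number in an unexpected format fails closed instead of leaking it to the customer's phone.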