This comes at a time when outages, frauds and data breaches have spiked in India’s burgeoning payments ecosystem. The new rules set the framework for all regulated entities to standardise their security operations around the best practices defined by the central bank.
“The Master Direction provides necessary guidelines…to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services,” according to an RBI circular issued Thursday. “The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.”
All regulated entities have been given six months to ensure compliance.
The 21-page master circular issues specifications for:
- protection of the source code of third-party UPI apps,
- cybersecurity guidelines to prevent external attacks, and
- protocols for card payment and internet banking security.
“Going by the pre-eminent role being played by digital payment systems in India, RBI gives highest importance to the security controls around it,” the central bank said in the circular. “While the guidelines will be technology and platform agnostic, they will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner. Necessary guidelines will be issued separately.”
RBI Governor Shaktikanta Das had first hinted about the introduction of these guidelines in his Monetary Policy Committee address on December 4, 2020.
These rules will have implications not only for regulated banks but also for third-party payment apps—Google Pay, WhatsApp Pay, PhonePe, etc.—on how they interact with their banking partners and store customer data.
They will also affect the business models of several payment gateways that rely on delayed settlement of merchant funds to banking partners. The rules now specify that a payments operator or a bank cannot delay settlements to nodal settlement accounts by more than 24 hours.
“The Board and Senior Management shall be responsible for implementation of this policy. The policy shall be reviewed periodically, at least on a yearly basis. REs may formulate this policy separately for their different digital products or include the same as part of their overall product policy,” RBI said in the circular.