Context

The Reserve Bank of India (RBI) has released the draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs).

About

• Objective:
• To ensure that the authorised non-bank Payment System Operators (PSOs) is resilient to traditional and emerging information systems and cyber security risks.
• Key points of the draft:
• The draft covers governance mechanism for identification, assessment, monitoring and management of Cybersecurity risks including information security risks and vulnerabilities, and specifies baseline security measures for ensuring safe and secure digital payment transactions.
• The Directions will also cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions.
• RBI has asked PSOs to effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem (like payment gateways, third-party service providers, vendors, merchants, etc.).
• PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to mutual agreement.
• An organizational policy in this respect, approved by the Board, shall be put in place.
• However, there is no change in the existing instructions on security and risk mitigation measures for payments done using cards, Prepaid Payment Instruments (PPIs) and mobile banking continue to be applicable as such.

Who are Payment system operators (PSOs)?

• PSOs in India include Clearing Corporation of India, National Payments Corporation of India, Cards Payment Networks, Cross border Money Transfer, ATM networks, Prepaid Payment Instruments, White Label ATM Operators, Instant Money Transfer, and Trade Receivables Discounting System, Bharat Bill Payment System.
• The PSOs usually focus on:
  • Ensuring good governance and prudent risk management
  • Maintaining robust IT infrastructure with cyber resilience
  • Putting in place responsive grievance redress mechanism
    
    

RBI’s guidelines for Cybersecurity in India:

• The “Cyber Security Framework in Banks” circular from RBI sets the guidelines for Banks in India for developing and implementing next-generation cyber defence capabilities.
• The framework would direct the execution of progressively more robust security measures based on the nature, scale and variety of bank digital product offerings.
• The RBI cyber security framework addresses three core areas:
• Establish Cyber Security Baseline and Resilience
• Operate Cyber Security Operations Centre (C-SOC)
• Cyber Security Incident Reporting (CSIR).