The Reserve Bank of India (RBI) has toughened digital payment security norms to improve security, control, and compliance for banks and other regulated entities.
The new norms come at a time when India's thriving payments ecosystem has witnessed increased occurrences of frauds, outages, and cyber breaches.
The RBI, in a set of directives issued on its website on Thursday, February 18, listed prescriptive guidelines for digital payment security, which specified security protocols to be adopted in mobile applications, internet banking of scheduled commercial banks, small finance banks, payment banks, and card issuing non-bank lenders as well as cards issued by them.
The 'Master Direction' lays down guidelines for internet banking, mobile payments, card payments, customer protection, and grievance redressal mechanism.
"In view of the proliferation of cyber-attacks and their potential consequences, regulated entities should implement, except where explicitly permitted/relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/micro-ATMs/business correspondents, through digital payment applications," it said.
Such a move is expected to improve the security of digital payment channels and also convenience for users. These directions contain requirements for robust governance, implementation, and monitoring of certain minimum standards on common security controls for channels like internet and mobile banking, card payments, etc.
The robust protocol will help in checking frequent outages and disruptions while providing a secure environment for digital transactions. The RBI in December temporarily barred the largest private sector lender HDFC Bank from selling new credit cards or launching new digital banking initiatives, taking a serious view of service outages at the systemically important bank over the last two years.
The digital banking app of the country's largest lender SBI was also facing service outages. "The Master Direction provides necessary guidelines for the regulated entities to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services, and the guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner," the central bank said in its circular.
It further said that entities would incorporate secure, safe, and responsible usage guidelines and training materials for end-users within the digital payment applications.
"They shall also make it mandatory (i.e. not providing any option to circumvent/avoid the material) for the consumer to go through secure usage guidelines (even in the consumer's preferred language) while obtaining and recording confirmation during the on-boarding procedure in the first instance and first use after each update of the digital payment application or after major updates to secure and safe usage guidelines," the circular added.
"REs would adhere to extant instructions, updated from time to time, to put in place systems for online dispute resolution for resolving disputes and grievances of customers pertaining to digital payments," it further stated.
On public awareness, the circular said, financial institutions should inform about types of threats and attacks used against consumers while using digital payment products and precautionary measures to safeguard against the same.
"Customers shall be cautioned against commonly known threats in recent times like phishing, vishing, reverse-phishing, remote access of mobile devices and educated to secure and safeguard their account details, credentials, PIN, card details, devices, etc.," the circular noted.
With regard to mobile apps, it asked to deactivate the older application versions in a phased but time-bound manner not exceeding six months from the date of release of the newer version.