RBI issues norms to improve safety of payment systems with fraud monitoring

Directions aim to improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience

PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information: RBI | (Photo: Reuters)
Press Trust of India Mumbai
3 min read Last Updated : Jul 30 2024 | 8:15 PM IST


The RBI on Tuesday said non-bank payment system operators will have to put in place a real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts.

Also, non-bank payment system operators (PSOs) will have to ensure that an online session on a mobile application is automatically terminated after a fixed period of inactivity and that customers are prompted to re-login, according to the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs.

The directions have come into effect from Tuesday, but the Reserve Bank has also prescribed a phased implementation to provide adequate time to PSOs to put in place the necessary compliance structure.

RBI said the directions aim to improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.

Regarding mobile payments, RBI said PSOs should ensure that an authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer.

"In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out," it said.

Further, the PSO should ensure that an online session on the mobile application is automatically terminated after a fixed period of inactivity and that customers are prompted to re-login.

"The PSO shall put in place a control mechanism, to identify any presence of remote access applications (to the extent possible) and prohibit access to the mobile payment application while the remote access is live," the directions said.

RBI further said the card networks should facilitate implementation of transaction limits at card, bank identification number (BIN) as well as at card issuer level.

"Such limits shall mandatorily be set at the card network switch itself," it said.

Also, the card networks should institute an alert mechanism on a 24x7 basis, to be triggered to the card issuer in case of any suspicious incident. RBI also said card networks will have to ensure that card details of the customers are stored in an encrypted form at any of their server locations.

The central bank has also encouraged Prepaid Payment Instruments issuers to communicate OTP and transaction alerts to users in a language of their choice, including vernacular languages.

RBI said the PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information in respect of data available with it or at vendor managed facilities.

PSOs will also have to develop a business continuity plan based on different cyber threat scenarios, including extreme but plausible events to which they may be exposed.

According to the directions, when SMS or e-mail alerts are sent to customers, either by the PSO or by payment system participants, it has to be ensured that the bank account number, card number, or other confidential information is redacted/masked to the extent possible.

"The PSO shall provide a facility on its mobile application / website that would enable customers, with necessary authentication, to identify / mark a fraudulent transaction for seamless and immediate notification to the issuer of payment instrument," it said.


(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)


First Published: Jul 30 2024 | 8:15 PM IST
