RBI Toughens Digital Payment Security Norms For Lenders

RBI becomes more prescriptive on digital payment security norms.

A security guard stands by a Reserve Bank of India (RBI) logo in the RBI building in Mumbai, India. (Photographer: Karen Dias/Bloomberg)

The Reserve Bank of India has asked scheduled commercial banks, payments banks, small finance banks, as well as card issuing non-bank lenders to adopt more stringent security measures for digital payments.

In a set of master directions issued on its website on Thursday, the banking regulator came up with prescriptive guidelines for digital payment security. These guidelines specify security protocols to be adopted in internet banking, mobile applications of the entities mentioned above and cards issued by them.

“While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner,” the regulator said in its master directions.

The guidelines will come into effect within six months, the RBI said.

The regulator has asked lenders to have a board-approved policy in place and conduct regular system audits. Banks and non-bank financial companies will be expected to conduct regular vulnerability testing of their systems to provide a secure experience to their customers.

The banking regulator has asked lenders to adopt the highest standards of security available to avoid data breaches on their servers. For card payments, lenders must adopt standards that go beyond the Payment Card Industry Data Security Standard. These include specific standards for transmitting the personal identification number to the cardholder and security standards for the hardware used to read cards, among others.

“The guidelines don't mention UPI transactions or payment gateways which are major vectors for data breaches and frauds. However, the guidelines around credit cards are very prescriptive which is a positive,” said Sandeep Srinivasa, founder and head of product and tech at RedCarpet, a credit card company.

Some of the requirements specified by the RBI include:

  • For mobile applications where the service and the authentication token, such as a one-time password, are received on the same device, lenders are expected to come up with better alternatives for authenticating a transaction.
  • The reconciliation process for transactions must follow a near-real-time framework, ensuring that all stakeholders receive the necessary information about a transaction within 24 hours.
  • The RBI has asked lenders to ensure that the web pages through which they provide digital payment products and services do not store customer-sensitive information in HTML fields, cookies, or any other client-side storage.
  • For authenticating customers who use web pages to access digital payments, banks and NBFCs will need stronger authentication tools, using strong CAPTCHA codes with server-side validation.
  • Banks and NBFCs must have a specific section on their digital payment products and services that clarifies how customers can lodge complaints in the event of a grievance.
  • Lenders may also consider introducing code in their applications that helps them verify the customer’s device for security issues. The applications or web pages provided by the lenders must have a mechanism to mark a transaction as fraudulent, so that the lender is notified seamlessly and immediately.
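The client-side storage requirement in the list above is one that a lender can check for mechanically. The following is an added example, not code from the article, the RBI directions or any lender: an audit helper that takes a snapshot of a payment page's hidden form fields, its `document.cookie` string and a `localStorage`-style key/value map, and flags any entry that looks like cardholder data, either a Luhn-valid 13 to 19 digit number or a value stored under a key name such as `cvv`, `pin` or `otp`. The snapshot, the key-name list and the function names are assumptions constructed for illustration; the card number used is the well-known test value 4111 1111 1111 1111, not a real card.

```javascript
// Added example: audit a snapshot of client-side storage for cardholder data.
// Runs under Node without a browser; the snapshot at the bottom is constructed.

// Key names that should never hold a value on the client (assumed list).
const SENSITIVE_KEY = /\b(cvv|cvc|pin|otp|passw(or)?d|pan|card[_-]?(no|num|number))\b/i;

// Luhn check: true when the digit string is a structurally valid card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when the value, with spaces and dashes removed, is a 13-19 digit Luhn-valid number.
function looksLikePan(value) {
  const digits = String(value).replace(/[ -]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Parse a document.cookie style string ("a=1; b=2") into [name, value] pairs.
function parseCookies(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const idx = part.indexOf('=');
      return idx < 0 ? [part, ''] : [part.slice(0, idx), part.slice(idx + 1)];
    });
}

// Scan one storage area; returns findings as {where, key, reason} objects.
function scanEntries(where, entries) {
  const findings = [];
  for (const [key, value] of entries) {
    if (looksLikePan(value)) {
      findings.push({ where, key, reason: 'luhn-valid card number' });
    } else if (SENSITIVE_KEY.test(key) && String(value).length > 0) {
      findings.push({ where, key, reason: 'sensitive key name' });
    }
  }
  return findings;
}

// snapshot = { hiddenFields: {name: value}, cookies: 'a=1; b=2', localStorage: {key: value} }
function auditClientStorage(snapshot) {
  return [
    ...scanEntries('hidden-field', Object.entries(snapshot.hiddenFields || {})),
    ...scanEntries('cookie', parseCookies(snapshot.cookies || '')),
    ...scanEntries('localStorage', Object.entries(snapshot.localStorage || {})),
  ];
}

// Constructed snapshot of a hypothetical payment page. Two entries violate the
// requirement: a PAN in a hidden field and a CVV in a cookie; the rest is benign.
const SAMPLE_SNAPSHOT = {
  hiddenFields: { txn_ref: 'TXN-000123', card_number: '4111 1111 1111 1111' },
  cookies: 'session=opaque-token-abc; cvv=123',
  localStorage: { theme: 'dark', lastAmount: '1500.00' },
};

console.log(auditClientStorage(SAMPLE_SNAPSHOT));
```

The Luhn test is deliberately used as the primary signal because it catches a card number regardless of the key it is stored under; the key-name check is the fallback for values such as a CVV or OTP that are too short to validate structurally. A lender would run a check like this against rendered pages in a test environment rather than relying on developers to remember the rule.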

The RBI has also asked banks and NBFCs to have a policy in place to upgrade their IT systems on a regular basis, depending on the growth in customer demand for digital payments.

Over the last two years, large banks such as HDFC Bank have faced service downtime because of the rapid rise in demand and their systems being unable to cope with it. In November 2019, HDFC Bank also faced issues with a power outage at its data servers in Mumbai, which prompted the regulator to levy heavy penalties on the bank. An external audit of the bank’s systems is currently ongoing.

According to Nitin Bhatnagar, associate director-India at the PCI Security Standards Council, the country has become an attractive target for cybercriminals and the security of cardholder data needs to be a top priority.

“The road to stronger payment security involves global collaboration, and organisations should start prioritising data security as an important element to their day-to-day business activities,” Bhatnagar said.