The Reserve Bank on Thursday came out with a Master Direction for banks and card-issuing entities laying down common minimum standards to ensure security of digital payments.
The Master Direction lays down guidelines for internet banking, mobile payments, card payments, customer protection, and grievance redressal mechanism.
“In view of the proliferation of cyber-attacks and their potential consequences, regulated entities should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications,” it said.
The provisions of these directions would apply to Regulated Entities (REs): scheduled commercial banks, small finance banks, payments banks, and credit card issuing NBFCs.
Such a move is expected to improve the security of digital payment channels and also convenience of users. These directions contain requirements for robust governance, implementation and monitoring of certain minimum standards on common security controls for channels like internet and mobile banking, card payments, etc.
The robust protocol will help in checking frequent outages and disruption while providing secure environment for digital transactions.
The RBI in December temporarily barred largest private sector lender HDFC Bank from selling new credit cards or launching new digital banking initiatives, taking a serious view of service outages at the systemically important bank over the last two years. The digital banking app of the country’s largest lender SBI was also facing service outages.
Eyeing a robust governance structure
The Master Direction provides necessary guidelines for the Regulated Entities to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services. The guidelines are technology and platform-agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner, it said.
It further said entities would incorporate secure, safe, and responsible usage guidelines and training materials for end users within the digital payment applications.
“They shall also make it mandatory (i.e. not providing any option to circumvent/ avoid the material) for the consumer to go through secure usage guidelines (even in the consumer’s preferred language) while obtaining and recording confirmation during the on-boarding procedure in the first instance and first use after each update of the digital payment application or after major updates to secure and safe usage guidelines,” it said.
REs would adhere to extant instructions, updated from time to time, to put in place systems for online dispute resolution for resolving disputes and grievances of customers pertaining to digital payments, it said.
On public awareness, it said, financial institutions should inform about types of threats and attacks used against the consumers while using digital payment products, and precautionary measures to safeguard against the same.
“Customers shall be cautioned against commonly known threats in recent times like phishing, vishing, reverse-phishing, remote access of mobile devices and educated to secure and safeguard their account details, credentials, PIN, card details, devices, etc,” it said.
With regard to mobile apps, it asked to deactivate the older application versions in a phased but time-bound manner not exceeding six months from the date of release of newer version.