Over the past years, India’s economy is exponentially growing giving rise to unceasing advancement in the banking industry. Various aspects of banking as such Checking accounts, Savings accounts, Debit and credit cards, Merchant services (credit card processing, reconciliation and reporting, check collection), Treasury services, loans etc are diversifying in a multitude manner. Also, forease of customers and to avoid overcrowding at the banks, there is an outrageous increase in number of ATM’s. According to RBI’s report of September 2019 there are 206,589 ATM’s in all over India including on site and off site as well.
Without any doubt the ATM’s do serve the purpose of enhancing the customer experience but also give rise to complications as such card skimming, ATM jack potting, black box ATM attacks and so on.This brings us to the rising issue of ATM frauds that are being reported consecutively across the country. A recent Economic Times news report stated that as many as 61 ATM frauds have been reported, mostly from Jadavpur area of Kolkata, where fraudsters used two ATM machines of Punjab National Bank to dupe customers. Fraudsters have withdrawn nearly Rs 14 lakh in several transactions made between November 28 and December 4.
Another event to highlight would be selling of payment card data on Joker’s Stash. Over 1.3 million payment card details - 98% of them being Indian banks’ cards were put up for sale. Out of which 550,000 of these cards belonged to one single Indian bank. The data was being sold at $100 per card, and was likely obtained by using skimming devices installed on ATMs and Point of Sales systems.
These concerning issues and the risks associated along with it led RBI to take a counter-active action. The Reserve Bank of India (RBI) on 5 Dec,2019announced that all RBI-regulated entities entering into a contract with third-party automated teller machine (ATM) switch application service providers (ASPs) need to comply with cybersecurity controls prescribed by the central bank.
Since these service providers also have exposure to the payment system landscape and are, therefore, exposed to the associated cyber threats, the RBI decided that certain baseline cybersecurity controls shall be mandated by the regulated entities in their contractual agreements with these service providers.
In view of this, the RBI regulated entities shall make sure that the contract agreement signed between them and third party ATM switch application service provider shall necessarily mandate the third party ATM switch ASP to comply with cybersecurity controls and also provide access to RBI for onsite/off site supervision. A considerable thing to keep in mind would be that the RBI-regulated entities have to amend their contracts at the earliest or at the time of renewal, in any case not later than March 31, 2020.
Baseline Cybersecurity Controls for ATM Switch application service providers of RBI regulated entities are listed as:
- Preventing access of unauthorised software
- Environmental Controls
- Network Management and Security
- Secure Configuration
- Application Security Life Cycle (ASLC)
- Patch/Vulnerability and Change Management
- User Access Control / Management
- Data Leak prevention strategy
- Audit Logs
- Incident Response and Management
- Advanced Real-time Threat Defence and Management
- Vulnerability assessment and Penetration Test
- Arrangement for continuous surveillance - Setting up of Cyber Security Operation Centre (C-SOC)
- Compliance with various standards