With rising cases of cyber fraud and security incidents, RBI published a Master Direction providing necessary guidelines stating the directions of security control,” Reserve Bank of India (Digital Payment Security Controls) Directions 2021”  to strengthen the nation’s digital payments architecture, improving the security, control, and  compliance  among banks, gateways, wallets, and other non-banking entities,
The efforts are to regulate security in commercial banks, small finance banks, payment banks and credit card-issuing non-banking financial companies (NBFC). The new set of norms also specifies the criteria under which regulated entities can form partnerships and interact with third-party apps and ecosystem players such as  mobile applications, payment operators and gateways.
The comprehensive guidelines aim to tackle the recent severe rise in digital outages, cyber frauds and data breaches incidents. The control guidelines consolidates multiple vital aspects of the cybersecurity space like:
- Governance and Management of Security Risks
- Other Generic Security Controls
- Application Security Life Cycle (ASLC)
- Authentication Framework
- Fraud Risk Management
- Reconciliation Mechanism
- Customer Protection, Awareness, and Grievance Redressal Mechanism
Apart from the General guideline, the directive consists of separate controls namely :
- Internet Banking Security Controls
- Mobile Payments Application Security Controls
- Card Payments Security
With NPCI’s plan to revamp the IT infrastructure across popular payment channels like UPI, IMPS, AePS etc, the latest RBI directives are considered as a crucial update to improve the security of digital payment channels and also customer convenience. The Master guideline aids in setting up a robust governance structure and implementing common minimum standards of security controls for digital payment products and services.
Adhering to the guideline, all the regulated entities (REs) need to update their secure process and policies time to time and place an online dispute resolution for resolving disputes and grievances of customers pertaining to digital payments. In view of a security incident, the financial institutions are expected to inform about the threats and attack against their digital payment product and ensure that precautionary  safeguards  are in place to avoid incidents like ” phishing, remote access, safeguard of PIN, credentials, card details” etc.
RBI has given all the regulated entities to comply within the next six months
Full document here :
As a CERT-in empanelled organization    QRC Assurance and Solutions  has been a forerunner on the cybersecurity front, empanelled with CERT-in, certified to provide PCI DSS QSA, PA QSA, PCI 3DS, PCI SSF, ISO 27001, ISO 27701 Certifications along with other security compliance services. As forerunners in Cybersecurity Space, QRC supports our customers to establish, document, implement and maintain Data Security and Privacy frameworks to protect their sensitive data from all Internal / External Threats and manage the confidentiality, Integrity, availability, Security, Privacy of such information systematically.