The Reserve Bank of India (RBI) on Tuesday said non-bank payment system operators will have to put in place a real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts. Also, non-bank payment system operators (PSOs) will have to ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login, according to Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs.The guidelines effective Tuesday aim to improve safety by mandating encrypted storage of card details, setting transaction limits, and developing comprehensive data leak prevention and business continuity plans.The RBI has also prescribed a phased implementation to provide adequate time to PSOs to put in place the necessary compliance structure.Regarding mobile payments, RBI said PSOs should ensure that an authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer.”In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out,” it said.Further, the PSO should ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login.RBI further said the card networks should facilitate implementation of transaction limits at card, bank identification number (BIN) as well as at card issuer level.”Such limits shall mandatorily be set at the card network switchitself,” it said.Also, the card networks should institute an alert mechanism on a 24×7 basis, to be triggered to the card issuer in case of any suspicious incident. RBI also said card networks will have to ensure that card details of the customers are stored in an encrypted form at any of their server locations.The central bank has also encouraged Prepaid Payment Instruments issuers to communicate OTP and transaction alerts with users in a language of their choice, including vernacular languages.RBI said the PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information in respect of data available with it or at vendor managed facilities.They will also have to develop a business continuity plan based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed.According to the directions, while sending SMS or e-mail alert to customers, either by PSO or payment system participants, it has to be ensured that bank account number, card number, or other confidential information are redacted/masked to the extent possible.”The PSO shall provide a facility on its mobile application / website that would enable customers, with necessary authentication, to identify / mark a fraudulent transaction for seamless and immediate notification to the issuer of the payment instrument,” it said.
Source link