RBI has proposed draft guidelines that aim to strengthen security measures for online payments. Meant primarily for payment system operators, the guidelines include measures against several types of cyber-attacks.
Payment system operators, or PSOs, are retail payment organizations like VISA, Mastercard, RuPay, NPCI etc. The guidelines categorise PSOs according to their area of operation and scale. Entities like Bharat Bill Payment Operating Units are large PSOs, cross-border money transfer entities are mid-sized, and entities that issue prepaid payment systems are small-scale PSOs.
One of the key proposals is to promptly disable mobile payments when a remote user has gained access to a user’s device. The guidelines make it mandatory for PSOs to report any malicious activity within six hours of its detection. Malicious activity can include attacks on the infrastructure, internal fraud, cyberattacks etc.
Other noteworthy changes include showing the merchant’s name, instead of the payment gateway’s, in transaction alert messages. There will also be a cooling period of at least 12 hours when the phone number or email ID associated with a bank account is changed.
RBI’s guidelines come at an hour of need. Cases of fraudulent activity in digital payments have been increasing among the general public. Recently the central bank also announced the removal of INR 2,000 notes from circulation. All measures are a part of RBI’s ‘Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs)’.
More guidelines to counter online scams
The guidelines also set down some best practices that most PSOs already follow, which RBI wanted to readdress for cases of fraud. One of the biggest examples is when victims install apps like AnyDesk, which the scammer then uses to gain control of the device.
To give PSOs time to adjust to the changes in the draft, the adoption timeline differs by category. The measures will come into force in April 2024 for larger PSOs, April 2026 for mid-sized PSOs and April 2028 for smaller-sized PSOs.
RBI has also given the deadline of June 30th, 2024 for any feedback regarding the draft parameters.
Introduction of a new payment system
RBI has also planned the introduction of a payment system called Lightweight Payment and Settlement System or LPSS. Its aim is to bring a change in the digital payment industry. As mentioned in its annual report, this payment system will help users make payments even during times of emergency like war.
LPSS will be available on a need-only basis, only during the situations mentioned above. This is possible because the system will not depend on the existing infrastructure that payment systems use. It will be operable from anywhere with minimal staff. It will have zero downtime for payment and settlement to keep liquidity flowing in the economy.
It will be complementary to the already active payment systems like UPI, NEFT and RTGS. The target market of this payment system is Government and other critical transactions. RBI aims to transform the face of digital payments by making them seamless and more secure with these measures.