SlideShare a Scribd company logo

RBI’s Master Direction on Digital Payment Security Controls

T
TobyRobinson13

The guidelines will help organizations establish a robust digital payment system and implement effective standards of security controls for online payments. With this Master Direction, it is now expected that entities like banks and NBFC’s emphasise on their quality of governance, risk management, and internal security controls for establishing a safer digital payment environment. The issued guidelines specify security protocols to be implemented in mobile applications, internet banking, and card payments by scheduled commercial banks, small financial and payment banks, and card issuing institutes.

Technology
1 of 18
Download to read offline
RBI’s Master Direction on Digital Payment Security Controls RBI’s Master Direction on Digital Payment Security Controls W: www.vistainfosec.com E: info@vistainfosec.com US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA | USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
Introduction Given the dynamic digital landscape and skyrocket -ing online payment transactions, the industry has witne -ssed huge spike in cybercrimes. Addressing the growing need for stringent digital payment security controls in the industr- y, RBI recently issued a comprehensive Master Direction for organiza- tions to follow. The Master Direction works as a guideline for organiza- tions to improve the security, and governance of payment gateways, wallets, and other digital payment transactions that they deal with on a day-to-day basis. The guidelines will help organizations establish a robust digital pay- ment system and implement effective standards of security controls for online payments. With this Master Direction, it is now expected that entities like banks and NBFC’s emphasise on their quality of gover- nance, risk management, and internal security controls for establishing a safer digital payment environment. The issued guidelines specify security protocols to be implemented in mobile applications, internet banking, and card payments by scheduled commercial banks, small financial and payment banks, and card issuing institutes. The Master Direction is issued at crucial time when the financial indus- try is in the mid of its rapid digital transformation and evolving security landscape. The guidelines issued is a technological and applica- tion-based framework that improves the digital payment environment for customers to securely embrace the evolving digitization of the finan- cial industry. While this initiative is seen as a positive move to towards strengthening the regulations and supervision, it is yet to be seen as to how the enforcement of the security framework takes it course. Topics Covered Introduction Sr. No. Pg. No. Titles 01. Key Highlights of Master Direction 02. Applicability of the Master Direction 03. Key Areas Covered in the Master Direction 04. Digital Payment Security Controls in a Glance 05. Chapter II 06. Chapter III 07. Chapter IV 08. Chapter V 09. 10. Going Ahead with the Master Direction Plan of Action & Key Recommendat- ions for Businesses 02 03 03 04 06 07 11 11 12 14 www.vistainfosec.com 02
Key Highlights of the Master Direction It provides a comprehensive governance structure and mini- mum-security control standards for systems like internet bank- ing, mobile banking, card payment, etc. Scheduled Commercial Banks (excluding Regional Rural Banks) Timeline Objective of the Master Direction It is a Standard driven by secure and robust security gover- nance controls of international standards and guidelines like OWASP, NIST, ISO, PCI to name a few. It contains requirements for strong governance, implementa- tion, and monitoring of security control standards by sched- uled commercial banks, small financial and payment banks, and card issuing institutes. The Master Directions will also have implications on the third-party payment applications such as Google Pay, Pho- nePe, etc. RBI’s Master Direction covers a diverse area, including import- ant security controls concerning the Governance and Manage- ment of Security Risks, Generic Security Controls, Application Security Life Cycle (ASLC), Authentication Framework, Fraud Risk Management, Reconciliation Mechanism, Customer Pro- tection, Awareness and Grievance Redressal Mechanism relat- ed to Internet Banking, Mobile Payments Application Security Controls, and Card Payments Security. It will come into effect on August which is six months from the day they are placed on the official website of the Reserve Bank of India (RBI). The timeline would be with immediate effect from thereon. Small Finance Banks Payments Banks Credit card issuing NBFCs. The guideline aims is to strengthen the regulations and supervision of non-cash, digital payments in the industry. Improve the security, and gov- ernance of payment gateways, wallets, and other digital pay- ment transactions. Applicability of the Master Direction It provides a comprehensive gover- nance structure and minimum-securi- ty control standards for systems like internet banking, mobile banking, card payment, etc. Typically speaking the issued guide- lines will also affect the business models of several payment gateways. The directions will have implications on third-party payment applications such as Google Pay, PhonePe, etc. The guidelines is set to come into full effect from August 2021 (6 months post-release of the guidelines) www.vistainfosec.com 03
The guideline aims is to strengthen the regulations and supervision of non-cash, digital payments in the industry. Improve the security, and governance of payment gateways, wallets, and other digital payment trans- actions. Aims to ensure regulated entities prioritize and focus on the quality of governance, risk manage- ment, and internal security controls for building a safer digital payment environment. Strengthen and improve the internal grievance redress mechanism with enhanced disclosures on customer complaints. Overall, aim is to ensure secure online payment transactions and prevent incidents of a data breach, theft, or data leakage of sensitive customer information. Effective implementation and monitoring of certain minimum standards on security controls. The Master Direction is a detailed 21-page dossier issued by the RBI which specifies security protocols to be implemented in mobile applica- The Master Direction is a detailed 21-page dossier issued by the RBI which specifies security pro tocols to be implemented in mobile appli cations, internet banking, and card payments by scheduled com- mercial banks, small finan- cial and payment banks, and card issuing institutes. The guide line includes spe- cifications on diverse areas, including important Securi- ty Controls concerning:- Key Areas Covered in the RBI’s Master Direction www.vistainfosec.com 04
Governance and Management of Security Risks Generic Security Controls Application Security Life Cycle (ASLC) Authentication Framework Fraud Risk Management, Reconciliation Mechanism Customer Protection Awareness and Grievance Redressal Mechanism related to Internet Banking, Mobile Payments Application Security Controls, and Card Payments Security. Special emphasis on following various Payment Card Security Stan- dards as per Payment Card Industry (PCI). RBI aims to push the regulated financial institutes and NBFC’s to improve the overall operations, security controls and customer care services. www.vistainfosec.com 05
Digital Payment Security Controls CHAPTER II Governance & Management of Security Risks Policy for Digital Payment Products & Services Risk Management & Governance Program Controls for Monitoring the Ac�vi�es of the Third Party Risk Assessment Capacity Management Plan Data Recovery System & Procedure Generic Security Controls Communica�on Protocols Storage of Sensi�ve Data Implementa�on of Firewalls & DDoS Protec�on Renewal of Digital Cer�ficates Logging and Monitoring Ac�vi�es Applica�on Security Lifecycle Mul�-�er Applica�on Architecture Threat Modeling Approach Security Tes�ng Ac�vity Monitoring Mechanism Security Controls for Digital Payment Applica�ons Authen�ca�on Framework Mul�-factor Authen�ca�on Authentica�on A�empts System Fraud Management System Alerts Fraud Analysis Mechanism Train Staff Incident Response Reconcilia�on Mechanism Real-�me reconcilia�on Mechanism Customer Protec�on, Awareness, Grievance Redressal Mechanism Usage Guidelines & Training Material Update & Educate Customers Mechanism for Consumer Grievance & Redressal Mechanism for Alerts & No�fica�on CHAPTER III Internet Banking Security Controls Secure internet banking website System Time-outs Password Genera�on CHAPTER IV Mobile Applica�on Security Controls Mechanism for Reinstalling and Verifying Mobile Applica�on Controls for Mobile Applica�ons Device Binding Authentica� on & Re- authen�ca� on Mechanism Storage of Sensi�ve Data Security considera�ons CHAPTER V Card Payment Security Follow PCI Standards PCI P2PE Certified Terminal Installa�on Secure Card Payment Infrastructure Security Controls at HSM Security Controls at ATM’s Robust Surveillance/ Monitoring of Card Transac�ons Transac �on Limits Card Data Scanning Tools Digital Payment Security Controls In A Glance www.vistainfosec.com 06
1. Policy for Digital Payment Products & Services - The regulated entity is expected to have in place a comprehensive policy for the Digital Payment Products & Services approved by the Board of Directors and the Senior Management. The policy should explicitly con- tain payment security requirements covering the areas of functionality, security & performance of products and services. This would include having in place- 2. Risk management & Governance Program - Establish a robust Governance and Risk Management program for identifying, ana- lyzing, monitoring, and managing the specific risks. This would include having in place CHAPTER II Governance & Management of Security Risk Controls to protect the confidentiality of customer, data integrity of data and processes associated with the digital product/ services. Availability of requisite infrastructure. Process for capacity building and expansion with scalability. Minimal customer service disruption with high availability of systems/ channels. Compliance risk and Fraud risk assessment program. Performance monitoring systems Efficient and effective dispute resolution mechanism and handling of customer grievance. Adequate and appropriate review mechanism followed by swift cor- rective action. Mechanism for conducting User Acceptance Tests (UAT) in multiple stages before roll out, sign off from multiple stakeholders. Payment products built securely offering robust performance, safety, and consistency. Key performance indicators for assessing operational and security norms Quantitative benchmarks for evaluating the effectiveness of securi- ty built. 3. Controls for Monitoring the Activities of the Third Party - Regulated Entities who are dependent on third party service providers must have in place adequate measures to oversee and con- trols for monitoring the activities of the third party personnel. The enti- ties shall implement necessary measures in line with RBI guidelines on outsourcing to the third-party. 4. Risk Assessment - The Regulated entities are required to per- form Risk Assessment at regular intervals to ensure safety and security of digital payment products and associated processes and services. This is to ensure entities protect the integrity, confidentiality and security of the payment data and evaluate the resilience of their systems. They are also required to maintain database of all systems and applications stor- www.vistainfosec.com 07
Generic Security Controls ing customer data in the payment ecosystem and ensure compliance with applicable PCI standards in each of the systems. 5. Capacity Management Plan - Entities must have in place appropriate Capacity Management Plan to ensure the established digital payment infrastructure is robust, scalable and resilient to meet the grow- ing demands. 6. Data Recovery System & Procedure - Entities should have procedures to periodically test systems and applications that account data back-ups, and recovery pertaining to digital products and services to ensure there is no loss of transactions or audit-trails. 2. Storage of Sensitive Data - Web applications providing the digital payment prod- ucts and services should not store sensitive infor- mation to prevent compromise in the integrity of the data. 3. Implementation of Firewalls & DDoS Protection - Regulated Entities are required to implement Web Application Firewall (WAF) and DDoS mitigation techniques to secure the digital payment products and services. 4. Renewal of Digital Certificates - Digital certificates used in the ecosystem should be renewed on time by the Regulated Entities. 5. Logging and Monitoring Activi- ties - Mobile Application and Internet Banking Application should have effective logging and monitoring capabilities to track user activity, secu- rity changes and identify anomalous behavior and transactions. 1. Communication Protocols - Entities should adhere to a secure standards and implement appropriate level of encryption and security. www.vistainfosec.com 08
Application Security Lifecycle Authentication Framework Fraud Risk Management 1. Multi-tier Application Architecture - Entities must implement a multi-tier application architecture, segregating application, database and presentation layer adopting a secure by design practice for developing digital payment products and services. 2. Threat Modeling Approach - The Regulated entities must adopt and incorporate a threat modelling approach into their policies, processes, guidelines and procedures during the course of Application Lifecycle Management. 3. Security Testing - Entities must conduct various security testing including review of source code, Vulnerability Assessment (VA) and Pene- tration Testing (PT) of their digital payment applications at a regular inter- val to ensure that the application is secure. 4. Activity Monitoring Mechanism - Entities must imple- ment a mechanism to actively monitor non-genuine/ unauthorized/ mali- cious Payment Applications on app stores and webs and respond accord- ingly to bring them down. 5. Security controls for Digital Payment Applica- tions - Considering various OWASP standards, security and data pro- tection guidelines in ISO 12812, threat catalogues and guides developed by NIST, entities must accordingly deploy the best Security controls for digital payment applications. 1. Multi-factor Authentication - Entities should implement multi-factor authentication for payment through electronic modes and fund transfers. 2. Authentication Attempts - Regulated Entities should set maximum number of failed log-in or authentication attempts after which access to the digital payment product/ service shall be blocked. 1. System Alerts - Entities must have in place parameterized and monitored alert systems to alert the customers in case of failed authenti- cation, fund transfers, cash withdrawals, payments through electronic modes, adding new beneficiaries etc. 2. Fraud Analysis Mechanism - Fraud analysis mechanism must be in place to identify fraud occurrence and determine mechanism to prevent such frauds. 3. Train staff - Regular training should be provided to staff in the fraud control function to educate and train them with skills and areas of expertise in- www.vistainfosec.com 09
4. Incident Response - Regulated Enti- ties must have in place mechanism for handling and responding to Incidents related to payment ecosystem and mitigate the loss either to the customer or Regulated Entities. 1. Real-time Reconciliation Mecha- nism - Regulated Entities must establish an effective, real-time reconciliation mechanism (not later than 24 hours from the time of receipt of settlement file(s)) for all digital payment trans- actions between the Regulated Entities all other stakeholders such as payment system opera- tors, business correspondents, card networks, payment system processors, payment aggrega- tors, payment gateways, third party technology service providers, other participants, etc. This is for better detection and prevention of suspi- cious transactions. 1. Usage Guidelines & Training Material - Regulated Entities must provide usage guidelines and train- ing materials for end users and make it mandatory for users to go through secure guidelines. 2. Update and Educate Customers - Regulated entities must educate customers and keep them updated about the best usage practice of digital payment applications. 3. Mechanism for Consumer Grievance & Redressal - Entities are expected to have in place an effective mechanism for address- ing consumer grievance & redressal. This should include clearly specifying the respond timelines, process and procedure (with forms/ contact infor- mation, etc.) to lodge consumer grievances and a mechanism to keep this information periodically updated. 4. Mechanism for Alerts & Notification - Entities must estab- lish a mechanism for sending out immediate alerts and notification of fraudulent transactions for instant reporting to the corresponding benefi- ciary/ counterparty’s Regulated Entities. This is to accelerate early detec- tion and quickly trace the transaction trail and mitigate the loss to the defrauded customer at the earliest possible time. Fraud control tools and their usage; Investigative techniques and procedures; Cardholder and merchant education techniques to prevent fraud; Scheme/ Card operating regulations; Data processing and analysis and liaising or communicating with law enforcement agencies; Reconciliation Mechanism Customer Protection, Awareness and Grievance Redressal Mechanism www.vistainfosec.com 10
11 CHAPTER III Internet Banking Security Controls CHAPTER IV Mobile Application Security Controls 1. Secure Internet Banking Websites - Entitles must ensure securing the internet banking websites against authentica- tion-related attacks such as the DOS and brute force attacks by imple- ment additional levels of authentication such as adaptive authentica- tion, strong CAPTCHA (preferably with anti-bot features) with serv- er-side validation, etc. Further, measures to be taken to prevent DNS cache poisoning attacks and for secure handling of cookies. 2. System Time-outs - Establish a mechanism of automated time-out of a sessions after a fixed period of inactivity. 3. Password Generation - Entities must ensure secure genera- tion and dispatching of sensitive passwords with validity for a limited period from the date and time of its creation. 1. Mechanism for Reinstalling and Verifying Mobile Application - In case of detection of any anomalies or exceptions for which the mobile application was not programmed, there should be a process in place that reinstall a new version and verify the before the transactions are enabled. 2. Controls for Mobile Applications - Entities must implement the below mentioned controls for their mobile applica- tions - 3. Device Binding - Regulated Entities shall ensure Device Binding of Mobile Applications. 4. Authentication & Re-authentication Mecha- nism - Regulated Entities must have in place appropriate authentication and re-authentication mechanism. This would include - Device policy enforcement; Application secure download/ install; Deactivating older application versions in a phased but time bound manner and maintain only one version of the mobile application on a platform/ operating system; Storage of Customer Data; An alternatives to SMS-based OTP; Re-authentication for when the device or application remains unused for a designated period Authentication/ checks/ measures to identify new network connections or connections from unsecured networks like unsecured Wi-Fi connections. Device or Application Encryption; Ensuring minimal data collection/ app permissions; Application sandbox/ containerisation; Identify remote access applications and prohibit login access to the mobile application, as a matter of precaution; Code obfuscation. www.vistainfosec.com
PCI-PIN (secure management, processing, and transmission of personal identification number (PIN) data); PCI-PIN (secure management, processing, and transmission of personal identification number (PIN) data); PCI-PTS (security approval framework addresses the logical and/ or physical protection of cardholder and other sensitive data at point of interaction (POI) devices and hardware security modules (HSMs); PCI-HSM (securing cardholder-authentication applications and processes including key generation, key injection, PIN verification, secure encryption algorithm, etc.); and PCI-P2PE (security standard that requires payment card information to be encrypted instantly upon its initial swipe and then securely transferred directly to the payment processor). 5. Storage of Sensitive Data - Mobile Application should not store/ retain sensitive personal/ consumer authentication information such as user IDs, passwords, keys, hashes, hard coded references on the device and the application should securely wipe any sensitive customer informa- tion from memory when the customer/ user exits the application. 6. Security considerations - Entities must design anti-malware capabilities and secure the mobile application against vulnerabilities like SQL injection. 2. PCI P2PE Certified Terminal Installation - Entities should install terminals at merchant sites that are PCI P2PE certified. 3. Secure Card Payment Infrastructure - Acquirers shall secure their card payment infrastructure with Unique Key Per Terminal (UKPT) or Derived Unique Key Per Transaction (DUKPT)/ Terminal Line Encryption (TLE). 1. Follow PCI Standards - Regulated Entities are expected to follow various PCI Standards applicable to them which includes - www.vistainfosec.com 12 CHAPTER V Card Payment Security
4. Security Controls at HSM - The Security Controls expected to be implemented at HSM include - 5. Security Controls at ATM’s - The Security Controls expected to be implemented at ATM’s include – 6. Robust Surveillance/ Monitoring of Card Transactions- Entities must institute a mechanism to monitor breaches, if any, on a 24x7 basis, including weekends, long holidays and have in place a robust incident response mechanism to mitigate the fraud loss, on account of suspicious transactions. 7. Transaction Limits - Entities must have in place transaction limits for domestic and international transactions at Card, BIN as well as at the Regulated Entities levels, set at the card network switch itself. 8. Card Data Scanning Tools – Entities must adopt card data scanning tools to identify unencrypted pay- ments card data in their ecosystem and adhere the following safety mea- sures - Log Management Access Control Management Secure Key Management. BIOS password Latest Patches of Operating System Anti-Skimming & Whitelisting Solution Test tools to understand the scope, impact and its capabilities in a test environment. Scan tools should be installed in the Regulated Entities premises and devices. Card data scanning should not be done remotely. Exportable card data must be appropriately masked. No data, which is even masked, must be taken out of the RE’s premises/ infrastructure. Limited access to service providers to conduct the scan or analyze the data or provide only on entities device. www.vistainfosec.com 13
www.vistainfosec.com Going Ahead with the Master Direction Plan of Action for Businesses - Businesses should initially conduct a basic assessment of their Digital Payment Ecosystem to understand where they stand with their existing Compliance Program in place. The key to achieving Compliance is understanding your Digital Payment Ecosystem and accordingly establishing security measures aligning with the new Master Direction. Again, for those businesses that are compliant to some or most of the international standards like PCI, NIST, ISO, OWASP, etc should map their Compliance Program with the RBI’s Master Direction to determine the GAP areas. For your business to stay ahead in the industry, understanding the law is crucial Gaining such insight will help you design a compliance program that aligns well with your business and compliance goals, making the road ahead for Compliance more achievable. Preparing ahead of the time before the new master direction comes into effect will save you from the last minute hassle. The earlier your business takes steps towards initiating the Digital Payment Security Program, your business will be in a far better position to deal with the regulation when it comes into effect. We also recommend businesses to approach an experienced Cyber Security Consulting firm for assisting you in navigating through the process. Consulting an expert from the industry will help your business make an informed decision when designing a Digital Payment Security Program. 14
VISTA lnfoSec is a Global Cyber Security Consulting firm offering exceptional Cyber Security Consulting & Audit Service, Regulat- ory & Compliance Consulting Services and Infrastructure Advisory Solutions. With stro- ng industrial presence since 2004, we have been serving clients from across the world with our robust, end-to-end security services and solutions. We are a 100% vendor neut- ral company with strict no outsourcing policy and built on our core values of strict code of ethics, transparency and professionalism. About Us www.vistainfosec.com
OUR SERVICES OFFERINGS www.vistainfosec.com Compliance & Governance • SOC 1 Consulting & Audit • SOC 2 Consulting & Audit • PCI DSS Advisory and Certification • PCI PIN Advisory and Certification • PA SSF Advisory and Certification • ISO 27001 Advisory and Certification • ISO 20000 Advisory and Certification • Business Continuity Management (ISO22301) • Cloud Risk CCM / CStar / ISO27017 • lnformation Security Audit • Software License Audit • ATM Security Assessment Regulatory And Compliance • GDPR Consulting and Audit • HIPAA Consulting and Audit • CCPA Consulting and Audit • NESA Consulting and Audit • MAS-TRM Consulting and Audit • NCA ECC Compliance • SAMA Compliance Managed Service • Adaptive Security Managment Pro gram • DPO Consultancy Services • CISO Advisory • Managed Compliance Services • Managed Security Services IT Audit & Advisory • Infrastructure Audit • Infrastructure Design & Advisory • Datacenter Design & Consultancy Services Training & Skill Development • Training & Skill Development Technical Assessment • Vulnerability Assessment • Penetration Testing • Web App Security Assessment • Mobile Security Assessment • Thick Client Application Security Assessment • Virtualization Risk Assessment • Secure Configuration Assessment • Source Code Review
OUR OFFICES SINGAPORE INDIA UK USA VISTA INFOSEC LLC 24007 VENTURA BLVD SUITE 285 CALABASAS CA 91302 +1-415-513-5261 USSALES@VISTAINFOSEC.COM SGSALES@VISTAINFOSEC.COM SALES@VISTAINFOSEC.COM UKSALES@VISTAINFOSEC.COM VISTA INFOS EC PTE. LTD 20 COLLYER QUAY #09-01 20 COLLYER QUAY SINGAPORE (049319) VISTA INFOSEC PVT. LTD 001, NORTH WING, 2ND FLOOR, NEOSHINE HOUSE, LINK ROAD, ANDHERI (W) MUMBAI - 400053 6 AMBER COURT GOLDSMITH CLOSE HARROW, GREATER LONDON UNITED KINGDOM HA20EZ +65-3129-0397 +91 99872 44769 +447405816761 +91-22-26300683 www.vistainfosec.com
CONTACT US US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 W: www.vistainfosec.com| E: info@vistainfosec.com You can reach us on Webinar : RBI’s Master Direction on Digital Payment Security Controls RBI’s Master Direction on Digital Payment Security Controls

Recommended

Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application
Controls for Digital Signature (e-Sign) Cloud Network & eCommerce ApplicationControls for Digital Signature (e-Sign) Cloud Network & eCommerce Application
Controls for Digital Signature (e-Sign) Cloud Network & eCommerce ApplicationMufaddal Nullwala
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
NEC Public Safety | Digital Identity for Banks
NEC Public Safety | Digital Identity for BanksNEC Public Safety | Digital Identity for Banks
NEC Public Safety | Digital Identity for BanksNEC Public Safety
 
01 introduction-to-digital-finance
01 introduction-to-digital-finance01 introduction-to-digital-finance
01 introduction-to-digital-financeinnov-acts-ltd
 
Tech stocks to buy - Top small cap tech stocks
Tech stocks to buy - Top small cap tech stocksTech stocks to buy - Top small cap tech stocks
Tech stocks to buy - Top small cap tech stocksHigh Return Investments
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsAnalysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsIJERD Editor
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 

Recommended

Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application
Controls for Digital Signature (e-Sign) Cloud Network & eCommerce ApplicationControls for Digital Signature (e-Sign) Cloud Network & eCommerce Application
Controls for Digital Signature (e-Sign) Cloud Network & eCommerce ApplicationMufaddal Nullwala
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
NEC Public Safety | Digital Identity for Banks
NEC Public Safety | Digital Identity for BanksNEC Public Safety | Digital Identity for Banks
NEC Public Safety | Digital Identity for BanksNEC Public Safety
 
01 introduction-to-digital-finance
01 introduction-to-digital-finance01 introduction-to-digital-finance
01 introduction-to-digital-financeinnov-acts-ltd
 
Tech stocks to buy - Top small cap tech stocks
Tech stocks to buy - Top small cap tech stocksTech stocks to buy - Top small cap tech stocks
Tech stocks to buy - Top small cap tech stocksHigh Return Investments
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Analysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsAnalysis of Security Algorithms used in E-Commerce and ATM Transactions
Analysis of Security Algorithms used in E-Commerce and ATM TransactionsIJERD Editor
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015TransUnion
 
We Authenticate the World
We Authenticate the WorldWe Authenticate the World
We Authenticate the WorldVASCO Data Security
 
Privacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital AgePrivacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital AgeAgile Financial Technologies
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorVijayananda Mohire
 
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedPSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedTransUnion
 
Io t security market
Io t security marketIo t security market
Io t security marketdanishsmith01
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011Andris Soroka
 
mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...GSMA Mobile for Development
 
How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaMyOnlineCA.in
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
FinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial HealthFinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial HealthJohn Owens
 
fn_sun_readiminds
fn_sun_readimindsfn_sun_readiminds
fn_sun_readimindsNagesh KP
 
white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014Hugo Montiel
 
LastPass 2021
LastPass 2021LastPass 2021
LastPass 2021Bruce Ma
 
Digital Threats: Scenarios Exercise
Digital Threats: Scenarios ExerciseDigital Threats: Scenarios Exercise
Digital Threats: Scenarios ExerciseElena Kvochko
 
Separation strategy presentation
Separation strategy presentationSeparation strategy presentation
Separation strategy presentationInvestorSymantec
 
IRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain TechnologyIRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain TechnologyIRJET Journal
 
IRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face RecognitionIRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face RecognitionIRJET Journal
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Nigeria.pdf
Nigeria.pdfNigeria.pdf
Nigeria.pdfAlemayehu
 
Digital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME BakingDigital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME Bakingaakash malhotra
 

More Related Content

What's hot

Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015TransUnion
 
Privacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital AgePrivacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital AgeAgile Financial Technologies
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorVijayananda Mohire
 
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedPSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedTransUnion
 
Io t security market
Io t security marketIo t security market
Io t security marketdanishsmith01
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011Andris Soroka
 
mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...GSMA Mobile for Development
 
How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaMyOnlineCA.in
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
FinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial HealthFinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial HealthJohn Owens
 
fn_sun_readiminds
fn_sun_readimindsfn_sun_readiminds
fn_sun_readimindsNagesh KP
 
white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014Hugo Montiel
 
LastPass 2021
LastPass 2021LastPass 2021
LastPass 2021Bruce Ma
 
Digital Threats: Scenarios Exercise
Digital Threats: Scenarios ExerciseDigital Threats: Scenarios Exercise
Digital Threats: Scenarios ExerciseElena Kvochko
 
Separation strategy presentation
Separation strategy presentationSeparation strategy presentation
Separation strategy presentationInvestorSymantec
 
IRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain TechnologyIRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain TechnologyIRJET Journal
 
IRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face RecognitionIRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face RecognitionIRJET Journal
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 

What's hot (20)

Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015Mobile Banking Security Risks and Consequences iovation2015
Mobile Banking Security Risks and Consequences iovation2015
 
We Authenticate the World
We Authenticate the WorldWe Authenticate the World
We Authenticate the World
 
Privacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital AgePrivacy & Security Challenges Faced By Financial Services In The Digital Age
Privacy & Security Challenges Faced By Financial Services In The Digital Age
 
Bhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sectorBhadale group of companies- services catalogue for banking and financial sector
Bhadale group of companies- services catalogue for banking and financial sector
 
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – DecodedPSD2, SCA and the EBA’s Opinion on SCA – Decoded
PSD2, SCA and the EBA’s Opinion on SCA – Decoded
 
Io t security market
Io t security marketIo t security market
Io t security market
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
 
mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...mAgri Webinar: Mobile market information systems for farmers: requirements fo...
mAgri Webinar: Mobile market information systems for farmers: requirements fo...
 
How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in India
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
FinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial HealthFinTech Applications & Tools for Financial Health
FinTech Applications & Tools for Financial Health
 
fn_sun_readiminds
fn_sun_readimindsfn_sun_readiminds
fn_sun_readiminds
 
white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014white paper - WN - Montiroing 2014
white paper - WN - Montiroing 2014
 
LastPass 2021
LastPass 2021LastPass 2021
LastPass 2021
 
Digital Threats: Scenarios Exercise
Digital Threats: Scenarios ExerciseDigital Threats: Scenarios Exercise
Digital Threats: Scenarios Exercise
 
Separation strategy presentation
Separation strategy presentationSeparation strategy presentation
Separation strategy presentation
 
IRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain TechnologyIRJET- Secure Banking System using Block Chain Technology
IRJET- Secure Banking System using Block Chain Technology
 
IRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face RecognitionIRJET- A Mobile Payment System Based on Face Recognition
IRJET- A Mobile Payment System Based on Face Recognition
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 

Similar to RBI’s Master Direction on Digital Payment Security Controls

Digital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME BakingDigital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME Bakingaakash malhotra
 
Why Is Quality Assurance So Important in Banking Systems.pptx
Why Is Quality Assurance So Important in Banking Systems.pptxWhy Is Quality Assurance So Important in Banking Systems.pptx
Why Is Quality Assurance So Important in Banking Systems.pptxMaveric Systems
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer AuthenticationIRJET Journal
 
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYS
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYSUNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYS
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYSIRJET Journal
 
Why banks need to race ahead in cloud adoption - Finacle
Why banks need to race ahead in cloud adoption - FinacleWhy banks need to race ahead in cloud adoption - Finacle
Why banks need to race ahead in cloud adoption - Finaclenehapaul23
 
5. Core Banking System
5. Core Banking System5. Core Banking System
5. Core Banking SystemAshish Desai
 
BANKING INNOVATIONS THROUGH TECHNOLOGY
BANKING INNOVATIONS THROUGH TECHNOLOGYBANKING INNOVATIONS THROUGH TECHNOLOGY
BANKING INNOVATIONS THROUGH TECHNOLOGYPARAMASIVANCHELLIAH
 
Banking Management System Synopsys
Banking Management System SynopsysBanking Management System Synopsys
Banking Management System SynopsysMr. Moms
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...Smart Payment Association
 
Best E-Wallet Mobile Application Development - CodeStore Technologies
Best E-Wallet Mobile Application Development - CodeStore TechnologiesBest E-Wallet Mobile Application Development - CodeStore Technologies
Best E-Wallet Mobile Application Development - CodeStore TechnologiesCodeStore Technologies Pvt Ltd
 
Corporate governance and business ethics
Corporate governance and business ethicsCorporate governance and business ethics
Corporate governance and business ethicsShreyaSingh517783
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityMike Lemire
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxITIO Innovex
 
Five Financial Industry Objectives for Catalyzing Order from Chaos
Five Financial Industry Objectives for Catalyzing Order from ChaosFive Financial Industry Objectives for Catalyzing Order from Chaos
Five Financial Industry Objectives for Catalyzing Order from ChaosCognizant
 
Furture_of_banking
Furture_of_bankingFurture_of_banking
Furture_of_bankingrclalwani
 

Similar to RBI’s Master Direction on Digital Payment Security Controls (20)

Nigeria.pdf
Nigeria.pdfNigeria.pdf
Nigeria.pdf
 
Digital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME BakingDigital Innovations | Retail & SME Baking
Digital Innovations | Retail & SME Baking
 
Why Is Quality Assurance So Important in Banking Systems.pptx
Why Is Quality Assurance So Important in Banking Systems.pptxWhy Is Quality Assurance So Important in Banking Systems.pptx
Why Is Quality Assurance So Important in Banking Systems.pptx
 
Application on Know Your Customer Authentication
Application on Know Your Customer AuthenticationApplication on Know Your Customer Authentication
Application on Know Your Customer Authentication
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYS
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYSUNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYS
UNVEILING THE WORLD OF ONLINE PAYMENT GATEWAYS
 
Why banks need to race ahead in cloud adoption - Finacle
Why banks need to race ahead in cloud adoption - FinacleWhy banks need to race ahead in cloud adoption - Finacle
Why banks need to race ahead in cloud adoption - Finacle
 
5. Core Banking System
5. Core Banking System5. Core Banking System
5. Core Banking System
 
BANKING INNOVATIONS THROUGH TECHNOLOGY
BANKING INNOVATIONS THROUGH TECHNOLOGYBANKING INNOVATIONS THROUGH TECHNOLOGY
BANKING INNOVATIONS THROUGH TECHNOLOGY
 
Banking Management System Synopsys
Banking Management System SynopsysBanking Management System Synopsys
Banking Management System Synopsys
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
 
Best E-Wallet Mobile Application Development - CodeStore Technologies
Best E-Wallet Mobile Application Development - CodeStore TechnologiesBest E-Wallet Mobile Application Development - CodeStore Technologies
Best E-Wallet Mobile Application Development - CodeStore Technologies
 
Corporate governance and business ethics
Corporate governance and business ethicsCorporate governance and business ethics
Corporate governance and business ethics
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on security
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
Five Financial Industry Objectives for Catalyzing Order from Chaos
Five Financial Industry Objectives for Catalyzing Order from ChaosFive Financial Industry Objectives for Catalyzing Order from Chaos
Five Financial Industry Objectives for Catalyzing Order from Chaos
 
E Banking
E BankingE Banking
E Banking
 
Furture_of_banking
Furture_of_bankingFurture_of_banking
Furture_of_banking
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

RBI’s Master Direction on Digital Payment Security Controls

  • 1. RBI’s Master Direction on Digital Payment Security Controls RBI’s Master Direction on Digital Payment Security Controls W: www.vistainfosec.com E: info@vistainfosec.com US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA | USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
  • 2. Introduction Given the dynamic digital landscape and skyrocket -ing online payment transactions, the industry has witne -ssed huge spike in cybercrimes. Addressing the growing need for stringent digital payment security controls in the industr- y, RBI recently issued a comprehensive Master Direction for organiza- tions to follow. The Master Direction works as a guideline for organiza- tions to improve the security, and governance of payment gateways, wallets, and other digital payment transactions that they deal with on a day-to-day basis. The guidelines will help organizations establish a robust digital pay- ment system and implement effective standards of security controls for online payments. With this Master Direction, it is now expected that entities like banks and NBFC’s emphasise on their quality of gover- nance, risk management, and internal security controls for establishing a safer digital payment environment. The issued guidelines specify security protocols to be implemented in mobile applications, internet banking, and card payments by scheduled commercial banks, small financial and payment banks, and card issuing institutes. The Master Direction is issued at crucial time when the financial indus- try is in the mid of its rapid digital transformation and evolving security landscape. The guidelines issued is a technological and applica- tion-based framework that improves the digital payment environment for customers to securely embrace the evolving digitization of the finan- cial industry. While this initiative is seen as a positive move to towards strengthening the regulations and supervision, it is yet to be seen as to how the enforcement of the security framework takes it course. Topics Covered Introduction Sr. No. Pg. No. Titles 01. Key Highlights of Master Direction 02. Applicability of the Master Direction 03. Key Areas Covered in the Master Direction 04. Digital Payment Security Controls in a Glance 05. Chapter II 06. Chapter III 07. Chapter IV 08. Chapter V 09. 10. Going Ahead with the Master Direction Plan of Action & Key Recommendat- ions for Businesses 02 03 03 04 06 07 11 11 12 14 www.vistainfosec.com 02
  • 3. Key Highlights of the Master Direction It provides a comprehensive governance structure and mini- mum-security control standards for systems like internet bank- ing, mobile banking, card payment, etc. Scheduled Commercial Banks (excluding Regional Rural Banks) Timeline Objective of the Master Direction It is a Standard driven by secure and robust security gover- nance controls of international standards and guidelines like OWASP, NIST, ISO, PCI to name a few. It contains requirements for strong governance, implementa- tion, and monitoring of security control standards by sched- uled commercial banks, small financial and payment banks, and card issuing institutes. The Master Directions will also have implications on the third-party payment applications such as Google Pay, Pho- nePe, etc. RBI’s Master Direction covers a diverse area, including import- ant security controls concerning the Governance and Manage- ment of Security Risks, Generic Security Controls, Application Security Life Cycle (ASLC), Authentication Framework, Fraud Risk Management, Reconciliation Mechanism, Customer Pro- tection, Awareness and Grievance Redressal Mechanism relat- ed to Internet Banking, Mobile Payments Application Security Controls, and Card Payments Security. It will come into effect on August which is six months from the day they are placed on the official website of the Reserve Bank of India (RBI). The timeline would be with immediate effect from thereon. Small Finance Banks Payments Banks Credit card issuing NBFCs. The guideline aims is to strengthen the regulations and supervision of non-cash, digital payments in the industry. Improve the security, and gov- ernance of payment gateways, wallets, and other digital pay- ment transactions. Applicability of the Master Direction It provides a comprehensive gover- nance structure and minimum-securi- ty control standards for systems like internet banking, mobile banking, card payment, etc. Typically speaking the issued guide- lines will also affect the business models of several payment gateways. The directions will have implications on third-party payment applications such as Google Pay, PhonePe, etc. The guidelines is set to come into full effect from August 2021 (6 months post-release of the guidelines) www.vistainfosec.com 03
  • 4. The guideline aims is to strengthen the regulations and supervision of non-cash, digital payments in the industry. Improve the security, and governance of payment gateways, wallets, and other digital payment trans- actions. Aims to ensure regulated entities prioritize and focus on the quality of governance, risk manage- ment, and internal security controls for building a safer digital payment environment. Strengthen and improve the internal grievance redress mechanism with enhanced disclosures on customer complaints. Overall, aim is to ensure secure online payment transactions and prevent incidents of a data breach, theft, or data leakage of sensitive customer information. Effective implementation and monitoring of certain minimum standards on security controls. The Master Direction is a detailed 21-page dossier issued by the RBI which specifies security protocols to be implemented in mobile applica- The Master Direction is a detailed 21-page dossier issued by the RBI which specifies security pro tocols to be implemented in mobile appli cations, internet banking, and card payments by scheduled com- mercial banks, small finan- cial and payment banks, and card issuing institutes. The guide line includes spe- cifications on diverse areas, including important Securi- ty Controls concerning:- Key Areas Covered in the RBI’s Master Direction www.vistainfosec.com 04
  • 5. Governance and Management of Security Risks Generic Security Controls Application Security Life Cycle (ASLC) Authentication Framework Fraud Risk Management, Reconciliation Mechanism Customer Protection Awareness and Grievance Redressal Mechanism related to Internet Banking, Mobile Payments Application Security Controls, and Card Payments Security. Special emphasis on following various Payment Card Security Stan- dards as per Payment Card Industry (PCI). RBI aims to push the regulated financial institutes and NBFC’s to improve the overall operations, security controls and customer care services. www.vistainfosec.com 05
  • 6. Digital Payment Security Controls CHAPTER II Governance & Management of Security Risks Policy for Digital Payment Products & Services Risk Management & Governance Program Controls for Monitoring the Ac�vi�es of the Third Party Risk Assessment Capacity Management Plan Data Recovery System & Procedure Generic Security Controls Communica�on Protocols Storage of Sensi�ve Data Implementa�on of Firewalls & DDoS Protec�on Renewal of Digital Cer�ficates Logging and Monitoring Ac�vi�es Applica�on Security Lifecycle Mul�-�er Applica�on Architecture Threat Modeling Approach Security Tes�ng Ac�vity Monitoring Mechanism Security Controls for Digital Payment Applica�ons Authen�ca�on Framework Mul�-factor Authen�ca�on Authentica�on A�empts System Fraud Management System Alerts Fraud Analysis Mechanism Train Staff Incident Response Reconcilia�on Mechanism Real-�me reconcilia�on Mechanism Customer Protec�on, Awareness, Grievance Redressal Mechanism Usage Guidelines & Training Material Update & Educate Customers Mechanism for Consumer Grievance & Redressal Mechanism for Alerts & No�fica�on CHAPTER III Internet Banking Security Controls Secure internet banking website System Time-outs Password Genera�on CHAPTER IV Mobile Applica�on Security Controls Mechanism for Reinstalling and Verifying Mobile Applica�on Controls for Mobile Applica�ons Device Binding Authentica� on & Re- authen�ca� on Mechanism Storage of Sensi�ve Data Security considera�ons CHAPTER V Card Payment Security Follow PCI Standards PCI P2PE Certified Terminal Installa�on Secure Card Payment Infrastructure Security Controls at HSM Security Controls at ATM’s Robust Surveillance/ Monitoring of Card Transac�ons Transac �on Limits Card Data Scanning Tools Digital Payment Security Controls In A Glance www.vistainfosec.com 06
  • 7. 1. Policy for Digital Payment Products & Services - The regulated entity is expected to have in place a comprehensive policy for the Digital Payment Products & Services approved by the Board of Directors and the Senior Management. The policy should explicitly con- tain payment security requirements covering the areas of functionality, security & performance of products and services. This would include having in place- 2. Risk management & Governance Program - Establish a robust Governance and Risk Management program for identifying, ana- lyzing, monitoring, and managing the specific risks. This would include having in place CHAPTER II Governance & Management of Security Risk Controls to protect the confidentiality of customer, data integrity of data and processes associated with the digital product/ services. Availability of requisite infrastructure. Process for capacity building and expansion with scalability. Minimal customer service disruption with high availability of systems/ channels. Compliance risk and Fraud risk assessment program. Performance monitoring systems Efficient and effective dispute resolution mechanism and handling of customer grievance. Adequate and appropriate review mechanism followed by swift cor- rective action. Mechanism for conducting User Acceptance Tests (UAT) in multiple stages before roll out, sign off from multiple stakeholders. Payment products built securely offering robust performance, safety, and consistency. Key performance indicators for assessing operational and security norms Quantitative benchmarks for evaluating the effectiveness of securi- ty built. 3. Controls for Monitoring the Activities of the Third Party - Regulated Entities who are dependent on third party service providers must have in place adequate measures to oversee and con- trols for monitoring the activities of the third party personnel. The enti- ties shall implement necessary measures in line with RBI guidelines on outsourcing to the third-party. 4. Risk Assessment - The Regulated entities are required to per- form Risk Assessment at regular intervals to ensure safety and security of digital payment products and associated processes and services. This is to ensure entities protect the integrity, confidentiality and security of the payment data and evaluate the resilience of their systems. They are also required to maintain database of all systems and applications stor- www.vistainfosec.com 07
  • 8. Generic Security Controls ing customer data in the payment ecosystem and ensure compliance with applicable PCI standards in each of the systems. 5. Capacity Management Plan - Entities must have in place appropriate Capacity Management Plan to ensure the established digital payment infrastructure is robust, scalable and resilient to meet the grow- ing demands. 6. Data Recovery System & Procedure - Entities should have procedures to periodically test systems and applications that account data back-ups, and recovery pertaining to digital products and services to ensure there is no loss of transactions or audit-trails. 2. Storage of Sensitive Data - Web applications providing the digital payment prod- ucts and services should not store sensitive infor- mation to prevent compromise in the integrity of the data. 3. Implementation of Firewalls & DDoS Protection - Regulated Entities are required to implement Web Application Firewall (WAF) and DDoS mitigation techniques to secure the digital payment products and services. 4. Renewal of Digital Certificates - Digital certificates used in the ecosystem should be renewed on time by the Regulated Entities. 5. Logging and Monitoring Activi- ties - Mobile Application and Internet Banking Application should have effective logging and monitoring capabilities to track user activity, secu- rity changes and identify anomalous behavior and transactions. 1. Communication Protocols - Entities should adhere to a secure standards and implement appropriate level of encryption and security. www.vistainfosec.com 08
  • 9. Application Security Lifecycle Authentication Framework Fraud Risk Management 1. Multi-tier Application Architecture - Entities must implement a multi-tier application architecture, segregating application, database and presentation layer adopting a secure by design practice for developing digital payment products and services. 2. Threat Modeling Approach - The Regulated entities must adopt and incorporate a threat modelling approach into their policies, processes, guidelines and procedures during the course of Application Lifecycle Management. 3. Security Testing - Entities must conduct various security testing including review of source code, Vulnerability Assessment (VA) and Pene- tration Testing (PT) of their digital payment applications at a regular inter- val to ensure that the application is secure. 4. Activity Monitoring Mechanism - Entities must imple- ment a mechanism to actively monitor non-genuine/ unauthorized/ mali- cious Payment Applications on app stores and webs and respond accord- ingly to bring them down. 5. Security controls for Digital Payment Applica- tions - Considering various OWASP standards, security and data pro- tection guidelines in ISO 12812, threat catalogues and guides developed by NIST, entities must accordingly deploy the best Security controls for digital payment applications. 1. Multi-factor Authentication - Entities should implement multi-factor authentication for payment through electronic modes and fund transfers. 2. Authentication Attempts - Regulated Entities should set maximum number of failed log-in or authentication attempts after which access to the digital payment product/ service shall be blocked. 1. System Alerts - Entities must have in place parameterized and monitored alert systems to alert the customers in case of failed authenti- cation, fund transfers, cash withdrawals, payments through electronic modes, adding new beneficiaries etc. 2. Fraud Analysis Mechanism - Fraud analysis mechanism must be in place to identify fraud occurrence and determine mechanism to prevent such frauds. 3. Train staff - Regular training should be provided to staff in the fraud control function to educate and train them with skills and areas of expertise in- www.vistainfosec.com 09
  • 10. 4. Incident Response - Regulated Enti- ties must have in place mechanism for handling and responding to Incidents related to payment ecosystem and mitigate the loss either to the customer or Regulated Entities. 1. Real-time Reconciliation Mecha- nism - Regulated Entities must establish an effective, real-time reconciliation mechanism (not later than 24 hours from the time of receipt of settlement file(s)) for all digital payment trans- actions between the Regulated Entities all other stakeholders such as payment system opera- tors, business correspondents, card networks, payment system processors, payment aggrega- tors, payment gateways, third party technology service providers, other participants, etc. This is for better detection and prevention of suspi- cious transactions. 1. Usage Guidelines & Training Material - Regulated Entities must provide usage guidelines and train- ing materials for end users and make it mandatory for users to go through secure guidelines. 2. Update and Educate Customers - Regulated entities must educate customers and keep them updated about the best usage practice of digital payment applications. 3. Mechanism for Consumer Grievance & Redressal - Entities are expected to have in place an effective mechanism for address- ing consumer grievance & redressal. This should include clearly specifying the respond timelines, process and procedure (with forms/ contact infor- mation, etc.) to lodge consumer grievances and a mechanism to keep this information periodically updated. 4. Mechanism for Alerts & Notification - Entities must estab- lish a mechanism for sending out immediate alerts and notification of fraudulent transactions for instant reporting to the corresponding benefi- ciary/ counterparty’s Regulated Entities. This is to accelerate early detec- tion and quickly trace the transaction trail and mitigate the loss to the defrauded customer at the earliest possible time. Fraud control tools and their usage; Investigative techniques and procedures; Cardholder and merchant education techniques to prevent fraud; Scheme/ Card operating regulations; Data processing and analysis and liaising or communicating with law enforcement agencies; Reconciliation Mechanism Customer Protection, Awareness and Grievance Redressal Mechanism www.vistainfosec.com 10
  • 11. 11 CHAPTER III Internet Banking Security Controls CHAPTER IV Mobile Application Security Controls 1. Secure Internet Banking Websites - Entitles must ensure securing the internet banking websites against authentica- tion-related attacks such as the DOS and brute force attacks by imple- ment additional levels of authentication such as adaptive authentica- tion, strong CAPTCHA (preferably with anti-bot features) with serv- er-side validation, etc. Further, measures to be taken to prevent DNS cache poisoning attacks and for secure handling of cookies. 2. System Time-outs - Establish a mechanism of automated time-out of a sessions after a fixed period of inactivity. 3. Password Generation - Entities must ensure secure genera- tion and dispatching of sensitive passwords with validity for a limited period from the date and time of its creation. 1. Mechanism for Reinstalling and Verifying Mobile Application - In case of detection of any anomalies or exceptions for which the mobile application was not programmed, there should be a process in place that reinstall a new version and verify the before the transactions are enabled. 2. Controls for Mobile Applications - Entities must implement the below mentioned controls for their mobile applica- tions - 3. Device Binding - Regulated Entities shall ensure Device Binding of Mobile Applications. 4. Authentication & Re-authentication Mecha- nism - Regulated Entities must have in place appropriate authentication and re-authentication mechanism. This would include - Device policy enforcement; Application secure download/ install; Deactivating older application versions in a phased but time bound manner and maintain only one version of the mobile application on a platform/ operating system; Storage of Customer Data; An alternatives to SMS-based OTP; Re-authentication for when the device or application remains unused for a designated period Authentication/ checks/ measures to identify new network connections or connections from unsecured networks like unsecured Wi-Fi connections. Device or Application Encryption; Ensuring minimal data collection/ app permissions; Application sandbox/ containerisation; Identify remote access applications and prohibit login access to the mobile application, as a matter of precaution; Code obfuscation. www.vistainfosec.com
  • 12. PCI-PIN (secure management, processing, and transmission of personal identification number (PIN) data); PCI-PIN (secure management, processing, and transmission of personal identification number (PIN) data); PCI-PTS (security approval framework addresses the logical and/ or physical protection of cardholder and other sensitive data at point of interaction (POI) devices and hardware security modules (HSMs); PCI-HSM (securing cardholder-authentication applications and processes including key generation, key injection, PIN verification, secure encryption algorithm, etc.); and PCI-P2PE (security standard that requires payment card information to be encrypted instantly upon its initial swipe and then securely transferred directly to the payment processor). 5. Storage of Sensitive Data - Mobile Application should not store/ retain sensitive personal/ consumer authentication information such as user IDs, passwords, keys, hashes, hard coded references on the device and the application should securely wipe any sensitive customer informa- tion from memory when the customer/ user exits the application. 6. Security considerations - Entities must design anti-malware capabilities and secure the mobile application against vulnerabilities like SQL injection. 2. PCI P2PE Certified Terminal Installation - Entities should install terminals at merchant sites that are PCI P2PE certified. 3. Secure Card Payment Infrastructure - Acquirers shall secure their card payment infrastructure with Unique Key Per Terminal (UKPT) or Derived Unique Key Per Transaction (DUKPT)/ Terminal Line Encryption (TLE). 1. Follow PCI Standards - Regulated Entities are expected to follow various PCI Standards applicable to them which includes - www.vistainfosec.com 12 CHAPTER V Card Payment Security
  • 13. 4. Security Controls at HSM - The Security Controls expected to be implemented at HSM include - 5. Security Controls at ATM’s - The Security Controls expected to be implemented at ATM’s include – 6. Robust Surveillance/ Monitoring of Card Transactions- Entities must institute a mechanism to monitor breaches, if any, on a 24x7 basis, including weekends, long holidays and have in place a robust incident response mechanism to mitigate the fraud loss, on account of suspicious transactions. 7. Transaction Limits - Entities must have in place transaction limits for domestic and international transactions at Card, BIN as well as at the Regulated Entities levels, set at the card network switch itself. 8. Card Data Scanning Tools – Entities must adopt card data scanning tools to identify unencrypted pay- ments card data in their ecosystem and adhere the following safety mea- sures - Log Management Access Control Management Secure Key Management. BIOS password Latest Patches of Operating System Anti-Skimming & Whitelisting Solution Test tools to understand the scope, impact and its capabilities in a test environment. Scan tools should be installed in the Regulated Entities premises and devices. Card data scanning should not be done remotely. Exportable card data must be appropriately masked. No data, which is even masked, must be taken out of the RE’s premises/ infrastructure. Limited access to service providers to conduct the scan or analyze the data or provide only on entities device. www.vistainfosec.com 13
  • 14. www.vistainfosec.com Going Ahead with the Master Direction Plan of Action for Businesses - Businesses should initially conduct a basic assessment of their Digital Payment Ecosystem to understand where they stand with their existing Compliance Program in place. The key to achieving Compliance is understanding your Digital Payment Ecosystem and accordingly establishing security measures aligning with the new Master Direction. Again, for those businesses that are compliant to some or most of the international standards like PCI, NIST, ISO, OWASP, etc should map their Compliance Program with the RBI’s Master Direction to determine the GAP areas. For your business to stay ahead in the industry, understanding the law is crucial Gaining such insight will help you design a compliance program that aligns well with your business and compliance goals, making the road ahead for Compliance more achievable. Preparing ahead of the time before the new master direction comes into effect will save you from the last minute hassle. The earlier your business takes steps towards initiating the Digital Payment Security Program, your business will be in a far better position to deal with the regulation when it comes into effect. We also recommend businesses to approach an experienced Cyber Security Consulting firm for assisting you in navigating through the process. Consulting an expert from the industry will help your business make an informed decision when designing a Digital Payment Security Program. 14
  • 15. VISTA lnfoSec is a Global Cyber Security Consulting firm offering exceptional Cyber Security Consulting & Audit Service, Regulat- ory & Compliance Consulting Services and Infrastructure Advisory Solutions. With stro- ng industrial presence since 2004, we have been serving clients from across the world with our robust, end-to-end security services and solutions. We are a 100% vendor neut- ral company with strict no outsourcing policy and built on our core values of strict code of ethics, transparency and professionalism. About Us www.vistainfosec.com
  • 16. OUR SERVICES OFFERINGS www.vistainfosec.com Compliance & Governance • SOC 1 Consulting & Audit • SOC 2 Consulting & Audit • PCI DSS Advisory and Certification • PCI PIN Advisory and Certification • PA SSF Advisory and Certification • ISO 27001 Advisory and Certification • ISO 20000 Advisory and Certification • Business Continuity Management (ISO22301) • Cloud Risk CCM / CStar / ISO27017 • lnformation Security Audit • Software License Audit • ATM Security Assessment Regulatory And Compliance • GDPR Consulting and Audit • HIPAA Consulting and Audit • CCPA Consulting and Audit • NESA Consulting and Audit • MAS-TRM Consulting and Audit • NCA ECC Compliance • SAMA Compliance Managed Service • Adaptive Security Managment Pro gram • DPO Consultancy Services • CISO Advisory • Managed Compliance Services • Managed Security Services IT Audit & Advisory • Infrastructure Audit • Infrastructure Design & Advisory • Datacenter Design & Consultancy Services Training & Skill Development • Training & Skill Development Technical Assessment • Vulnerability Assessment • Penetration Testing • Web App Security Assessment • Mobile Security Assessment • Thick Client Application Security Assessment • Virtualization Risk Assessment • Secure Configuration Assessment • Source Code Review
  • 17. OUR OFFICES SINGAPORE INDIA UK USA VISTA INFOSEC LLC 24007 VENTURA BLVD SUITE 285 CALABASAS CA 91302 +1-415-513-5261 USSALES@VISTAINFOSEC.COM SGSALES@VISTAINFOSEC.COM SALES@VISTAINFOSEC.COM UKSALES@VISTAINFOSEC.COM VISTA INFOS EC PTE. LTD 20 COLLYER QUAY #09-01 20 COLLYER QUAY SINGAPORE (049319) VISTA INFOSEC PVT. LTD 001, NORTH WING, 2ND FLOOR, NEOSHINE HOUSE, LINK ROAD, ANDHERI (W) MUMBAI - 400053 6 AMBER COURT GOLDSMITH CLOSE HARROW, GREATER LONDON UNITED KINGDOM HA20EZ +65-3129-0397 +91 99872 44769 +447405816761 +91-22-26300683 www.vistainfosec.com
  • 18. CONTACT US US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 W: www.vistainfosec.com| E: info@vistainfosec.com You can reach us on Webinar : RBI’s Master Direction on Digital Payment Security Controls RBI’s Master Direction on Digital Payment Security Controls