The Reserve Bank of India (RBI) on July 30, 2024 issued final directions for non-bank payment system operators (PSOs), card networks and prepaid payment instrument (PPI) issuers to build a safe and secure payment system and enhance cyber resilience. The directions will be implemented in phases.
According to an RBI notification, the timeline to update digital infrastructure and systems for large non-bank PSOs, such as Clearing Corporation of India (CCIL), National Payments Corporation of India (NPCI), non-bank ATM networks, white label ATM operators (WLAOs), and card payment networks is set for April 1, 2025. For medium and small non-bank PSOs, the timelines are April 1, 2026, and April 1, 2028, respectively.
The purpose of these directions and the implementation exercise is to strengthen the digital payment system in India, identify and prevent suspicious transactions, and improve overall cyber resilience. While most changes are at the PSOs’ system level, users will notice them when making payments through a mobile app, a card, or a prepaid instrument.
Directions for non-bank PSOs, card networks, and PPI issuers
Payment Through Mobile Application:
The PSOs will ensure that authenticated sessions ‘remain intact throughout an interaction with the customer’. In the event of any interference, or if the user closes the application, the session will have to be terminated.
Further, PSOs will have to ensure device binding, a process that creates a secure association between the mobile app and the device and its SIM. According to RBI’s direction, the PSOs will have to perform device binding again if the mobile app remains unused for more than a ‘specified period’.
Also, if a user does not log out from a mobile app, the PSOs will have to ensure that the online session on the mobile app is terminated automatically after the specified period of inactivity.
To improve security measures, the PSOs will also set the number of failed log-ins after which the mobile app will be blocked. To reactivate it, a user will need to complete a secure procedure before he/she is able to log in again. PSOs will also need to identify any remote access application and prohibit it from accessing the mobile payment app.
Along with all these measures, PSOs will put in place a cooling period of 12 hours whenever the mobile number or email ID linked to the payment instrument is changed. Only after the cooling period is over will payments be allowed through online modes.
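The mobile-app controls described above (session termination on interference, device-and-SIM binding with rebinding after a long unused period, automatic inactivity timeout, lockout after a set number of failed log-ins, and the 12-hour cooling period after a contact-detail change) can be modelled as a small server-side policy engine. The following is an added illustration, not code from RBI or from any PSO. Only the 12-hour cooling period comes from the directions; the inactivity timeout, rebinding period, failed-login threshold, the binding key and the function names are assumptions chosen for the example.

```python
"""Policy checks modelled on the RBI directions for mobile payment apps.

Added example. Only the 12-hour cooling period is stated in the directions;
every other threshold below is an assumed value for a "specified period".
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

INACTIVITY_TIMEOUT = timedelta(minutes=5)     # assumed
REBIND_AFTER_UNUSED = timedelta(days=90)      # assumed
MAX_FAILED_LOGINS = 5                         # assumed
CONTACT_CHANGE_COOLING = timedelta(hours=12)  # from the directions

# Server-side secret used to derive binding tokens; placeholder value.
BINDING_KEY = b"placeholder-binding-key"


def binding_token(device_id: str, sim_id: str) -> str:
    """Bind the app instance to both the device and the SIM: if either one
    changes, the derived token changes and the stored binding no longer matches."""
    return hmac.new(BINDING_KEY, f"{device_id}|{sim_id}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    bound_token: Optional[str] = None          # None: no device bound yet
    last_used: Optional[datetime] = None
    failed_logins: int = 0
    locked: bool = False
    contact_changed_at: Optional[datetime] = None  # last mobile number / e-mail change


@dataclass
class Session:
    account: Account
    last_activity: datetime
    active: bool = True


def bind_device(acct: Account, device_id: str, sim_id: str, now: datetime) -> None:
    """Store a fresh binding; the out-of-band verification that should precede
    this step is not modelled here."""
    acct.bound_token = binding_token(device_id, sim_id)
    acct.last_used = now


def login(acct: Account, device_id: str, sim_id: str, credential_ok: bool,
          now: datetime) -> Tuple[Optional[Session], str]:
    """Return (session, reason). Lockout, the rebind requirement and a binding
    mismatch are all checked before any session is created."""
    if acct.locked:
        return None, "locked"
    if not credential_ok:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True   # reactivation needs a separate secure procedure
            return None, "locked"
        return None, "bad_credential"
    if acct.bound_token is None or (
            acct.last_used is not None and now - acct.last_used > REBIND_AFTER_UNUSED):
        return None, "rebind_required"   # unused too long: bind the device again first
    if not hmac.compare_digest(binding_token(device_id, sim_id), acct.bound_token):
        return None, "device_mismatch"   # different device or SIM than the bound one
    acct.failed_logins = 0
    acct.last_used = now
    return Session(acct, now), "ok"


def touch(session: Session, now: datetime) -> bool:
    """Called on each user interaction; ends the session after inactivity."""
    if not session.active:
        return False
    if now - session.last_activity > INACTIVITY_TIMEOUT:
        session.active = False
        return False
    session.last_activity = now
    session.account.last_used = now
    return True


def on_interference(session: Session) -> None:
    """App closed, overlay or remote-access tool detected: end the session."""
    session.active = False


def change_contact(acct: Account, now: datetime) -> None:
    """Record a mobile number or e-mail change to start the cooling period."""
    acct.contact_changed_at = now


def online_payment_allowed(acct: Account, now: datetime) -> bool:
    """Online payments resume only once the 12-hour cooling period has elapsed."""
    if acct.contact_changed_at is None:
        return True
    return now - acct.contact_changed_at >= CONTACT_CHANGE_COOLING


if __name__ == "__main__":
    t0 = datetime(2025, 4, 1, 9, 0)
    acct = Account()
    bind_device(acct, "dev-A", "sim-1", t0)
    print(login(acct, "dev-A", "sim-1", True, t0)[1])   # ok
    print(login(acct, "dev-A", "sim-2", True, t0)[1])   # device_mismatch (SIM changed)
```

The binding token is an HMAC over the device and SIM identifiers rather than the raw identifiers, so the stored value reveals nothing about the device if the table leaks, and `hmac.compare_digest` keeps the comparison constant-time. Lockout is evaluated before the credential, so a locked account cannot be probed, and a successful login is what resets the failure counter.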
Simultaneously, RBI has also laid down directions for payment through cards and pre-paid instruments.
Payment Through Card Networks
RBI has directed card networks to implement an alert mechanism that operates 24 hours a day, 365 days a year and triggers alerts to the card issuer. Also, the card networks need to store customers’ card details in an ‘encrypted form at any of the server locations’, and put in place transaction limits at the card issuer and bank identification number (BIN) level.
Payment Through Prepaid Payment Instruments (PPI)
Prepaid payment instrument (PPI) issuers need to offer OTPs to users along with transaction alerts in vernacular languages. All PPI issuers (bank and non-bank) will decide the cooling period for cash withdrawal and fund transfer once funds are loaded onto these prepaid instruments, the notification said.