RBI steps in to online payments; guidelines issued

The draft includes various directions related to how card, prepaid payment products like smart cards, online wallets, apps, or mobile banking payment operators should ensure security while making payments

  • Last Updated : May 17, 2024, 14:11 IST
RBI governor Shkatikanta Das. Image-TV9

The Reserve Bank of India (RBI) has issued a draft of new guidelines on Friday to ensure the security of digital payments. It includes various directions related to how card, prepaid payment products like smart cards, online wallets, apps, or mobile banking payment operators should ensure security while making payments.

The draft states that Payment System Operators (PSOs) will have to prepare a Cyber Crisis Management Plan (CCMP) to detect, control, respond to, and recover from cyber threats and attacks. It also states that the board of directors of the company will be responsible for cyber security. An alert must be issued if any payment is suspicious. Customers should hide their account, card numbers, and confidential information. Online deals should mention the name of the payment gateway/aggregator, not the merchant. When sending OTP via mobile or email, it should be mentioned which deal it is issued for.

Guidelines for Card Payments
If there is any fake or suspicious transaction on a card, the bank issuing the card should be informed. The payment service operator will be responsible for ensuring the security of POS terminals.

Guidelines for Prepaid Payment Products
There should be a cooling period between fund loading and transferring. Additionally, OTP and transaction information should be sent in the local language.

Guidelines for Mobile Banking
If a fraudulent payment is identified through mobile banking, there should be provisions to identify it and mark it. Changing mobile number/email should be allowed only after a cooling period of 12 hours before making any payment. The same app should not be used on two devices simultaneously. If a mobile banking app is not used for an extended period, it should be reactivated using the SIM and fingerprint. If someone attempts to log in with incorrect details exceeding the defined limit, the login should be blocked, but there should also be provisions to reactivate it.

When will the proposal be implemented?
RBI has sought feedback from relevant stakeholders on this until June 30. After consensus and approval, preparations are being made to implement this proposal from April 1, 2024, until April 1, 2028. A deadline of April 1, 2024, has been set for major non-bank payment system operators. For medium non-bank operators, it will be applicable until April 1, 2026, and for small non-bank operators, it will be mandatory from April 1, 2028.

Published: June 2, 2023, 20:25 IST
Exit mobile version