RBI Master Directions on Cyber Resilience and Digital Payment Security Controls (2024)

On July 30, 2024, the Reserve Bank of India (RBI) issued the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs).

These guidelines are designed to bolster cybersecurity, implement resilient security practices, and ensure robust risk mitigation across India's digital payments ecosystem. All authorized non-bank PSOs must comply, with additional expectations for their vendors and partners.

The Master Directions require PSOs to adopt comprehensive information security policies, secure application development practices, incident response mechanisms, and strong controls for mobile and digital payment channels. The focus is on preventing evolving cyber threats, ensuring transaction integrity, and protecting customer data.
RBI guidelines and how we solve it

RBI guideline: Mechanism to ensure that the mobile application is free from any anomalies or exceptions for which the application was not programmed.
How we solve it: Validate the app signature, which detects the version of the app and checks for reverse engineering, screen sharing and mirroring attacks.

RBI guideline: An authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer. In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out.
How we solve it: Sense provides runtime integrity checks, which involve calculating the application's checksum at runtime and comparing it with the checksum stored in the database.

RBI guideline: Ensure device binding / fingerprinting of mobile applications with the device and SIM. In case the mobile application remains unused beyond a policy-determined specified period, the PSO shall ensure device binding is performed again.
How we solve it: Strengthens the device binding by providing additional signals that might prove to be suspicious to the bank.

RBI guideline: An online session on a mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login.
How we solve it: Set up the session inactivity time, which secures the user's account in cases of inactivity.

RBI guideline: The PSO shall, where applicable, set down the maximum number of failed log-in or authentication attempts after which access to the mobile application is blocked. There shall be a secure procedure to re-activate access to the blocked product / service. The customer shall be notified immediately of failed log-in or authentication attempts.
How we solve it: Prevents any unauthorised attempts to log in to the app by creating a unique digital identity that enhances the overall security posture of the user.

RBI guideline: The PSO shall put in place a control mechanism to identify any presence of remote access applications (to the extent possible) and prohibit access to the mobile payment application while the remote access is live.
How we solve it: Sense is able to identify unknown or third-party apps that have screen mirroring or screen overlay abilities.

RBI guideline: Whenever there is a change in registered mobile number or email ID linked to the payment instrument, there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
How we solve it: When a device binding ID is created and mapped to a customer ID, Sense is able to detect any changes to the primary contact details.
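Three of the guideline rows above (session termination after inactivity, lockout after a maximum number of failed authentication attempts with immediate customer notification and a separate secure re-activation step, and the minimum 12-hour cooling period after a change of registered mobile number or email ID) are concrete enough to express as server-side policy checks. The code below is an added illustration and is not Sense's code or anything published by the RBI; the class and function names, the limits used in the demo, and the sample timestamps are all constructed for this example.

```python
"""Policy checks for three mobile-app controls from the RBI Master Directions:
inactivity timeout, failed-login lockout with notification, and the 12-hour
cooling period after a contact-detail change. Added example; names and sample
values are constructed, not taken from any real PSO implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

UTC = timezone.utc


def session_still_valid(last_activity: datetime, now: datetime,
                        inactivity_limit: timedelta) -> bool:
    """Control: an online session is terminated after a fixed period of
    inactivity. When this returns False the caller must drop the session and
    prompt the customer to log in again."""
    return now - last_activity < inactivity_limit


@dataclass
class LoginGuard:
    """Control: block access after max_failures failed attempts and notify the
    customer of every failure. The block is only lifted through an explicit,
    verified re-activation procedure, never by a timer."""
    max_failures: int
    notify: Callable[[str, str], None]            # (customer_id, message)
    failures: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)

    def can_attempt(self, customer_id: str) -> bool:
        return customer_id not in self.blocked

    def record_failure(self, customer_id: str) -> bool:
        """Count one failed attempt; returns True if the account is now blocked."""
        self.failures[customer_id] = self.failures.get(customer_id, 0) + 1
        self.notify(customer_id, "Failed login attempt on your account")
        if self.failures[customer_id] >= self.max_failures:
            self.blocked.add(customer_id)
            self.notify(customer_id, "Access blocked after repeated failed attempts")
        return customer_id in self.blocked

    def reactivate(self, customer_id: str, verified_by_secure_procedure: bool) -> bool:
        """Lift the block only when the secure re-activation procedure succeeded."""
        if not verified_by_secure_procedure:
            return False
        self.blocked.discard(customer_id)
        self.failures.pop(customer_id, None)
        return True


def payment_allowed_after_contact_change(changed_at: Optional[datetime],
                                         now: datetime,
                                         cooling_period: timedelta = timedelta(hours=12)) -> bool:
    """Control: no online payment until the cooling period after a change of
    registered mobile number or email ID has elapsed. None means no change."""
    if changed_at is None:
        return True
    return now - changed_at >= cooling_period


def run_demo() -> dict:
    """Exercise the three checks on constructed timestamps and a constructed
    customer; returns the outcomes so they can be inspected or asserted on."""
    t0 = datetime(2024, 8, 1, 9, 0, tzinfo=UTC)       # constructed sample time
    sent: List[str] = []
    guard = LoginGuard(max_failures=3, notify=lambda cid, msg: sent.append(f"{cid}: {msg}"))
    for _ in range(3):
        guard.record_failure("cust-001")               # constructed customer ID
    return {
        "session_after_5min": session_still_valid(t0, t0 + timedelta(minutes=5), timedelta(minutes=10)),
        "session_after_11min": session_still_valid(t0, t0 + timedelta(minutes=11), timedelta(minutes=10)),
        "blocked_after_3_failures": not guard.can_attempt("cust-001"),
        "notifications_sent": len(sent),
        "payment_11h_after_change": payment_allowed_after_contact_change(t0, t0 + timedelta(hours=11)),
        "payment_12h_after_change": payment_allowed_after_contact_change(t0, t0 + timedelta(hours=12)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The lockout deliberately has no automatic expiry: the guideline calls for a secure re-activation procedure, so `reactivate` requires the caller to assert that such a procedure completed rather than unlocking after a delay. The cooling-period check treats exactly 12 hours as satisfied and anything shorter as blocked.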
