RBI Releases Draft Directions On Cybersecurity Management At Payment Firms

The Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators will be applicable to payment system companies, and the Reserve Bank of India has sought stakeholder feedback by June 30. These rules will be applicable to all non-bank payment system operators, according to a notification issued on Friday.

The various requirements enumerated under the directions include:

  • PSOs must ensure adherence to these directions by third-party, unregulated entities they work with, such as payment gateways and vendors.

  • Operators must ensure that all their applications are subjected to rigorous security testing by qualified agencies.

  • Development of a business continuity plan based on cyber threat scenarios.

  • Preparation of a distinct board-approved cyber crisis management plan to detect, contain, respond to, and recover from cyber threats and attacks.

  • The requirement to have a board-approved incident response mechanism, which includes provisions to promptly notify senior management, relevant employees, and regulatory, supervisory, and relevant public authorities about a cyber incident.

The requirements also state that if there is a change in the registered mobile number or email ID linked to a payment instrument, there will be a cooling period of at least 12 hours before allowing transactions through online modes or channels.
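The cooling-period rule above is simple to state but easy to get wrong in implementation (off-by-one at the 12-hour mark, a second contact change that does not restart the clock, offline channels wrongly blocked). The following is an added illustration, not RBI text or any operator's code: a small reference check that records contact-detail changes and gates only online-channel transactions until at least 12 hours have passed since the most recent change. Channel labels, field names and the scenario timestamps are constructed assumptions.

```python
"""Cooling-period check after a change to a customer's registered contact
details. Hypothetical reference logic written for this article; not RBI's or
any payment system operator's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The draft directions require a cooling period of at least 12 hours.
COOLING_PERIOD = timedelta(hours=12)

# Assumed channel labels: only online channels are gated by the rule.
ONLINE_CHANNELS = frozenset({"mobile_app", "web", "api"})

# The two contact attributes the directions name (assumed field names).
GATED_FIELDS = frozenset({"mobile_number", "email"})


@dataclass
class CustomerRecord:
    customer_id: str
    # contact field -> timezone-aware timestamp of its most recent change
    contact_changed_at: dict = field(default_factory=dict)


def record_contact_change(rec: CustomerRecord, contact_field: str, when: datetime) -> None:
    """Store the time a registered contact attribute was changed."""
    if contact_field not in GATED_FIELDS:
        raise ValueError(f"not a gated contact field: {contact_field}")
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    rec.contact_changed_at[contact_field] = when


def evaluate_transaction(rec: CustomerRecord, channel: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason).

    Online-channel transactions are denied until COOLING_PERIOD has elapsed
    since the MOST RECENT gated contact change, so a second change inside the
    window restarts the clock. Exactly 12 hours elapsed is allowed ("at least").
    """
    if channel not in ONLINE_CHANNELS:
        return True, "channel not gated by the cooling period"
    if not rec.contact_changed_at:
        return True, "no contact change on record"
    latest_field, latest_time = max(rec.contact_changed_at.items(), key=lambda kv: kv[1])
    elapsed = now - latest_time
    if elapsed < COOLING_PERIOD:
        remaining = COOLING_PERIOD - elapsed
        return False, f"cooling period after {latest_field} change: {remaining} remaining"
    return True, f"cooling period elapsed ({elapsed} since {latest_field} change)"


def run_scenario() -> dict:
    """Constructed scenario: mobile number changed at t0, email changed at t0+10h."""
    t0 = datetime(2023, 6, 2, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    rec = CustomerRecord("cust-0001")  # constructed customer id
    record_contact_change(rec, "mobile_number", t0)
    decisions = {
        "online_1h": evaluate_transaction(rec, "mobile_app", t0 + timedelta(hours=1))[0],
        "branch_1h": evaluate_transaction(rec, "branch", t0 + timedelta(hours=1))[0],
        "online_12h": evaluate_transaction(rec, "web", t0 + timedelta(hours=12))[0],
    }
    # A second change (email) 10 hours in restarts the clock.
    record_contact_change(rec, "email", t0 + timedelta(hours=10))
    decisions["online_13h_after_email_change"] = evaluate_transaction(
        rec, "web", t0 + timedelta(hours=13))[0]
    decisions["online_22h"] = evaluate_transaction(rec, "web", t0 + timedelta(hours=22))[0]
    return decisions


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The decision function keys off the latest change across both gated fields rather than per field, which is the conservative reading of the rule; a production system would additionally log every denial with the triggering change so that a burst of contact changes followed by blocked transactions is visible to the incident response process the directions also require.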

The directions are currently in draft form; according to the notification, they will come into effect once they are placed on the official website of the RBI.

To give operators adequate time, the RBI has also laid down a staggered implementation schedule:

  • Large, non-bank operators: April 1, 2024.

  • Medium, non-bank operators: April 1, 2026.

  • Small, non-bank operators: April 1, 2028.
