Reserve Bank of India · India

RBI Digital Payment Security Controls

RBI’s master direction on securing internet, mobile and card digital payment channels.

The RBI Master Direction on Digital Payment Security Controls (February 2021) sets governance and security requirements for digital payment products and services — internet banking, mobile banking and card payments — to make these channels secure by design.

Who it applies to

  • Scheduled commercial banks (excluding regional rural banks).
  • Small finance banks and payments banks.
  • Credit-card-issuing NBFCs.

Common (channel-agnostic) controls

Area                     Requirements
Governance               Board-approved policy, roles, and a product-approval process for digital payments
Application security     Secure SDLC, source-code review, application security testing (SAST/DAST), VAPT
Authentication           Multi-factor / strong authentication and secure session management
Fraud risk management    Transaction monitoring, velocity checks, alerts and cooling periods
Data security            Encryption, key management and protection of customer data
Monitoring               Logging, anomaly detection and incident response
Customer protection      Awareness, transaction alerts, grievance handling and liability framework

Channel-specific controls

  • Internet banking — secure sessions, device binding, re-authentication for sensitive actions, secure APIs.
  • Mobile banking / apps — app hardening, secure storage, root/jailbreak detection, secure updates.
  • Card payments — tokenisation, secure card-on-file handling, EMV/3-D Secure, PCI DSS alignment.

Implementation roadmap

  1. Inventory digital payment products and map their architecture and data flows.
  2. Assess against the master direction’s control areas.
  3. Harden applications (secure SDLC, SAST/DAST, VAPT).
  4. Implement strong authentication, fraud monitoring and customer-protection controls.
  5. Close gaps, evidence continuous compliance and monitor.

Evidence checklist

  • Board-approved digital-payment security policy and product-approval records.
  • Secure-SDLC and source-code-review evidence.
  • Application security testing and VAPT reports.
  • MFA/authentication and session-management configurations.
  • Fraud-monitoring rules and alerting evidence.
  • Customer-protection, alerting and grievance records.

How CyberSigma helps
We assess your digital payment channels against the RBI master direction, run application security testing and VAPT, and help implement authentication, fraud-monitoring and customer-protection controls — with CERT-In empanelled reporting.

Frequently asked questions

Does the Digital Payment Security Controls direction apply to NBFCs?
Yes, it applies to credit-card-issuing NBFCs and the listed regulated entities offering digital payment products, in addition to banks.

Need help with RBI Digital Payment Security Controls?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about the direction to compliance with it, through a scoped, guided programme.