The RBI Master Direction on Digital Payment Security Controls (February 2021) sets governance and security requirements for digital payment products and services — internet banking, mobile banking and card payments — to make these channels secure by design.
Who it applies to
- Scheduled commercial banks (excluding regional rural banks).
- Small finance banks and payments banks.
- Credit-card-issuing NBFCs.
Common (channel-agnostic) controls
| Area | Requirements |
|---|---|
| Governance | Board-approved policy, roles, and a product-approval process for digital payments |
| Application security | Secure SDLC, source-code review, application security testing (SAST/DAST), VAPT |
| Authentication | Multi-factor / strong authentication and secure session management |
| Fraud risk management | Transaction monitoring, velocity checks, alerts and cooling periods |
| Data security | Encryption, key management and protection of customer data |
| Monitoring | Logging, anomaly detection and incident response |
| Customer protection | Awareness, transaction alerts, grievance handling and liability framework |
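The fraud-risk-management row above is the one control area that is easiest to misread as a paper exercise, so here is an added, runnable illustration of what velocity checks and a cooling period look like as rules. This is example code written for this page, not text from the master direction or a CyberSigma tool; the thresholds (five transactions or ₹50,000 per hour, a 24-hour cooling period capping payments to a newly added beneficiary at ₹5,000) and the transactions it runs over are constructed assumptions, not values the direction prescribes.

```python
"""Velocity checks and a new-beneficiary cooling period over constructed transactions.

Illustrative example; thresholds and data are assumptions, not RBI-mandated values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    beneficiary: str
    amount: int          # minor units (paise) so sums never suffer float rounding
    at: datetime


@dataclass
class Decision:
    action: str          # "allow" (silent), "alert" (allow + flag) or "block"
    reasons: list


class FraudMonitor:
    def __init__(self, window=timedelta(hours=1), max_count=5, max_sum=5_000_000,
                 cooling=timedelta(hours=24), cooling_cap=500_000):
        self.window, self.max_count, self.max_sum = window, max_count, max_sum
        self.cooling, self.cooling_cap = cooling, cooling_cap
        self._added = {}                    # (account, beneficiary) -> registered at
        self._history = defaultdict(list)   # account -> transactions that were not blocked

    def add_beneficiary(self, account, beneficiary, at):
        self._added[(account, beneficiary)] = at

    def evaluate(self, txn):
        added_at = self._added.get((txn.account, txn.beneficiary))
        if added_at is None:
            # Payments only go to registered beneficiaries; nothing else to evaluate.
            return Decision("block", ["beneficiary not registered"])

        action, reasons = "allow", []
        # Cooling period: a freshly added beneficiary may only receive small amounts.
        if txn.at - added_at < self.cooling and txn.amount > self.cooling_cap:
            action = "block"
            reasons.append("new beneficiary within cooling period, amount above cap")

        # Velocity: count and total of this account's non-blocked transactions in the window.
        recent = [t for t in self._history[txn.account] if txn.at - t.at <= self.window]
        if len(recent) + 1 > self.max_count:
            reasons.append(f"velocity: {len(recent) + 1} transactions in window")
            action = "alert" if action == "allow" else action
        if sum(t.amount for t in recent) + txn.amount > self.max_sum:
            reasons.append("velocity: window amount above limit")
            action = "alert" if action == "allow" else action

        if action != "block":
            self._history[txn.account].append(txn)
        return Decision(action, reasons)


def run_demo():
    """Constructed sequence: one account, an old beneficiary, a newly added one, an unknown one."""
    t0 = datetime(2024, 3, 1, 10, 0)
    m = FraudMonitor()
    m.add_beneficiary("ACC1", "OLD", t0 - timedelta(days=30))
    m.add_beneficiary("ACC1", "NEW", t0 - timedelta(hours=1))
    sequence = [
        ("OLD", 200_000, 0),       # allow
        ("NEW", 900_000, 1),       # block: above cooling cap to a beneficiary added 1h ago
        ("NEW", 100_000, 2),       # allow: under the cap
        ("UNKNOWN", 1_000, 3),     # block: not a registered beneficiary
        ("OLD", 100_000, 4),       # allow
        ("OLD", 100_000, 5),       # allow
        ("OLD", 100_000, 6),       # allow (5th accepted transaction in the hour)
        ("OLD", 100_000, 7),       # alert: 6th transaction in the window
        ("OLD", 4_500_000, 8),     # alert: count and window total both exceeded
        ("OLD", 100_000, 120),     # allow: two hours later, the window has rolled over
    ]
    return [m.evaluate(Txn("ACC1", b, amt, t0 + timedelta(minutes=mins)))
            for b, amt, mins in sequence]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action, "; ".join(d.reasons))
```

The split between "alert" and "block" is deliberate: the direction asks for monitoring and alerting as well as hard controls, and a velocity breach on an established beneficiary is usually a case for an alert and customer notification, whereas a large payment to a beneficiary added an hour ago is a classic account-takeover pattern and is stopped outright. Blocked transactions are not added to the history, so an attacker cannot use rejected attempts to push a victim's own later payments over the velocity limit.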
Channel-specific controls
- Internet banking — secure session management (timeouts, single active session), re-authentication for sensitive actions such as adding a beneficiary or raising a limit, secure APIs.
- Mobile banking / apps — app hardening, secure local storage, device binding, root/jailbreak detection, secure update channel.
- Card payments — tokenisation, secure card-on-file handling, EMV/3-D Secure, PCI DSS alignment.
Implementation roadmap
- Inventory digital payment products and map their architecture and data flows.
- Assess against the master direction’s control areas.
- Harden applications (secure SDLC, SAST/DAST, VAPT).
- Implement strong authentication, fraud monitoring and customer-protection controls.
- Close the gaps, collect evidence of ongoing compliance and keep monitoring.
Evidence checklist
- Board-approved digital-payment security policy and product-approval records.
- Secure-SDLC and source-code-review evidence.
- Application security testing and VAPT reports.
- MFA/authentication and session-management configurations.
- Fraud-monitoring rules and alerting evidence.
- Customer-protection, alerting and grievance records.
How CyberSigma helps
We assess your digital payment channels against the RBI master direction, run application security testing and VAPT, and help implement authentication, fraud-monitoring and customer-protection controls — with CERT-In empanelled reporting.
Frequently asked questions
Does the Digital Payment Security Controls direction apply to NBFCs?
Yes, it applies to credit-card-issuing NBFCs and the listed regulated entities offering digital payment products, in addition to banks.
Need help with RBI Digital Payment Security Controls?
CERT-In empanelled, PCI QSA senior auditors can take you from reading the direction to demonstrable compliance, with a scoped, guided programme.
