Knowledge Center / RBI PPI Master Direction
Reserve Bank of India · India

RBI Prepaid Payment Instruments (PPI)

Rules for issuing and operating prepaid payment instruments (wallets, cards).

The RBI Master Direction on Prepaid Payment Instruments (MD-PPI) governs the issuance and operation of prepaid instruments such as wallets and prepaid cards by banks and non-banks. It covers eligibility, KYC, interoperability, escrow and security, with periodic system audits.

Types of PPI

TypeCharacteristics
Small PPI (minimum-detail)Loaded from a bank account/card; lower limits; must be converted to full-KYC within the stipulated period
Full-KYC PPIFull KYC completed; higher limits; supports interoperability and cash withdrawal (as permitted)
Specific-use / gift PPIsIssued for defined use cases per the master direction

Key requirements

  • Authorisation/eligibility and minimum net-worth for non-bank issuers.
  • KYC tiers, loading and outstanding-balance limits.
  • Interoperability via UPI and card networks (as mandated).
  • Escrow-account maintenance with a scheduled commercial bank and settlement controls.
  • Information security, fraud risk management and customer protection.
  • A periodic system audit of the PPI systems.
  • Grievance redressal and customer-liability framework.

Implementation roadmap

  1. Confirm eligibility, authorisation and net worth.
  2. Implement KYC tiers, limits and interoperability.
  3. Establish the escrow arrangement and settlement controls.
  4. Harden security (application testing, VAPT, data protection).
  5. Complete the mandated system audit and remediate.
  6. Operate customer-protection and grievance processes; maintain compliance.

Evidence checklist

  • Authorisation and net-worth records.
  • KYC, limits and interoperability implementation evidence.
  • Escrow-account and settlement records.
  • Security controls, VAPT and application-testing reports.
  • The periodic system audit report (CERT-In empanelled auditor).
  • Grievance-redressal and customer-liability records.
How CyberSigma helps
We assess your PPI systems against MD-PPI, run VAPT and application security testing, and perform the mandated system audit as a CERT-In empanelled auditor — so your issuance and operations stay compliant.

Frequently asked questions

Do PPI issuers need a system audit?
Yes — PPI issuers must undergo periodic system audits of their systems, commonly performed by CERT-In empanelled auditors, alongside strong security controls.

Need help with RBI PPI Master Direction?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.