The RBI Master Direction on Prepaid Payment Instruments (MD-PPI) governs the issuance and operation of prepaid instruments such as wallets and prepaid cards by banks and non-banks. It covers eligibility, KYC, interoperability, escrow and security, with periodic system audits.
Types of PPI
| Type | Characteristics |
|---|---|
| Small PPI (minimum-detail) | Loaded from a bank account/card; lower limits; must be converted to full-KYC within the stipulated period |
| Full-KYC PPI | Full KYC completed; higher limits; supports interoperability and cash withdrawal (as permitted) |
| Specific-use / gift PPIs | Issued for defined use cases per the master direction |
Key requirements
- Authorisation/eligibility and minimum net worth for non-bank issuers.
- KYC tiers, loading and outstanding-balance limits.
- Interoperability via UPI and card networks (as mandated).
- Escrow-account maintenance with a scheduled commercial bank and settlement controls.
- Information security, fraud risk management and customer protection.
- A periodic system audit of the PPI systems.
- Grievance redressal and customer-liability framework.
Implementation roadmap
- Confirm eligibility, authorisation and net worth.
- Implement KYC tiers, limits and interoperability.
- Establish the escrow arrangement and settlement controls.
- Harden security (application testing, VAPT, data protection).
- Complete the mandated system audit and remediate.
- Operate customer-protection and grievance processes; maintain compliance.
Evidence checklist
- Authorisation and net-worth records.
- KYC, limits and interoperability implementation evidence.
- Escrow-account and settlement records.
- Security controls, VAPT and application-testing reports.
- The periodic system audit report (CERT-In empanelled auditor).
- Grievance-redressal and customer-liability records.
How CyberSigma helps
We assess your PPI systems against MD-PPI, run VAPT and application security testing, and perform the mandated system audit as a CERT-In empanelled auditor — so your issuance and operations stay compliant.
Frequently asked questions
Do PPI issuers need a system audit?
Yes. PPI issuers must undergo periodic system audits, commonly performed by CERT-In empanelled auditors, alongside strong security controls.
