
New Delhi. RBI on Tuesday said that non-bank payment system operators would have to implement real-time fraud monitoring solutions to identify suspicious transaction behaviour and issue alerts.

Instructions issued to PSOs

According to the Master Direction on Cyber Resilience and Digital Payment Safety Controls for Non-Bank PSOs, non-bank payment system operators (PSOs) will also have to ensure that the online session on the mobile application is automatically closed after a certain period and the customer is asked to log in again.

Rules come into effect immediately.

These directions have come into effect from Tuesday, but the Reserve Bank has also prescribed a phased implementation to provide sufficient time for PSOs to put in place the required compliance structure. The RBI said the directions aim to improve the safety and security of payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.

RBI also said that card networks must ensure that customers' card details are encrypted at any server location. The central bank has also asked prepaid payment instrument issuers to communicate OTP and transaction alerts to users in a language of their choice.

Special care will be taken for privacy.

The RBI said that PSOs should implement a comprehensive data leak prevention policy to protect the confidentiality, integrity, availability and security of business and customer information, covering data they hold as well as data available at vendor-managed facilities.

As per the directions, when PSOs or payment system participants send SMS or e-mail alerts to customers, they must ensure that the bank account number, card number or other confidential information is redacted/hidden as far as possible.
