RBI Introduces New Rules For Digital Transactions

Table of Contents

What has happened?

The Reserve Bank of India has asked scheduled commercial banks, payments banks, small finance banks, as well as card issuing non-bank lenders, To adopt more stringent security measures for digital payments.
In a set of master directions issued on its website, the banking regulator came up with prescriptive guidelines for digital payment security.
These guidelines specify security protocols to be adopted in internet banking, mobile applications of the entities mentioned above and cards issued by them.
“While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner,”
The regulator said in its master directions.
The guidelines will come into effect within 6 months, RBI said.

The regulator has asked lenders to have a board-approved policy in place and conduct regular system audits.
Banks and non-bank financial companies will be expected to conduct regular vulnerability testing of their systems to provide a secure experience to their customers.
The banking regulator has asked lenders to adopt the highest standards of security available to avoid data breaches on their servers.
For card payments, lenders must adopt standards which go beyond the payment card industry data security standards.

For mobile applications, where the service and authentication tools such as one-time-password are received on the same device, Lenders are expected to come up with better alternatives to authenticate a transaction.
Reconciliation process of transactions must follow a near-real-time framework which would ensure that all stakeholders are provided necessary information about a transaction within a 24-hour time period.
For authentication of customers using web pages to access digital payments, banks and NBFCs will need to have stronger authentication tools using strong CAPTCHA codes with server-side authentication.
Banks and NBFCs must have a specific section on their digital payment products and services which clarify how customers can lodge complaints in the event of a grievance.
The RBI has asked lenders to ensure that their web pages which provide digital payment products and services, Should not store customer sensitive information in HTML fields, cookies, or any other client-side storage.

A debit or credit card number is 16 digits, and not everyone has the bandwidth to memorise them in their entirety.
Especially, since most people use more than one card.
But, according to the Reserve Bank of India’s (RBI) new rules, you may not have a choice.
The only other alternative is to take your cards wherever you go.
This means that rather than just having to enter your CVV to make a payment, you’ll have to enter all your card details — Name, card number and expiry date — from scratch every time you want to make an online payment.
One would think that in the push for ‘Digital India’, these new rules would hamper the process of creating a cashless country.
But, India’s central bank argues that the point of not letting third parties store card details is to mitigate the additional risk of fraud and financial theft.

The Indian IT lobby NASSCOM already expressed its concerns against such a step back in January.
“Without card data, merchants will not be able to perform basic functions,
Such as resolution of consumer complaints or disputes, consumer service and speedy resolution of refunds requests, and will be completely dependent upon pay aggregators and banks to provide the same,” it said in letter to the RBI.
Instead, NASSCOM proposes that the RBI could develop a framework to store card data that encompasses security measures, reporting requirements and governance mechanisms as per its requirements.
A group of 25 consumer internet companies like Flipkart, Amazon, Netflix, Microsoft and Zomato also wrote to India’s central bank.
They argue that these rules would severely hamper the customer’s online payment experience.