The Reserve Bank of India has issued master directions for Digital Payment Security Controls in its circular dated Feb 18, 2021. Among other things, the intent is to provide greater security to customers in digital transactions (internet banking, mobile banking, card transactions, etc.).
The rules come into force in July 2021.
The directions apply to the regulated entities (RE) that include:
- Scheduled Commercial Banks
- Small Finance Banks
- Payments Banks
- Credit card issuing NBFCs
Not surprising, since these are the entities that facilitate digital transactions. While much of the language in the circular is technical and esoteric, I will list some of the changes that will affect you directly.
#1 The mobile application should not store/retain sensitive personal/consumer authentication information such as user IDs, passwords, keys, hashes, hard coded references on the device and the application should securely wipe any sensitive customer information from memory when the customer/user exits the application.
Of all the changes, this is the one with the biggest ramifications. Most eCommerce/food delivery/streaming services providers will have issues with this. And they have already sought clarification from RBI through NASSCOM. Currently, these apps store your credit card or debit card details. While making the payment, you just have to enter the CVV followed by OTP to complete the purchase. If the application must wipe out sensitive information (I assume credit card information is sensitive information) from memory once you exit the application, then you will have to enter the complete card details every time you want to make a purchase. Well, get ready to memorise the card details.
What about recurring payments? To Netflix, Hotstar, Zee5 or Big Basket Daily. These can’t happen if the app/web server can’t store card details. I think the last word is yet to be written in this specific matter. Expect some concessions from the Reserve Bank.
#2 Multi-factor authentication and alerts (e-mail, SMS etc.) should apply in respect of all payment transactions (including debits and credits), addition/deletion/modification of beneficiaries, changing accounts details or revising fund transfer limits.
This is already implemented in some ways, but you can expect this to become more stringent. As I see it, this means you will have to enter an SMS/e-mail OTP for each mobile/net-banking transaction. For mobile banking payments, the banks can consider alternatives to SMS-based OTP, since the mobile app and the authentication factor (SMS-based OTP) may reside on the same device. By the way, I do not understand what the regulator means by credit. Why should multi-factor authentication be required for a credit to your bank account?
#3 The alerts and OTPs received by the customer for online transactions shall identify the merchant name, wherever applicable, rather than the payment aggregator through which the transaction was effected.
I like this move. Many times, you make payment on a website/app and the OTP/payment is shown for PayU or PayTM (or any other payment gateway). Even the bank or credit card statement shows the payment to the payment gateway. I find this really irritating and it is difficult to reconcile transactions at the end of the month. By the way, in some cases, OTP does not even contain information about the beneficiary. With this change, I hope such confusion will go away.
#4 The banks should set down the maximum number of failed login or authentication attempts. After the maximum number of failed attempts, the access to the payment product/service shall be blocked. The customer shall be notified on failed login attempts.
Good again. This already happens to an extent. An online session shall be automatically terminated after a fixed period of inactivity. Does this mean you will have to log in to Paytm every time you use it?
#5 The banks shall ensure device binding of the mobile application. As per the RBI circular, the device binding should preferably be implemented through a combination of hardware, software and service information.
Even now, there is a binding of the mobile application with the phone number. You can install the app for your bank account only on the phone with the registered mobile number (that happens at least with the banks I transact with). In case a user can register multiple devices, the user must be notified of every new device registration on multiple channels such as the registered mobile number, email or a phone call.
#6 After receiving the password from the bank, the user shall be compulsorily required to change the password on the first login.
#7 The banks shall ensure robust surveillance/monitoring of card transactions, especially for overseas cash withdrawals. Transaction limits shall be set in place for various kinds of transactions.