What changed
RBI finalized the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs, following a draft published on June 2, 2023. The directions introduce phased implementation timelines based on entity size: large PSOs by April 1, 2025, medium by April 1, 2026, and small by April 1, 2028. They also require PSOs to ensure adherence by unregulated entities in their ecosystem through mutual agreement and a Board-approved policy.
What it means for you
Non-bank PSOs must now put in place a cyber resilience framework covering governance, risk assessment, and baseline security controls such as asset inventory, access control, and incident response. The phased timeline gives smaller entities more time to comply, but every PSO should begin gap assessment and remediation planning now. Existing RBI instructions on card, PPI, and mobile banking security remain in force; where they conflict with these directions, the directions prevail.
What you must do
- Classify your entity as large, medium, or small based on RBI criteria and note your compliance deadline.
- Establish a robust governance mechanism for cyber risk identification, assessment, monitoring, and management.
- Implement baseline security controls covering asset inventory, identity and access management, network security, application security, vendor risk management, data security, patch and vulnerability management, incident response, business continuity planning (BCP), API security, employee awareness and training, and cloud security.
- Ensure digital payment security measures for mobile payments, card payments, and PPIs are aligned with these directions.
- Review and update agreements with unregulated entities in your ecosystem to mandate adherence to these directions.
Who it affects
- All authorized non-bank Payment System Operators (PSOs)
- Unregulated entities in the digital payments ecosystem (e.g., payment gateways, third-party service providers, vendors)
- Compliance and IT teams of non-bank PSOs
When do these directions take effect?
The directions are effective from the date they were placed on RBI's website (July 30, 2024). Compliance timelines are phased: large non-bank PSOs by April 1, 2025, medium by April 1, 2026, and small by April 1, 2028.
Do these directions apply to banks?
No. These directions apply only to authorized non-bank Payment System Operators. Banks are covered by RBI's separate cyber security and resilience guidelines.
What happens if existing security instructions conflict with these directions?
In case of any discrepancy, the instructions in this Master Direction shall prevail over existing ones on card, PPI, and mobile banking security.