This Article is From Dec 09, 2016

RBI Fears Cyber Attack On Prepaid Payment Instruments, Asks Issuers To Conduct Security Audit

RBI Fears Cyber Attack On Prepaid Payment Instruments, Asks Issuers To Conduct Security Audit

The RBI said any cyber attack on Prepaid Payment Instruments could prove dampener.

Mumbai: The Reserve Bank of India on Friday asked banks and companies issuing Prepaid Payment Instruments (PPI) to conduct a special security audit saying any cyber attack could prove dampener at a time when the government is nudging people to go in for digital transactions in a big way.

With the withdrawal of legal tender characteristics of old Rs 500 and Rs 1,000 notes (Specified Bank Notes or SBN), the use of alternate modes of payment, specifically e-wallets, has gained momentum, the RBI said.

"While all efforts should continue to be made by entities for on boarding new customers and merchants, it needs to be borne in mind that any kind of cyber security incident affecting the digital channels/products, particularly at this juncture, may have significant system-wide ramifications and act as a dampener for the adoption of digital products by public at large," the central bank said.

As the rapid escalation in e-payments may put significant pressure on the existing digital infrastructure, the RBI said "it is imperative that the integrity of our digital ecosystem is maintained by ensuring that they remain robust and fully secure".

"All authorised entities/banks issuing PPIs in the country are advised to - carry out a special audit by the empaneled auditors of Indian Computer Emergency Response Team (CERT-In) on a priority basis and take immediate steps thereafter to comply with the findings of the audit report."

The audit should cover compliance as per security best practices, specifically the application security life cycle and patch/vulnerability and change management aspects for the system authorised and adherence to the process.

Also "take appropriate measures on mitigating phishing attacks considering that the new customers are likely to be first time users of the digital channels. Safety and security best practices may be disseminated to the customers periodically", the RBI added.

The scope of the System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place.