THE MINISTER OF STATE IN THE MINISTRY OF FINANCE
(a) and (b): As per the provisions of the Payment and Settlement Systems Act, 2007 (PSS Act), all entities are required to obtain authorization from the Reserve Bank of India (RBI) before commencing any payment system operation in the country. RBI has accorded approval to PAYTM Payments Bank Limited for issuance and operation of Prepaid Payment Instruments (PPIs), and to offer Mobile Banking Services to its customers. RBI has informed that RBI does not maintain data relating to losses etc. pertaining to e-trade agencies and financial corporates.
(c) to (e): Enhancing the safety and security of digital payment systems is a continuous process. RBI has taken required steps and, inter alia, issued the following circulars / guidelines related to security and risk mitigation measures for securing electronic / digital payment transactions:
• Vide circular on ‘Security and Risk Mitigation Measures for Electronic Payment Transactions’ dated 28.02.2013, RBI has directed banks to introduce additional measures to secure electronic mode of payments like RTGS, NEFT and IMPS.
• Vide ‘Master Direction on Issuance and Operation of PPIs’ dated 11.10.2017 and updated as on 29.12.2017, PPI issuers were instructed to put in place a framework to address safety and security concerns for risk mitigation and fraud prevention.
• RBI has issued various instructions in respect of customer protection. Vide circular dated 06.07.2017, RBI has issued directions limiting the liability of customers in unauthorized electronic banking transactions. Similarly, vide circular dated 04.01.2019, RBI has issued directions limiting the liability of customers in unauthorized electronic payment transactions in PPIs issued by Authorized Non-banks. Vide circular on “Harmonization of Turn Around Time (TAT) and customer compensation for failed transactions using authorized Payment Systems” dated 20.09.2019, the framework for TAT for failed transactions and compensation has been prescribed, and the prescribed TAT is the outer limit for resolution of failed transactions.
• For non-bank entities operating payment systems in India, in order to ensure that the technology deployed to operate the payment system/s authorized is/are being operated in a safe, secure, sound and efficient manner, RBI has, vide circulars dated 07.12.2009 and 27.12.2010 (as subsequently amended vide circular dated 15.04.2011), mandated System Audit to be done on an annual basis by a Certified Information Systems Auditor (CISA), registered with Information Systems Audit and Control Association (ISACA) or by a holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI). Further, in January 2020, RBI has revised the scope and coverage of System Audit of Authorized Payment System Operators (PSOs) to enhance the resilience of the payment systems.
• For securing card transactions, banks have been advised to provide online alerts for all card transactions {Card Present (CP) and Card Not Present (CNP)}, vide RBI’s circular dated 29.03.2011. Vide circulars dated 22.09.2011, 28.02.2013 and 24.06.2013, banks have been advised to introduce additional security measures for securing electronic (online and e-banking) transactions.
• All banks and White Label ATM Operators (WLAOs) have been advised to ensure that all existing ATMs installed / operated by them are enabled for EMV Chip and PIN Cards vide circular dated 26.05.2016.
• Banks have been directed to mandatorily put in place an Additional Factor of Authentication (AFA) for all CNP transactions w.e.f. 01.05.2013 failing which the issuer bank shall reimburse the loss to customer without demur.
• All authorised card payment networks are permitted to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to all extant instructions on safety and security of card transactions, including the mandate for AFA / PIN entry, vide circular dated 08.01.2019.
***