RBI Master Directions on Cyber Resilience & Digital Payment Security Controls (2024)
On July 30, 2024, the Reserve Bank of India (RBI) issued the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (PSOs). These guidelines are designed to bolster cybersecurity, implement resilient security practices, and ensure robust risk mitigation across India’s digital payments ecosystem. All authorized non-bank PSOs must comply, with additional expectations for their vendors and partners. The Master Directions require PSOs to adopt comprehensive information security policies, secure application development practices, incident response mechanisms, and strong controls for mobile and digital payment channels. The focus is on preventing evolving cyber threats, ensuring transaction integrity, and protecting customer data.
RBI guidelines and how Sense solves for them:

RBI guideline: Mechanism to ensure that the mobile application is free from any anomalies or exceptions for which the application was not programmed.
How Sense solves for this: Validates the app signature, which identifies the app version, and checks for reverse engineering, screen sharing and screen mirroring attacks.

RBI guideline: An authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer. In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out.
How Sense solves for this: Sense performs runtime integrity checks: the app's checksum is calculated at runtime and compared with the checksum stored in the database.

RBI guideline: Ensure device binding / fingerprinting of mobile applications with the device and SIM. In case the mobile application remains unused beyond a policy-determined specified period, the PSO shall ensure device binding is performed again.
How Sense solves for this: Strengthens device binding by providing additional device signals that the bank can treat as suspicious.

RBI guideline: An online session on a mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login.
How Sense solves for this: Configures a session inactivity timeout, which secures the user's account in cases of inactivity.

RBI guideline: The PSO shall, where applicable, set down the maximum number of failed log-in or authentication attempts after which access to the mobile application is blocked. There shall be a secure procedure to re-activate the access to the blocked product / service. The customer shall be notified immediately of failed log-in or authentication attempts.
How Sense solves for this: Prevents unauthorised login attempts by creating a unique digital identity that strengthens the user's overall security posture.

RBI guideline: The PSO shall put in place a control mechanism to identify any presence of remote access applications (to the extent possible) and prohibit access to the mobile payment application while the remote access is live.
How Sense solves for this: Sense identifies unknown or third-party apps that have screen mirroring or screen overlay capabilities.

RBI guideline: Whenever there is a change in the registered mobile number or email ID linked to the payment instrument, there shall be a cooling period of minimum 12 hours before allowing any payment transaction through online modes / channels.
How Sense solves for this: When a device binding ID is created and mapped to a customer ID, Sense can detect any changes to the primary contact details.
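Several of the controls above are parameterised policies (a session inactivity timeout, a failed-attempt limit with lockout and immediate notification, a device re-binding interval, a block while remote access is live, and a cooling period after a contact-detail change) that are normally enforced server-side on every payment request, independently of what the app reports. The Python below is an added example written for this page to show those checks evaluated together; it is not Sense's product code and not text from the Master Directions. The 12-hour cooling period is the minimum the Directions state; the other thresholds, the CustomerRecord and Session schema, and the sample data in demo() are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy parameters. The 12-hour cooling period is the minimum the Master
# Directions state; the other three are assumed, policy-determined values
# chosen for this example (not taken from the Directions or from Sense).
COOLING_PERIOD = timedelta(hours=12)
SESSION_IDLE_TIMEOUT = timedelta(minutes=5)
MAX_FAILED_ATTEMPTS = 5
REBIND_AFTER_UNUSED = timedelta(days=90)


@dataclass
class CustomerRecord:
    """Server-side state for one customer (hypothetical schema)."""
    customer_id: str
    bound_device: Optional[str] = None             # device + SIM fingerprint on record
    binding_last_used: Optional[datetime] = None   # last transaction from that binding
    contact_changed_at: Optional[datetime] = None  # last registered mobile/email change
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    """An authenticated app session as the server sees it."""
    customer_id: str
    device_fingerprint: str
    last_activity: datetime
    remote_access_detected: bool = False  # reported by the app's runtime check


def record_login_attempt(rec: CustomerRecord, success: bool) -> List[str]:
    """Apply the failed-attempt counter; return notifications to send the customer.
    Every failed attempt is notified at once; reaching the limit blocks access
    until a separate re-activation procedure clears `locked`."""
    if rec.locked:
        return ["login refused: access is blocked, use the re-activation procedure"]
    if success:
        rec.failed_attempts = 0
        return []
    rec.failed_attempts += 1
    notices = [f"failed login attempt {rec.failed_attempts} of {MAX_FAILED_ATTEMPTS}"]
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.locked = True
        notices.append("access blocked after too many failed attempts")
    return notices


def evaluate_transaction(rec: CustomerRecord, sess: Session, now: datetime) -> List[str]:
    """Return the control violations for a payment request; empty means allow.
    All checks run so the caller can log every reason, not only the first.
    On allow, the binding and session activity timestamps are refreshed."""
    reasons: List[str] = []
    if rec.locked:
        reasons.append("account_locked")
    if now - sess.last_activity > SESSION_IDLE_TIMEOUT:
        reasons.append("session_idle_timeout")        # prompt a re-login
    if sess.remote_access_detected:
        reasons.append("remote_access_active")        # block while it is live
    if rec.bound_device is None or rec.bound_device != sess.device_fingerprint:
        reasons.append("device_not_bound")            # unknown device or SIM
    elif rec.binding_last_used is None or now - rec.binding_last_used > REBIND_AFTER_UNUSED:
        reasons.append("rebind_required")             # binding left unused too long
    if rec.contact_changed_at is not None and now - rec.contact_changed_at < COOLING_PERIOD:
        reasons.append("contact_change_cooling_period")
    if not reasons:
        rec.binding_last_used = now
        sess.last_activity = now
    return reasons


def demo() -> dict:
    """Constructed scenarios (sample data, not real customer records)."""
    now = datetime(2024, 8, 1, 12, 0, tzinfo=timezone.utc)
    rec = CustomerRecord("cust-001", bound_device="dev-A",
                         binding_last_used=now - timedelta(days=1))
    sess = Session("cust-001", "dev-A", last_activity=now - timedelta(minutes=1))
    out = {"clean": evaluate_transaction(rec, sess, now)}

    # Registered mobile number changed two hours ago: inside the cooling period.
    rec.contact_changed_at = now - timedelta(hours=2)
    out["cooling"] = evaluate_transaction(rec, sess, now)

    # Eleven hours later (13 h after the change) the same request is allowed.
    later = now + timedelta(hours=11)
    sess.last_activity = later - timedelta(minutes=1)
    out["after_cooling"] = evaluate_transaction(rec, sess, later)

    # Unknown device with a remote-access tool detected: two independent reasons.
    rogue = Session("cust-001", "dev-B", last_activity=later, remote_access_detected=True)
    out["rogue_device"] = evaluate_transaction(rec, rogue, later)

    # Five failed logins on a fresh record: the fifth attempt locks the account.
    rec2 = CustomerRecord("cust-002", bound_device="dev-C", binding_last_used=later)
    out["lockout_notices"] = [record_login_attempt(rec2, False)
                              for _ in range(MAX_FAILED_ATTEMPTS)][-1]
    out["locked"] = evaluate_transaction(rec2, Session("cust-002", "dev-C", later), later)
    return out
```

Calling demo() walks through the scenarios in order; the point of returning every violated control rather than the first is that a denied request in the cooling period on an unbound device should be logged as both, since the combination (contact change followed by a new device) is itself a signal worth alerting on.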