RBI's Master Direction on Digital Payment Security Controls

mobisec, 10 Aug 21

Digital payment has become the mainstream mode of payment since the push from the Government of India in 2016, and it plays a pivotal role in the growth of the country's economy. Digital payments through mobile payment applications, internet banking and payment gateways provide great convenience to users. Mobile platform based digital payment channels such as payment apps (Paytm, PhonePe, Airtel Pay, WhatsApp Pay, Google Pay, Amazon Pay) and payment wallets (Paytm Wallet, Mobikwik, Yono by SBI, ICICI Pockets) are the most preferred and widely used. Adoption of these channels has increased manifold due to changes in social and work culture, such as work-from-home, study-from-home and online shopping, and due to the COVID-19 pandemic. As per Reserve Bank of India (RBI) data, between 2015-16 and 2019-20, digital payments grew at a compounded annual growth rate of 55 %, from 593.61 Cr in the year to March 2016 to 3,434.56 Cr in the year to March 2020. Amid COVID-19, India witnessed the highest number of real-time online transactions, for a whopping amount of $25.5 billion in 2020. This increased momentum towards digital payment was exploited by cyber criminals for financial frauds. According to the RBI's annual report released in May 2021, banks and other financial institutions reported frauds worth Rs. 1.38 trillion in 2020-21.

To address the weaknesses in digital payment channels, the Reserve Bank of India (RBI) has mandated implementation of Digital Payment Security Controls, issued in the form of a Master Direction on February 18, 2021. These directions come into effect from mid-August 2021 for strict implementation by Scheduled Commercial Banks, Small Finance Banks, Payments Banks and credit card issuing NBFCs. The directions require that payment products such as mobile payment apps and wallets are built in a secure manner and rolled out only after the testing necessary to achieve the desired security, functionality and performance. It becomes important for the Board / Senior Management to put in place a policy for identifying, analysing, monitoring and managing compliance risk and fraud risk. Special attention needs to be given to data storage, security and privacy protection as per extant laws / instructions. It must be ensured that adequate safeguards are in place to protect the integrity of data, customer confidentiality and the security of data. An appropriate level of encryption and security is mandated across the digital payment ecosystem. Security testing such as source code review, Vulnerability Assessment (VA) and Penetration Testing (PT) of digital payment applications is required before rollout as well as at regular intervals.

Multi-factor authentication mechanisms need to be an essential part of all digital payment channels, to protect the confidentiality of payment data and to enhance user confidence against attack techniques such as phishing, keylogging, spyware / malware and fraud.

As a result of the Master Direction, a range of security controls in mobile payment applications becomes essential. Verification of the integrity and authenticity of the mobile application is a prerequisite before transactions are enabled; on encountering any exception / anomaly, the user should be directed to remove the current version and install a fresh copy of the application. Installation of the payment app should be permitted only after ensuring that the device baseline is met, and the app should be readily available for secure download / installation. Customer data is to be stored in encrypted form, and the app should request only the minimal set of permissions it needs. Sandboxing and containerisation are to be used to protect the app. The ability to detect active remote access applications and to block login to the payment app while they are running needs to be incorporated. Code obfuscation and version control should be used to deter reverse engineering. Prior to installation, mandatory checks should be performed to ensure that the app is not being installed on rooted / jailbroken devices. Device binding of the mobile app, as an indicator of a genuine user, is recommended, and implementation of alternatives to SMS-based OTP authentication is encouraged. The app must be able to identify new network connections, or connections from unsecured networks such as open Wi-Fi, and must apply appropriate authentication / checks / measures before performing transactions under those circumstances. The app should securely wipe any sensitive customer information from memory when the user exits. Anti-malware capabilities may be incorporated in the app. Mobile apps should be secured against SQL injection, and sensitive data must be written to the database only in encrypted form. SSL / TLS negotiation errors and certificate errors must be proactively detected and mitigated.

The RBI's Master Direction on Digital Payment Security Controls makes the implementation of strong security controls in digital payment vehicles, including mobile payment apps and wallets, mandatory as a regulatory compliance requirement. This step will strengthen the security backbone of the various digital payment vehicles in India and should further accelerate adoption of digital payment by the masses. mobisec Technologies, a company with the mission to deliver mobile security, is well equipped with capabilities for on-demand mobile app security and mobile threat defence to support enterprises in meeting the digital payment security controls required by the RBI.