The volume of digital payments in India is increasing year by year, which makes security controls around digital payments a necessity. Financial data that falls into the wrong hands can have terrible consequences. A security framework that requires businesses to follow best practices while handling customer data can significantly reduce security risks.

The RBI has therefore issued the DPSC guidelines to regulate card payments, internet banking and mobile banking. This article walks you through the RBI Master Direction on Digital Payment Security Controls (DPSC) in detail.

What is RBI DPSC?

RBI DPSC stands for Digital Payment Security Controls, a framework introduced by the Reserve Bank of India to strengthen the security of digital payment systems in India.

It lays down mandatory security requirements for the regulated banks and credit-card-issuing NBFCs that offer digital payments, and through them for the fintech companies and payment service providers that build or operate their payment channels, to protect digital transactions, mobile banking apps and customer data from cyber threats.

Who Needs to Follow RBI’s Digital Payments Security Controls

The Master Direction on Digital Payment Security Controls was released on 18 February 2021.

These security controls apply to the regulated entities listed below that offer digital payment products and services to their customers, not to every business that accepts digital payments.

These rules apply to Regulated Entities (REs) such as:

  • Scheduled commercial banks
  • Payment banks
  • Small finance banks 
  • Credit card issuing NBFCs. 

RBI DPSC enables customers to securely conduct digital payments. The RBI Master Direction on Digital Payment Security Controls covers areas such as:

  • Governance and Management of Security Risks
  • Generic Security Controls
  • Application Security Life Cycle (ASLC)
  • Authentication Framework
  • Fraud Risk Management
  • Reconciliation Mechanism
  • Customer Protection
  • Awareness and Grievance Redressal Mechanism

Further, it states specific controls for internet banking security, mobile payment application security and card payment security.

Applicability of RBI DPSC

Regulated Entities (REs) such as Scheduled Commercial Banks (excluding Regional Rural Banks), Small Finance Banks, Payments Banks and Credit card issuing NBFCs need to abide by the provisions of the Master Direction.

What was the Purpose behind RBI’s Introduction of the DPSC Framework

The Master Direction on Digital Payment Security Controls sets a common minimum standard of security controls for the digital payment products and services that regulated entities offer over internet banking, mobile applications and cards. (Membership of RBI-operated payment systems such as RTGS and NEFT, and the eligibility conditions applicants must satisfy, are governed by the RBI's separate Master Direction on access criteria for payment systems, summarised later in this article.) RBI introduced the framework for several clear reasons.

a) To Improve Security

Digital payments involve sensitive information like:

  • Bank account details 
  • Card details 
  • Personal data 

The RBI wants to ensure this information is protected.

b) To Reduce Fraud

With more digital transactions, fraud risks increase.
The framework helps detect and prevent fraud early.

c) To Create Standard Rules

Earlier, different entities followed different security practices; now, RBI has created a uniform security standard.

d) To Build Customer Trust

Customers must feel safe while making any digital payments.

What Are the Key Guidelines Issued by RBI Under DPSC

The RBI has provided DPSC guidelines across multiple areas. Organizations must actively manage risks instead of reacting later.

1. Governance and Risk Management

  • Entities must identify risks like:
    • Cyber attacks 
    • Fraud 
    • System failures 
  • There must be proper monitoring and control systems.

2. Secure Application Development

Applications must be built using secure coding practices, and security must be built into apps from the beginning.

  • Must follow standards like:
    • OWASP 
    • ISO guidelines 

3. Authentication Controls

Multi-factor authentication (MFA) must be used.

  • Example:
    • Password + OTP 

4. Fraud Risk Management

Systems should be able to catch suspicious activities quickly. Entities must:

  • Monitor transactions continuously 
  • Detect unusual behaviour like:
    • Sudden high-value transactions 
    • Transactions from unknown locations 

5. Customer Protection

  • Customers must be protected and supported at all times. They must be informed about:
    • Risks 
    • Safe practices 
  • There must be:
    • Complaint handling system 
    • Quick resolution process 

6. Channel-Specific Security

Different channels require different controls which means every payment method must be secured separately.

  • Internet banking security 
  • Mobile banking app security 
  • Card payment security

The membership and access criteria that follow are not part of the DPSC itself; they come from the RBI's separate Master Direction on access criteria for payment systems, and they differ for centralized and decentralized payment systems.

Centralized Payment Systems

Real Time Gross Settlement (RTGS), National Electronic Funds Transfer (NEFT) and any other system recognized by the RBI from time to time.

Decentralized Payment Systems

Clearing houses managed by the RBI, such as Cheque Truncation System (CTS) centres, and clearing houses managed by other banks, such as Express Cheque Clearing System (ECCS) centres.

  • All scheduled and licensed banks may apply for membership of the centralized and decentralized payment systems.
  • Such banks can obtain Type A membership in RTGS, covering inter-bank, Own Account Transfer (OAT), customer and Intra-Day Liquidity (IDL) transactions, as well as membership of NEFT.
  • Co-operative societies are not eligible to become either direct members or sub-members of any payment system.
  • Post office savings banks, however, can be members of decentralized payment systems.
  • Primary dealers can apply for Type B membership, which covers OAT, IDL and inter-bank transactions.
  • Prepaid Payment Instrument (PPI) issuers and White Label ATM Operators can be Type D members in RTGS, and card networks can apply for Type C membership in RTGS, which covers multilateral net settlement batch transactions and OAT.
  • PPI issuers can also obtain membership of NEFT.
  • RBI decides on a case-by-case basis whether clearing organizations and other entities are eligible for membership.

Who Is Eligible for Membership of RBI Payment Systems

There is a set of requirements to be fulfilled by entities applying to centralized and decentralized payment systems. The criteria to gain membership in centralized payment systems are as follows:

1. Banks

Banks must have a minimum CRAR of 9%, net NPAs below 5% and a minimum net worth of Rs 25 crore. A core banking solution/centralized processing system must be in place at the applicant's end, and the bank must be technically competent in areas including cyber security. Banks must also comply with the RBI's instructions on storage of payment system data and obtain a recommendation from the concerned regulatory/supervisory department.

2. Authorized non-bank PSPs

Non-bank PSPs must be authorized by the RBI under the Payment and Settlement Systems Act, 2007, and must have a minimum net worth of Rs 25 crore or the amount prescribed in their certificate of authorization, whichever is higher. The entity should be incorporated in India under the Companies Act, 1956/2013; an entity not incorporated in India should have its Indian subsidiary enter into the requisite agreements with the RBI. A centralized processing system, cyber resilience and compliance with the payment system data storage instructions are also mandatory.

Access criteria for decentralized payment systems are as follows:

  • Entities must have a minimum CRAR of 9% and net NPAs below 5% as per the latest audited balance sheet.
  • A core  banking system at the applicant’s end as well as recommendation of the concerned regulatory/supervisory department is mandatory.

The recommendation is obtained independently and the entity need not present it while submitting the application. The recommendation can be useful for banks, authorized non-bank PSPs, and primary dealers to continue operations even during instances when the entity’s financials drop below the above mentioned thresholds. New licensed banks need no separate recommendation if the application has been submitted before starting operations.

How to Achieve RBI DPSC Compliance for Mobile Apps?

Typical mobile-app threats and the countermeasure each calls for:

  • Keylogging attacks: prevent unauthorized keystroke recording
  • Overlay attacks: detect and stop suspicious screen overlays
  • App code decompiling and reverse engineering: code obfuscation and encryption
  • Account takeover: block suspicious repeated login attempts

General Controls under RBI DPSC

The Master Direction on Digital Payment Security Controls covers key areas such as general controls, internet banking security controls, mobile payment application security controls and card payment security. Let's look at the key highlights of the general controls one by one.

1. Governance and management of security

This pertains to identification, analysis, monitoring and management of fraud risk and compliance risk linked with digital payment products through risk governance and risk management programs.

2. Application security life cycle

Regulated entities with digital payment applications must implement all the necessary security controls to handle, store and protect payment data. Standards and guidelines such as OWASP, the data-protection guidance in ISO 12812 and the NIST threat catalogues must be adhered to from the application development phase onwards.

3. Authentication Framework

REs should implement multi factor authentication for payments and fund transfers through electronic modes and payment applications. Appropriate authentication methodologies should be determined after risk assessment. It is recommended that entities use at least one authentication methodology that is generally dynamic or non-replicable.
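As an added illustration (not DoveRunner's code and not text from the Master Direction) of the password + OTP combination listed under Authentication Controls above and of the dynamic, non-replicable factor described here, the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238) with a verifier that keeps a high-water mark of accepted counters, so a code that has been used once is rejected if it is replayed. The 20-byte secret is the RFC 6238 test key; the user record, salt and PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Added example, not DoveRunner's code. HOTP (RFC 4226) / TOTP (RFC 6238) as the
# dynamic, non-replicable second factor; PBKDF2 password hashing as the first.
# The secret, user record, salt and iteration count are assumptions.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side OTP check: constant-time compare, a small clock-drift window,
    and a high-water mark so that an accepted code can never be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted = -1  # highest counter already consumed

    def verify(self, submitted: str, now: int) -> bool:
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_accepted:
                continue  # already burned: a replayed or older code is rejected
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted = counter
                return True
        return False


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def login(user: dict, verifier: OtpVerifier, password: str, otp: str, now: int) -> bool:
    """Password + OTP. The OTP is not consumed on a wrong password, so a typo does
    not burn the legitimate user's current code; the caller must still return the
    same generic failure message for either factor."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    return verifier.verify(otp, now)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, illustration only
    salt = b"\x00" * 16               # constructed; use os.urandom(16) in practice
    user = {"salt": salt, "pw_hash": hash_password("correct horse", salt)}
    v = OtpVerifier(secret)
    now = int(time.time())
    code = totp(secret, now)
    print(login(user, v, "correct horse", code, now))  # True
    print(login(user, v, "correct horse", code, now))  # False: replay of a used code
```

The window of one step either side tolerates modest clock drift; widening it weakens the non-replicable property. The high-water mark must live in storage shared by every server that can accept the OTP, otherwise a code consumed on one instance can be replayed against another.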

4. Fraud Risk Management

Entities need to configure their transaction-monitoring systems with parameters that identify suspicious transactional behaviour. Parameters such as the following are established:

  • Transaction velocity: many fund transfers, withdrawals, payments or new-beneficiary additions in a short span of time, particularly in customer accounts that have never transacted through the app, internet banking or card.
  • Parameters associated with high-risk Merchant Category Codes (MCC).
  • Parameters linked with card counterfeiting (for instance, repeated unsuccessful attempts to enter a PIN or CVV indicate that someone is guessing card credentials rather than using a genuine card).
  • New-account parameters to detect unusual or excessive activity in newly opened accounts.
  • Geo-location, time zone and IP address origin that indicate activity from prohibited zones.
  • Transactions to mobile numbers or mobile wallets that have previously been blacklisted for fraudulent activity.
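The following Python is an added example (not DoveRunner's code and not from the Master Direction) that turns the parameters above into rules and runs them over a constructed batch of events. The thresholds, the high-risk MCC list, the prohibited-geography code "XX", the blacklisted number and the two sample accounts are all assumptions; a regulated entity would tune them from its own data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Added example, not DoveRunner's code. Thresholds, MCC/geo lists and all
# sample accounts and events are assumptions constructed for illustration.

HIGH_RISK_MCC = {"6051", "7995"}          # assumed: quasi-cash, gambling
PROHIBITED_COUNTRIES = {"XX"}             # assumed placeholder for prohibited zones
BLACKLISTED_PAYEES = {"+919999900000"}    # constructed: number previously tied to fraud


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str               # payment | add_beneficiary | pin_fail | cvv_fail
    amount: float = 0.0
    mcc: str = ""
    country: str = "IN"
    payee: str = ""


@dataclass
class Profile:
    opened: datetime
    prior_digital_txns: int   # earlier transactions via app / net banking / card


class FraudRules:
    def __init__(self, profiles: Dict[str, Profile], velocity_limit: int = 3,
                 window: timedelta = timedelta(minutes=10), fail_limit: int = 3,
                 new_account_age: timedelta = timedelta(days=7),
                 new_account_amount: float = 50_000.0):
        self.profiles = profiles
        self.velocity_limit = velocity_limit
        self.window = window
        self.fail_limit = fail_limit
        self.new_account_age = new_account_age
        self.new_account_amount = new_account_amount
        self.recent: Dict[str, deque] = defaultdict(deque)  # money-moving events per account
        self.fails: Dict[str, deque] = defaultdict(deque)   # PIN/CVV failures per account

    @staticmethod
    def _push(q: deque, ts: datetime, window: timedelta) -> int:
        """Sliding window: append and drop everything older than the window."""
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        return len(q)

    def evaluate(self, ev: Event) -> List[str]:
        reasons: List[str] = []
        profile = self.profiles[ev.account]

        if ev.kind in ("payment", "add_beneficiary"):
            n = self._push(self.recent[ev.account], ev.ts, self.window)
            if n > self.velocity_limit and profile.prior_digital_txns == 0:
                reasons.append("velocity_dormant_account")

        if ev.kind in ("pin_fail", "cvv_fail"):
            n = self._push(self.fails[ev.account], ev.ts, self.window)
            if n >= self.fail_limit:
                reasons.append("repeated_pin_cvv_failures")

        if ev.mcc in HIGH_RISK_MCC:
            reasons.append("high_risk_mcc")
        if ev.country in PROHIBITED_COUNTRIES:
            reasons.append("prohibited_geo")
        if ev.payee and ev.payee in BLACKLISTED_PAYEES:
            reasons.append("blacklisted_payee")
        if (ev.kind == "payment" and ev.ts - profile.opened < self.new_account_age
                and ev.amount >= self.new_account_amount):
            reasons.append("new_account_high_value")
        return reasons


def screen(profiles: Dict[str, Profile], events: List[Event]) -> List[List[str]]:
    """Return the list of triggered rule names for each event, in input order."""
    rules = FraudRules(profiles)
    return [rules.evaluate(ev) for ev in events]


T0 = datetime(2024, 6, 3, 10, 0)
SAMPLE_PROFILES = {
    "ACC-1": Profile(opened=datetime(2023, 1, 1), prior_digital_txns=0),  # dormant
    "ACC-2": Profile(opened=datetime(2024, 6, 1), prior_digital_txns=5),  # two days old
}
SAMPLE_EVENTS = [
    Event(T0, "ACC-1", "add_beneficiary", payee="+919800000001"),
    Event(T0 + timedelta(minutes=1), "ACC-1", "payment", 5000, "5411"),
    Event(T0 + timedelta(minutes=2), "ACC-1", "payment", 5000, "5411"),
    Event(T0 + timedelta(minutes=3), "ACC-1", "payment", 5000, "5411"),   # 4th in 3 minutes
    Event(T0, "ACC-2", "payment", 60000, "5411"),                          # new account, high value
    Event(T0 + timedelta(minutes=5), "ACC-2", "payment", 1000, "7995"),    # gambling MCC
    Event(T0 + timedelta(minutes=6), "ACC-2", "pin_fail"),
    Event(T0 + timedelta(minutes=6, seconds=30), "ACC-2", "cvv_fail"),
    Event(T0 + timedelta(minutes=7), "ACC-2", "pin_fail"),                 # 3rd failure
    Event(T0 + timedelta(minutes=8), "ACC-2", "payment", 200, "5411", "XX", "+919999900000"),
]

if __name__ == "__main__":
    for ev, reasons in zip(SAMPLE_EVENTS, screen(SAMPLE_PROFILES, SAMPLE_EVENTS)):
        if reasons:
            print(ev.ts.time(), ev.account, ev.kind, reasons)
```

Each rule returns a named reason rather than a bare boolean so the case can be routed (step-up authentication, hold, or analyst review) and so the alert records which parameter fired, which is what an auditor will ask for.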

What Security Measures Does RBI Expect You to Implement

Secure by design 

Adopting a ‘secure by design approach’ is a must for entities looking to strengthen their digital payment products with complete security. Implementing security features must start right at the development stage. Entities must operate with certain security objectives that emphasize safeguarding customer data during several stages such as requirements gathering, designing, development, testing, implementation, maintenance, monitoring and decommissioning of the application. 

Entities must always mask sensitive customer information such as card numbers and account numbers. Mobile applications should not be designed to store any sensitive information on the device, and the application should be able to erase sensitive data from memory without compromising security. The number of temporary files must be restricted, and any information stored in such files must be protected by suitable methods such as encryption or masking.
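An added example (not DoveRunner's code) of the masking requirement above in Python: card numbers are masked to the PCI DSS display rule of at most the first six and last four digits, account numbers keep only their last four, and a log scrubber redacts PAN-like digit runs, using a Luhn check so that reference numbers of the same length are left alone. The log lines are constructed and the card numbers are published test numbers, not real cards.

```python
import re
from typing import List

# Added example, not DoveRunner's code. Display masking and log redaction for
# card and account numbers; the log lines are constructed, the PANs are the
# well-known 4111... / 5555... test numbers.

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; filters out reference numbers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_account(number: str, keep: int = 4) -> str:
    """Account numbers have no fixed length or check digit; show only the tail."""
    if len(number) <= keep:
        raise ValueError("nothing left to mask")
    return "X" * (len(number) - keep) + number[-keep:]


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN-like run with its masked form; leave others."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def redact_all(lines: List[str]) -> List[str]:
    return [redact_log_line(line) for line in lines]


# Constructed log lines for illustration.
SAMPLE_LOG = [
    "2024-06-03T10:02:11Z payment ok pan=4111111111111111 amt=5000.00",
    "2024-06-03T10:02:12Z refund ref=1234567890123456 acct=001234567890",
    "2024-06-03T10:02:13Z card 5555 5555 5555 4444 declined",
]

if __name__ == "__main__":
    for line in redact_all(SAMPLE_LOG):
        print(line)
    print(mask_account("001234567890"))
```

Redaction at the logging layer is a safety net, not a substitute for never passing the full PAN into log statements in the first place; the Luhn filter keeps the scrubber from mangling order and reference identifiers, but a Luhn-valid non-card number will still be masked, which is the safer failure mode.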

Adequate safeguards 

All entities are required to implement adequate safeguards when dealing with digital payment products and services. Web applications offering digital payment products and services should abstain from storing sensitive data in cookies, HTML, hidden fields, and client-side storage as they are not considered secure storage methods. Firewall solutions and Distributed Denial-of-Service mitigation techniques should be implemented to safeguard payment products and services delivered over the internet.

Customer awareness and protection

The Master Direction on Digital Payment Security Controls requires entities to keep their customers well informed about their rights, obligations and responsibilities pertaining to digital payments. Customers should be aware of any risks associated with service unavailability or security violations. Customers should also have clarity on the terms and conditions regarding privacy and security, and no product or service should be offered without the customer expressing explicit willingness to use it. The customer's consent should be obtained through a written or authenticated electronic request. Customers should be made aware of the secure-usage guidelines in their preferred language, so as to reduce security risks arising from ignorance or negligence.

How can DoveRunner help with RBI DPSC Compliance? 

DoveRunner supports compliance with the RBI Digital Payment Security Controls through specialized mobile app security, including runtime application self-protection (RASP), helping fintechs and banks meet the Direction's requirements for secure transactions and data protection. It offers threat detection together with compliance mapping.

Key Ways DoveRunner Helps with RBI DPSC Compliance:

1. Protection Against Keylogging Attacks

DoveRunner detects and blocks unauthorized attempts to record what users type on their devices.

Keylogging attacks are used to steal:

  • Passwords 
  • OTPs 
  • Banking credentials 

By stopping these attacks, DoveRunner ensures that sensitive information entered by users stays private. It adds an extra layer of safety during login and transactions. This supports RBI's requirement for secure authentication and protection of user data.

2. Protection from Overlay Attacks

Overlay attacks use fake screens placed over real apps to trick users into entering sensitive information.

DoveRunner:

  • Detects suspicious overlays 
  • Blocks fake screens 
  • Protects user inputs 

This ensures users interact only with genuine app screens and not malicious ones. It helps reduce the risk of credential theft. This supports RBI’s guidelines on fraud prevention and secure app usage.

3. Prevention of App Code Decompiling and Reverse Engineering

Attackers may try to break down an app to understand its code and find weaknesses.

DoveRunner prevents this using:

  • Code obfuscation
  • Encryption of the application code

This makes it difficult for hackers to analyze or modify the app code. It keeps the app's logic and security controls protected at all times. This supports RBI's requirement for secure application design and protection.

4. Strong Security Without Affecting User Experience

Many security tools slow down apps, but DoveRunner is designed to maintain smooth performance.

It ensures:

  • No noticeable delays 
  • Fast response time 
  • Smooth user experience 

This is important because users should feel safe without facing inconvenience while using the app. This supports RBI’s need for secure and user-friendly systems.

5. Reliable Support and Industry Trust

DoveRunner is trusted by developers and professionals worldwide.

Users have experienced:

  • Quick and helpful support 
  • Fast issue resolution 
  • Consistent performance 

This ensures that businesses can rely on the solution for continuous protection and compliance. This helps maintain ongoing compliance and operational stability.

6. Built for Global Compliance

DoveRunner is designed to meet high security and regulatory standards across different regions and domains.

It helps organizations:

  • Follow regulatory requirements 
  • Maintain strong data protection 
  • Stay compliant with evolving security rules 

This makes it easier for businesses to meet RBI DPSC and global compliance standards.

What are the Consequences of failing to comply with RBI’s Digital Payment Security Guidelines? 

The RBI Digital Payment Security Controls (DPSC) are mandatory for all regulated entities. These are not optional guidelines. Entities are expected to follow them fully.

If an entity does not comply with these controls, it can face several serious consequences.

1. Regulatory Action by RBI

The RBI has the authority to step in and enforce compliance if an entity fails to follow the rules.

This can include:

  • Issuing warnings or notices 
  • Directing the entity to fix gaps within a timeline 
  • Taking supervisory or corrective action 

2. Increased Monitoring, Inspections, and Audits

The entity will be closely watched and regularly checked for issues.

Non-compliance can lead to:

  • More frequent inspections by RBI 
  • Detailed audits of systems and processes 
  • Continuous supervision 

3. Higher Risk of Fraud and Cyber Incidents

If proper security controls are not implemented:

  • Systems may become vulnerable 
  • Fraud attempts may increase 
  • Cyber attacks may succeed more easily 

4. Financial Losses

Security failures can result in:

  • Direct loss of money due to fraud 
  • Costs for fixing systems and improving security 
  • Compensation to affected customers 

5. Damage to Reputation and Loss of Trust

If customers face fraud or data breaches:

  • Trust in the institution decreases 
  • Brand reputation is affected 
  • Customers may stop using the services 

6. Customer Complaints and Dissatisfaction

Non-compliance can lead to:

  • Increase in customer complaints 
  • Poor customer experience 
  • Delays in resolving issues
  • Customers may feel unsafe and unhappy using the service.

7. Operational Disruptions

Security issues may also cause:

  • System downtime 
  • Service interruptions 
  • Disruption in payment processing 

Why RBI DPSC Matters in Today’s Digital Landscape

India has transitioned from a cash based economy to a cashless economy resulting in digital payment systems gaining more prominence. With more and more users opting for digital payments, cyber threats have raised some major concerns. The RBI published common security standards for digital payment products and services in view of the proliferation of cyber attacks. Mandating regulated entities to follow secure standards enables customers to use digital payments products and services in a safe and secure manner. RBI DPSC outlines data privacy and security guidelines to address cyber security risks prevalent in the digital payment landscape.

Frequently Asked Questions

Does the RBI digital security framework mandate PCI PIN compliance for banks?

Banks managing any of the following domains need to adhere to PCI PIN standards:

  1. PIN acquiring payment processing – POS and ATM
  2. Remote key distribution with asymmetric keys
  3. Key injection facilities 
  4. Certification and registration 

If the bank outsources any of the above activities, the third-party vendor must also be PCI PIN compliant.

What are PCI PTS, PCI HSM and PCI P2PE standards?

PCI PTS standards apply to POI/POS devices, HSMs, encryption PIN pads, and unattended payment terminals. Banks must ensure that the hardware vendor has adhered to PCI PTS standards when deploying these devices.  

PCI PTS HSM standards apply to HSM devices and outline all physical, logical and security requirements to be fulfilled when deploying HSM devices. Hardware vendors must ensure the devices meet the security requirements, and banks need to evaluate the same.

PCI P2PE standards cover the security requirements to be fulfilled for point-to-point encryption solutions. It specifies encryption, decryption and key management requirements and requires banks to only use assets that are PCI P2PE compliant. Any third party vendors involved need to be PCI P2PE compliant as well.

What do PCI P2PE solutions include?

PCI P2PE solutions include the following:

  • Payment card data encryption at the POI
  • Use of P2PE validated applications at the point of interaction 
  • Managing encryption and decryption devices securely 
  • Managing decryption environment and decrypted account data
  • Applying secure encryption methodologies

Is it safe to migrate the PCI environment to cloud?

Moving the PCI environment to the cloud can be done safely, but the fact that the major cloud platforms hold PCI DSS attestations does not by itself make a bank's deployment compliant. Under the shared-responsibility model the provider's attestation covers only the services it operates; the bank remains responsible for its own cardholder data environment, including network segmentation, key management, access control, logging and monitoring. The chosen cloud region must also satisfy the RBI's payment system data storage instructions. Banks may therefore adopt a hybrid approach, keeping some data on-premise and moving the rest to the cloud, so that compliance isn't compromised.

DoveRunner is a premier security solutions provider that facilitates zero coding protection for Android, iOS and Hybrid mobile apps. Protect your application from runtime attacks with scalable security and advanced threat analytics that provide snapshots of all hacking attempts. Our solutions are customized for apps across a wide range of industries including gaming, movies, fintech, ecommerce among others. Get in touch with us to protect your data from unauthorized access without compromising on app performance.

What are the Mobile application security solutions available in the market that are RBI, GDPR, HIPAA compliant?

Leading mobile application security solutions that help address compliance requirements such as the Reserve Bank of India (RBI) cyber security guidelines, the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) typically offer runtime application self-protection (RASP), anti-tampering, reverse-engineering prevention, AES-256 encryption using FIPS 140-2 validated cryptographic modules, and root/jailbreak detection. They support both Android and iOS, helping organizations in banking, healthcare and fintech secure sensitive data and meet RBI cyber security, GDPR privacy and HIPAA health data protection requirements.