What the RBI DPSC Requires
The Reserve Bank of India’s Master Direction on Digital Payment Security Controls was issued in February 2021 and applies to:
- Scheduled Commercial Banks
- Small Finance Banks
- Payment Banks
- Credit Card issuing NBFCs
- Prepaid Payment Instrument issuers
The DPSC establishes six control areas specifically addressing the security of digital payment systems and the personal financial data they process.
The Six Control Areas
§1 — Governance and Oversight
Payment entities must have:
- A dedicated Board-level oversight mechanism for digital payment security
- An executive responsible for digital payment security
- Documented security policies for all digital payment channels
- Annual review of security posture by independent assurance
§2 — General Controls for Digital Payments
Baseline security controls applicable across all payment channels:
- Customer authentication: Minimum two-factor authentication for all transactions above prescribed limits
- Transaction monitoring: Real-time monitoring with anomaly detection
- Fraud management: Documented fraud detection, investigation, and resolution procedures
- Customer notification: Real-time alerts for all transactions
- Dispute resolution: Time-bound dispute resolution with documented procedures
§3 — Internet and Mobile Banking
For internet and mobile banking channels:
- HTTPS/TLS 1.2 or higher for all sessions
- Session timeout and re-authentication for idle sessions
- Certificate pinning for mobile applications
- Protection against common web vulnerabilities (OWASP Top 10)
- Device binding and anomaly detection for mobile banking
§4 — Card Payments
PCI-DSS compliance is mandatory for all card-processing entities. Additionally:
- EMV chip mandate for all new card issuances
- Tokenisation for card-on-file storage
- Dynamic CVV for high-value transactions
- Geolocation-based fraud controls
§5 — AEPS and UPI
For Aadhaar Enabled Payment Systems and UPI:
- UIDAI-prescribed biometric data handling protocols
- Consent artefact storage for all AEPS transactions
- Daily transaction velocity limits
- Merchant risk categorisation
§6 — Prepaid Payment Instruments
For PPI issuers:
- KYC documentation and verification standards
- AML/CFT transaction monitoring
- Expiry and dormancy management
- Cross-border transaction controls
Intersection with DPDP Act
The DPSC’s data protection requirements directly overlap with DPDP Act obligations:
| DPSC Control | DPDP Act Obligation | Overlap |
|---|---|---|
| Customer authentication logs | §8 — Security safeguards | Shared control evidence |
| Transaction data retention | §8(7) — Storage limitation | Retention schedule alignment |
| AEPS consent records | §6 — Consent framework | Consent artefact requirement |
| Fraud investigation data | §12 — Data principal access right | Subject access request scope |
| KYC data handling | §8(2) — Data accuracy | Accuracy and update obligations |
| Breach notification to RBI | §8(6) — DPDP breach notification | Coordinated notification required |
The CreativeCyber DPDP Assurance Platform’s native RBI DPSC control pack maps these six domains against DPDP Act obligations, allowing payment entities to conduct a unified gap assessment rather than two parallel exercises.
Assess your compliance against RBI DPSC
The CreativeCyber DPDP Assurance Platform includes RBI DPSC as a mapped control pack — run a gap assessment, generate evidence, and produce audit-ready reports.