RBI Master Direction on Digital Payments Security Controls: The BFSI Compliance Playbook

RBI's Master Direction on Digital Payment Security Controls (DPSC), issued February 18, 2021, is the most operationally dense cybersecurity regulation the Indian banking sector has faced — and RBI inspectors verify every control during IT examinations.

At a glance: 75+ mandatory controls · 6 payment channels · effective February 2021 · typical penalty ₹1 crore and above

April 29, 2026 · 10 min read · For CISO, Compliance and Risk teams

RBI's Master Direction on Digital Payment Security Controls (DPSC), issued February 18, 2021, is the most operationally dense cybersecurity regulation the Indian banking sector has faced. It covers 75+ mandatory controls across six digital payment channels — and unlike SEBI CSCRF which is an annual declaration exercise, RBI inspectors verify DPSC controls during IT examinations. Non-compliance triggers penalty letters, corrective action plans, and in serious cases, business restrictions.

Who Must Comply

The DPSC applies to:

  • Scheduled Commercial Banks (Private, PSU and Foreign)
  • Small Finance Banks
  • Payment Banks
  • White Label ATM Operators (WLAOs)
  • Card Payment Networks operating in India
  • Prepaid Payment Instrument (PPI) issuers regulated by RBI

NBFCs providing digital payment services fall under a related framework but should treat DPSC as their baseline. If your entity touches any digital payment channel — from internet banking to UPI to prepaid wallets — DPSC applies to you.

The Six Control Domains — What RBI Actually Inspects

1. Internet Banking Security

  • Mandatory multi-factor authentication (MFA) for all transactions — OTP alone does not satisfy MFA for high-value transfers
  • Risk-based transaction limits configurable by customers; defaults must be conservative
  • Device binding for registered internet banking sessions
  • Session timeout ≤15 minutes for inactive sessions
  • End-to-end encryption for all data in transit (TLS 1.2 minimum, TLS 1.3 recommended)
  • Anti-phishing controls: DMARC/DKIM/SPF enforced, visual indicators validated quarterly
  • Most common inspection gap: Device fingerprinting either absent or not logged for forensics

2. Mobile Banking Security

  • Certificate pinning mandatory for mobile banking apps
  • Jailbreak/root detection with session termination
  • No caching of sensitive data (account numbers, credentials) on device storage
  • App hardening: code obfuscation, anti-tampering, binary protection
  • API security: signed requests, replay attack prevention, rate limiting
  • Most common inspection gap: Older app versions remain live without force-upgrade mechanisms; RBI expects a sunset policy for versions older than 12 months

3. Card Security Controls

  • PCI-DSS compliance is a prerequisite, not a substitute — RBI maps PCI controls to DPSC requirements
  • EMV chip mandate fully enforced; mag-stripe-only fallback must be disabled for domestic transactions
  • Card-Not-Present (CNP) transactions: mandatory 2FA, no exemptions for low-value domestic transactions (unlike EU PSD2)
  • International card usage: default OFF, customer activation required per transaction type
  • Real-time velocity checks: bank must define and enforce at both issuer and switch level
  • Most common inspection gap: Tokenization roadmap — RBI mandated card-on-file tokenization by December 2021; many smaller banks still have merchant integrations storing raw PANs

4. ATM Security

  • Logical security: hard disk encryption, BIOS password, USB port disabling
  • Anti-skimming: physical inspection protocol (frequency: minimum monthly for high-risk ATMs)
  • Network security: ATM must be on isolated VLAN, no direct internet connectivity
  • Software: OS must not be end-of-life; Windows 7/XP ATMs are a critical finding
  • Surveillance: CCTV with 90-day retention minimum, monitored centrally
  • Most common inspection gap: ATM patch management — RBI expects patches within 30 days of vendor release; most banks operate on quarterly patch cycles

5. Prepaid Payment Instruments (PPI)

  • Full KYC PPI: transaction limits as per RBI PPI Master Directions; limits cannot be enhanced without KYC upgrade
  • Semi-closed PPI: interoperability requirements, fund transfer velocity limits
  • Fraud monitoring: real-time transaction monitoring mandatory; 24-hour fraud dispute resolution SLA
  • Dormancy: auto-block after 1 year of inactivity; customer notification 30 days prior
  • Most common inspection gap: PPI issuers often lack a documented Fraud Risk Management Framework (FRMF) — RBI considers this a standalone deliverable, not just a section of the Information Security Policy

6. Fraud Risk Management (Cross-Channel)

"RBI inspectors ask for the Fraud Risk Management Framework as Document 1. If you hand them your general IS Policy with a 'fraud' section, the examination begins poorly."

  • Documented FRMF covering all six channels — must be Board-approved
  • Transaction monitoring system with defined rules, thresholds, and review cadence
  • Suspicious Transaction Reporting (STR) escalation to FIU-IND within 7 days
  • Customer awareness: RBI mandates quarterly SMS/email advisories — log evidence required
  • Incident reporting: any fraud above ₹1 lakh must be reported to RBI within 2-3 days (channel-specific timelines)
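Three of the controls listed above, issuer-level velocity checks (card section), system-enforced PPI dormancy with 30-day prior notice (PPI section) and threshold-based transaction monitoring rules (this section), as an added illustration that is not part of the original article or of any RBI text. The window, count and amount thresholds are constructed placeholders a bank would replace with values from its own FRMF, and the transactions and wallet activity dates are constructed sample data.

```python
# Added illustration of issuer-side velocity rules and PPI dormancy enforcement.
# Window/count/amount thresholds are constructed placeholders, not RBI figures.
from collections import deque
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(minutes=10)   # sliding window per instrument (assumed)
MAX_TXNS_PER_WINDOW = 5                   # count threshold (assumed)
MAX_AMOUNT_PER_WINDOW = 100_000           # rupees per window (assumed)
DORMANCY_PERIOD = timedelta(days=365)     # DPSC: auto-block after 1 year
DORMANCY_NOTICE = timedelta(days=30)      # DPSC: notify customer 30 days prior

def velocity_alerts(txns):
    """Return (timestamp, instrument, reason) for each transaction that breaches
    the count or amount threshold inside the sliding window; txns sorted by time."""
    windows = {}  # instrument -> deque of (timestamp, amount) still in window
    alerts = []
    for ts, inst, amount in txns:
        q = windows.setdefault(inst, deque())
        q.append((ts, amount))
        while ts - q[0][0] > VELOCITY_WINDOW:  # evict entries older than window
            q.popleft()
        if len(q) > MAX_TXNS_PER_WINDOW:
            alerts.append((ts, inst, "count"))
        elif sum(a for _, a in q) > MAX_AMOUNT_PER_WINDOW:
            alerts.append((ts, inst, "amount"))
    return alerts

def dormancy_actions(last_activity, now):
    """instrument -> 'notify' once the 30-day notice window opens, 'block' after a year."""
    actions = {}
    for inst, last in last_activity.items():
        idle = now - last
        if idle >= DORMANCY_PERIOD:
            actions[inst] = "block"
        elif idle >= DORMANCY_PERIOD - DORMANCY_NOTICE:
            actions[inst] = "notify"
    return actions

# Constructed sample data, not real transactions or customers.
T0 = datetime(2026, 1, 15, 10, 0)
SAMPLE_TXNS = [(T0 + timedelta(minutes=m), inst, amt) for m, inst, amt in [
    (0, "CARD1", 20_000), (1, "CARD1", 20_000), (2, "CARD1", 20_000),
    (3, "CARD1", 20_000), (4, "CARD1", 20_000),  # 5 txns, 1,00,000: at the limit
    (5, "CARD1", 5_000),                         # 6th in window -> count alert
    (6, "CARD2", 90_000), (7, "CARD2", 15_000),  # 1,05,000 -> amount alert
    (20, "CARD1", 1_000),                        # window expired -> no alert
]]
NOW = datetime(2026, 4, 29)
SAMPLE_LAST_ACTIVITY = {"WALLET_A": NOW - timedelta(days=366),  # -> block
                        "WALLET_B": NOW - timedelta(days=340),  # -> notify
                        "WALLET_C": NOW - timedelta(days=30)}   # active, no action
```

Both outputs are the kind of system-generated record (alert log, dormancy action log) an inspector accepts as evidence of an automated control, as opposed to a policy assertion.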

The 10 Gaps RBI Inspectors Most Commonly Flag

These 10 gaps are drawn from DPSC-related inspection observations and penalty letters available in the public domain. They represent the highest-frequency findings across PSU and private sector banks.
  1. No documented FRMF — IS Policy fraud sections don't satisfy the requirement for a standalone Board-approved framework
  2. Stale app versions live — No force-upgrade or version sunset policy for mobile banking apps
  3. Insufficient device binding — Internet banking sessions not tied to device fingerprints; session tokens transferable
  4. Missing certificate pinning — Mobile API calls vulnerable to MITM; found in older app codebases
  5. ATM OS end-of-life — Windows 7/XP ATMs still in production; inspectors flag each ATM individually
  6. Card tokenization gaps — Merchants still storing raw PANs; bank's tokenization rollout not complete
  7. Weak session timeout — Internet banking timeouts set at 30 minutes instead of mandatory 15 minutes
  8. No quarterly phishing simulation evidence — DPSC requires evidence of anti-phishing control testing
  9. PPI dormancy policy not automated — Manual dormancy review processes fail at scale; RBI expects system-enforced controls
  10. STR reporting delays — FIU-IND STR submissions beyond the 7-day window; audit trail incomplete

Building Your DPSC Compliance Evidence Pack

Structure the evidence pack by control domain. For each domain, RBI inspectors typically request:

  • Policy document (Board-approved, version-dated)
  • System configuration screenshots or logs (not just policy assertions)
  • Testing evidence (penetration test reports for internet/mobile banking — annual minimum)
  • Monitoring data (fraud monitoring alert logs, review records)
  • Incident register (with RBI reporting dates for any reportable incidents)

A practical checklist:

  • FRMF document: Board-approved, covers all 6 channels, last reviewed within 12 months
  • Internet banking: MFA implementation evidence, session timeout config, device fingerprinting logs
  • Mobile banking: VAPT report (annually), app version policy, certificate pinning evidence
  • Cards: PCI-DSS AOC (current), tokenization status report, CNP 2FA config evidence
  • ATMs: Inventory with OS version, patch status, last physical security inspection date
  • PPI: Transaction monitoring rule set, FIU-IND STR log, dormancy automation evidence
  • Customer advisories: Last 4 quarters of fraud awareness communications with dispatch logs

DPSC and Other RBI Frameworks — Avoiding Double Documentation

DPSC is one of four overlapping RBI frameworks BFSI compliance teams must manage simultaneously:

Framework, primary focus, and overlap with DPSC:

  • RBI Cyber Security Framework (2016): overall bank cyber posture. Overlap with DPSC: incident response, CISO mandate, SOC
  • DPSC (2021): digital payment channels specifically. Overlap: authentication, fraud monitoring, ATM/card controls
  • RBI IT Governance Framework (2023): IT strategy, risk, vendor management. Overlap with DPSC: vendor security, IT audit, change management
  • CERT-In Directions (2022): incident reporting. Overlap with DPSC: 6-hour reporting clock, log retention, VAPT

The smart compliance approach: build a single control register mapped to all four frameworks. Where DPSC requires quarterly phishing testing and the Cyber Security Framework requires annual security awareness, one programme satisfies both — but you need cross-references in your evidence pack.

Enforcement — What Actually Happens

RBI has levied penalties ranging from ₹50 lakh to ₹2 crore on banks for DPSC-related deficiencies. Penalties are published on the RBI website. The reputational impact often exceeds the financial penalty.

RBI's enforcement sequence for DPSC gaps:

  1. IT Examination observation — Issued as part of the inspection report; bank has 30 days to respond
  2. Corrective Action Plan (CAP) — Bank submits remediation timeline; RBI monitors quarterly
  3. Penal action letter — If remediation is insufficient or repeat gaps found; penalty quantum disclosed publicly
  4. Business restriction — For severe or systemic gaps; rare but has been invoked for digital payment services

One practical note: inspection observations from one bank often signal what RBI will look for at peers in the same examination cycle. If a PSU bank received a DPSC observation on ATM OS lifecycle, expect private sector banks to receive the same question within 6-12 months.

Automate DPSC Control Tracking with CreativeCyber RiskSage AI

From scattered DPSC evidence to an audit-ready control register

Managing DPSC evidence across 6 channels, 4 overlapping frameworks, and quarterly inspection cycles is operationally intensive. RiskSage AI maps your controls to DPSC, CERT-In, RBI CSF, and IT Governance Framework simultaneously — so one piece of evidence satisfies multiple requirements automatically.
