The RBI on Friday asked banks and companies issuing Prepaid Payment Instruments (PPIs) to conduct a special security audit, saying any cyber attack could prove a dampener at a time when the government is nudging people to go in for digital transactions in a big way.
With the withdrawal of legal tender characteristics of old Rs 500 and Rs 1000 notes (Specified Bank Notes, SBN), the use of alternate modes of payment, specifically e-wallets, has gained momentum, the RBI said.
“While all efforts should continue to be made by entities for on boarding new customers and merchants, it needs to be borne in mind that any kind of cyber security incident affecting the digital channels/products, particularly at this juncture, may have significant system-wide ramifications and act as a dampener for the adoption of digital products by public at large,” the central bank said.
As the rapid escalation in e-payments may put significant pressure on the existing digital infrastructure, RBI said “it is imperative that the integrity of our digital ecosystem is maintained by ensuring that they remain robust and fully secure”.
“All authorised entities/banks issuing PPIs in the country are advised to - carry out a special audit by the empaneled auditors of Indian Computer Emergency Response Team (CERT-In) on a priority basis and take immediate steps thereafter to comply with the findings of the audit report”.
The audit should cover compliance as per security best practices, specifically the application security lifecycle and patch/vulnerability and change management aspects for the system authorised and adherence to the process.
Also, “take appropriate measures on mitigating phishing attacks considering that the new customers are likely to be first time users of the digital channels. Safety and security best practices may be disseminated to the customers periodically,” the RBI added.
The scope of the System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place.