A Payment Gateway System is an online digital medium through which electronic transactions take place. It establishes a gateway between a merchant and a buyer or customer that allows them to carry out monetary transactions safely. As the risk of cyber attacks, phishing and hacking has grown, so has the need to secure online monetary transactions, and with it the need for a licensed Payment Gateway System.
The RBI issues Payment Gateway licenses to these gateway systems so that they can carry out their business legally, and it is also the regulating authority for such licensed Payment Gateways. Accordingly, the RBI has issued a number of important security-related recommendations that licensed Payment Gateway Systems must adhere to. Some of these recommendations are discussed in this article under the following subheadings.
Information Security Governance
- The Payment Gateway Licensed System (PGS) must conduct a comprehensive security risk assessment covering its people, IT, business process environment, etc.
- The assessment must identify risk exposures, the remedial measures for them, and the residual risks that remain.
- These security checks can take one of the following forms:
  - An internal security audit
  - An annual security audit by an independent security auditor
  - An audit by a CERT-In empanelled auditor
- The PGS must submit its reports on risk assessment, security compliance posture, security audits and security incidents to the Board.
Data Security Standards
The Payment Gateway Licensed System must implement the best data security standards and practices, such as:
- PCI-DSS
- PA-DSS
- Latest encryption standards
- Transport channel security
Security Incident Reporting
- The PGS must report security incidents or cardholder data breaches to the RBI within the stipulated timeframe.
- The PGS must also submit monthly cyber security incident reports with root cause analysis and preventive actions undertaken to the RBI.
Merchant Onboarding
The Payment License System must undertake a comprehensive security assessment during the merchant onboarding process to ensure that merchants adhere to a minimum set of baseline security controls.
Cyber Security Audit and Reports
The Payment Gateway Licensed System must carry out and submit the following to the IT Committee:
- Quarterly internal and annual external audit reports
- Bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports
- PCI-DSS compliance reports, including the Attestation of Compliance (AOC)
- The Report on Compliance (ROC)
These must be accompanied by any observations noted, including the corrective or preventive actions planned and the closure date for each action.
Information Security
The Payment License system must review its Board-approved information security policy annually. The security policy must consider the following aspects:
- Alignment with business objectives
- Objectives, scope, ownership and responsibility for the policy
- Information security organizational structure
- Information security roles and responsibilities
- Maintenance of asset inventory and registers
- Data classification
- Authorization
- Exception
- Knowledge and skill sets required
- Periodic training and continuous professional education
- Compliance review and penal measures for non-compliance with policies
IT Governance
The Payment License System must frame an IT policy for the regular management of IT functions and ensure that detailed documentation of procedures and guidelines exists and is implemented. In addition, the strategic plan and policy must be reviewed annually.
The board-level IT Governance framework must have the following:
Involvement of Board:
The major role of the Board or the Top Management of the Payment License system must involve the following:
- Approving information security policies
- Establishing the organizational processes or functions necessary for information security
- Providing the necessary resources
IT Steering Committee:
- The Payment License system must create an IT Steering Committee with representations from various business functions as appropriate.
- The Committee must assist the Executive Management in implementing the IT strategy approved by the Board, and it must have well-defined objectives and actions.
Enterprise Information Model:
- The Payment License system must establish and maintain an enterprise information model to enable application development as well as decision-supporting activities consistent with the Board-approved IT strategy.
- The model shall facilitate optimal creation, use and sharing of information by a business in a way that maintains integrity and is flexible, functional, timely, secure and resilient to failure.
Cyber Crisis Management Plan:
- The Payment License system must also prepare a comprehensive Cyber Crisis Management Plan, approved by the IT strategy committee.
- The plan must include components such as Detection, Containment, Response and Recovery.