RBI chalks out plan to make non-bank e-payments safer – Times of India

MUMBAI: Have you ever downloaded an app that asks you to share your phone screen to get help with mobile transactions, only to lose money instead? Such cases of fraud using remote access have been increasing in recent times. Now the Reserve Bank of India is making it harder for online fraudsters to defraud unsuspecting users by prescribing security features for non-bank payment system operators.
A major proposal is a mechanism to disable mobile payments when a remote user has been granted access to the device. RBI has also sought to ensure that transaction alerts mention the name of the merchant instead of the payment gateway. It has also proposed a cooling period of at least 12 hours for payments made after a change in the registered mobile number or email ID. The directions follow the licensing of payment system operators by the central bank, and with the issuance of the Master Direction they become fully regulated bodies. These measures are part of the draft directions on 'Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs)'. PSO is a broad term, which includes retail payment organizations such as NPCI, card payment networks such as Visa, MasterCard and RuPay, non-bank ATM networks and financial market infrastructure providers such as large prepaid instrument issuers.

Apart from institutionalizing best practices that some large PSOs are already following, the regulator has sought to address some of the root causes of frauds. For example, there are frauds that trick the victim into installing a remote access app such as AnyDesk, which the fraudster uses to gain control of the device. The guidelines classify PSOs according to the location they operate in and the scale of their operations. For large PSOs, the directions will come into effect from April 2024, for medium-sized PSOs from April 2026 and for small PSOs from April 2028.
Infrastructure providers and their downstream entities, which also include Trade Receivables Discounting System (TReDS) operators, Bharat Bill Payment Operating Units (BBPOUs) and Payment Aggregators (PAs), are classified as large non-bank PSOs.
Cross-border (in-bound) money transfer operators under the Money Transfer Service Scheme (MTSS) and medium-sized prepaid instrument issuers are considered medium non-bank PSOs. Small prepaid instrument issuers and instant money transfer operators are small non-bank PSOs.
The central bank has sought feedback on the draft norms by June 30.