15. Security, Fraud prevention and Risk Management Framework

15.1 A strong risk management system is necessary for the PPI issuers to meet the challenges of fraud and ensure customer protection. PPI issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.
 

15.2 All PPI issuers shall put in place a Board-approved Information Security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with this policy to mitigate identified risks. PPI issuers shall review the security measures:

(a) on an ongoing basis, but at least once a year,

(b) after any security incident or breach, and

(c) before / after a major change to their infrastructure or procedures.

 

15.3 PPI issuers shall ensure that the following framework is put in place to address the safety and security concerns, and for risk mitigation and fraud prevention:

a) In case of wallets, PPI issuers shall ensure that if the same login is provided for the PPI and other services offered by the PPI issuer, then this shall be clearly communicated to the customer by SMS or email or post or by any other means. The option to log out from the website / mobile account shall be provided prominently.

b) Issuers shall put in place appropriate mechanisms to restrict multiple invalid login / access attempts to the PPI, together with inactivity timeout features, etc.

c) Issuers shall introduce a system where every successive payment transaction in the wallet is authenticated by explicit customer consent.

d) Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards, except in case of PPIs issued under PPI-MTS.

e) Issuers shall provide customer induced options for fixing a cap on number of transactions and transaction value for different types of transactions / beneficiaries. Customers shall be allowed to change the caps, with additional authentication and validation.

f) Issuers shall put in place a limit on the number of beneficiaries that may be added in a day per PPI.

g) Issuers shall introduce a system of alert when a beneficiary is added.

h) PPI issuers shall put in place suitable cooling period for funds transfer upon opening the PPI or loading / reloading of funds into the PPI or after adding a beneficiary so as to mitigate the fraudulent use of PPIs.

i) Issuers shall put in place a mechanism to send alerts when transactions are done using the PPIs. In addition to the debit or credit amount intimation, the alert shall also indicate the balance available / remaining in the PPI after completion of the said transaction.

j) Issuers shall put in place a mechanism for velocity checks on the number of transactions effected in a PPI per day / per beneficiary.

k) Issuers shall also put in place a suitable mechanism to prevent, detect and restrict the occurrence of fraudulent transactions, including the loading / reloading of funds into the PPI.

l) Issuers shall put in place suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions.
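The controls in items (b), (e), (f), (h), (i) and (j) above (login lockout, customer-set caps, a daily beneficiary-add limit, cooling periods after loading or adding a beneficiary, balance-bearing alerts and per-day / per-beneficiary velocity checks) can all be evaluated against one per-wallet state record. The following Python is an added illustration, not part of this Direction or of any issuer's system; its thresholds (five invalid logins in 15 minutes, a 24-hour cooling period, 20 transactions per PPI per day, five per beneficiary per day, three beneficiary additions per day), the Wallet structure, the reason codes and the sample event sequence in demo() are assumptions chosen for the example. Amounts are held in paise as integers to avoid rounding errors.

```python
"""
Illustrative fraud-control checks for a prepaid wallet, mirroring the controls
in para 15.3 (b), (e), (f), (h), (i) and (j).  Added example; not part of the
Direction.  Thresholds, names and the constructed event stream are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values; an issuer would take these from its Board-approved policy.
MAX_INVALID_LOGINS = 5                   # lock after this many failures in the window
LOGIN_WINDOW = timedelta(minutes=15)
MAX_TXNS_PER_DAY = 20                    # velocity: transactions per PPI per day
MAX_TXNS_PER_BENEFICIARY_PER_DAY = 5
MAX_BENEFICIARIES_ADDED_PER_DAY = 3
COOLING_PERIOD = timedelta(hours=24)     # after load / reload or beneficiary add


@dataclass
class Wallet:
    balance: int                                   # paise, to avoid float rounding
    last_load_at: datetime                         # time of opening / last load / reload
    beneficiary_added_at: dict = field(default_factory=dict)   # name -> time added
    txn_times: list = field(default_factory=list)              # (time, beneficiary)
    beneficiary_add_times: list = field(default_factory=list)
    failed_logins: list = field(default_factory=list)
    caps: dict = field(default_factory=dict)       # customer-set cap per txn type, paise


def record_failed_login(w: Wallet, now: datetime) -> bool:
    """Returns True when the account must be locked (15.3 b): too many failures in the window."""
    w.failed_logins = [t for t in w.failed_logins if now - t < LOGIN_WINDOW] + [now]
    return len(w.failed_logins) >= MAX_INVALID_LOGINS


def add_beneficiary(w: Wallet, name: str, now: datetime) -> list:
    """Applies the per-day beneficiary-add limit (15.3 f); starts a cooling period (15.3 h)."""
    today = [t for t in w.beneficiary_add_times if t.date() == now.date()]
    if len(today) >= MAX_BENEFICIARIES_ADDED_PER_DAY:
        return ["BENEFICIARY_ADD_LIMIT"]
    w.beneficiary_add_times.append(now)
    w.beneficiary_added_at[name] = now
    return []   # the caller raises the 15.3 (g) beneficiary-added alert


def evaluate_transfer(w: Wallet, amount: int, beneficiary: str, txn_type: str, now: datetime) -> list:
    """Returns reason codes for declining; an empty list means the transfer may proceed."""
    reasons = []
    if amount > w.balance:
        reasons.append("INSUFFICIENT_BALANCE")
    cap = w.caps.get(txn_type)
    if cap is not None and amount > cap:
        reasons.append("CUSTOMER_CAP_EXCEEDED")                 # 15.3 (e)
    if now - w.last_load_at < COOLING_PERIOD:
        reasons.append("COOLING_PERIOD_AFTER_LOAD")             # 15.3 (h)
    added = w.beneficiary_added_at.get(beneficiary)
    if added is None:
        reasons.append("UNKNOWN_BENEFICIARY")
    elif now - added < COOLING_PERIOD:
        reasons.append("COOLING_PERIOD_AFTER_BENEFICIARY_ADD")  # 15.3 (h)
    today = [(t, b) for t, b in w.txn_times if t.date() == now.date()]
    if len(today) >= MAX_TXNS_PER_DAY:
        reasons.append("DAILY_VELOCITY")                        # 15.3 (j)
    if sum(1 for _, b in today if b == beneficiary) >= MAX_TXNS_PER_BENEFICIARY_PER_DAY:
        reasons.append("BENEFICIARY_VELOCITY")                  # 15.3 (j)
    return reasons


def apply_transfer(w: Wallet, amount: int, beneficiary: str, txn_type: str, now: datetime) -> str:
    """Debits the wallet if every check passes and returns the customer alert text (15.3 i)."""
    reasons = evaluate_transfer(w, amount, beneficiary, txn_type, now)
    if reasons:
        return "DECLINED: " + ", ".join(reasons)
    w.balance -= amount
    w.txn_times.append((now, beneficiary))
    return f"Debited INR {amount / 100:.2f} to {beneficiary}; available balance INR {w.balance / 100:.2f}"


def demo() -> list:
    """Constructed event stream (assumed data) showing each control firing in turn."""
    t0 = datetime(2024, 1, 1, 9, 0)
    w = Wallet(balance=500000, last_load_at=t0, caps={"P2P": 200000})   # INR 5000, cap INR 2000
    out = [add_beneficiary(w, "alice", t0)]
    out.append(evaluate_transfer(w, 100000, "alice", "P2P", t0 + timedelta(hours=1)))   # both cooling periods
    later = t0 + timedelta(days=2)
    out.append(evaluate_transfer(w, 300000, "alice", "P2P", later))                    # above customer cap
    out.append(apply_transfer(w, 100000, "alice", "P2P", later))                       # allowed, alert with balance
    for i in range(4):
        apply_transfer(w, 1000, "alice", "P2P", later + timedelta(minutes=i + 1))
    out.append(evaluate_transfer(w, 1000, "alice", "P2P", later + timedelta(minutes=10)))  # per-beneficiary velocity
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The decline path returns every reason that fired rather than the first one, so the internal escalation in item (l) can distinguish a customer who merely set a low cap from one whose wallet shows a fresh load, a fresh beneficiary and a burst of transfers at once.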
 

15.4 The requirements prescribed here are minimum and the entities may deploy additional checks and balances, as considered appropriate.
 

15.5 PPI issuers shall put in place centralised database / management information system (MIS) to prevent multiple purchase of PPIs at different locations, leading to circumvention of limits, if any, prescribed for their issuance.
 

15.6 Where a direct interface is provided to their authorised / designated agents, PPI issuers shall ensure that these systems also strictly adhere to the regulatory requirements.
 

15.7 PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.