RBI Tightens Security Norms For Payments Companies, With 200 Mn Users Compromised In 2021


SUMMARY

All payment system operators will now have to submit detailed compliance certificates to RBI twice a year

This comes after the financial data of about 200 Mn Indian users was exposed from the systems of Juspay and Mobikwik

RBI has also prohibited merchants such as Netflix and Zomato from storing customers' card credentials and related data

Amid rising cybersecurity threats and breaches in India, the Reserve Bank of India (RBI) has tightened its supervision of payments companies that store customer data. All payment system operators (PSOs) will now have to submit detailed “compliance certificates” to the central bank twice a year, starting April 1, 2021.

The certificates have to be signed by the companies' chief executive officers (CEOs) or managing directors (MDs), confirming adherence to all RBI regulations on the security and storage of payment data.

RBI’s department of payment and settlement systems (DPSS), on Friday (March 26), issued a letter to all PSOs operating in India, asking them to submit the certificates by April 30 and October 31 for the half-years ending March 31 and September 30, respectively.

Along with this, Indian PSOs will continue to submit a board-approved system audit report (SAR) prepared by CERT-In-empanelled auditors. The central bank introduced this requirement in April 2018, and it remains in force alongside the new compliance certificates.

India’s Financial Data At Risk With Over 200 Mn Users Compromised In 2021

The new requirement comes at a time when several Indian payments and tech startups across sectors have suffered data leaks and cyber attacks, among them grocery delivery giant BigBasket (acquired by Tata), edtech startup Unacademy and crowdfunding platform Impact Guru.

In what is seemingly India’s biggest data leak in recent times, sensitive data of about 100 Mn (10 Cr) cardholders was leaked. The data was linked to Bengaluru-headquartered mobile payment solutions company Juspay. Screenshots of the leaked database, accessed by Inc42, show that it contains each user’s card brand (Visa/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID, among several other details.

Juspay has conceded that over 16 fields of payment card data were leaked for at least 20 Mn (2 Cr) users, a subset of the roughly 10 Cr user records that appear in the leaked database.

Another Indian payments company, Mobikwik, has had a database of 110 Mn (11 Cr) users available on the dark web since January 2021. The 8.2 TB database included not only the personal and financial details of individual customers but also details of merchants that had taken loans from the company. Mobikwik has nonetheless continued to deny any breach, with CEO Bipin Preet Singh also laying the blame on users.

RBI Bars Merchants From Storing Customer Card Data

Taking note of such breaches, the RBI has also prohibited merchants such as Amazon, Microsoft, Netflix, Flipkart and Zomato from storing customers’ card credentials “and related data” on their servers under the new payment aggregator and payment gateway (PA-PG) norms that come into effect this year. The guidelines also bar payment aggregators from storing customer card credentials in their own databases or on servers accessed by merchants.

RBI has chosen not to let merchants store such financial data because the PA-PG norms apply to payment aggregators and gateways, not to merchants, so merchants would not be answerable to the regulator in the event of a breach. Under the new guidelines, all payment aggregators are treated as regulated entities under the Payment and Settlement Systems Act (2007), bringing them under the central bank’s direct supervision.
