In the wake of the digitization trend in India’s payment systems, there has been a significant uptick in the adoption of alternative payment methods, particularly electronic wallets (e-wallets).
To ensure the security of virtual transactions and protect the interests of the general public, the Reserve Bank of India (RBI) has implemented a comprehensive framework for Payment Instrument Providers (PIPs). This framework mandates that all authorized entities and banks issuing Prepaid Payment Instruments (PPIs) undergo a specialized audit conducted by auditors empaneled by the Indian Computer Emergency Response Team (CERT-In). The audit covers the evaluation of hardware structure, operating systems, critical applications, and the security and controls in place.
Need for PPI audit:
The need for a PPI audit was highlighted by the RBI through a notification on December 9th, 2016. This mandate applies to all PPI issuers and organizations seeking PPI licenses. The PPI Technical Security Audit serves as a crucial tool, providing recommendations to enhance security postures and prevent cyber-attacks, thereby promoting the secure adoption of digital transactions.
Prepaid Payment Instruments (PPIs) issued in the country are categorized into three types:
(i) Closed System PPIs (ii) Semi-closed System PPIs (iii) Open System PPIs.
Closed System PPIs
Closed System PPIs are issued by specific entities solely for facilitating the purchase of goods and services exclusively from that entity. They do not allow cash withdrawal and fall outside the classification of payment systems requiring RBI approval for transactions involving third-party services.
Semi-closed System PPIs
Semi-closed System PPIs are designed for the purchase of goods and services, including financial services and remittance facilities, at identified merchant locations. These instruments do not allow cash withdrawal, regardless of whether they are issued by banks or non-banking entities.
Open System PPIs
Open System PPIs, exclusive to banks, are intended for use at any merchant for acquiring goods and services. Banks issuing these PPIs are obligated to facilitate cash withdrawal at ATMs, Points of Sale (PoS), and through Business Correspondents (BCs).
Anti-Virus & Patch Management
Monitoring patches on servers, operating systems (OS), and software, along with centralized management of anti-virus software.
Secure Mail & Messaging Systems
Emphasizing the security of email and messaging systems, including specific controls for email servers and communication systems with vendors and partners.
Removable Data
Prohibiting the use of removable devices without explicit authorization, and scanning authorized devices for malware with mandatory data erasure post-use.
Why Work with us?

CERT-In Empaneled Security Auditor
CERT-In empanels CEREIV for digital security verification services, ensuring organizational readiness and system robustness.

Flexible Delivery
The CEREIV team acknowledges the need for flexibility in test scheduling to achieve optimal results for customers.



