Getting a payment gateway license is a difficult task, but maintaining it defies the normal definition of difficulty. Perhaps that is why the Reserve Bank of India has come up with security recommendations for those running payment gateways in India.
A payment gateway license in India is coveted by those who are financially stable enough and technically oriented enough to provide a complex form of electronic transaction service. However, once the license is obtained, you need to maintain the status quo, i.e., do whatever it takes to retain the license. If your payment gateway is no longer secure and someone complains about it, you will lose your license. If it falters in even a single transaction and some weakness is revealed, you will lose your license.
Thus, in this article, we are going to take you through the security recommendations that you should adhere to in order to retain your RBI payment gateway license in India.
Information Security Governance
The holders of a payment gateway certificate must carry out a detailed security risk assessment. They can do so either via internal auditing or via a CERT-empanelled auditor. The report of that assessment must then be presented to the board.
Data Security Standards
It is important for these entities to implement the best data security practices mentioned in the following:
- PCI DSS
- PA DSS
- Latest encryption standards
- Transport Channel Security
Security Incident Reporting
In case there are incidents of data breach or other crimes of the same nature, it is the job of the payment gateway license holder to inform the Reserve Bank of India of the same.
The entity should review its information security policy on an annual basis. The things to consider during this review are as follows:
- Alignment with business objectives
- Responsibility for the policy
Before onboarding a merchant, you, as the entity holding the payment gateway certification, must carry out a complete security assessment of that merchant.
It is your duty to frame an IT policy that specifies the functions of the IT department and provides detailed documentation of the same. It is your responsibility to ensure that all the terms and conditions mentioned in that policy are implemented properly.
The following will be considered the major roles of the board of the payment gateway company:
- Approving Information Security policies
- Establishing necessary security processes
- Establishing the functions of information security
- Providing the company with necessary resources
IT steering committee
An IT steering committee shall be created consisting of members from all business departments. It will be the task of this committee to communicate and implement IT strategies, keeping in mind the business goals of the company.
Access to Application
There should be a standard and a procedure for implementing the application system. Access to that system should be approved by the application owner, who will frame and implement application security policies on a regular basis.
All payment gateways must have pre-installed monitors to check middleware, authentication events, the database, cryptographic events, web services and more. These events should be assessed so that the system is ready to face any issue that arises in the future.
If you are willing to pay the enormous payment gateway license cost, you should also be willing to take all these security recommendations into account. If you want to know more about them, reach out to Registrationwala.