Draft Cybersecurity Norms for PSOs

  • 07 Jun 2023

On 2nd June, 2023, the Reserve Bank of India (RBI) released draft cybersecurity directions for payment system operators (PSOs) and digital payments under the title- Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators.

  • These directions are being issued under the Payment and Settlement Systems Act, 2007.


  • To improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.

About the Directions


  • The Directions apply to all RBI-authorized non-bank payment system operators (PSOs).

Timelines for Implementation

Large non-bank PSOs: April 1, 2024

  • Payment Aggregators (PAs), card payment networks, large pepaid payment instrument (PPI) issuers, non-bank ATM networks, White Label ATM Operators, Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, TReDS, and Bharat Bill Payment Operating Units fall under this category.

Medium non-bank PSOs: April 1, 2026

  • Cross-border (in-bound) money transfer operators under Money Transfer Service Scheme (MTSS) and Medium PPI Issuers fall under this category.

Small non-bank PSOs: April 1, 2028

  • Small PPI Issuers and Instant Money Transfer Operators fall under this category.

Board of Directors (Board) of the PSO

  • The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience.

Cyber Crisis Management Plan (CCMP)

  • PSOs will be required to develop an approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond to, and recover from cyber threats and attacks.