RBI, vide notification RBI/DPSS/2017-18/58 Master Direction DPSS.CO.PD.No.1164/02.14.006/2017-18 dated October 11, 2017 (updated as on December 29, 2017 and as on February 25, 2019), has issued the Master Direction on Issuance and Operation of Prepaid Payment Instruments, to provide a framework for the authorisation, regulation and supervision of entities operating payment systems for the issuance of PPIs in the country.
PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.
As per the above RBI notification, authorised non-bank entities shall submit the System Audit Report, including a cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.
QSEAP METHODOLOGY
The scope of the Audit broadly shall include the following as per RBI:
Security controls shall be tested for both the effectiveness of the control design and the operating effectiveness of the controls.
Technology deployed, so as to ensure that the authorised payment system is being operated in a safe, secure, sound and efficient manner.
Evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc.
Evaluating adequacy of Information Security Governance and processes of those which support payment systems.
Compliance as per security best practices, specifically the application security lifecycle and patch / vulnerability and change management aspects for the authorised system and adherence to the process flow approved by RBI.
Comment on the deviations, if any, in the processes followed from the process flow submitted to RBI while seeking authorisation.
The audit should cover compliance as per security best practices, specifically the application security lifecycle and patch/vulnerability and change management aspects for the system authorised and adherence to the process flow approved by the Reserve Bank.
We perform PPI audits for our clients with an established hybrid methodology that combines Functional Review, Policy & Process Review, Infrastructure Review, Physical Security Review, Configuration Review, Application Security Review, Interface Review, etc., as per regulatory guidelines, IT Acts, and the best practices and standards prevailing in the industry.
During PPI reviews, we look for the following:
Application Architecture as per approved flow
Functional aspects for efficiency and effectiveness as per business logic
Authentication, authorization and access control
Logs & Audit Trails
Cyber / Network Security
Process controls such as Patch Management, Change Management, Incident Management
Operational controls such as review, monitoring and capacity management
Qseap works closely with the application owners throughout the process to ensure thorough communication and a shared understanding of the application's scope, functionality and intended design. The outcome of a code review is a detailed report describing each code-security issue, broken down by the vulnerability itself, an analysis of the severity of the finding, and recommended mitigations with code samples to resolve the issue, aligned with industry best practices. This allows the development team to better understand the problem areas of their code and to prevent similar mistakes in the future.
Qseap's information system assessments / reviews deliver the following significant benefits to customers' projects:
Eliminates security defects in the application before release or after launch
Protection from vulnerabilities and attacks
Fewer updates and patches
Advantage over competitors through a reputation for safer software
“And still may have some questions. I commend Nick for his customer service and supportive, polite manner.”
The Qseap way of life is simple to understand: we treat everything as a wonder in which opportunities, possibilities, adventures, fortunes and ideas pave the way to success and to winning, channelling life towards better tomorrows full of promise. That is the way we look at life.