The Reserve Bank of India (RBI) has issued the Cyber Security Controls Guidelines for Third-party ATM Switch Application Service Providers.
The RBI observed that a number of RBI Regulated Entities (RREs) manage their ATM Switch ecosystem through shared services of third-party ATM Switch Application Service Providers (ASPs). Since these service providers also have exposure to the payment system landscape, the RBI considers it necessary for them to put certain cybersecurity controls in place.
In view of this, the RREs shall ensure that the contract agreement signed between them and the third-party ATM Switch ASP mandates that the ASP comply with the cyber security controls given in the Annex on an ongoing basis and provide access to the RBI for on-site/off-site supervision. To this effect, the contract agreements shall be amended at the earliest or at the time of renewal, and in any case not later than March 31, 2020.
The list of prescribed controls is indicative but not exhaustive. These controls apply to the ASPs, limited to the IT ecosystem (such as physical infrastructure, hardware, software, reconciliation system, network interfaces, security solutions, hardware security module, middleware, associated people, processes, systems, data, information, etc.) providing ATM switch services as well as any other type of payment system-related services to the RREs.
The RBI also said that regulatory instructions issued from time to time in the form of circulars/advisories/alerts, as applicable to the ATM switch ecosystem, shall be shared with the ASPs for necessary compliance.