As a CERT-In empaneled and ISO 27001:2022 certified organization, DigiFortex is globally recognized for providing Information Security consulting. Our team started McAfee in India and holds 17 US patents. DigiFortex provides information security audit services for RBI’s PPI (Prepaid Payment Instrument). Our team ensures full compliance with RBI mandates by assessing and certifying that all end-to-end transaction data is securely stored within India.

What is RBI PPI (Prepaid Payment Instrument) Audit?

Prepaid Payment Instruments (PPIs) are tools that allow users to purchase goods and services, including financial and remittance services, using the stored value on these instruments.

In India, banks and non-bank entities can issue PPIs after receiving the required approval or authorization from the RBI under the Payment and Settlement Systems Act, 2007 (PSS Act).

The RBI has released a Master Direction on the Issuance and Operation of Prepaid Payment Instruments, which mandates that an information systems audit be conducted by Certified Information Systems Auditors (CISA).

The framework for Payment Instrument Providers is detailed in the Reserve Bank of India's Master Direction DPSS.CO.PD.No.1164/02.14.006/2017-18.

Key Points

The RBI's PPI Audit is applicable to both bank and non-bank entities that issue Prepaid Payment Instruments (PPIs) in India. This includes any institution authorized by the RBI under the Payment and Settlement Systems Act, 2007, to offer PPIs for facilitating transactions, purchases, or remittances. These entities are required to undergo an annual audit to ensure compliance with the RBI's "Master Direction on Issuance and Operation of Prepaid Payment Instruments."

Payment Providers are required to strictly follow the RBI's master directions to ensure that customers have access to secure and reliable transaction methods.

Annual audits are mandatory for PPI issuers to obtain and maintain their PPI license.

Our Approach

As part of the RBI’s PPI Audit, DigiFortex will carry out the following services and assessments.

DigiFortex will perform (based on applicability):

✔ Information System Audit
✔ SAR (System Audit Report)
✔ Data Localization Assessment
✔ vKYC VAPT (Vulnerability Assessment & Penetration Testing) & Security Audit
✔ Information System Audit for Change Management

For more detailed information, read below

  1. DigiFortex will perform a system audit, including a cyber security audit, of the client’s PPI system in accordance with the Reserve Bank of India’s (RBI) Master Directions on Prepaid Instruments dated August 27, 2021, bearing reference number CO.DPSS.POLC.No.S-479/02.14.006/2021-22 (as amended from time to time) ("PPI MDs").
  2. DigiFortex shall prepare and share the consolidated System Audit Report (SAR), identifying its findings, and a compliance certificate i.e., “SAR Compliance Certificate”, validating the client’s compliance with the PPI MDs.
  3. For Data Localization, DigiFortex will conduct an assessment of the client’s PPI systems, including the systems of any third-party service providers/intermediaries/vendors, to validate the client’s compliance with the RBI Directive on ‘Storage of Payment System Data’ (reference no. DPSS.CO.OD No.2785/06.08.005/2017-2018) and the FAQ ‘Storage of Payment System Data’ issued by the RBI.
  4. DigiFortex shall prepare and share the consolidated Data Localization Report identifying its findings from the aforesaid assessment and review, and a compliance certificate validating the client’s compliance with the Data Localization Guidelines of RBI.
  5. DigiFortex will perform assessment of the video KYC (v-KYC) system architecture of the client to test its robustness and end-to-end encryption capabilities.
  6. DigiFortex will conduct assessment to validate the client’s technology and security compliance posture as per the Master Direction on Know Your Customer (KYC) Direction bearing ref no. DBR.AML.BC.No.81/14.01.001/2015-16, issued by the RBI ("KYC MDs").
  7. DigiFortex will conduct 'Vulnerability Assessment and Penetration Testing' of the v-KYC infrastructure of the client.
  8. DigiFortex will undertake a security assessment of the systems of third-party vendors/service providers engaged by the client from time to time, to ensure that the systems and infrastructure of such third-party vendors/service providers are in compliance with the requirements specified by the client in the agreed terms with such third party.
  9. DigiFortex will conduct information system audit entailing a detailed examination of the change management process at the client site validating that any IT environment changes are business justified, documented and subject to a robust change management protocol as envisaged under the advisory ‘Strengthening Change Management and Access Control Mechanism of vendor managing Regulated Entities (REs) information systems’ issued by the Dept of Supervision Central Office Cyber Security & IT Risk (CSITE) Group ("Advisory").
  10. On the basis of the audit, DigiFortex will prepare and share a consolidated IS Audit report and a compliance certificate validating the client’s compliance with the Advisory.

Why DigiFortex?

Our team is composed of globally certified experts, including ISO 27001 Lead Auditors for Information Security, Certified Information Privacy Professionals for Europe (CIPP/E) from the International Association of Privacy Professionals (IAPP), DSCI Certified Privacy Lead Assessors (DCPLA), CCSA, CISM, CISA, ISO 27001 LA, CEH, CRTP and more. Backed by diverse industry experience, our professionals provide comprehensive security and privacy solutions tailored to meet the highest standards.

A small glimpse of DigiFortex’s globally recognized work

  1. Completed the Prepaid Payment Instrument (PPI) audit for Amazon Pay, which included:
    1. IS Audit (Information System Audit)
    2. V-KYC (Video-based Know Your Customer)
    3. VAPT (Vulnerability Assessment and Penetration Testing)
    4. SAR (System Audit Report)
    5. RBI Data Localization compliance
  2. Conducted security assessments for the #1 U.S. financial institution, covering 17 of their websites across 17 countries.
  3. Performed a comprehensive Cloud Security Assessment for HDFC Bank.
  4. Provided IT audit services for the integration of HDFC’s system with the Government of India’s Solar Energy Corporation of India (SECI).
  5. Selected by Indian Bank to conduct a full security assessment of their data centers in Chennai and Mumbai.
