Technical Audit of Pre-paid Payment Instrument (PPI) issuers

After the revolution of digitization of payments in India, the use of alternate modes of payment, specifically e-wallets has gained momentum.

Closed System PPIs

Semi-closed System PPIs

Open System PPIs

Technical Audit of Pre-paid Payment Instrument (PPI) issuers

After the revolution of digitization of payments in India, the use of alternate modes of payment, specifically e-wallets has gained momentum. Keeping in mind the interest of common people and the risks they would subject themselves to while availing the facilities of virtual transaction methods, the Reserve Bank of India has laid down a framework for the Payment Instrument Providers so that the customers can rely on the proper and risk-free transaction methods.

It is mandated from RBI that “All authorised entities/banks issuing PPIs (Prepaid Payment Instruments) in the country are advised to carry out a special audit by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In) on a priority basis and take immediate steps thereafter to comply with the findings of the audit report. The scope of the System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place.”

 

 Need for PPI audit:

RBI vide notification dated December 9th, 2016 mandated all Prepaid Payment Instruments issuers or organisations applying for PPI license to undergo a special audit.

PPI Technical Security Audit helps the PPI issuers by providing them with the necessary recommendations needed to strengthen their security posture. On December 9th, 2016, RBI made this audit compulsory and it was done to prevent cyber-attacks and encourage people to take up digital transactions. If your organization uses Prepaid Payment Instrument, you need to undertake this audit and protect your company’s valuable assets.

PPIs are payment instruments that facilitate the purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.

 

Closed System PPIs: These PPIs are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments are not classified as payment systems requiring approval/authorisation by the RBI.

Semi-closed System PPIs: These PPIs are used for the purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.

Open System PPIs: These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).