Digital Payments Security Control

Endpoint Central helps comply with Digital Payments Security Control

To ensure that Scheduled Commercial Banks, Small Finance Banks, Payments Banks, and NBFCs that issue credit cards establish clear policies for digital payment products and services, the RBI introduced the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021. These guidelines have been in effect since 2021.

In the following sections, we’ll explore how Endpoint Central, ManageEngine's unified endpoint management and security solution, can help you build a structured framework for secure digital payments control, as required by the RBI directive.

Note:

  1. Regulated Entities (RE) means Scheduled Commercial Banks (except Regional Rural Banks), Small Finance Banks, Payments Banks, and NBFCs that issue credit cards.
  2. The features and functionalities discussed here apply only to your enterprise’s endpoints—such as computers, servers, mobile devices, tablets, kiosks, and other systems. We do not extend these capabilities to your customers' devices.

 

S.No

Digital Payments Security Control

How Endpoint Central helps

4

REs shall formulate a policy for digital payment products and services with the approval of their Board. The contours of the policy, while discussing the parameters of any “new product” including its alignment with the overall business strategy and inherent risk of the product, risk management/ mitigation measures, compliance with regulatory instructions, customer experience, etc., should explicitly discuss payment security requirements from Functionality, Security and Performance (FSP) angles such as:

  • Necessary controls to protect the confidentiality of customer data and integrity of data and processes associated with the digital product/ services offered;

  • Availability of requisite infrastructure e.g. human resources, technology, etc. with necessary back up;

  • Assurance that the payment product is built in a secure manner offering robust performance ensuring safety, consistency and rolled out after necessary testing for achieving desired FSP;

  • Capacity building and expansion with scalability (to meet the growth for efficient transaction processing);

  • Minimal customer service disruption with high availability of systems/ channels (to have minimal technical declines);

  • Efficient and effective dispute resolution mechanism and handling of customer grievance; and

  • Adequate and appropriate review mechanism followed by swift corrective action, in case any one of the above requirements is hampered or having high potential to get hampered.

The Board and Senior Management shall be responsible for implementation of this policy. The policy shall be reviewed periodically, at least on a yearly basis. REs may formulate this policy separately for its different digital products or include the same as part of their overall product policy. Further, the policy document should require that every digital payment product/ services offered addresses the mechanics, clear definition of starting point, critical intermittent stages/ points and end point in the digital payment cycle, security aspects, validations till the digital payment is settled, clear pictorial representation of digital path and exception handling. In addition, signing off of the above requirements, mechanism for carrying out User Acceptance Tests (UAT) in multiple stages before roll out, sign off from multiple stakeholders (post UAT) and data archival requirements shall also be taken in to account. The need for an external assessment of the entire process including the logic, build and security aspects of the application(s) supporting the digital product should be clearly articulated.

Endpoint Central offers advanced data leakage prevention capabilities, enabling the detection and classification of personally identifiable information (PII). It provides complete control over data flow within your IT environment by allowing administrators to configure policies for data transfers through cloud services and peripheral devices.

8

REs shall conduct risk assessments with regard to the safety and security of digital payment products and associated processes and services as well as suitability and appropriateness of the same vis-a-vis the target users, both prior to establishing the service(s) and regularly thereafter. The risk assessment should take into account –

  • The technology stack and solutions used;

  • Known vulnerabilities at each of the touchpoints of the digital product and the remedial action taken by the entity;

  • Dependence on third party service providers and oversight over such providers;

  • Risk arising out of integration of digital payment platform with other systems both internal and external to the RE, including core systems and systems of payment systems operators, etc.;

  • The customer experience, convenience and technology adoption required to use such products;

  • Reconciliation process;

  • Interoperability aspects;

  • Data storage, security and privacy protection as per extant laws/ instructions;

  • Operational risk including fraud risk;

  • Business continuity and service availability;

  • Compliance with extant cyber security requirements; and

  • Compatibility aspects.

Such assessment shall cover the surrounding ecosystem as well. The assessment of risks shall address the need to protect and secure payment data and evaluate the resilience of systems. The internal Risk and Control Self-Assessment (RCSA) exercise shall cover the risks (inherent) & controls vis-à-vis the probability and impact of threats to arrive at residual risk. In such an exercise, it is imperative for REs to maintain a database of all systems and applications storing customer data in the payment ecosystem and compliance with applicable PCI standards in each of the systems (notwithstanding mandatory requirements of certification/ standard accreditation).

Endpoint Central has a vulnerability age matrix and vulnerability severity summary, which can provide rich insights about the impact of patch implementation. Besides, Endpoint Central also provides comprehensive reports on vulnerable systems and missing patches in your IT

For both critical and non-critical information systems, Endpoint Central provides risk-based vulnerability management, so admins can prioritize vulnerabilities based on metrics such as CVSS score, patch availability, and more.

Endpoint Central has comprehensive reporting capabilities. Apart from providing deep insights into the endpoint estate, its reports can also be used for governance and auditing purposes.

For auditing critical computers that host sensitive applications, User Logon reports help admins track which users accessed which endpoints.

The DPO Dashboard provides insights into BitLocker status, vulnerable system status, firewall status, and more.

Endpoint Central helps admins encrypt end users' Windows devices through its BitLocker Management and Mac devices through FileVault encryption.

Endpoint Central also helps you comply with banking-related mandates such as PCI DSS, the RBI Cybersecurity Framework, and RBI IT GRC.

10

REs shall develop sound internal control systems and take into account the operational risk before offering digital payment products and related services. This would include ensuring that adequate safeguards are in place to protect integrity of data, customer confidentiality and security of data.

Endpoint Central offers advanced data leakage prevention capabilities, enabling the detection and classification of personally identifiable information (PII). It provides complete control over data flow within your IT environment by allowing administrators to configure policies for data transfers through cloud services and peripheral devices.

11

REs shall ensure that the digital payment architecture is robust and scalable, commensurate with the transaction volumes and customer growth. The IT strategy of the RE shall ensure that a robust capacity management plan is in place to meet evolving demand. REs shall also put in place review mechanism of IT/ IT Security architecture and technology platform overhaul on a periodic basis based on Board-approved policy.

 

Endpoint Central's Summary Server architecture is designed to meet the scalability needs of payment systems; a single deployment can manage up to 2,00,000 endpoints.

13

The communication protocol in the digital payment channels (especially over Internet) shall adhere to a secure standard. An appropriate level of encryption and security shall be implemented in the digital payment ecosystem.

Endpoint Central uses FIPS 140-2 compliant algorithms. Admins can enable FIPS mode to run the product in a hardened configuration, and remote troubleshooting sessions are protected with 256-bit Advanced Encryption Standard (AES) encryption.

Endpoint Central helps admins encrypt end users' Windows devices through its BitLocker Management and Mac devices through FileVault encryption.
 

16

The key length (for symmetric/ asymmetric encryption, hashing), algorithms (for encryption, signing, exchange of keys, creation of message digest, random number generators), cipher suites, digital certificates and applicable protocols used in transmission channels, processing of data, authentication purpose, shall be strong, adopting internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable and the configurations involved in implementing such controls are in general, compliant with extant instructions and the law of the land.
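As an added illustration of control 16 (this is example code, not part of the RBI directive or of Endpoint Central), the Python snippet below builds a TLS client context that enforces a non-deprecated protocol floor and forward-secret AEAD cipher suites, places it beside a configuration the control would reject, and audits either one. The weak-suite name markers and the 128-bit strength floor are assumptions chosen for the example.

```python
import ssl
import warnings

# Assumed audit thresholds for the example: suite name fragments that mark
# deprecated or unauthenticated ciphers, and a floor on symmetric key strength.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128

def payment_channel_context():
    """Client context for a payment channel: TLS 1.2+, AEAD suites with forward
    secrecy, server certificate verification on (create_default_context enables it)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

def permissive_context():
    """A configuration the control would reject: it still admits TLS 1.0/1.1,
    which RFC 8996 deprecates. Built only so the audit has something to flag."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # Python warns on TLSv1
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def audit_context(ctx):
    """Return the list of problems found in a context; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol version {ctx.minimum_version.name} is deprecated")
    for suite in ctx.get_ciphers():  # only the suites actually enabled in this context
        name = suite["name"]
        if suite["strength_bits"] < MIN_STRENGTH_BITS or any(m in name for m in WEAK_MARKERS):
            problems.append(f"weak cipher suite enabled: {name}")
    return problems

if __name__ == "__main__":
    print("hardened:", audit_context(payment_channel_context()) or "OK")
    print("permissive:", audit_context(permissive_context()))
```

The audit inspects only what the context itself would negotiate, so it is a configuration check, not a substitute for testing the live endpoint.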

 

25

REs may also run automated VA scanning tools to automatically scan all systems on the network that are critical, public facing or store customer sensitive data on a continuous/ more frequent basis.

Endpoint Central provides comprehensive vulnerability management in terms of constant assessment and visibility of threats from a single console. Apart from vulnerability assessment, it also provides built-in remediation of the vulnerabilities detected.

For both critical and non-critical information systems, Endpoint Central provides risk-based vulnerability management, so admins can prioritize vulnerabilities based on metrics such as CVSS score, CVE impact type, patch availability, and more.

Endpoint Central provides a unified console for ITOps and SecOps to manage and secure endpoints. Its role-based access control lets security functions be assigned to independent security specialists, separate from routine IT administration.

Endpoint Central provides comprehensive patch support for Windows, Windows Server, Linux, and macOS. It can also patch 1,000+ third-party applications, hardware drivers, and BIOS.

Endpoint Central also integrates with other vulnerability assessment solutions such as Tenable.

26

REs shall compare the results from earlier vulnerability scans to verify/ ascertain that vulnerabilities are addressed either by patching, implementing a compensating control, or documenting and accepting the residual risk with necessary approval and that there is no recurrence of the known vulnerabilities. The identified vulnerabilities should be fixed in a time-bound manner.
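Control 26 asks for successive scan results to be compared. The following is an added Python example (not Endpoint Central code; the scan records are constructed and the CVE ids are placeholders) that classifies each finding as fixed, persisting, recurred or new, sets aside residual risk that has been documented and approved, and flags findings that have outlived an assumed per-severity remediation deadline.

```python
from datetime import date

# Remediation deadlines in days per severity. Assumed policy values for the
# example; the directive only requires that fixes be time-bound.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def finding(host, cve, severity, first_seen):
    return {"host": host, "cve": cve, "severity": severity, "first_seen": first_seen}

# Constructed sample scan exports; the CVE ids are placeholders, not real CVEs.
PREVIOUS_SCAN = [  # scan of 2025-02-01
    finding("pay-gw-01", "CVE-0000-0001", "critical", date(2025, 1, 20)),
    finding("pay-gw-01", "CVE-0000-0002", "high", date(2025, 1, 25)),
    finding("atm-042", "CVE-0000-0003", "medium", date(2025, 1, 10)),
]
CURRENT_SCAN_DATE = date(2025, 3, 1)
CURRENT_SCAN = [
    finding("pay-gw-01", "CVE-0000-0002", "high", date(2025, 1, 25)),
    finding("atm-042", "CVE-0000-0003", "medium", date(2025, 1, 10)),
    finding("kiosk-07", "CVE-0000-0004", "high", date(2025, 2, 27)),
    finding("kiosk-07", "CVE-0000-0005", "low", date(2025, 2, 28)),
]
# Residual risk accepted with approval, and findings closed in earlier cycles
# (a reappearance of one of those is a recurrence, not a "new" finding).
ACCEPTED_RISK = {("atm-042", "CVE-0000-0003")}
FIXED_HISTORY = {("kiosk-07", "CVE-0000-0004")}

def compare_scans(previous, current, fixed_history, accepted, today):
    """Classify every (host, cve) pair and flag findings older than their SLA."""
    prev = {(f["host"], f["cve"]): f for f in previous}
    curr = {(f["host"], f["cve"]): f for f in current}
    result = {"fixed": sorted(prev.keys() - curr.keys()), "persisting": [],
              "recurred": [], "new": [], "accepted": [], "overdue": []}
    for k, f in curr.items():
        if k in accepted:
            result["accepted"].append(k)  # still tracked, but not an SLA breach
            continue
        if k in prev:
            result["persisting"].append(k)
        elif k in fixed_history:
            result["recurred"].append(k)  # a known vulnerability came back
        else:
            result["new"].append(k)
        age = (today - f["first_seen"]).days
        if age > SLA_DAYS[f["severity"]]:
            result["overdue"].append((k, age))
    return result

def run_sample():
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, FIXED_HISTORY, ACCEPTED_RISK, CURRENT_SCAN_DATE)

if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket:>10}: {items}")
```

Recurred and overdue buckets are the ones an auditor will ask about first: the former shows a fix that did not hold, the latter a breach of the time-bound commitment.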

27

REs shall ensure that all vulnerability scanning is performed in authenticated mode either with agents running locally on the system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.

Endpoint Central's lightweight agent is deployed to your Windows, Mac, and Linux endpoints. The agent performs the vulnerability scan locally on each endpoint and posts the results to the Endpoint Central server, so scans run with local privileges rather than relying on remote credentials.

67

REs shall follow various payment card standards (over and above PCI-DSS and PA-DSS) as per Payment Card Industry (PCI) prescriptions for comprehensive payment card security as per applicability/ readiness of updated versions of the standards such as –

  • PCI-PIN (secure management, processing, and transmission of personal identification number (PIN) data);

  • PCI-PTS (security approval framework addresses the logical and/ or physical protection of cardholder and other sensitive data at point of interaction (POI) devices and hardware security modules (HSMs));

  • PCI-HSM (securing cardholder-authentication applications and processes including key generation, key injection, PIN verification, secure encryption algorithm, etc.); and

  • PCI-P2PE (security standard that requires payment card information to be encrypted instantly upon its initial swipe and then securely transferred directly to the payment processor).

Endpoint Central helps you comply with banking-related mandates such as PCI DSS v4.0.1, the RBI Cybersecurity Framework, and RBI IT GRC.

71

REs shall implement the following for improving the security posture of the ATM:

  • Implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other software, terminal security solution, time-based admin access, etc;

  • Implement anti-skimming and whitelisting solution; and

  • Upgrade all the ATMs with supported versions of operating system. Use of ATMs that have unsupported operating systems shall be prohibited.

Endpoint Central's USB port management configurations let admins block or allow users' access to USB ports.

Endpoint Central provides comprehensive patch support for Windows, Windows Server, Linux, and macOS. It can also patch 1,000+ third-party applications, hardware drivers, and BIOS.

Endpoint Central's OS Deployer feature helps upgrade Windows 7 and Windows 10 systems to Windows 11, removing unsupported operating systems from the ATM estate.

Endpoint Central's Application Control module lets admins allowlist or blocklist software applications on critical endpoints.