DPSS.CO.No. 1167/06.07.002/2010-2011

25th November, 2010

All the entities authorised under PSS Act, 2007.

Dear Sir,

Minimum Check to be followed for the Payment Systems operated
under the PSS Act, 2007

It has been decided that the operators of the payment system authorised by the Reserve Bank of India should at the minimum observe the following practices

• A Strong password policy should be implemented with a history of password usage being maintained. Periodical change of passwords has to be strictly enforced with the system barring the user from reusing the three previous passwords.
• Regular review of the logs of the application system, database and the operating system should be done.
• A well documented and tested Business Continuity and Disaster Recovery Plan should be put in place with proper logs.
• Network scanning / monitoring should be done on regular basis for the Denial of Service (DOS) attack as well as other intrusion and spy ware.

2. In order that these minimum practices are being followed a system audit should be conducted by a CISA qualified auditor. Pending the above, we advise that these minimum practices should be introduced (if not already done so) and a certificate of compliance may be submitted to the RBI by 31st December, 2010.

Yours faithfully

(G.Srinivas)
General Manager