To prevent the government's digital payments push from being hit by e-fraud, the Reserve Bank of India has immediately taken 3 risk reduction measures. It has ordered all prepaid payment instrument (PPI) issuers (RBI-authorised banks and NBFCs) to get a special audit of their systems done by empanelled auditors of the Indian Computer Emergency Response Team (CERT-In) on a priority basis and to comply immediately with the audit report recommendations. PPIs have also been directed to take appropriate measures to mitigate phishing attacks, considering that, given the digital push, a large number of users are likely to be first-time users of the digital channels. PPIs have been instructed to take additional safety measures depending on risk perception or threats as they emerge.

To ensure that its directive is followed, RBI has asked PPIs to send a confirmation giving the details of their action plan, including the name and date of appointment of the auditor, to the Department of Payment and Settlement System by December 21, 2016.

The RBI notification on Security and Risk Mitigation measures - Technical Audit of Prepaid Payment Instrument issuers, issued on December 9, clearly highlights the central bank's concern that the government's effort to move people towards cashless means of payment should not hit a roadblock.
The notification says that with the demonetisation of the earlier Rs 500 and Rs 1000 notes, the use of alternate modes of payment, specifically e-wallets, has gained momentum.

"While all efforts should continue to be made by entities (PPIs) for onboarding new customers and merchants, it needs to be borne in mind that any kind of cyber security incident affecting the digital channels/products, particularly at this juncture, may have significant system-wide ramifications and act as a dampener for the adoption of digital products by public at large," it adds.

The notification further says: "As the rapid escalation in e-payments may put significant pressure on the existing digital infrastructure, it is imperative that the integrity of our digital ecosystem is maintained by ensuring that they remain robust and fully secure."

The notification draws attention to the existing guidelines requiring authorised entities to submit system audit reports from a CISA/DISA qualified auditor on an annual basis. The scope of this System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation, etc.

In view of this, all authorised entities/banks issuing PPIs in the country have been advised to conduct a special audit by auditors of the Indian Computer Emergency Response Team (CERT-In) on a priority basis. The audit should cover compliance as per security best practices, specifically the application security lifecycle and patch/vulnerability and change management aspects for the system authorised, and adherence to the process flow approved by the Reserve Bank.

Pre-paid payment instruments are payment instruments that facilitate purchase of goods and services, including funds transfer, against the value stored on such instruments.
The value stored on such instruments represents the value paid for by the holders by cash, by debit to a bank account, or by credit card. The pre-paid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, internet wallets, mobile accounts, mobile wallets, paper vouchers and any such instrument which can be used to access the pre-paid amount.