RBI Digital Payment Security Controls: Are Your Web, API, and AI Applications Compliant?

2.72 billion attacks hit Banking and Financial Services in 2025, a 113% jump year-on-year, according to the Indusface State of AppSec Report 2026. RBI’s Annual Report 2025-26 shows bank fraud amounts hit Rs 48,021 crore in FY26, up 46% from FY25.

The one bright spot: digital payment fraud collapsed from 13,332 cases and Rs 517 crore in FY25 to just 293 cases and Rs 29 crore in FY26. That is what enforced compliance delivers. The risk did not vanish; it migrated to lending APIs, where advances frauds now account for 85% of all bank fraud by value.

RBI’s Master Direction (RBI/2020-21/74) has been in effect since August 2021. The digital fraud numbers prove the framework works. The lending fraud numbers prove that incomplete coverage does not. In August 2025, the FREE-AI Committee report (Framework for Responsible and Ethical Enablement of Artificial Intelligence) added new obligations for AI-enabled systems. This guide covers both, with exact clause references and AppTrana mappings.

60-Second RBI Compliance Check

Area: AI Cybersecurity
RBI requirement: AI cybersecurity risk identification and dynamic threat detection (FREE-AI Rec 19).
AppTrana coverage: Continuous DAST on AI application surfaces, real-time threat detection on AI interfaces, 24×7 expert support, SIEM integration.

Area: AI Adversarial Testing
RBI requirement: Structured red team testing, semi-annual for high-risk apps (FREE-AI Rec 20).
AppTrana coverage: Certified AI pen testing, continuous DAST between cycles. Only WAF vendor with integrated DAST and pen testing.

Area: AI Audit Readiness
RBI requirement: Comprehensive risk-based audit framework covering data, model, and decision outputs, with third-party audits for high-risk AI (FREE-AI Rec 24).
AppTrana coverage: Inbuilt DAST continuously audits AI application surfaces. SwyftComply autonomously remediates findings via virtual patching and delivers a verified zero open unprotected vulnerabilities report within 72 hours. Code fixes follow on the normal development cycle. 365-day auditable WAF decision logs support audit readiness.

Area: Application and API Security
RBI requirement: Secure communication protocols and encryption across all payment channels (Clause 13). Security controls for how applications handle, store, and protect payment data, tested against OWASP MASVS/ASVS, ISO 12812, NIST (Clause 31). Sensitive data masking (Clause 32).
AppTrana coverage: TLS enforcement, OWASP Top 10 and API Top 10 protections, positive security model, behavioural abuse detection, and PAN/Aadhaar data masking in WAF logs.

Area: Vulnerability Remediation
RBI requirement: Time-bound, no recurrence, verified (Clause 26).
AppTrana coverage: Autonomous virtual patching via SwyftComply. Zero open unprotected vulnerabilities within 72 hours at the edge. Code fixes follow on the normal development cycle.

Area: WAF and DDoS
RBI requirement: Explicitly mandated (Clause 15).
AppTrana coverage: AI-powered WAAP, unmetered DDoS protection, active block mode from day one.

Area: VAPT
RBI requirement: Half-yearly Vulnerability Assessment, annual Pen Testing (Clause 24). Continuous scanning (Clause 25).
AppTrana coverage: Continuous DAST, AI penetration testing.

Area: Incident Response and AI Incident Reporting
RBI requirement: Updated contacts, payment incident SOPs (Clause 40). Timely reporting of AI-related incidents under a regulator-established framework (FREE-AI Rec 22).
AppTrana coverage: Real-time incident characterisation, 24×7 managed expert support, structured audit-ready security event logs, real-time SIEM integration, near real-time incident dashboards, 365-day log retention.

Note: FREE-AI Committee recommendations are currently advisory. Given the RBI’s pattern of converting committee recommendations into circulars, regulated entities deploying AI systems should treat these as near-term compliance obligations.

RBI Compliance Requirements for Web, AI and API apps

Here is what each requirement means in practice and where most teams fall short.

Requirement 1: AI Cybersecurity (FREE-AI Rec 19, 20, 24)

In August 2025, the RBI’s FREE-AI Committee (Framework for Responsible and Ethical Enablement of Artificial Intelligence) published recommendations requiring regulated entities to embed AI-specific security controls across their operations. Three recommendations directly apply to cybersecurity:

  • Rec 19 requires continuous identification of potential security risks arising from AI use across hardware, software, and processes, with dynamic threat detection and response mechanisms in place.
  • Rec 20 requires structured adversarial testing across the full AI lifecycle, with frequency proportionate to the risk level of the application. Trigger-based testing should also be considered when major changes are made to the AI environment.
  • Rec 24 requires a comprehensive risk-based audit framework covering input data, model and algorithm, and output behaviour, with internal audits for all AI applications and third-party audits for high-risk use cases, reviewed at least biennially.

Where most teams fall short: AI security is treated as a pre-deployment checkpoint. Most teams have no ongoing process for evaluating AI models already running in production. Every major change to the AI environment is a potential trigger for a fresh security assessment, not just a scheduled annual review.

Requirement 2: Application and API Security (Clauses 13, 31, 32)

The Master Direction sets three obligations covering how regulated entities handle, protect, and transmit payment data:

  • Clause 13 requires all digital payment channel communication to adhere to a secure protocol standard, with appropriate levels of encryption implemented across the payment ecosystem.
  • Clause 31 requires security controls covering how applications handle, store, and protect payment data. APIs for secure data storage and communication must be implemented and used correctly. Testing must verify for OWASP Top 10, OWASP Mobile Top 10, and platform-specific risks, with reference standards including OWASP MASVS, OWASP ASVS, ISO 12812, and NIST threat catalogues.
  • Clause 32 requires sensitive customer information including account numbers and card numbers to be masked or redacted when transmitted via SMS or email.

Where most teams fall short: Encryption is enforced on primary payment endpoints but breaks down across third-party integrations and secondary channels. Security testing is treated as a launch gate rather than an ongoing requirement, with mobile application testing frequently skipped between releases. Sensitive data masking is applied at the display layer but payment data routinely appears unmasked in server logs, debug outputs, and SIEM exports, creating an audit liability that surfaces only during incident investigations.
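The unmasked-logs failure mode described above is cheapest to close at the logging layer, before a record reaches any file, syslog or SIEM handler. The following is an added example and not Indusface or AppTrana code: a Python logging filter that masks Luhn-valid card numbers and 12-digit Aadhaar-like numbers, leaving other digit runs such as transaction IDs intact. The digit pattern, the 12-digit Aadhaar heuristic and the sample log line are constructed assumptions for illustration.

```python
import logging
import re

# One pass over any run of 12-19 digits, optionally separated by spaces or hyphens.
DIGIT_RUN = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check so timestamps and transaction IDs of card-like length are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask(digits: str, keep: int = 4) -> str:
    return "*" * (len(digits) - keep) + digits[-keep:]

def mask_sensitive(text: str) -> str:
    """Mask card numbers (Luhn-valid, 13-19 digits) and Aadhaar-like 12-digit numbers.

    Assumption: any 12-digit run is treated as Aadhaar-like, so over-masking is possible;
    for a log pipeline that is the safer failure mode.
    """
    def decide(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if len(digits) == 12 or luhn_ok(digits):
            return _mask(digits)
        return m.group(0)
    return DIGIT_RUN.sub(decide, text)

class MaskingFilter(logging.Filter):
    """Attach to every handler (file, syslog, SIEM forwarder) so nothing leaves unmasked."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_sensitive(record.getMessage())  # format first, then mask
        record.args = None
        return True

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(MaskingFilter())
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample line with a public test card number, not a real customer record.
    log.info("auth ok card=%s aadhaar=%s txn=%s", "4111 1111 1111 1111", "2345 6789 0123", "20250115123456")
```

The filter must sit on the handler, not only the logger, so that records propagated from child loggers and forwarded to a SIEM are masked as well.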

Requirement 3: Vulnerability Remediation (Clause 26)

The Master Direction and FREE-AI together set parallel remediation obligations for web applications and AI systems:

  • Clause 26 requires regulated entities to compare results from earlier vulnerability scans to verify that vulnerabilities have been addressed through patching, compensating control, or documented residual risk acceptance with necessary approval. The same vulnerability cannot reappear in the next scan. All identified vulnerabilities must be fixed in a time-bound manner.

Where most teams fall short: A high severity finding surfaces mid-sprint. The code fix goes live three weeks later with no compensating control in place and nothing documented. That is a compliance liability with a paper trail.
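To make the Clause 26 comparison described above mechanical rather than a spreadsheet exercise, here is an added example that is not part of the original post or any vendor product: a Python check that diffs two scan cycles against a remediation register and flags recurrence of a "patched" finding, closures with no record, risk acceptances without an approver, and fixes past their deadline. The SLA days, finding keys, sample findings and register format are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed per-severity remediation deadlines (days); Clause 26 says "time-bound" without numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass(frozen=True)
class Finding:
    key: str          # stable identity: vulnerability class + asset + parameter
    severity: str
    first_seen: date  # when the finding first appeared in any scan

def compare_scans(previous, current, register, today):
    """Check a new scan against the last one and the remediation register (Clause 26).
    register: key -> {"status": "patched" | "compensating_control" | "risk_accepted",
    "approver": name or None}. Returns lists of finding keys per compliance issue."""
    prev, cur = {f.key: f for f in previous}, {f.key for f in current}
    out = {"recurred": [], "unresolved": [], "overdue": [],
           "unapproved_acceptance": [], "closed_without_record": [], "new": []}
    for key, f in prev.items():
        status = register.get(key, {}).get("status")
        if status == "risk_accepted" and not register[key].get("approver"):
            out["unapproved_acceptance"].append(key)  # acceptance needs documented sign-off
        if key in cur:
            if status == "patched":
                out["recurred"].append(key)    # claimed fixed, scanner still sees it
            elif status is None:
                out["unresolved"].append(key)  # never addressed at all
            # compensating_control or approved acceptance: continued detection is expected
            if status in (None, "patched") and (today - f.first_seen).days > SLA_DAYS[f.severity]:
                out["overdue"].append(key)
        elif status is None:
            out["closed_without_record"].append(key)  # gone, but no evidence of how
    out["new"] = [f.key for f in current if f.key not in prev]
    return out

# Constructed sample data, not real scan output.
PREVIOUS = [Finding("sqli:/api/v1/loans:id", "critical", date(2025, 9, 1)),
            Finding("xss:/account/statement:q", "medium", date(2025, 9, 1)),
            Finding("tls1.0:payments.example.com:443", "high", date(2025, 9, 1)),
            Finding("idor:/api/v1/cards:cardId", "high", date(2025, 9, 1))]
CURRENT = [Finding("sqli:/api/v1/loans:id", "critical", date(2025, 9, 1)),
           Finding("tls1.0:payments.example.com:443", "high", date(2025, 9, 1)),
           Finding("idor:/api/v1/cards:cardId", "high", date(2025, 9, 1)),
           Finding("ssrf:/api/v1/kyc/fetch:url", "high", date(2026, 3, 1))]
REGISTER = {"sqli:/api/v1/loans:id": {"status": "patched", "approver": None},
            "tls1.0:payments.example.com:443": {"status": "compensating_control", "approver": "CISO"},
            "idor:/api/v1/cards:cardId": {"status": "risk_accepted", "approver": None}}

if __name__ == "__main__":
    for issue, keys in compare_scans(PREVIOUS, CURRENT, REGISTER, date(2026, 3, 15)).items():
        print(f"{issue}: {keys}")
```

Each non-empty list is an audit finding in its own right; the "closed_without_record" case is the one auditors probe, because a vulnerability that vanished without a documented fix can return without anyone noticing.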

Requirement 4: WAF and DDoS Protection (Clauses 15, 51)

The Master Direction sets two obligations covering application-layer protection for internet-facing payment platforms:

  • Clause 15 explicitly requires regulated entities to implement a WAF and DDoS mitigation techniques to secure digital payment products and services offered over the internet.
  • Clause 51 requires regulated entities to assess authentication-related attack risks on internet banking websites and implement appropriate controls based on that assessment, including adaptive authentication, strong CAPTCHA with anti-bot features, and server-side validation. DNS cache poisoning prevention and virtual keyboard support are also required.

Where most teams fall short: Auditors increasingly treat a WAF in monitoring mode as an incomplete control, since detection without enforcement does not demonstrate the intent of Clause 15. Infrastructure-level rate limiting does not handle short-burst attacks engineered to stay under detection thresholds. According to the Indusface State of AppSec Report, over 70% of BFS applications faced at least one monthly short-burst DDoS attack in 2025, with static rate-limiting stopping only 40% of attacks. The remaining 60% required AI behavioural models to detect and mitigate.

Requirement 5: VAPT (Clauses 24, 25, 27 and FREE-AI Rec 20)

The Master Direction sets four interconnected obligations covering the full vulnerability assessment and penetration testing lifecycle:

  • Clause 24 requires VA at least every six months and PT at least annually. In addition, VA and PT must be conducted whenever a new digital payment application or IT infrastructure is introduced, or when any major change is made to an existing application or infrastructure. Testing must cover OWASP compliance standards.
  • Clause 25 recommends that regulated entities run automated VA scanning tools continuously or on a more frequent basis across all critical, public-facing, or customer data-holding systems.
  • Clause 26 requires no recurrence of known vulnerabilities and time-bound remediation, as covered in Requirement 3.
  • Clause 27 requires all vulnerability scanning to be performed in authenticated mode, either through agents running locally or remote scanners with administrative rights on the system being tested.
  • FREE-AI Rec 20 adds a parallel obligation for AI applications, requiring structured adversarial testing across the full AI lifecycle. Trigger-based testing should be considered whenever major changes are made to the AI environment.

Where most teams fall short: Trigger-based testing under Clause 24(a) is the most commonly missed requirement. A major update goes live, VA and PT are skipped, and the gap surfaces when the auditor asks for testing evidence tied to that specific change. Unauthenticated scanning misses configuration vulnerabilities and privilege escalation paths that only appear with legitimate system access.

Requirement 6: Incident Response (Clauses 18, 40, FREE-AI Rec 22)

The Master Direction and FREE-AI together set three obligations covering incident detection, response, and reporting:

  • Clause 18 recommends that mobile and internet banking applications maintain effective logging and monitoring capabilities to track user activity, security changes, and identify anomalous behaviour and transactions.
  • Clause 40 requires regulated entities to maintain updated contact details of all service providers, intermediaries, external agencies, and other stakeholders for coordination in incident response. A mechanism to regularly update and verify these contacts must be in place. Specific SOPs to handle payment ecosystem incidents must also be formulated.
  • FREE-AI Rec 22 requires financial sector regulators to establish a dedicated AI incident reporting framework for regulated entities and FinTechs, encouraging timely detection and reporting of AI-related incidents through a tolerant, good-faith approach.

Where most teams fall short: Log retention windows that are too short are discovered during incident investigations, not before. A 30-day log retention policy frequently leaves no evidence to reconstruct the attack timeline. Clause 40’s contact list is often not maintained as a live document.

Where AppTrana Maps to RBI Requirements

AppTrana addresses key Master Direction requirements and FREE-AI obligations from a single platform, removing the vendor boundary gaps that create compliance risk.

AI Cybersecurity — Continuous DAST covers web and API surfaces connected to AI systems. Real-time threat detection, 24×7 expert support, and SIEM integration address Rec 19 obligations for dynamic threat detection and response across hardware, software, and processes.

AI Adversarial Testing — AppTrana’s inbuilt DAST and AI penetration testing directly address Rec 20 structured adversarial testing obligations, making AppTrana the only WAF vendor with both integrated.

AI Audit Readiness — SwyftComply delivers zero-vulnerability audit reports within 72 hours. DAST-based application audit via Indusface WAS covers input data and application surfaces. Rec 24 audit requirements are supported across data, model, and output layers.

Application and API Security — OWASP Top 10 and API Top 10 protections, TLS enforcement, and a positive security model cover application and API security obligations under Clauses 13 and 31. Adaptive rate limiting and behavioural abuse detection address business logic abuse across payment APIs. PAN, Aadhaar, and other sensitive data masking in WAF logs satisfies Clause 32.

Vulnerability Remediation — SwyftComply deploys application-specific security rules at the edge autonomously, closing the exposure window before the code fix reaches a sprint. An expert-verified report showing zero open vulnerabilities is provided within 72 hours, with the virtual patches serving as the documented compensating controls that Clause 26 permits.

WAF and DDoS — Inline in active block mode from day one with a zero false positive guarantee, satisfying Clause 15. Behavioural DDoS mitigation handles short-burst and AI-driven attacks. Anti-bot detection and intelligent CAPTCHA with server-side validation satisfy Clause 51.

VAPT — AppTrana runs continuous automated scanning across OWASP Top 10, OWASP API Top 10, and business logic attack categories, with authenticated scanning for deeper visibility into configuration and session vulnerabilities. Vulnerability Assessment and penetration testing are delivered by Indusface certified security researchers as part of the standard service, satisfying Clauses 24, 25, 26, and 27.

Incident Response — Real-time anomaly detection satisfies Clause 18. 24×7 expert support characterises incidents immediately, giving security teams accurate information to initiate Clause 40 SOPs. 365-day full-verbosity log retention supports FREE-AI Rec 22 obligations, providing the structured audit-ready evidence trail required for AI-related incident reporting.

The next RBI audit will test whether your controls actually exist. Start a free trial with AppTrana and fix your compliance gaps before the deadline.


Vinugayathri Chinnasamy

Vinugayathri Chinnasamy is an Assistant Product Marketing Manager at Indusface, focused on application security, penetration testing, and managed WAAP. She translates vulnerability research, compliance requirements, and real-world attack trends into practical, decision-ready insights for security and business teams.

Frequently Asked Questions (FAQs)

RBI’s Master Direction (RBI/2020-21/74), issued February 2021 and effective from August 2021, sets minimum security controls for digital payment products and services. It applies to all scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, and credit card issuing NBFCs. It covers channels including internet banking, mobile payment applications, and card payments.

Clause 24 sets half-yearly VA and annual PT as the minimum scheduled cadence. Clause 25 additionally expects continuous automated scanning of all critical, public-facing, and sensitive-data systems. VA and PT must also be conducted following any new deployment or major infrastructure change under Clause 24(a). Scheduled cycles alone do not meet the full obligation.

Yes. Clause 15 states directly that regulated entities shall implement a Web Application Firewall solution and DDoS mitigation techniques to protect digital payment products and services offered over the internet. This is a mandatory obligation.

The FREE-AI Committee report, published August 2025, introduces recommendations for regulated entities deploying AI in their products and processes. It is a formal framework with direct obligations. Recommendations covering AI cybersecurity, adversarial security testing, business continuity, and incident reporting carry direct implications for application security teams managing AI-enabled products.

SwyftComply is AppTrana’s autonomous vulnerability remediation capability. When any scanner surfaces a vulnerability, the managed team generates an application-specific virtual patch, tests it against live traffic for false positive risk, and deploys it at the WAF within 72 hours. This satisfies the time-bound remediation and recurrence verification obligations in Clause 26 and produces a clean zero-vulnerability report for use with auditors.

AppTrana’s continuous DAST scanner runs against OWASP Top 10, OWASP API Top 10, and business logic vulnerability categories between formal VAPT cycles. New findings surface when they appear rather than at the next scheduled half-yearly assessment. Authenticated scanning satisfies Clause 27’s requirement for scanning to be performed in authenticated mode.