Guide to RBI’s Master Directions on Cyber Resilience for PSOs

Buchi Reddy B

CEO and Founder at Levo

Government-backed initiatives like UPI and Digital India enabled the Indian payment segment to take root and thrive, with an impressive 87% adoption rate, far outpacing the global average of 64%.

Digital transactions reached 164 billion in volume and ₹3 trillion in value by the end of the last fiscal year, making the market both lucrative and highly competitive.

Enterprises persistently and rapidly push the boundaries in high-stakes environments to ensure low customer churn.

APIs are the backbone of mobile apps and digital wallets, enabling secure, real-time transactions by connecting these platforms to payment gateways and financial institutions.

Yet, these very APIs that fuel innovation through new features like voice enabled payments also create new attack surfaces, leaving sensitive user data vulnerable to sophisticated cyber threats.

To counteract these (and many other) novel risks, the Reserve Bank of India has introduced the Cyber Resilience Master Directions, a regulatory framework many within the segment will have to comply with by as soon as 31st March 2025.

This blog will explore why API Security is critical across all four sections—not just for timely compliance with these master directions but also for maintaining a competitive edge in this unforgiving market.

Shift-Left: Now an RBI Mandated Approach

Shifting from the historically reactive compliance efforts, RBI’s cyber resilience mandates now demand cultural, operational, and Engineering shifts.

These notifications enforce what we have long advocated for- Compliance ownership by those closest to the technology i.e. Developer and Information Security Teams.

A board-approved and monitored information security policy will ensure that security is a foundational element of all payment products, not an afterthought patched in later.

Components of the Information Security Policy mandated in RBI’s Master Directions on Cyber Resilience and Digital Payment Security Controls

Post-approval, a technical leader like the ranks of a CISO, will be entrusted with the implementation and continuous assessment of the policy and cyber-resilience framework through:

Implementation Responsibilities of a technical leader like CISO to implement and monitor Information Security Policy

This isn’t a hands-off, boardroom-only responsibility. But an enterprise-wide action plan championed by technology leaders and enacted by implementers through these baseline security measures:

Baseline Security Measures to be followed across teams to ensure compliance with RBI’s Cyber Resilience and Digital Payment Security Controls

API Security- The Foundation of RBI’s Master Directions

According to Postman, 74% of all modern applications are API-first—a statistic likely higher in fintech, where speed, scalability, and operational flexibility are non-negotiable.

As you may already know, APIs have evolved from backend technologies to the backbone of payment platforms.

Enabling most of your platform’s functionality: KYC, transaction processing, and digital wallet functionality, interfacing directly with databases and internal systems.

Therefore financial APIs handle highly sensitive data with 60% of them handling PII and account authentication data and payment card details respectively with over 55% also handling payment card details and device location data.

RBI’s framework acknowledges both these consequential security risks by recommending these best practices:

API Security Practices recommend by RBI in its Master Directions for Cyber Resilience and Digital Payment Security Controls

We've explored how API Security practices—including API Visibility, Monitoring, and Pre-Production Security Testing—protect against malicious actors attempting to steal PII (bank account details, contact numbers, credit numbers) or funds from pre-paid instruments and digital wallets.

In today's interconnected enterprise networks, particularly those using distributed and microservices architectures, API security measures—or their absence—can significantly impact compliance efforts across all areas.

Let us demonstrate how:

1. API Visibility

Without proper API visibility—whether it's an inventory, documentation, or sensitive data classification—critical assets are left exposed.

Shockingly, 39% of fintechs can’t track third-party APIs handling sensitive data, and 32% are unaware of all APIs in use, including shadow or orphaned ones paralyzing all other security initiatives:

How a lack of comprehensive and accurate API Inventory, API Documentation, and Sensitive Data Classification expand attack surface across cloud, networks, and databases

2. API Authentication

While weak authentication schemes may provide a baseline defense, they fall dangerously short of securing your APIs. Alarmingly, 39% of attack attempts target authenticated APIs, exploiting vulnerabilities in poorly implemented AuthN mechanisms.

Suboptimal developer practices, such as hardcoding API keys amplify this risk. If an attacker compromises such a key, the ramifications can cascade across your ecosystem:

How weak API Authentication schemes expand attack surfaces across cloud, networks, and databases

To mitigate these risks, adopt robust AuthN frameworks like OAuth 2.0 and JWT. These mechanisms enforce granular access controls, token expiration policies, and secure key management, fortifying your API’s first line of defense.

3. API Authorization

Strong authentication is essential, but it's just the first layer. Without robust authorization, your APIs risk becoming open entry points for attackers. In fact, 35% of FinTech enterprises report challenges with unauthorized account access—underscoring the need for strict controls that limit users to their accounts and resources.

Weak or poorly implemented authorization systems, including missing Role-Based Access Control (RBAC), can have devastating consequences:

How weak or poorly implemented API Authorization schemes expand attack surfaces across cloud, networks, and databases

4. Pre-Production API Security Testing

Only 37% of enterprise teams prioritize security testing, leaving APIs vulnerable to account fraud and large-scale exploitation.

Attackers target these untested registration APIs to create fake accounts and abuse resources like promotional rewards and credits. This creates ripple effects throughout cloud, network, and data systems, multiplying the potential damage.

How a lack of Pre-Production API Security Testing expands attack surface across cloud, networks, and databases

Levo.ai: Automated API Security Platform

As iterated above, an API-induced breach is rarely an isolated event—it can potentially bring down your entire system.

Following essential API security best practices ensures compliance success and protects your entire infrastructure.

With 68% of developers deploying at least monthly and over 55% of enterprises managing at least 500 APIs, implementing these security practices manually has become impossible.

This is why Levo.ai has automated these processes and more:

1. Unmatched API Visibility:

Comprehensive API Inventory: We leverage your traffic and code repositories to build a complete API inventory, including internal, external, open-source, third-party, and inactive APIs (like zombie and shadow APIs)—discovering 90-250% more APIs without code or configuration changes.
Automatic API Documentation: We generate detailed API documentation through OpenAPI/Swagger specifications, including over 12 critical parameters such as version details, changelog, and request-response bodies.
Sensitive Data Mapping: Our platform automatically detects and maps all sensitive data flows through your APIs, including third-party and partner services, ensuring complete visibility.
Security Gap Identification: We identify endpoints handling sensitive data that have weak or no authentication, helping you address vulnerabilities before they threaten your customers and brand.
Flexible Data Tracking: We map all sensitive data types at both application and environment levels, letting you define new data types directly through the UI.

2. API Security Testing

Automated and continuous Security Testing throughout the SDLC to ensure no vulnerabilities are introduced during the build process:

We conduct thorough pre-production security tests to minimize enumeration attack risks, including injection flaws, SQL injections, NoSQL injections, and other exploitable misconfigurations in production.

Our platform automates testing various authorization scenarios, including horizontal and vertical access controls, object-level permissions, and advanced BOLA cases—all in addition to the OWASP API Security Top 10.

3. Continuous API Monitoring

Rather than relying on annual audits, we provide continuous, sensor-powered monitoring for your API traffic across all environments, with automatic alerts for policy deviations.

4. Vulnerability Management and Reporting

Users can download and export vulnerability reports daily, quarterly, or monthly from the platform, ensuring team-wide security awareness without requiring universal login access.

Reports include comprehensive test coverage for all endpoints and percentage-based metrics of secure versus vulnerable endpoints.

Track individual vulnerabilities through Splunk dashboards, Jira tickets, or Slack and Teams channels.

Book a demo through this link to see this in action!