Platform

Why Rakuten SixthSense

Protect all your APIs from threats automatically with industry-first solutions

Why API Security

APIs power over 80% of internet traffic, but their security remains neglected

Instant API Threat Scan

Think your APIs are secure?

Find out in 5 minutes with an Instant Vulnerability Scan. No integration required.

Try Now

Solutions

INDUSTRIES

COMPLIANCES

RBI

Cert-in

NIST

PCIDSS

HIPAA

SOC2

Explore Compliances

Comply with global
regulations in minutes

APIs power your applications and carry sensitive data. Global mandates require organizations to secure PII across API networks....

Pricing

Resources

Educate

Blogs

Case Studies

Review & Reports

eBooks

Featured

The first step towards securing your APIs is understanding the risks. Find out all about the OWASP Top 10 API risks...

Integrations

Kong

NGINX

AWS

GCP

See More Integrations

Documentation

Security Center

Your API Security Snapshot

Vulnerability

Centralized Flaw Tracking

API Endpoints

Inventory and Deep Analysis

Analytics

Operational and Usage Insights

Anomaly

Behavioral and Threat Detection

Admin Panel

Control and Governance

See Complete Documentation

New

See how it works

Find out how Rakuten SixthSense maps your endpoints, gives you developer-friendly insights, and highlights vulnerabilities and anomalies

Product Tour Get Started Free

EBook

API Security for Non-Bank
Indian Payment Companies

APIs are the connective tissue of your payments business-linking apps, merchants, issuers, and processors.

The Reserve Bank of India's Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs (July 30, 2024) recognise this reality and explicitly call out API Security across four pillars:

RBI Four Pillars - Authentication & Authorization, Confidentiality, Integrity, Availability & Threat Protection

Read

Rakuten SixthSense API Security

Mapped to RBI's API Mandate

Feature	RBI Requirement	How Rakuten SixthSense does it
Authentication & Authorization	PSOs must establish identity of users and communicating applications (microservices, third party apps) accessing API	○Observes and validates auth mechanisms from live API traffic for both public and service-to-service calls ○Auto-detects and flags BOLA/BFLA attempts ○Monitors usage patterns of static API keys/tokens, identifying potential compromise or misuse
Confidentiality – ensure message content isn't read illicitly	PSOs must ensure confidentiality of API message content	○Automatically identifies and tags sensitive data (PII, PCI, PHI, financial details) within headers & payloads ○Actively monitors responses/payloads for unauthorised or accidental exposure
Integrity – resources are reliably transferred	PSOs must ensure integrity of message content during transfer and reliable/accurate transfer of resources (data/transactions)	○Deep, real time schema conformance on requests/responses; ○Workflow sequence/state awareness to flag breaches ○Provides logging & audit trails for forensic/post incident analysis
Availability & Threat Protection	APIs available for legitimate use; anomalous activities identified & mitigated	○Continuously baselines API traffic to detect deviations, e.g., unusual spikes → potential DDoS ○Detects suspicious user behavior, e.g., abnormal data transfer → potential exfiltration) ○Real-time blocking to inline enforcement points (Ingress Controller, WAF, API Gateway) ○Adaptive rate limiting based on behaviour/attack pattern
Alignment to standards/frameworks	PSO shall adhere to relevant standards and globally recognised frameworks on API security	○Designed to detect OWASP API Security Top 10 vulnerabilities and in line with NIST practices; supports OpenAPI/Swagger, OAuth 2.0, JWT ○Provides comprehensive logging, audit, and reporting to demonstrate adherence to RBI and regulatory requirements (e.g., PCI-DSS, ISO 27001)