Cyber resilience compliance for payment-system operators (Bank Indonesia PBI 2/2024)
In short
How payment service providers (PJP) and payment infrastructure operators (PIP) licensed by Bank Indonesia can meet PBI 2/2024: security management, monitoring, threat analysis, and incident reporting.
Indonesia's digital payment transactions run into the hundreds of millions each month, flowing through layers of infrastructure that most end users never see. Behind every payment tap sits a gateway authorising the transaction, a digital wallet holding the funds, a switching network linking issuer and acquirer, and clearing and settlement providers resolving millions of transfers every day. Each of those layers carries its own exposure. That is what Bank Indonesia addressed when it issued PBI 2/2024.
Unlike OJK, which supervises financial institutions such as banks and lending fintechs, Bank Indonesia oversees the payment system ecosystem specifically. PBI 2/2024 is BI's instrument for ensuring that operators licensed under its framework apply information security that can be demonstrated, not merely declared.
PBI 2/2024
PBI 2/2024 governs information security for payment system operators in Indonesia. It applies to payment service providers (PJP) and payment infrastructure operators (PIP) licensed by Bank Indonesia. Core obligations include information security risk management, continuous system monitoring, threat analysis, malware analysis, periodic testing of detection systems, and incident reporting to Bank Indonesia.
Who PBI 2/2024 applies to
PBI 2/2024 covers two broad categories of operators licensed by Bank Indonesia.
The first is payment service providers (PJP), which includes digital wallet operators, payment gateways, fund transfer services, card payment platforms, and other technology-based payment service providers. The second is payment infrastructure operators (PIP), which includes switching network operators, clearing service providers, and interbank settlement operators.
This scope is distinct from OJK's regulatory reach. POJK 11/2022 and SEOJK 29/2022 apply to commercial banks under OJK supervision, while PBI 2/2024 targets payment operators licensed by BI. A fintech company that holds a payment licence from BI while also running services regulated by OJK, for example because it also offers lending or investment products, may face both regulatory regimes at once. In that situation, the compliance team needs to map each regulator's requirements separately, though many technical controls overlap and investment on one side often satisfies obligations on the other.
Security obligations under the regulation
PBI 2/2024 requires operators to implement comprehensive information security risk management. This is not a static documentation exercise. It means an active process of identifying assets and risks, applying appropriate controls, and reviewing their effectiveness over time.
Among the obligations with the most direct impact on technical infrastructure, PBI 2/2024 explicitly mandates continuous system monitoring, security threat analysis, malware analysis, and periodic testing of detection systems. Operators are also required to maintain service continuity so that payment operations are not stopped by disruptions, to manage the security of third-party service providers that form part of their technology supply chain, and to report cyber incidents to Bank Indonesia according to the procedures in place.
| Obligation | Status |
|---|---|
| Comprehensive information security risk management | Mandatory |
| Continuous monitoring of information systems | Mandatory |
| Security threat analysis and intelligence | Mandatory |
| Malware and malicious software analysis | Mandatory |
| Periodic testing of security detection systems | Mandatory |
| Cyber incident reporting to Bank Indonesia | Mandatory |
| Security management of third-party service providers | Mandatory |
| Service continuity and recovery from disruption | Mandatory |
Monitoring as a stated obligation
Before PBI 2/2024, many PJP and PIP operators ran security monitoring based on internal policy or business need rather than an explicit regulatory mandate. The regulation changes that directly.
Operators now need to be able to demonstrate to Bank Indonesia that they have the capacity to detect threats, analyse malware, and test their detection systems on a regular schedule. For PJP operators that do not yet have a sufficiently staffed in-house security team, this obligation is often more efficiently met through a managed SOC or MDR service from a provider already familiar with digital payment environments.
The incident reporting obligation adds an operational dimension that cannot be handled on the fly. When an incident occurs, the operator must not only contain it technically but also report it to Bank Indonesia according to the established procedure. Being ready for that requires more than technical capability alone. It takes documented response procedures, clear escalation paths within the organisation, and the ability to assemble a report that meets the regulator's expectations.
The diagram below shows the incident handling and reporting flow that PJP and PIP operators need to be prepared for under PBI 2/2024.
Regulatory context: BI versus OJK
For fintech companies building a compliance programme, distinguishing the two regulatory lines matters so that nothing falls through the gap. Bank Indonesia licenses payment system operators and supervises them under its framework, including PBI 2/2024. OJK supervises financial institutions, including banks, P2P lending fintechs under POJK 10/2022, and investment managers.
A company that holds only a payment licence from BI needs to ensure it meets BI's requirements. One that also holds an OJK licence, for example running both a payment and a lending product, needs to map the obligations of both regulators. Confusion between the two is not uncommon, partly because terms such as "information security" and "cyber resilience" appear in both BI and OJK regulations with slightly different contexts and control expectations.
For an overview of the OJK side of this picture for commercial banks, see our article on OJK cybersecurity requirements for Indonesian banks.
A path to compliance
Meeting PBI 2/2024 is not a one-time project. Continuous monitoring, periodic testing, and incident reporting run throughout the operator's operational life. The most efficient approach typically starts with assessing the current position, then building the capabilities that are missing, and finally embedding the recurring obligations into day-to-day operations.
1. Gap assessment: map PBI 2/2024 obligations against existing controls, policies, and procedures. Identify gaps in monitoring capability, incident response readiness, and third-party risk management.
2. Strengthen technical controls: deploy or upgrade monitoring capability, threat analysis, malware analysis, and detection-system testing in line with the regulation's explicit mandates.
3. Procedures and reporting readiness: document incident response procedures, including the Bank Indonesia reporting path, and train the teams involved so they are ready when an incident occurs.
4. Ongoing operations and monitoring: run daily monitoring, perform periodic detection-system tests, and keep third-party risk assessments current as vendors and services change.
How Alpha Code helps
We begin with a gap assessment that maps the operator's information security posture against the specific obligations of PBI 2/2024. The output is not simply a list of problems but a prioritised map that distinguishes what is already met, what is partially in place, and what needs immediate attention.
For the monitoring and threat-analysis obligations, our SOC service provides continuous monitoring, log and anomaly analysis, and malware detection tuned to digital payment environments. We also help set up periodic detection-system testing as required by the regulation.
When an incident occurs, our incident response service covers technical containment alongside support for assembling the report to Bank Indonesia. Our team understands the content and structure that regulators generally expect in incident disclosures, so the operator is not learning that process for the first time under pressure.
On the governance side, our GRC consulting helps align information security policies and procedures, assess the security practices of third-party service providers, and prepare the documentation that Bank Indonesia reviews during examination.
Next steps
PBI 2/2024 is already in force. For PJP and PIP operators that have not yet completed a gap assessment, starting now is considerably better than waiting until a problem forces the issue. If you want to understand where your organisation stands against the obligations of PBI 2/2024, our team is ready to help you set out a concrete first step.
Frequently asked questions
PBI 2/2024 is a Bank Indonesia regulation on information security for payment system operators. It applies to payment service providers (PJP) and payment infrastructure operators (PIP) licensed by Bank Indonesia, including digital wallets, payment gateways, switching networks, and clearing and settlement providers.