Do not be surprised if the ‘Balance Enquiry’ option is not visible in Google TeZ or PhonePe
The popularity of UPI is growing by leaps and bounds, and a large number of high-profile internet companies are lining up to join the UPI bandwagon.
This has prompted the National Payments Corporation of India (NPCI) to take steps to safeguard customers’ sensitive financial information.
NPCI, vide its Circular No. NPCI/UPI/OC No. 44/2017-18 dated 11 January 2018, has reiterated two important guidelines.
Guideline 01) Balance Inquiry in UPI is optional for PSP and third-party UPI-enabled apps.
Guideline 02) No storage or usage of the customer account balance by the PSP Bank or any third party, as it is classified as ‘Customer Sensitive payment data’.
NPCI, vide the above circular, has made it clear that the security and integrity of customer data in the UPI framework is the responsibility of the PSP/Bank, even in cases where the Bank/PSP and the outsourced technology service provider are different entities. Hence, the respective banks have been advised to perform due diligence on their outsourced technology service providers, as those providers handle sensitive customer data.
NPCI has advised banks to refer to the following UPI circulars with regard to data storage, security and usage by the PSP/third-party apps:
Sr. 1: NPCI/UPI/OC No. 15/2016-17 dated 18 January 2017
Point 6.c).h: The PSP Bank should not share any customer data with the merchant unless specified by the industry regulator, e.g. SEBI or IRDA for brokers, mutual funds and insurance.
Sr. 2: NPCI/UPI/OC No. 15A/2016-17 dated 27 January 2017
Point 10: The PSP Bank is not to share any customer data with the merchant/P2P provider unless specified by the industry regulator, e.g. SEBI, IRDA etc. (permitted only for specific regulated merchants). No authentication data is to be shared outside the PSP Bank.
Sr. 3: NPCI/UPI/OC No. 32/2017-18 dated 15 September 2017, Point A (sub-point 2), and NPCI/UPI/OC No. 15A/2017-18 dated 15 September 2017, sub-point b)
Storing customer data by app provider systems in the multi-bank model: the data is classified into two types, namely “Customer data” and “Customer payment sensitive data”:
2. Customer payment sensitive data: classified as customer account details (such as the account number) and customer payment authentication data (such as device fingerprinting) required for authentication as the first factor. This data can be stored only in PSP bank systems. Some of the data, like the account number, can be shown to the customer in masked format on the app as per the existing UPI PG.
The last 6 digits of the debit card, the expiry date of the debit card, the UPI PIN and the issuer OTP should not be stored.
The ‘Balance Enquiry’ feature is to be moved from a default feature to an optional feature.
The primary reason for this advice is to ensure that a customer’s balance is stored only in the respective bank’s database and not in any third-party database.
Further to the above, PSP Banks, large third-party app providers under the multi-bank model and third-party apps/merchants under the single-SDK model may please note the following guidelines for compliance:
The customer account balance is classified as customer sensitive data and, accordingly, the following is being advised:
a. PSP Banks, large third-party players and third-party apps under the single-SDK model shall provide the Balance Inquiry option to the customer as an “optional feature”, based on their internal risk assessment.
b. The customer account balance shall not be stored or put to any use by either the PSP Bank or the third party for any purpose, internal or external. The storage of the customer account balance is not permitted even in encrypted format on PSP and third-party systems/apps. In practice, this means a balance returned to the app must be displayed and then discarded; encryption at rest does not satisfy the requirement, because the prohibition is on retaining the value at all, not merely on who can read it.