Sunday, January 21, 2018

Additional Safety Features – UPI - ‘Balance Enquiry’ option may not be visible in Google TeZ or PhonePe

          Do not be surprised, if the ‘Balance Enquiry’ option is not visible in Google TeZ or PhonePe

          The popularity of UPI is growing by leaps and bounds. The number of high-profile internet companies in line to enter the UPI bandwagon is high.

          This has prompted National Payments Corporation of India (NPCI) to take steps to safeguard sensitive customer’s financial information.

          NPCI vide its Cir No. NPCI/UPI/OC No. 44/2017-18 dt. January 11th 2018, has reiterated two important guidelines.

          Guideline 01) Balance Inquiry in UPI – Optional for PSP & 3rd party UPI enabled App.

          Guideline 02)  No storage or usage of Customer Account Balance by PSP Bank or 3rd party as ‘Customer Sensitive payment data’.

NPCI vide the above circular has made it clear that the  Security & integrity of customer data in the UPI framework is the responsibility of the PSP/Bank (Even in cases where the Bank/PSP & the outsourced technology service providers are different entities). Hence, respective banks have been advised to due diligence of their outsourced technology service provider as they are dealing with sensitive customer data.

NPCI has advised banks to refer to the following UPI circulars with regard to data storage, security and usage by the PSP/3rd party Apps:

Sr. UPI Circular # reference: Quote 1 NCI/UPI/OC No. 15/2016-17 Dated: 18th of January 2017
Point 6.c).h The PSP Bank should not share any customer data with merchant unless specified by industry regulator for e.g. SEBI, IRDA for brokers, mutual funds and Insurance.

2 NCI/UPI/OC No. 15A/2016-17 Dated: 27th of January 2017
Point 10 PSP Bank is not sharing any customer data with the merchant/P2P provider unless specified by industry regulator. E.g. SEBI, IRDA etc. (permitted only for specific regulated merchants). No authentication data shared outside PSP Bank.

3 NCI/UPI/OC No. 32/2017-18 Dated: 15th of September 2017
Point A. (Sub pint 2) & NCI/UPI/OC No. 15A/2017-18 Dated: 15th of September 2017
Sub point b) Storing customer data by app provider systems in Multi-bank model: We classify the data into two types, namely “Customer data” and “Customer payment sensitive data”:

2. Customer payment sensitive data:
Classified as customer account details (such as Account number) customer payment authenticationdata (such as device fingerprinting) required for authentication as first factor. This data can be only stored in PSP bank systems. Some of the data like account number can be shown in masked format to the customer on the app as per existing UPI PG.

Last 6 digits of the Debit Card, Expiry date of the debit card, UPI PIN, Issuer OTP should not be stored.

The ‘Balance enquiry’ feature to be moved from Default feature to Optional feature.

       The primary reason for this advise, is to ensure that ‘customers’ balance’, is stored only in the respective Bank’s database and not in any 3rd party database.

Further to the above the PSP Banks, Large 3rd party App providers under the Multi bank model and the 3rd party Apps/merchants under the Single SDK model may please note the following guidelines for compliance:

Customer account Balance is classified as customer sensitive data and accordingly, the following is being advised:

a. PSP Banks, Large 3rd party players, 3rd party Apps under Single SDK model shall provide Balance Inquiry option to the customer as an “optional feature” basis their internal risk assessment.

b. Customer account balance shall not be stored or put to any use by either the PSP Bank or 3 rd party for any purposes (Internal or external). The storage of customer account balance is not permitted even in encrypted format at the PSP & 3rd party systems / Apps.

Sunday, January 14, 2018

PayUmoney Wallet – Please transfer unclaimed balances to charity

              Gurgaon-based payments major PayU India is shutting down its mobile wallet — PayUmoney at the end of January 31, 2018, a company statement said.

When a user opens the mobile wallet, it redirects users to the page where the instructions are given on how to send the unused balance to bank accounts. Citrus wallet, PayU India's another payment wallet will continue their operations, company said.

Will PayuMoney transfer the unclaimed balances to charity or what will happen to the unclaimed balances?

Trust the answer will be known in the coming weeks.


Tuesday, December 26, 2017

Hyderabad Metro TSavaari and TWallet please join hands together

          People of Hyderabad have embraced Hyderabad Metro services whole-heartedly. Since it’s launch last month, the numbers of daily commuters is only on the increase.  Apart from daily office goers, shoppers are also travelling on Hyderabad Metro to escape from the traffic snarls.

          New tourist spots are springing up around Hyderabad Metro Stations. Selfie spots are being demarcated and highlighted.

          Shops in and around Hyderabad Metro stations are witnessing new customers.  More than 2 lacs prepaid.

          The catchment area of Hyderabad Metro extends upto 2 kms from each Metro station. View this link to know more about Hyderabad metro’s catchment area.

          Passengers can choose a smart card or a token for travelling by Metro trains.  Frequent travellers are encouraged to choose smart cards over tokens. Smart cards not only save time but also offer additional 10% discount on all the trips made on Hyderabad Metro.

Smart cards can be purchased from Hyderabad Metro ticketing offices at the stations or ordered through TSavaari App.

Smart cards can be recharged through TSavaari App, Paytm and HMR Passenger website and by using Add Value Machine (AVM) located in paid area on the station concourse.

In addition to the above Paytm is offering a flat Rs. 20/- cash back on first time recharge of Rs. 100 or more per card for the passengers recharging their smart card through Paytm.

Fake Tokens – These are test tokens used by the Operations & Maintenance team of L&T Metro Rail for testing Automatic Fare Collection (AFC) system. These are mixed with the original tokens and are taken back from the system in due course.

Parking – In addition to the parking space provided by the Government, LTMRHL has parking facilities for passengers at Nagole, Parade Grounds, Rasoolpura, Balanagar, Kukkatpally and Miyapur.

          TSaavari is the official App of Hyderabad Metro. As on date, it has seen more than 50,000 downloads.
Main features of TSaavari:

TSaavari  Feature 01) Journey Planner: Plan your journey in Hyderabad with TSavaari App. It will provide details such as approximate fare, distance, number of stations and interchanges on any route. Through TSavaari you can locate your nearest Metro station using route information module. In the near future, TSaavari will show many travel options, including Hyderabad Metro Rail, local autos, OLA cabs & auto, MMTS and TSRTC buses.

TSaavari  Feature 02) In-App OLA integration allows commuters to book a ride from and to any Metro train station within seconds and continue your journey beyond to your destination.

TSaavari  Feature 03) Buy A Card: Commuters You can buy a smart card directly via the TSavaari App and get it delivered to your residential address for a nominal delivery charge. Alternatively, you can also collect it on your way from nearest Metro station.

TSaavari  Feature 04) Under  upcoming services, TSaavari Wallet link is displayed. This link indicates future plans for an inbuilt wallet too.

T Wallet - Any Time Any Where digital payment option for Everyone

7 features of TWallet

TWallet Feature 01) T Wallet is the official digital wallet of Telangana State, is launched by Hon’ble IT Minister on Jun 01, 2017.

TWallet Feature 02) T Wallet is available as a Any Time Any Where digital payment option for Everyone. Citizens can use T Wallet to make payments for both Government and Private transactions to avail services and is integrated many Government departments.

TWallet Feature 03) Civil Supplies ePOS system is being integrated with T Wallet to bring all 16000 FP shops in to the system. 1100 Streenidhi BC Points are also being integrated with T Wallet. T Wallet serves through Online (Desktop, laptop), Smart Phone, Feature Phone and even No phone.

TWallet Feature 04) Citizens with feature phone or no Phone can use Mee Seva centres to open T Wallet, Load money into wallet and making payments. No service  charge for using T Wallet.

TWallet Feature 06) T Wallet uses two factor authentication, through Aadhaar based Biometric authentication and OTP to Aadhaar linked phone number, for feature phone and no phone users. Is hosted on Azure platform and designed for high and secure performance.

TWallet Feature 07) Govt. payments such as Aasara Pensions, MNREGA payments will be pushed to eligible respective citizen’s T Wallet

7 reasons why TSaavari and TWallet should join hands together::

Reason 01) TWallet is Telangana’s Government official wallet. Hyderabad Metro is backed by Telangana Government.

Reason 02) Commercial establishments in Hyderabad Metro catchment area can be quickly encouraged to onboard TWallet as Hyderabad Metro riders are potential shoppers

Reason 03) Hyderabad Metro commuters will be quick to adopt TWallet as an integrated service in TSaavari.

Reason 04) The integrated service can joint promotion programs to popularise Digital Transactions.

Reason 05) The trust factor is already in place, there is no need to invent the wheel. Various paid facilities at Metro Stations can be quickly integrated into the TWallet.

Reason 06) An integrated service minimises recon issues and reduces the TAT to complete the transaction. An integrated service will increase the average holding amount in the wallet.

Reason 07) Ticketing options at various tourist facilities can be quickly integrated into TSaavari

Monday, December 25, 2017

DICGC – Has your Bank sent your account details as requested??

          DICGC vide its letter dt. July 12, 2017, has requested all its member banks to submit data of its Deposit Insurance holders.

          The data has to be submitted in a specified format. This data is in line with core principles as indicated in Chapter 15 4(a) on deposit insurance prescribed by IADI.

          The last date for submission of this data to DICGC is September 30, 2017.


  • ·       Serial number       
  • ·       Account_holder_number
  • ·       Unique_identification_number 
  • ·       Salutation   
  • ·       First_name 
  • ·       Middle_name         
  • ·       Last_name  
  • ·       Date_of_birth      
  • ·       Nationality  
  • ·       Aadhaar_Number 
  • ·       Passport_Number 
  • ·       PAN_Number        
  • ·       Name of Customer          
  • ·       A/c No.       
  • ·       Date of opening of A/     
  • ·       Type of A/c(SB, CD, FD, etc.)   
  • ·       Voter_ID_Number - 1    
  • ·       Driving_License_Number
  • ·       Mobile_number     
  • ·       Email ID      
  • ·       Whether KYC complied   
  • ·       Building_apt_house_number     
  • ·       Address1    
  • ·       Address2    
  • ·       Address3    
  • ·       City_Village
  • ·       Pincode        State
  • ·       Whether_Support_document_verified_for_address_proof?         
  • ·       Bank has Supporting_document_for_address_proof        
  • ·       Alternate Bank a/c if any

DICGC has reminded banks to remit the Premium payment within due date i.e. by November 30, 2017 through RTGS/NEFT only.

DICGC has reiterated that banks will be liable to pay penal interest, if the payment is received

by DICGC after Nov 30, 2017. For example, if the payment is received on Dec 01, 2017, the bank would be liable to pay penal interest @ Bank rate plus 8% from Oct 01 till Nov 30 (i.e. for 61 days).

 In view of the above, banks are advised to remit amount of premium plus GST on or before Nov 30, 2017 and ensure that Deposit Insurance (DI) Return is also sent immediately through mail/post.

A flyer on DICGC

Banks deregistered where Claim list submission is pending - Status as on October 31,2017

IDRBT Workshop @ Secure Coding Practices

          IDRBT is conducting a short-term course on ‘Secure Coding Practices’, helmed by Dr.V.Radha.

          The duration of the fully residential program is 5 days and the next program is from January 01 to January 05, 2018.


          The preferred access for bank customers is moving from offline mode to online mode. The numbers of bank customers accessing their bank accounts through their own devices is higher than the bank customers visiting bank branches.

          This places an enormous responsibility on Banks Information Technology team to protect the Banks digital channels from unauthorized access.

          IDRBT program on Secure Coding Practices is a step in that direction.

Banks are under stress to open APIs, develop new Applications for customers as well as employees around their core banking. Building new apps around core banking without proper understanding of OWASP top 10 security vulnerabilities like SQL Injection, Remote Code Execution etc might put the bank in higher risk zone.

Whether the bank develops the application on its own or buys it, it is advisable for the bankers to understand the OWASP vulnerabilities, how do they manifest and what are the remedial measures. For majority of the attacks, bad programming is the sole source of problem.

Security experts deploy remedial measures across the entire enterprise network stack right from Web application firewalls, to end-point security. It is like making the outer wall stronger to secure the weak inner applications. None of these solutions is needed if the programs are written with security in mind.

Core Objective of the Program:-

·       To bring awareness about  OWASP top 10.
·       Discuss and demonstrate the remedial measures;
·       Automated testing of applications;
·       Code Scanning and Code Analysis


  • ·       OWASP Top 10 – Overview

  • ·       PKI for Information Security in banking services

  • ·       SSL

  • ·       Web Application Security

  • ·       Cross Site Scripting and remedial measures

  • ·       Database Security

  • ·       SQL Injection and Remedial Measures

  • ·       Remote Code Execution – Buffer Overflow Attacks and remedial Measures

  • ·       Session Hijacking and remedial Measures

  • ·       Insecure Authentication and remedial Measures

  • ·       Insecure Data Storage and remedial measures

  • ·       Weak Encryption and remedial measures

  • ·       Testing Overview

  • ·       Automated Testing tools

  • ·       Secure Coding

OWASP is an active body advocating open standards  in the Application Security space.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.

OWASP mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

Everyone is free to participate in OWASP. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.

OWASP Top 10 vulnerabilities ::
A1:2017 - Injection
A2:2017 - Broken Authentication
A3:2017 - Sensitive Data Exposure
A4:2017 - XML External Entities (XXE)
A5:2017 - Broken Access Control
A6:2017 - Security Misconfiguration
A7:2017 - Cross-Site Scripting (XSS)
A8:2017 - Insecure Deserialization
A9:2017 - Using Components with Known Vulnerabilities
A10:2017 - Insufficient Logging & Monitoring…