Additional Safety Features – UPI - ‘Balance Enquiry’ option may not be visible in Google TeZ or PhonePe
Do not be surprised if the ‘Balance Enquiry’ option is not visible in Google Tez or PhonePe.
The popularity of UPI is growing by leaps and bounds, and a large number of high-profile internet companies are lining up to join the UPI bandwagon. This has prompted the National Payments Corporation of India (NPCI) to take steps to safeguard sensitive customer financial information.
NPCI, vide its Circular No. NPCI/UPI/OC No. 44/2017-18 dated January 11th 2018, has reiterated two important guidelines:
Guideline 01) Balance Inquiry in UPI: optional for PSP and 3rd party UPI-enabled Apps.
Guideline 02) No storage or usage of Customer Account Balance by the PSP Bank or 3rd party, as it is ‘Customer Sensitive payment data’.
NPCI, vide the above circular, has made it clear that the security and integrity of customer data in the UPI framework is the responsibility of the PSP/Bank (even in cases where the Bank/PSP and the outsourced technology service provider are different entities). Hence, the respective banks have been advised to conduct due diligence on their outsourced technology service providers, as these providers are dealing with sensitive customer data.
NPCI has advised banks to refer to the following UPI circulars with regard to data storage, security and usage by the PSP/3rd party Apps:
1. NPCI/UPI/OC No. 15/2016-17, dated 18th January 2017, Point 6.c).h: The PSP Bank should not share any customer data with the merchant unless specified by the industry regulator, e.g. SEBI, IRDA for brokers, mutual funds and insurance.
2. NPCI/UPI/OC No. 15A/2016-17, dated 27th January 2017, Point 10: The PSP Bank is not sharing any customer data with the merchant/P2P provider unless specified by the industry regulator, e.g. SEBI, IRDA etc. (permitted only for specific regulated merchants). No authentication data is shared outside the PSP Bank.
3. NPCI/UPI/OC No. 32/2017-18, dated 15th September 2017, Point A (sub point 2), and NPCI/UPI/OC No. 15A/2017-18, dated 15th September 2017, sub point b), Storing customer data by app provider systems in the Multi-bank model: We classify the data into two types, namely “Customer data” and “Customer payment sensitive data”:
   2. Customer payment sensitive data: classified as customer account details (such as account number) and customer payment authentication data (such as device fingerprinting) required for authentication as the first factor. This data can be stored only in PSP bank systems. Some of the data, like the account number, can be shown in masked format to the customer on the app as per the existing UPI PG. The last 6 digits of the debit card, the expiry date of the debit card, the UPI PIN and the Issuer OTP should not be stored.
The ‘Balance enquiry’ feature is to be moved from a default feature to an optional feature. The primary reason for this advice is to ensure that customers’ balances are stored only in the respective Bank’s database and not in any 3rd party database.
Further to the above, PSP Banks, large 3rd party App providers under the Multi-bank model and the 3rd party Apps/merchants under the Single SDK model may please note the following guidelines for compliance:
Customer account balance is classified as customer sensitive data and, accordingly, the following is being advised:
a. PSP Banks, large 3rd party players and 3rd party Apps under the Single SDK model shall provide the Balance Inquiry option to the customer as an “optional feature”, based on their internal risk assessment.
b. Customer account balance shall not be stored or put to any use by either the PSP Bank or the 3rd party for any purpose (internal or external). The storage of customer account balance is not permitted even in encrypted format on the PSP and 3rd party systems/Apps.
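To show how a 3rd party app under the Multi-bank model could enforce the data classification quoted in point 3 and guideline b) above in code, here is an added example in Python. It is not code from this post or from NPCI: the field names, the storage rules keyed on them and the sample bank response are all constructed for illustration. The idea is a single gate that every bank response passes through before anything is written to the app’s own store: the balance, UPI PIN, OTP, card details, device fingerprint and full account number are refused, the account number survives only as a mask for display, and any field nobody has classified is refused as well rather than stored by default.

```python
"""Policy-as-code sketch for a 3rd party UPI app (Multi-bank model).

Added example: field names, rules and the sample payload are constructed
for illustration and are not taken from any NPCI circular or real PSP API.
"""
from dataclasses import dataclass, field

# Fields the circulars say must live only in PSP bank systems, or must never
# be stored at all. The app therefore never writes them to its own store.
NEVER_STORE = {
    "account_balance",      # no storage, not even in encrypted form
    "upi_pin",              # must not be stored
    "issuer_otp",           # must not be stored
    "card_last6",           # must not be stored
    "card_expiry",          # must not be stored
    "device_fingerprint",   # first-factor authentication data: PSP bank only
    "account_number",       # full number is PSP-bank-only; app keeps a mask
}

# Fields the app may retain for its own operation (constructed list).
MAY_STORE = {"vpa", "customer_name", "txn_id", "txn_status", "masked_account"}


def mask_account_number(account_number: str, visible: int = 4) -> str:
    """Hide all but the last `visible` digits of an account number.

    Masking is applied to the transient response object, so the full
    number is never written anywhere by the app.
    """
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if len(digits) <= visible:
        return "X" * len(digits)
    return "X" * (len(digits) - visible) + digits[-visible:]


@dataclass
class StorageDecision:
    record: dict                                   # what may be persisted
    dropped: list = field(default_factory=list)    # refused fields, for audit
    unknown: list = field(default_factory=list)    # unclassified, also refused


def gate_for_storage(response: dict) -> StorageDecision:
    """Reduce a PSP bank response to the subset the app may persist.

    Unknown fields are refused too (fail closed): a new field in a bank
    response is not silently stored just because nobody classified it.
    """
    decision = StorageDecision(record={})
    for key, value in response.items():
        if key in NEVER_STORE:
            decision.dropped.append(key)
        elif key in MAY_STORE:
            decision.record[key] = value
        else:
            decision.unknown.append(key)
    if "account_number" in response:
        decision.record["masked_account"] = mask_account_number(
            response["account_number"])
    return decision


def render_for_display(response: dict) -> dict:
    """Transient on-screen view: balance shown once, account number masked."""
    view = {
        "vpa": response.get("vpa"),
        "masked_account": mask_account_number(response.get("account_number", "")),
    }
    if "account_balance" in response:   # displayed, never persisted
        view["account_balance"] = response["account_balance"]
    return view


# Constructed sample response; not a real bank payload.
SAMPLE_RESPONSE = {
    "vpa": "alice@examplebank",
    "customer_name": "Alice",
    "account_number": "123456789012",
    "account_balance": "15230.50",
    "device_fingerprint": "df-abc123",
    "upi_pin": "4321",
    "txn_id": "T0001",
    "txn_status": "SUCCESS",
    "promo_segment": "gold",   # unclassified: refused until someone classifies it
}

if __name__ == "__main__":
    decision = gate_for_storage(SAMPLE_RESPONSE)
    print("persist:", decision.record)
    print("dropped:", decision.dropped)
    print("unknown:", decision.unknown)
    print("display:", render_for_display(SAMPLE_RESPONSE))
```

The audit lists (`dropped`, `unknown`) are what a bank doing due diligence on its outsourced provider would want to see logged: they show that the gate ran and what it refused, without containing the refused values themselves.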