
SBM Third party risk assessment - Adherence to Master circular on device binding controls

Columns: S.no | Description | Control requirement | Justification | Evidence
(The Evidence column is blank in this extract; Justification entries are shown only where the sheet has them.)

1. Check for SIM state
   a) On iOS device: mobile data needs to be validated.
   b) On Android: device binding is not to be allowed when the SIM/e-SIM is not present.

2. Device binding not allowed in airplane mode
   The mobile application (iOS & Android) should not be allowed to perform device binding when the device is in airplane mode.

3. Wi-Fi mode
   a) On Android: device binding over Wi-Fi shall only be permitted subject to the SIM/e-SIM/telco based connectivity checks mentioned in Controls 1 & 2.
   b) On iOS device: mobile data is mandatory for device binding.

4. Completion of device binding in the same session
   a) Android: the customer should not be allowed to toggle between apps or press any key until the device binding is processed. The token must be invalidated if the customer moves out of the active session. An auto notification pertaining to SMS charges received on the customer device during registration shall not be considered as toggling.
   b) iOS: once the user is redirected to the message app, if the customer presses cancel or switches to another app, the application should reject the device binding. For any user registered on iOS devices, the customer onboarding PSP shall decline the device binding if the time taken for control to be passed from the SMS composer window back to the application exceeds 5 seconds.

5. Device binding disallowed on multiple codes
   The PSP is to decline device binding if it receives the same short code (token) from multiple mobile numbers during the device binding timer. For example: if the PSP receives short code 123 from mobile A and mobile B during the device binding timer, it should decline device binding.

6. Length of device binding string
   SMS token length is to be a minimum of 35 characters with a mix of alphanumeric and special characters (a space shall not be considered a special character).

7. Multiple device binding limits
   The UPI app is to block the device ID for 24 hours where more than 3 tokens are generated during registration.

8. Allow device binding only for the latest app versions
   The app should allow customer registration through the latest app version only. In case the user tries to register on an older version, the app should force an upgrade to the latest version.

9. SMS token enquiry
   The end to end device binding timer cannot exceed 45 seconds. The PSP bank may decide to reduce the time window at their end if they notice any device binding related controls being bypassed.
   Justification: Does M2P perform an end to end device binding timer which does not exceed 45 seconds? Further, the PSP bank may decide to reduce the time window at their end if they notice any device binding related controls being bypassed.

10. Dynamic SMS token
   The PSP bank must ensure that the SMS token is dynamic and changes for every registration attempt. The token must also be invalidated if it was generated for a particular VMN but sent to a different VMN. Example: a token generated for VMN 1 should not be accepted if sent to any other VMN (Virtual Mobile Number).
   Justification: Does M2P ensure the SMS token is dynamic?

11. Private API solution for iOS
   All UPI apps on iOS should implement the private API solution. This solution prevents editing of the encrypted code and VMN number in the SMS body when a user sends the SMS to register on iOS.

12. Customer onboarding on iOS / Android based devices
   Customer onboarding for iOS shall be allowed on iPhone devices which support the SMS sent API that is available from iOS 17 onwards (currently XS/XR series and above devices support iOS 17, which enables the SMS sent API).
   Customer onboarding for Android based devices shall be allowed from Android API version 23 and above only.
   Justification: Kindly specify the API version which shall be allowed for UPI transactions.

13. VMN binding for SMS token
   Every UPI app is to ensure at least 10 VMNs; the token should be generated dynamically and sent randomly to one of the VMNs (unique). Note: VMNs should not be in series and should not repeat.

14. Application to check for successful 'SMS sent check' OR 'Auto read OTP' validation
   The UPI application/PSP should validate the successful 'sent' check of the SMS for both iOS and Android devices.
   Implementation instructions:
   a) The UPI application / PSP should read the sent item from the SMS message box (on the device where the UPI app is installed) and validate that the SMS was sent to the intended VMN along with the correct token. This helps ensure that device binding will not happen if the token is not sent to the VMN from the device where the UPI app is installed.
   b) If the mobile device does not facilitate the SMS sent check, then the application should trigger auto OTP read functionality after polling the database for a token creation request. Auto read of the OTP (manual entry of the OTP is not allowed) should be done along with sender ID validation (reading SMS only from the whitelisted numbers of the app). This acts as an additional layer of security for handsets which do not facilitate the SMS sent check.
   c) For handsets which support neither the successful SMS sent check nor Auto read OTP, new registration should not be allowed by the PSP / App.
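The PSP-side decision logic that controls 5, 6, 7, 9, 10 and 13 call for, as an added Python example; this is not the circular's or any PSP's code, and the `BindingServer` class, the `VMN-xxxx` pool values and the integer timestamps are constructed placeholders.

```python
import secrets
import string
# Constructed placeholder VMN pool (control 13: at least 10 VMNs, not in series, no repeats).
VMN_POOL = ["VMN-8841", "VMN-2097", "VMN-5530", "VMN-7712", "VMN-1386",
            "VMN-9924", "VMN-4468", "VMN-6051", "VMN-3279", "VMN-0615"]
SPECIALS = "!@#$%^&*-_=+?"  # space is not a special character (control 6)
ALPHABET = string.ascii_letters + string.digits + SPECIALS
TOKEN_MIN_LEN, TIMER_SECONDS, MAX_TOKENS, BLOCK_SECONDS = 35, 45, 3, 24 * 3600

def generate_token(length=TOKEN_MIN_LEN):
    """Control 6: >=35 chars mixing letters, digits and specials; fresh on every call."""
    while True:
        t = "".join(secrets.choice(ALPHABET) for _ in range(max(length, TOKEN_MIN_LEN)))
        if (any(c.isalpha() for c in t) and any(c.isdigit() for c in t)
                and any(c in SPECIALS for c in t)):
            return t

class BindingServer:
    def __init__(self):
        self.issued = {}         # token -> [device_id, vmn, issued_at, set of sender mobiles]
        self.token_count = {}    # device_id -> tokens generated during registration
        self.blocked_until = {}  # device_id -> block expiry timestamp (control 7)

    def issue(self, device_id, now):
        """Fresh token and random VMN per attempt; block the device 24 h after more than 3 tokens."""
        if self.blocked_until.get(device_id, 0) > now:
            return None
        self.token_count[device_id] = self.token_count.get(device_id, 0) + 1
        if self.token_count[device_id] > MAX_TOKENS:
            self.blocked_until[device_id] = now + BLOCK_SECONDS
            return None
        token, vmn = generate_token(), secrets.choice(VMN_POOL)
        self.issued[token] = [device_id, vmn, now, set()]
        return token, vmn

    def receive_sms(self, token, from_mobile, to_vmn, now):
        """Returns None if the SMS is acceptable, else the reason the binding is declined."""
        rec = self.issued.get(token)
        if rec is None:
            return "unknown token"
        rec[3].add(from_mobile)
        reason = ("timer expired" if now - rec[2] > TIMER_SECONDS else              # control 9
                  "sent to a different VMN" if to_vmn != rec[1] else                # control 10
                  "same token from multiple mobiles" if len(rec[3]) > 1 else None)  # control 5
        if reason:
            del self.issued[token]  # token invalidated, binding declined
        return reason

    def complete(self, token, now):  # finalise: token still valid, one sender, within 45 s
        rec = self.issued.pop(token, None)
        return rec is not None and len(rec[3]) == 1 and now - rec[2] <= TIMER_SECONDS
```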
