Latest news with #Cert-in

Business Standard
27-05-2025
Why your UPI app may soon restrict balance and account info requests
The corporation that manages the Unified Payments Interface (UPI) has issued fresh operational guidelines for apps to prevent system overloads and improve the reliability of the popular digital finance system. The guidelines of the National Payments Corporation of India (NPCI) will be effective from August 1, 2025, and are aimed at controlling the volume and frequency of certain high-load API (Application Programming Interface) calls.

What it means for UPI users

NPCI has identified several non-financial API calls, such as balance enquiries, account listings, and mandate checks, as contributing factors to system slowdowns. To manage these more effectively, NPCI has prescribed the following restrictions:

- Balance enquiry: Limited to 50 requests per app per customer in a 24-hour rolling window. Issuer banks must also include available balance in every successful UPI transaction message to reduce separate enquiries.
- List of linked accounts: Limited to 25 times per app per customer per day. Each retry must be customer-initiated in case of failure.
- Autopay mandates: Execution must happen outside peak hours (10 am to 1 pm and 5 pm to 9.30 pm). Only one attempt and up to three retries per mandate are allowed.
- List of public keys and verified merchants: Payment services providers (PSP) may only request these once per day, and only during non-peak hours.
- Transaction Status Checks: Must follow a staggered approach as per earlier guidelines issued by NPCI.

Focus on system discipline

NPCI has directed all PSP and acquiring banks to monitor and queue both customer-initiated and system-generated API traffic. Systems must not act as direct pass-throughs for backend requests, which can strain UPI's infrastructure. Peak hours are now officially defined as 10 am to 1 pm and 5 pm to 9:30 pm. All non-essential, non-customer-initiated API calls must be restricted during these times.

Compliance deadline and audits

All UPI members must implement these rules by July 31, 2025. Additionally, banks are required to conduct immediate audits of their systems via Cert-in empanelled auditors, and share the findings with NPCI by August 31, 2025.
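
A PSP-side gate enforcing the balance-enquiry, account-listing and peak-hour rules reported above could look like the following. This is an added example, not NPCI's or any bank's code; the API names, the `UpiCallGate` class, the reading of "per day" as a calendar day and the treatment of peak-window end times as exclusive are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Limits as reported in the article; the API names are hypothetical labels.
PEAK_WINDOWS = [(time(10, 0), time(13, 0)), (time(17, 0), time(21, 30))]
ROLLING_LIMITS = {"balance_enquiry": (50, timedelta(hours=24))}
DAILY_LIMITS = {"list_accounts": 25}  # assumption: "per day" = calendar day


def in_peak(now: datetime) -> bool:
    """True inside a peak window (end time treated as exclusive: assumption)."""
    return any(start <= now.time() < end for start, end in PEAK_WINDOWS)


class UpiCallGate:
    """Decides per (API, app, customer) whether a call may go to the backend."""

    def __init__(self):
        self._rolling = defaultdict(deque)  # key -> timestamps of allowed calls
        self._daily = defaultdict(int)      # key + date -> count of allowed calls

    def allow(self, api, app_id, customer_id, now, customer_initiated=True):
        # System-generated traffic is held back during peak hours instead of
        # being passed straight through to the switch.
        if not customer_initiated and in_peak(now):
            return False, "deferred: system-generated call in peak hours"
        if api in ROLLING_LIMITS:
            limit, window = ROLLING_LIMITS[api]
            q = self._rolling[(api, app_id, customer_id)]
            while q and now - q[0] >= window:  # drop calls older than 24 hours
                q.popleft()
            if len(q) >= limit:
                return False, "rejected: rolling 24-hour limit reached"
            q.append(now)  # only allowed calls count against the limit
        elif api in DAILY_LIMITS:
            key = (api, app_id, customer_id, now.date())
            if self._daily[key] >= DAILY_LIMITS[api]:
                return False, "rejected: daily limit reached"
            self._daily[key] += 1
        return True, "ok"
```

Counting only allowed calls means a client that keeps hammering after rejection does not extend its own lockout; log the rejections separately so the Cert-in audit can review them.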


Time of India
15-05-2025
Centre flags cyber threats after halt in fighting with Pakistan
New Delhi: After the ceasefire between India and Pakistan, several advisories have been sent out this week within the government of India to guard against the ongoing cyber warfare, ET has learnt.

On May 12, the National Informatics Centre (NIC) is learnt to have cautioned all ministries and government departments on the "heightened threat perception in cyberspace" and the security measures that need to be undertaken to protect all government communication. On May 10, all secretaries across ministries were asked to initiate an "internal Cyber Security Preparedness Exercise" in view of the "growing cyber threats and incidents across the nation". It was observed that the rapid advancement of technologies has "widened the attack surface and intensified the complexity of cyber risks".

On April 24, an 'emergency security alert' of high 'severity' was issued to safeguard all government websites, applications and ICT infrastructure and all 'critical' government applications were placed behind specialised firewalls. The Ministry of Electronics & Information Technology, NIC and India's computer emergency response team, Cert-in, among others have been fighting heavy cyber-attacks since the April 22 terror attack. ET first reported on how over 30-40 major cyber attacks were being warded off daily across government interfaces with the financial and power sectors and data centres being the primary targets.

Most of the cyber attacks have aimed at defacement, data breach and rendering the website dysfunctional by flooding it with artificial traffic. Pointing to the "prevailing geo-political situation and increased threat perception in cyberspace", all were advised to be alert and to ensure proper cyber security hygiene and best practices were followed both at personal desktop/laptop level as well as at application, database, server, data centre and network level.

All organisations have been asked to ensure immediate implementation of cybersecurity best practices ranging from regular password changes, use of strong and unique passwords, avoidance of suspicious or spam emails to ensuring removal of unmanaged LAN network devices from the network, upgrading the operating systems of all PCs/devices to the latest versions/patches, and removing obsolete equipment from the network. Each ministry has been directed to conduct internal cyber security preparedness exercises through their deputed Chief Information Security Officers to "stay ahead of the evolving cyber threats and foster a proactive, adaptive security culture at all levels".

The critical nature of the e-office which hosts all government communication was also underlined by the NIC and Cert-in with several advisories on following VPN access protocol strictly, avoidance of public computers and devices and so on. It was underlined that government personnel must not store credentials on phone/computer or exchange any sensitive information through third party messaging apps/email or social media. Specific security instructions have been sent to all those involved in testing, audit, operations and troubleshooting of any government website or application or database or ICT infrastructure/services.

Business Standard
07-05-2025
Govt steps up vigil as cyberattacks rise since Pahalgam terror attack
Tells Cert-in, banks, power stations to be on high alert
Aashish Aryan, Shreya Jai, Harsh Kumar, New Delhi

The central government has asked all digital systems to remain in a state of high alert in anticipation of possible cyberattacks on critical digital infrastructures, sources told Business Standard on Wednesday. These infrastructures include power generating stations, national electricity grid, banks, hospitals, defence installations, telecom companies, and public sector enterprises (PSEs).

The Ministry of Electronics and Information Technology (Meity) has asked the Indian Computer Emergency Response Team (Cert-In) to remain on constant vigil against possible cyberattacks, including distributed denial of service (DDOS), malware, denial of service (DOS), and social engineering, a senior government official said. 'We have observed an increase

Business Standard
28-04-2025
NPCI directs UPI members to follow new API guidelines to avoid disruptions
The National Payments Corporation of India (NPCI) has directed members of the unified payments interface (UPI) network to adhere to its guidelines on application programming interface (API) calls, whose overuse resulted in an outage of the real-time payments system earlier this month. APIs are sets of protocols and tools that enable secure data exchanges between banking systems and the UPI network.

The retail payments body, in a circular, said that payment service provider (PSP) banks and acquiring banks should ensure that API requests to UPI should be monitored and moderated for appropriate use. This includes restricting too many repeat APIs of the same or older transactions. Members have been directed to comply with the latest guidelines, failing which they may face action, including penal provisions.

Further, the NPCI has directed banks to initiate 'first check transaction status API' after 90 seconds from the authentication of the original transaction. 'After the timers are changed, members may initiate the same after 45-60 seconds of the initiation or authentication of the original transaction,' it said in the circular. PSP banks or acquiring banks have been asked to initiate a maximum of three 'check transaction status' APIs, preferably within two hours from the initiation or authentication of the original transaction. NPCI may also consider implementing rate limiters on select APIs in consultation with the steering committee and subject to other approvals.

The circular further said that banks should consider a transaction to have failed if they receive an error from a list of conditions, and not initiate any further 'check transaction status' API calls. Banks are required to get their systems audited by a Cert-in empanelled auditor immediately and annually to review API use and existing systems behaviour, NPCI said in its circular. The payments body has requested members to reach out if they have suggestions within the next four weeks. It added that the 'standalone use of APIs for purposes other than intended is prohibited, unless approved.'

The circular follows a surge in 'check transaction status' API calls by PSP banks to the real-time payments system at a high transactions-per-second rate repeatedly. On April 12, UPI services suffered their fourth disruption in three weeks. A root-cause analysis by NPCI revealed that banks had been sending an excessive number of 'check transaction status' API calls that put a strain on the system that contributed to the outage.