The NPCI UPI Cyber Security guidelines for banks (circular OC-215A) are a pivotal update to the security of India's digital payments ecosystem, which processes over 15 billion transactions a month. Released on May 21, 2025, the guidelines mandate lifecycle-wide controls, rate limiting, and CERT-In empanelled audits to curb API abuse and fraud.
Introduction to UPI API Security Landscape
Unified Payments Interface (UPI), managed by the National Payments Corporation of India (NPCI), has transformed digital payments in India since its 2016 launch. As of February 2026, UPI handles real-time, peer-to-peer transactions through mobile apps from banks and third-party application providers (TPAPs) such as PhonePe and Google Pay.
The 2025 guidelines address escalating threats such as API flooding, bot-driven fraud, and non-customer-initiated calls that strain infrastructure. Building on the 2020 circulars, OC-215A enforces end-to-end governance across the SDLC: API inventory, design, deployment, monitoring, and audits. Non-compliance risks penalties, throttling, or suspension from the UPI network.
Key drivers are UPI's scale (15+ billion monthly transactions) and incidents of API misuse during peak hours. PSP banks, acquiring banks, TPAPs, and their partners must implement the controls by July 31, 2025, and submit undertakings by August 31, 2025.
Core Objectives of the 2025 Guidelines
The guidelines aim to differentiate customer-initiated from system-initiated API calls, enforce a positive (allow-list) security model, and ensure resilience under load.
- Prioritize human-triggered flows over automated ones to prevent overload.
- Mandate rate limiting and anomaly detection for stability.
- Require continuous scanning, CERT-In empanelled audits, and documentation.
These controls extend to all UPI ecosystem players, emphasizing shared responsibility. They also align with the expectations of Indian regulators such as RBI and CERT-In, strengthening the national cybersecurity posture.
Key Technical Provisions
- Transactions Per Second (TPS) and Rate Limiting
Banks and UPI apps must cap API TPS to contain bots and misconfigured clients. Controls include throttling bursts, exponential backoff on retries, and dropping excess requests across core APIs such as balance checks and payments.
Implementation requires allow-listing invocation paths and restricting non-essential calls during peak hours. This prevents DDoS-like load from high-frequency callers and keeps capacity available for customer traffic.
- Restricting Non-Customer Initiated API Calls
Automated calls—e.g., fetching account lists, validating addresses, or auto-updating merchant data—are now throttled or blocked during peaks. Only validated, user-triggered flows proceed.
Guidelines classify calls as:
- Customer-initiated: Direct app actions (e.g., scan-and-pay).
- System-initiated: Background tasks (e.g., key refreshes), limited to off-peak.
Enforcement relies on behavioral analysis of call sequences: requests that arrive outside the expected flow (for example, a background call with no preceding user action) are blocked.
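The following is an added example, not code from NPCI or any bank, covering both the "TPS and Rate Limiting" and "Restricting Non-Customer Initiated API Calls" sections above. It models an admission controller with per-class TPS caps (token buckets with a bounded burst), queuing of system-initiated calls during an assumed peak window so customer-initiated flows keep the capacity, and an exponential backoff schedule for callers that were dropped. The call classes, caps, peak hours and traffic are all assumptions constructed for the example.

```python
"""Added example (illustrative, not NPCI's or any bank's implementation):
an admission controller with per-class TPS caps, peak-hour queuing of
system-initiated calls, and an exponential backoff schedule for dropped callers.
The limits, peak window and call classes are assumptions."""
from collections import deque
from enum import Enum


class CallClass(Enum):
    CUSTOMER = "customer-initiated"   # e.g. scan-and-pay triggered in the app UI
    SYSTEM = "system-initiated"       # e.g. background key refresh, account list sync


class Decision(Enum):
    ALLOW = "allow"
    QUEUE = "queue"   # system call deferred; replayed off-peak
    DROP = "drop"     # over the cap; caller must back off and retry


class TokenBucket:
    """`rate` tokens/second refill, at most `capacity` stored. The capacity is the
    largest burst an idle caller can send before it is throttled."""

    def __init__(self, rate: float, capacity: float):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class AdmissionController:
    """Per-class caps plus a peak-hour gate. `now` is a monotonic clock in
    seconds; `hour` is the local wall-clock hour used for the peak window."""

    def __init__(self, peak_hours=range(18, 22)):
        self.peak_hours = peak_hours   # assumed evening peak window
        self.buckets = {               # assumed caps: human flows get headroom
            CallClass.CUSTOMER: TokenBucket(rate=50.0, capacity=100.0),
            CallClass.SYSTEM: TokenBucket(rate=5.0, capacity=5.0),
        }
        self.deferred = deque()        # queued system-initiated calls

    def admit(self, call_class: CallClass, api: str, now: float, hour: int) -> Decision:
        if call_class is CallClass.SYSTEM and hour in self.peak_hours:
            self.deferred.append((api, now))
            return Decision.QUEUE
        if self.buckets[call_class].try_consume(now):
            return Decision.ALLOW
        return Decision.DROP

    def drain_deferred(self, now: float, hour: int) -> list:
        """Replay queued system calls once off-peak, still under the system cap."""
        served = []
        while self.deferred and hour not in self.peak_hours:
            if not self.buckets[CallClass.SYSTEM].try_consume(now):
                break                   # cap reached; the rest wait for refill
            served.append(self.deferred.popleft()[0])
        return served


def backoff_schedule(attempts: int, base: float = 0.5, cap: float = 30.0) -> list:
    """Delays a dropped caller waits before each retry: 0.5s, 1s, 2s, ... capped.
    Add jitter in production so retries from many clients do not realign."""
    return [min(cap, base * 2 ** i) for i in range(attempts)]


def simulate() -> dict:
    """Constructed traffic at peak (hour 19) and off-peak (hour 10)."""
    ctl = AdmissionController()
    out = {}
    # 120 scan-and-pay calls land together at peak: the burst of 100 is admitted.
    d = [ctl.admit(CallClass.CUSTOMER, "pay", 0.0, 19) for _ in range(120)]
    out["customer_allow"], out["customer_drop"] = d.count(Decision.ALLOW), d.count(Decision.DROP)
    # Three background key refreshes at peak are queued rather than served.
    d = [ctl.admit(CallClass.SYSTEM, "key-refresh", 0.0, 19) for _ in range(3)]
    out["system_queued"] = d.count(Decision.QUEUE)
    # One second later, off-peak: the queue drains first, then new system calls
    # compete for what is left of the 5-token system bucket.
    out["replayed"] = len(ctl.drain_deferred(1.0, 10))
    d = [ctl.admit(CallClass.SYSTEM, "list-accounts", 1.0, 10) for _ in range(8)]
    out["system_allow"], out["system_drop"] = d.count(Decision.ALLOW), d.count(Decision.DROP)
    out["backoff"] = backoff_schedule(4)
    return out


if __name__ == "__main__":
    print(simulate())
```

In the simulation, the customer burst of 120 yields 100 admitted and 20 dropped, the three peak-time system calls are queued and replayed off-peak, and the eight new off-peak system calls then get only the two tokens the replay left behind. A real gateway would key buckets per client and per endpoint, and the dropped caller would follow the backoff schedule with jitter added.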
- Positive Security Controls
APIs must enforce “allow-listed” paths, rejecting invalid payloads or unauthorized access. Input/output validation, schema enforcement, and human-vs-bot differentiation are mandatory.
Processes include:
- Frequent vulnerability scans.
- Authentication/authorization testing.
- Rate limit and error-handling validation.
- Continuous API Scanning and Testing
Ongoing scans detect malformed payloads and unauthorized access attempts. Integration with a WAF or WAAP such as Indusface AppTrana supports, but does not by itself guarantee, compliance.
Detailed Compliance Requirements
API Inventory and Documentation
Entities must maintain exhaustive inventories of UPI APIs, documenting endpoints, payloads, rate limits, and invocation rules. Updates occur with every change, shared with NPCI on request.
Documentation covers SDLC phases, risks, mitigations, and audit trails—critical for CERT-In reviews.
Access Controls and Authentication
Multi-factor authentication (MFA), JWT/OAuth token validation, and role-based access control (RBAC) are the baseline. APIs must reject requests with missing, invalid, or expired tokens before any business logic runs.
CORS and WebSocket policies prevent unauthorized cross-origin calls, in line with the OWASP API Security Top 10.
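As an added example (not NPCI's or any PSP's code), the block below shows the token check an API would run before any business logic: it verifies an HS256 JWT signature, refuses `alg=none` and tampered tokens, rejects expired tokens, requires an MFA marker in the `amr` claim, and applies an RBAC table to the requested action. It uses only the standard library so it runs offline; the shared secret, issuer name, role table and the `amr` convention are assumptions made for the example, and `mint_token` exists only to build the test tokens.

```python
"""Added example (not NPCI's or any PSP's code): request-level authorization
that validates an HS256 JWT, rejects expired or tampered tokens, requires an
MFA marker, and applies RBAC before the API runs. Standard library only; the
secret, issuer, roles and `amr` convention are assumptions for the example."""
import base64
import hashlib
import hmac
import json


class AuthError(Exception):
    """Raised for any token the API must refuse."""


# Assumed RBAC table: which token roles may invoke which API actions.
ROLE_PERMISSIONS = {
    "customer": {"pay", "balance"},
    "merchant-batch": {"merchant-update"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a JWT. Used here only to build test inputs; `alg` is exposed so the
    demo can construct an alg=none token that the verifier must refuse."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(token: str, key: bytes, action: str, now: float, issuer: str = "psp-auth") -> dict:
    """Verify the token and return its claims, or raise AuthError. Order matters:
    the signature is checked first, so no claim is trusted before authentication."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        raise AuthError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unsupported alg")                 # refuses alg=none / alg confusion
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):       # constant-time compare
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise AuthError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise AuthError("token expired")
    if "mfa" not in claims.get("amr", []):                 # RFC 8176 amr value, assumed IdP convention
        raise AuthError("mfa required")
    if action not in ROLE_PERMISSIONS.get(claims.get("role"), set()):
        raise AuthError(f"forbidden action: {action}")
    return claims


def demo() -> dict:
    """Constructed tokens exercising each rejection path; outcomes are strings
    so every case is easy to assert on."""
    key = b"example-shared-secret-rotate-me"   # constructed; use a KMS-held key in production
    now = 1_700_000_000
    base = {"iss": "psp-auth", "sub": "alice", "role": "customer", "amr": ["pwd", "mfa"], "exp": now + 300}
    cases = {
        "good": (mint_token(base, key), "pay"),
        "expired": (mint_token(dict(base, exp=now - 1), key), "pay"),
        "no_mfa": (mint_token(dict(base, amr=["pwd"]), key), "pay"),
        "wrong_role": (mint_token(dict(base, role="merchant-batch"), key), "pay"),
        "alg_none": (mint_token(base, key, alg="none"), "pay"),
        "garbage": ("not.a.jwt", "pay"),
    }
    # Tamper with the payload of a valid token: a privilege-escalation attempt.
    h, p, s = cases["good"][0].split(".")
    cases["tampered"] = (f"{h}.{_b64url_encode(json.dumps(dict(base, role='admin')).encode())}.{s}", "pay")
    results = {}
    for name, (token, action) in cases.items():
        try:
            authorize(token, key, action, now)
            results[name] = "ok"
        except AuthError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The check sequence (signature, issuer, expiry, MFA, role) is deliberate: nothing inside the token is acted on until the HMAC has been verified, and the `alg` header is pinned so a client cannot downgrade to `none`. In production the key would come from a KMS or the OAuth server's JWKS, and `now` from the system clock with a small tolerance for skew.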
Data Protection Measures
Encryption in transit (TLS 1.3+) and at rest (AES-256) is compulsory. Sensitive data like VPA, PAN, or balances require tokenization or masking.
The guidelines prohibit logging full payloads; only anonymized metadata is permitted for monitoring.
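The block below is an added example, not from the guidelines or any bank, of how a service can satisfy the masking and no-full-payload rules in practice: a sanitizer builds the only record that reaches the log, masking VPAs and the PAN, replacing the payer VPA with a keyed HMAC pseudonym so events stay correlatable (tokenization), bucketing the amount, and never copying secrets such as the MPIN or balance. A guard function checks that no raw sensitive value survived. The field names, the never-log list and the payload are constructed for the example.

```python
"""Added example (not from the guidelines or any bank): a log sanitizer that
turns a UPI request payload into the metadata-only record the monitoring
pipeline may keep. Field names, never-log list and payload are constructed."""
import hashlib
import hmac
import json

# Keys that must never be logged in any form (assumed list).
NEVER_LOG = {"mpin", "otp", "balance", "deviceFingerprint"}


def mask_vpa(vpa: str) -> str:
    """alice.k@okbank -> a*****k@okbank: keep the first/last char and the handle."""
    local, _, handle = vpa.partition("@")
    if len(local) <= 2:
        return "*" * len(local) + "@" + handle
    return local[0] + "*" * (len(local) - 2) + local[-1] + "@" + handle


def mask_tail(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters (works for a card PAN or a tax PAN)."""
    return "*" * max(0, len(value) - keep) + value[-keep:]


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed pseudonym: same input gives the same token, but it cannot be
    reversed or brute-forced from candidate VPAs without the key (HMAC, not a bare hash)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def amount_bucket(amount: float) -> str:
    """Coarse range instead of the exact amount (assumed bucket edges)."""
    for limit, label in ((100, "<100"), (1000, "100-1k"), (10000, "1k-10k")):
        if amount < limit:
            return label
    return ">=10k"


def to_log_record(payload: dict, key: bytes, meta: dict) -> dict:
    """Build the only object that is logged. It starts from transaction metadata
    and copies in explicitly permitted, transformed fields; nothing is copied by default."""
    record = {"txnId": meta["txnId"], "api": meta["api"], "status": meta["status"]}
    if "payerVpa" in payload:
        record["payer"] = mask_vpa(payload["payerVpa"])
        record["payerToken"] = pseudonymize(payload["payerVpa"], key)
    if "payeeVpa" in payload:
        record["payee"] = mask_vpa(payload["payeeVpa"])
    if "pan" in payload:
        record["pan"] = mask_tail(payload["pan"])
    if "amount" in payload:
        record["amountBucket"] = amount_bucket(payload["amount"])
    return record


def leaks(record: dict, payload: dict) -> list:
    """Pipeline guard: list the raw sensitive values that survived into the record."""
    text = json.dumps(record)
    sensitive = [k for k in payload if k in NEVER_LOG or k.endswith("Vpa") or k == "pan"]
    return [k for k in sensitive if str(payload[k]) in text]


def demo() -> dict:
    key = b"log-pseudonym-key-held-in-kms"   # constructed; keep the real key out of the log platform
    payload = {"payerVpa": "alice.k@okbank", "payeeVpa": "shop@upi", "amount": 250,
               "pan": "ABCDE1234F", "mpin": "4321", "balance": 18350.75}
    record = to_log_record(payload, key, {"txnId": "TXN1001", "api": "pay", "status": "SUCCESS"})
    return {"record": record, "leaks": leaks(record, payload)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sanitizer works on a positive model, the same principle the guidelines apply to API paths: a field reaches the log only because a rule put it there, so a new sensitive field added to the payload later is dropped by default rather than leaked by default. The pseudonym key must live outside the logging platform, otherwise the tokens can be brute-forced from a VPA list.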
Monitoring and Anomaly Detection
Real-time monitoring flags anomalies like TPS spikes or geographic outliers. SIEM integration and CERT-In reporting for incidents are required.
Automated alerts trigger throttling; dashboards provide NPCI-visible compliance views.
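As an added example, constructed for this article rather than taken from any SIEM or NPCI tooling, the block below runs two of the detections the monitoring section describes over sample access-log lines built inline: a per-endpoint TPS spike measured against the mean of earlier windows, and a VPA seen from two countries within a short horizon. The log format, window size, thresholds and the traffic itself are assumptions; the alerts it returns are the kind of events that would feed the throttling trigger and the SIEM.

```python
"""Added example (constructed, not from any SIEM or NPCI tooling): TPS-spike and
geographic-outlier detection over sample access-log lines built inline.
Log format, thresholds and window size are assumptions for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed access-log line: "<ISO8601> api=<name> vpa=<vpa> country=<ISO2>"
LOG_RE = re.compile(r"^(?P<ts>\S+) api=(?P<api>\S+) vpa=(?P<vpa>\S+) country=(?P<cc>[A-Z]{2})$")
BASE_TS = datetime(2025, 7, 15, 18, 0, tzinfo=timezone.utc).timestamp()   # assumed peak hour


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return {"ts": ts, "api": m["api"], "vpa": m["vpa"], "cc": m["cc"]}


def detect_tps_spikes(events, window=10, factor=4.0, min_history=3, min_count=10):
    """Count requests per (api, window) and flag a window whose count exceeds
    `factor` times the mean of all earlier windows for that api. Empty windows
    count as zero; `min_count` keeps tiny volumes from alerting."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["api"]][int(e["ts"] // window)] += 1
    alerts = []
    for api, per_win in counts.items():
        history = []
        for w in range(min(per_win), max(per_win) + 1):
            n = per_win.get(w, 0)
            if len(history) >= min_history and n >= min_count:
                baseline = sum(history) / len(history)
                if n > factor * baseline:
                    alerts.append({"type": "tps_spike", "api": api, "window_start": w * window,
                                   "count": n, "baseline": baseline})
            history.append(n)
    return alerts


def detect_geo_outliers(events, horizon=300):
    """Flag a VPA whose consecutive requests come from different countries
    within `horizon` seconds (an impossible-travel style signal)."""
    last_seen = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(e["vpa"])
        if prev and prev[1] != e["cc"] and e["ts"] - prev[0] <= horizon:
            alerts.append({"type": "geo_outlier", "vpa": e["vpa"], "from": prev[1],
                           "to": e["cc"], "gap_s": e["ts"] - prev[0]})
        last_seen[e["vpa"]] = (e["ts"], e["cc"])
    return alerts


def constructed_log() -> list:
    """Sample lines built here for the example: six quiet 10-second windows of
    five payments, a 40-request burst from one VPA, and one VPA hopping countries."""
    lines = []

    def add(offset, api, vpa, cc):
        stamp = datetime.fromtimestamp(BASE_TS + offset, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} api={api} vpa={vpa} country={cc}")

    for w in range(6):
        for i in range(5):
            add(w * 10 + i, "pay", f"user{i}@okbank", "IN")
    for i in range(40):
        add(60 + i * 0.2, "pay", "bot@okbank", "IN")
    add(5, "balance", "alice@okbank", "IN")
    add(95, "balance", "alice@okbank", "BR")
    return lines


def run(lines=None) -> list:
    """Parse the lines (default: the constructed sample) and return all alerts."""
    source = lines if lines is not None else constructed_log()
    events = [e for e in map(parse, source) if e]
    return detect_tps_spikes(events) + detect_geo_outliers(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Against the sample, the burst window for `pay` (40 requests versus a baseline of 5 per window) and the India-to-Brazil hop for `alice@okbank` are the only two alerts; the single low-volume `balance` calls stay below `min_count` and do not fire. In a real pipeline the spike alert would carry the offending VPA or client ID so the throttling response can be targeted rather than endpoint-wide.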
Audit and Reporting Obligations
Annual CERT-In empanelled audits are mandatory from 2026. Quarterly self-attestations detail controls, incidents, and remediations.
PSP banks submit undertakings by August 31, 2025, confirming queued/rate-limited system APIs.
Implementation Roadmap
- Phase 1: Assessment
Inventory APIs, classify calls, baseline TPS. Engage auditors for gap analysis.
- Phase 2: Controls Deployment
Roll out rate limiting, WAF rules, monitoring. Test in staging with synthetic loads.
- Phase 3: Go-Live and Monitoring
Enforce in production with a rollback path, and tune thresholds continuously from logs.
Comparison: 2020 vs. 2025 Guidelines
| Aspect | 2020 Circular | 2025 OC-215A Guidelines |
|---|---|---|
| Scope | Basic checklists | Full SDLC governance |
| Rate Limiting | Recommended | Mandatory TPS caps, backoff |
| Non-Customer Calls | No restrictions | Throttled/blocked peaks |
| Audits | Ad-hoc | CERT-In annual, undertakings |
| Penalties | Warnings | Throttling/suspension |
| Monitoring | Periodic | Real-time anomaly detection |
This evolution reflects UPI’s maturity and threat landscape shifts.
Challenges for Compliance
Technical Hurdles
Legacy systems often lack native rate limiting and need refactoring or a fronting gateway. Distinguishing customer-initiated from system-initiated calls reliably may require behavioral analytics rather than static rules.
Integration with diverse stacks (e.g., Java, Node.js) demands standardized middleware.
Operational Impacts
Peak-hour blocks disrupt auto-refreshes and can degrade the user experience. Training teams on the new workflows is essential.
Fintechs partnering with banks face vendor audits, straining resources.
Best Practices for UPI API Security
Adopt API Gateways
Use gateways like Kong or AWS API Gateway for centralized limiting, auth, and logging. Configure allow-lists per endpoint.
Leverage WAAP Solutions
Tools like Indusface AppTrana automate scanning, bot mitigation, and schema validation, and can be deployed in front of existing UPI stacks.
Schema-First Design
Define OpenAPI specs upfront and enforce them at the proxy or gateway, rejecting any request or response that deviates from the spec at the edge.
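The block below is an added example, not NPCI's, Indusface's or any gateway's code, serving both the "Positive Security Controls" provision earlier and this schema-first practice. It gates requests and responses against a declared contract: only allow-listed (method, path) pairs pass, undeclared fields are rejected, values must match their declared type, pattern and range, and the same check on the way out stops a handler from leaking undeclared data. The contract is an invented OpenAPI-like fragment (the VPA pattern included), and the validator is a small stand-in for a real OpenAPI validator such as the one built into an API gateway.

```python
"""Added example (not NPCI's, Indusface's or any gateway's code): a positive-
security request/response gate. Only declared paths and fields pass; the
contract and VPA pattern are invented, and the validator is a small stand-in
for a real OpenAPI validator."""
import re

VPA = {"type": str, "pattern": r"^[a-z0-9._-]{2,64}@[a-z]{2,32}$"}   # assumed VPA shape

# Request contract: strict schemas, no undeclared fields (additionalProperties: false).
REQUEST_SPEC = {
    ("POST", "/upi/v1/pay"): {
        "required": ["payerVpa", "payeeVpa", "amount", "txnId"],
        "additionalProperties": False,
        "properties": {
            "payerVpa": VPA,
            "payeeVpa": VPA,
            "amount": {"type": (int, float), "minimum": 1, "maximum": 100000},
            "txnId": {"type": str, "pattern": r"^[A-Za-z0-9]{1,35}$"},
            "note": {"type": str, "maxLength": 50},
        },
    },
    ("GET", "/upi/v1/balance"): {"required": [], "additionalProperties": False, "properties": {}},
}

# Response contract: the same gate stops a handler from leaking undeclared data.
RESPONSE_SPEC = {
    ("POST", "/upi/v1/pay"): {
        "required": ["txnId", "status"],
        "additionalProperties": False,
        "properties": {
            "txnId": {"type": str, "pattern": r"^[A-Za-z0-9]{1,35}$"},
            "status": {"type": str, "pattern": r"^(SUCCESS|PENDING|FAILURE)$"},
        },
    },
}


def _violations(schema: dict, body: dict) -> list:
    """Check `body` against one schema; return human-readable violations."""
    errors = []
    props = schema["properties"]
    for name in schema["required"]:
        if name not in body:
            errors.append(f"missing required field: {name}")
    for name, value in body.items():
        rule = props.get(name)
        if rule is None:
            if not schema["additionalProperties"]:
                errors.append(f"undeclared field: {name}")
            continue
        # bool is a subclass of int in Python; never let True pass as an amount.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"wrong type for {name}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"pattern mismatch: {name}")
        if "maxLength" in rule and len(value) > rule["maxLength"]:
            errors.append(f"too long: {name}")
        if "minimum" in rule and value < rule["minimum"]:
            errors.append(f"below minimum: {name}")
        if "maximum" in rule and value > rule["maximum"]:
            errors.append(f"above maximum: {name}")
    return errors


def validate_request(method: str, path: str, body: dict) -> list:
    """Empty list = allowed. Anything not in REQUEST_SPEC is denied outright."""
    schema = REQUEST_SPEC.get((method.upper(), path))
    if schema is None:
        return [f"path not allow-listed: {method.upper()} {path}"]
    return _violations(schema, body)


def validate_response(method: str, path: str, body: dict) -> list:
    """Output validation: a reply that does not match its contract is dropped."""
    schema = RESPONSE_SPEC.get((method.upper(), path))
    if schema is None:
        return [f"no response contract for {method.upper()} {path}"]
    return _violations(schema, body)


def demo() -> dict:
    """Constructed traffic: one clean request, then the deviations the gate
    is meant to stop (extra field, hostile VPA, wrong type, undeclared path, leaky reply)."""
    good = {"payerVpa": "alice@okbank", "payeeVpa": "shop@upi", "amount": 250, "txnId": "TXN1001"}
    return {
        "good": validate_request("POST", "/upi/v1/pay", good),
        "extra_field": validate_request("POST", "/upi/v1/pay", dict(good, isAdmin=True)),
        "hostile_vpa": validate_request("POST", "/upi/v1/pay", dict(good, payeeVpa="shop@upi; DROP TABLE x")),
        "string_amount": validate_request("POST", "/upi/v1/pay", dict(good, amount="250")),
        "unknown_path": validate_request("POST", "/upi/v1/admin/reset", {}),
        "wrong_method": validate_request("DELETE", "/upi/v1/pay", {}),
        "clean_reply": validate_response("POST", "/upi/v1/pay", {"txnId": "TXN1001", "status": "SUCCESS"}),
        "leaky_reply": validate_response("POST", "/upi/v1/pay",
                                         {"txnId": "TXN1001", "status": "SUCCESS", "payerBalance": 18350.75}),
    }


if __name__ == "__main__":
    for case, errs in demo().items():
        print(f"{case:>14}: {'ALLOW' if not errs else 'DENY: ' + '; '.join(errs)}")
```

The point of the positive model is visible in the `unknown_path` and `extra_field` cases: neither needs a signature or a blocklist entry, because anything the contract does not declare is refused. Keeping the spec in version control and generating the gateway's validation from it is what makes the "schema-first" practice enforceable rather than aspirational.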
Incident Response Framework
Map the process to CERT-In's directions: detect, contain, and report incidents within 6 hours. Run tabletop or simulated exercises quarterly.
For cybersecurity pros in India, align with RBI’s Master Directions and NCIIPC guidelines for holistic compliance.
Vendor and Tool Ecosystem
- AppTrana (Indusface): WAAP with UPI-specific rate limiting and scans.
- Levo.ai: API breach prevention via behavioral controls.
- Open-Source: Envoy Proxy for throttling; OWASP ZAP for testing.
Select CERT-In empanelled vendors for audits.
Case Studies: Early Adopters
PhonePe implemented TPS caps before 2025, reportedly reducing fraud by 40%. HDFC Bank's gateway reportedly cut peak anomalies by 70% through allow-listing. (Note: these figures are aggregated from public reports and are illustrative, not audited results.)
Future Outlook and RBI Alignment
Post-2025, expect AI-driven fraud detection mandates. Integration with RBI’s Digital Payments Vision 2025 emphasizes resilience.
For compliance auditors, these guidelines can be benchmarked against NIST SP 800-95 (Guide to Secure Web Services) and the OWASP API Security Top 10.
Conclusion for Stakeholders
NPCI’s 2025 guidelines fortify UPI against API threats, demanding proactive governance. Banks and fintechs investing now gain competitive edges in trust and scalability.
Role of CertCube Labs Pvt Ltd.
CERT-In empanelment ensures auditors meet MeitY’s rigorous criteria for expertise in network, web app, compliance, and payment gateway audits.
CertCube Labs Pvt Ltd specializes in NPCI UPI compliance audits. Their services include:
- End-to-end technical/process audits per NPCI/RBI guidelines.
- Gap analysis, risk assessments, remediation roadmaps.
- UPI-specific VAPT, covering rate limiting, auth flaws, API abuse vectors.
- Support for RuPay, IMPS, NFS; full lifecycle from assessment to closure.
As a CERT-In empanelled firm, CertCube Labs offers tailored audits for banks and TPAPs, using tooling for continuous vulnerability management and SOC-style monitoring.
