Our Commitment to NPCI Security Controls on SIM and Device Binding
Sense is committed to delivering secure and compliant UPI solutions that meet the rigorous standards set by the National Payments Corporation of India (NPCI). The NPCI SIM Binding guidelines are designed to strengthen the security of UPI transactions by enforcing strict device and SIM verification protocols. These measures help prevent fraud and unauthorized access and protect the integrity of the customer onboarding process. This page outlines how Sense implements the key NPCI mandates for SIM binding, ensuring your UPI application remains compliant, secure, and user-friendly.
Table of contents
  • NPCI Mandated SIM Binding Controls
  • Implementation Instructions (As per NPCI Checklist)
  • Why Choose Sense for NPCI SIM Binding Compliance?
  • Get Started with Sense
NPCI Mandated SIM Binding Controls
NPCI Device & SIM Binding Checklist for UPI Applications
  1. Check SIM State: The UPI application must check the SIM or eSIM status on both Android and iOS devices before proceeding with device binding.
  2. Device Binding Disallowed on Airplane Mode: Device binding must be rejected if the device is in Airplane Mode.
  3. Device Binding Completion in the Same Session
    • Android: Users should not toggle between apps or press any button during device binding.
    • iOS: Customers should not cancel or switch to another app during the device binding process.
  4. Device Binding Disallowed on Multiple Short Codes (Tokens): Device binding is not allowed if the same token is received from multiple mobile numbers.
  5. Length of Device Binding String: The device binding string must be a minimum of 35 characters, using a combination of alphanumeric and special characters.
  6. Multiple Device Binding Limits: If more than three tokens are generated during registration for the same device ID, the device ID must be blocked for 24 hours.
  7. Allowing Device Binding Only for Latest App Versions: Device binding should be permitted only through the latest version of the app.
  8. SMS Token Expiry: The end-to-end device binding timer must not exceed 45 seconds.
  9. Dynamic SMS Token: A dynamic SMS token must be generated for every registration attempt.
  10. Private API Solution for iOS: All UPI apps on the iOS platform must implement a private API solution for device binding.
  11. Customer Onboarding on iOS/Android Based Devices
    • iOS: Device binding is supported only from iOS 17 onwards, utilizing the SMS sent API.
    • Android: Device binding is allowed only from Android API version 23 and above.
  12. VMN Binding for SMS Token: Every UPI app must ensure at least 10 Virtual Mobile Numbers (VMNs) are available for SMS token delivery.
  13. Application to Check for Successful SMS Sent Check or Auto Read OTP Validation
    • The application must read the sent items from SMS and validate that the SMS was sent to the intended VMN.
    • If a mobile device does not support SMS sent check, the app should trigger auto-read OTP functionality, disallowing manual entry of OTP.
    • Auto-read OTP must include sender ID validation as an additional security layer.
    • New registration must not be allowed for devices that do not support SMS sent check or auto-read OTP.
  14. Ongoing Compliance and Testing: All Payment Service Providers (PSPs) and Third Party Application Providers (TPAPs) are required to implement these controls, undertake periodic testing, and deploy additional controls as deemed appropriate by NPCI.
Implementation Instructions (As per NPCI Checklist)

The UPI application/PSP should read the sent item from the SMS message box and validate that the SMS was sent to the intended VMN along with the correct token. Device binding should not occur if the token is not sent from the device where the UPI app is installed.

  • If a mobile device does not facilitate SMS sent check, the app should trigger auto OTP read functionality and disallow manual entry of OTP.
  • Auto-read OTP should be performed with sender ID validation, providing an additional layer of security for devices that do not facilitate SMS sent check.
  • New registration should not be allowed for devices that do not support SMS sent check or auto-read OTP.
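The following Python sketch of a PSP-side token service is an added illustration, not Sense's code or NPCI reference code. It enforces the server-enforceable items of the checklist above (controls 4 to 9 and the VMN check of control 12) together with the "token must come from the app's own device" rule of the implementation instructions. The 24-hour counting window for control 6, the app version string, and the VMN identifiers are assumptions; the thresholds are the checklist values.

```python
import secrets
import string
from collections import defaultdict

TOKEN_MIN_LEN = 35                 # control 5: binding string length
TOKEN_TTL_SECONDS = 45             # control 8: end-to-end binding timer
MAX_TOKENS_PER_DEVICE = 3          # control 6: more than three tokens blocks the device
DEVICE_BLOCK_SECONDS = 24 * 3600   # control 6: block duration; also the counting window (assumed)
LATEST_APP_VERSION = "4.2.0"       # control 7: placeholder for the current release
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*-_=+"   # alphanumeric + special

class BindingServer:
    def __init__(self, vmn_pool):
        self.vmn_pool = set(vmn_pool)          # control 12: the VMNs the app may send to
        self.issued = {}                       # token -> {device_id, issued_at, senders}
        self.token_times = defaultdict(list)   # device_id -> issue timestamps (epoch seconds)
        self.blocked_until = {}                # device_id -> epoch seconds

    def issue_token(self, device_id, app_version, now):
        if app_version != LATEST_APP_VERSION:
            return None, "outdated_app"                          # control 7
        if self.blocked_until.get(device_id, 0) > now:
            return None, "device_blocked"
        recent = [t for t in self.token_times[device_id] if now - t < DEVICE_BLOCK_SECONDS]
        if len(recent) >= MAX_TOKENS_PER_DEVICE:
            self.blocked_until[device_id] = now + DEVICE_BLOCK_SECONDS
            return None, "device_blocked"                        # control 6
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_MIN_LEN))
        self.token_times[device_id] = recent + [now]             # control 9: fresh token per attempt
        self.issued[token] = {"device_id": device_id, "issued_at": now, "senders": set()}
        return token, "ok"

    def receive_sms(self, token, sender_msisdn, vmn):
        rec = self.issued.get(token)
        if rec is not None and vmn in self.vmn_pool:             # only SMS to an intended VMN counts
            rec["senders"].add(sender_msisdn)

    def complete_binding(self, token, device_id, now):
        rec = self.issued.get(token)
        if rec is None or len(token) < TOKEN_MIN_LEN:
            return "invalid_token"                               # control 5
        if now - rec["issued_at"] > TOKEN_TTL_SECONDS:
            return "expired"                                     # control 8
        if rec["device_id"] != device_id:
            return "device_mismatch"       # token must originate from the device running the app
        if len(rec["senders"]) != 1:
            return "sms_sender_check_failed"   # control 4: exactly one mobile number, to a real VMN
        del self.issued[token]                                   # single use
        return "bound"
```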
Why Choose Sense for NPCI SIM Binding Compliance?
  • End-to-End Security: From device state checks to dynamic token generation, Sense covers all critical NPCI requirements.
  • Seamless User Experience: Our implementation minimizes friction while ensuring robust security.
  • Regulatory Assurance: Stay audit-ready with detailed logging and compliance reporting.
  • Cross-Platform Support: Full support for Android and iOS platforms, including latest OS versions and APIs.
  • Continuous Updates: We monitor NPCI guidelines and update our solutions proactively.
Get Started with Sense

Ensure your UPI application is fully compliant with NPCI SIM Binding guidelines. Contact us today to learn how Sense can help you implement these critical security controls efficiently and reliably.