Regulatory · 6 min read

UPI / TPAP Security Audit Guide

TPAPs must pass a CERT-In empanelled security audit before going live on UPI and periodically thereafter.


1. Who is audited

The UPI app (TPAP), its sponsor PSP bank’s systems, and technology providers in the UPI stack.

2. Audit scope

  • Mobile app and API security testing.
  • Infrastructure and network security.
  • Compliance with NPCI procedural guidelines and circulars.
  • Secure handling of UPI data and credentials.

How CyberSigma helps

CERT-In empanelled, we perform UPI TPAP security audits — mobile, API and infrastructure — and issue the report NPCI and your PSP bank need.

This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
