NPCI · India

NPCI Product Security Audits (IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS)

Security audits across NPCI’s payment products beyond UPI.

Introduction to NPCI Product Security Audits

The National Payments Corporation of India (NPCI) is the umbrella organisation for retail payments and settlement systems in India, operating under the Payment and Settlement Systems Act, 2007 and regulated by the Reserve Bank of India (RBI). NPCI owns and operates a portfolio of nationally critical payment products, including the Immediate Payment Service (IMPS), RuPay card scheme, Aadhaar Enabled Payment System (AePS), National Automated Clearing House (NACH), National Financial Switch (NFS), FASTag on the National Electronic Toll Collection (NETC) rails, Cheque Truncation System (CTS) and the Unified Payments Interface (UPI) with its overlay services. Every bank, non-bank member, Payment System Provider (PSP), Third Party Application Provider (TPAP), technical service provider (TSP), aggregator and merchant that integrates with these rails must undergo periodic security certification and audit before go-live and on a recurring basis thereafter.

NPCI Product Security Audits are the mandated technical and process assurance reviews that verify a participant's implementation of an NPCI product conforms to the applicable Procedural Guidelines, technical specifications, API integration specifications, risk management framework circulars and the overarching security requirements laid down by NPCI and RBI. Unlike a generic information security audit, these audits are product-specific: an IMPS audit checks Remitter/Beneficiary flows, session and OTP controls and the NFS/IMPS switch interface, whereas a RuPay audit examines PCI DSS scope, HSM key ceremonies, EMV/tokenisation and the RuPay authorisation host. This guide provides an auditor-grade, product-by-product deep dive that serves both the assessor performing the certification and the engineering, risk and compliance teams building or remediating the controls.

Copyright and source note
NPCI Procedural Guidelines, API/technical specification bundles, the NPCI Risk Management circulars, RuPay Compliance Guidelines and the UPI Security Guidelines are proprietary, licensed documents released to members under NDA through the NPCI Connect / member portal. This guide is original CyberSigma commentary. It paraphrases publicly known control themes and cites the relevant circular families by name and identifier where applicable; it does not reproduce NPCI, RBI, UIDAI or PCI SSC copyrighted text. Always audit against the current, member-licensed version of each specification, as NPCI revises product specifications and OC (Operating Circular) versions frequently.

What are NPCI Product Audits

NPCI Product Audits are a family of product-scoped security certifications and periodic audits that a member entity must complete to obtain and retain the right to transact on a given NPCI rail. The audit universe is defined by three layers of authority: (1) statutory and regulatory instruments — the PSS Act 2007, RBI's Master Directions on Digital Payment Security Controls (RBI/2020-21/74, DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21), RBI's cyber security framework for banks (DBS.CO.CSITE/2016-17), and the RBI PA/PG guidelines for aggregators; (2) NPCI product Procedural Guidelines and Operating Circulars issued per product; and (3) scheme technical and security specifications such as the RuPay compliance and tokenisation specs, the UPI Procedural Guidelines and API specs, the AePS/Aadhaar authentication ecosystem requirements set by UIDAI, and the NACH/CTS operating specifications.

The audits are typically executed by a CERT-In empanelled auditor, and for card products additionally by a PCI QSA, culminating in a certification report, a compliance declaration and, for several products, a sign-off that NPCI accepts through the member/NPCI Connect portal before enabling the entity in production. Certification is not one-and-done: most products require an annual security audit, a fresh audit on any material change (new API version migration, new data centre, major architecture change), and continuous compliance with fraud and risk management (FRM) circulars issued through the year.

Each product carries a distinct control surface. IMPS is a real-time push credit rail over the NFS switch. RuPay is a card scheme with PCI DSS, EMV, HSM and tokenisation obligations. AePS relies on Aadhaar biometric/demographic authentication and therefore inherits the requirements of the Aadhaar Act 2016 and UIDAI's AUA/KUA, ASA and biometric device (Registered Device / L1) rules. NACH is a bulk mandate and clearing rail with e-mandate/API mandate and file integrity concerns. NFS is the ATM/interoperable switch network. FASTag/NETC covers RFID tag issuance, toll acquiring and reconciliation. CTS covers cheque image capture, IQA (Image Quality Assurance) and the CTS-2010 standard.

Who must comply

Any entity that connects to, processes, stores or transmits data on an NPCI rail is in scope. The obligation cascades from the sponsor/member bank down to every technical partner and outsourced provider under RBI's outsourcing and NPCI's third-party accountability principles.

Entity type | Products typically in scope | Nature of obligation
Scheduled commercial / small finance / payments banks (member banks) | IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS, UPI | Full member certification + annual security audit per product; sponsor accountability for their TPAPs/TSPs
Non-bank PSPs and PPI issuers | UPI (PSP), RuPay (prepaid), FASTag issuer | Certification via sponsor bank; FRM and security audit compliance
Third Party Application Providers (TPAPs) | UPI apps | App security audit, PSP sponsor sign-off, adherence to UPI Procedural Guidelines
Technical Service Providers (TSPs) / aggregators / switch vendors | Product they host (IMPS switch, RuPay host, AePS host) | Security audit of hosted stack; back-to-back compliance flow-down from member
Payment aggregators / gateways (RBI PA licensed) | RuPay acquiring, UPI, NACH e-mandate | PCI DSS + RBI PA/PG security audit + NPCI product audit
AUA/KUA and ASA entities (AePS) | AePS, Aadhaar auth | UIDAI security audit + biometric device (RDService/L1) compliance + NPCI AePS audit
Toll acquirers / NETC concessionaires | FASTag / NETC | NETC operating spec compliance + security audit + reconciliation controls
Corporates / billers using NACH | NACH (mandates, debit files) | File security, mandate governance, sponsor bank oversight
Merchants and merchant TSPs | RuPay POS/e-com, UPI QR | PCI DSS scope (if handling PAN), QR/collect flow controls

  • Go-live prerequisite: no entity is enabled in production on a rail without a passed certification/audit and NPCI acceptance.
  • Annual recertification: most products mandate a fresh security audit at least once every financial year.
  • Change-triggered audit: migration to a new API/spec version, new DR/DC, or major architectural change re-triggers audit.
  • Flow-down: members remain accountable for the compliance posture of every downstream TSP/TPAP/aggregator they sponsor.

Structure of NPCI Product Audits

The audit programme is organised as a set of cross-cutting control domains that apply to every product, plus product-specific control families layered on top. The cross-cutting domains derive from RBI's Digital Payment Security Controls and the NPCI security baseline; the product families derive from each product's Procedural Guidelines, technical spec and risk circulars.

Domain / family | Applies to | Representative control area
Governance, risk & compliance (GRC) | All products | Board-approved security policy, risk assessment, FRM committee, RBI/NPCI circular tracking
Network & infrastructure security | All products | Segmentation, firewall/IPS, leased-line/MPLS to NPCI, DDoS, hardening
Application & API security | All products | Secure SDLC, VAPT, API auth (message signing), input validation, session management
Cryptography & key management | IMPS, RuPay, AePS, NACH, CTS | HSM usage, key ceremonies, PIN/OTP/message encryption, certificate lifecycle
Authentication & transaction integrity | IMPS, UPI, AePS, RuPay | Two-factor auth, OTP/MPIN, device binding, message signing, non-repudiation
Fraud & risk management (FRM) | All products | Velocity/limit rules, transaction monitoring, chargeback/dispute, negative lists
Data protection & privacy | All products | Data localisation (RBI), Aadhaar data vault (AePS), tokenisation (RuPay), DPDP Act
Logging, monitoring & incident response | All products | SIEM, 6-hour RBI/CERT-In incident reporting, forensic readiness
Business continuity & DR | All products | RTO/RPO, DR drills, switch failover, reconciliation continuity
Reconciliation & settlement integrity | All switch/clearing products | Raw file/settlement recon, TCC/RET, dispute (DMS/UDIR), NPCINet integrity
IMPS product family | IMPS | Remitter/Beneficiary flow, P2P/P2A, MMID, IFSC+account, session & OTP
RuPay product family | RuPay | PCI DSS, EMV, tokenisation, HSM, 3-D Secure, RuPay CVD/iCVV, chargeback
AePS / Aadhaar family | AePS | AUA/KUA, ASA, Registered Devices (L1), Aadhaar Data Vault, biometric locking
NACH product family | NACH | Mandate (physical/e-mandate/API), sponsor/destination bank, file integrity, DMS
NFS / ATM family | NFS | ATM switch, key management (TMK/TPK/ZMK), interoperability, dispute (DMS)
FASTag / NETC family | FASTag | Tag issuance, mapper, toll acquiring, reconciliation, exception handling
CTS product family | CTS | CTS-2010 standard, image capture, IQA, grey-scale/security features, presentment/return

Master assessment checklist

This is the core of the audit. Each control group below is enumerated with what the auditor must verify and the typical evidence the implementer must produce. The cross-cutting domains apply to every product; the product-specific families follow. No control area is skipped.

Governance, risk and compliance (GRC)

What to verify | Typical evidence
Board/senior-management approved information & payment security policy exists and is reviewed at least annually | Signed policy, board minutes, review dates
A designated CISO and risk/FRM committee with defined charter and NPCI liaison | Org chart, committee charter, meeting minutes
Documented risk assessment covering the specific NPCI product and its data flows | Risk register, DFDs, risk treatment plan
Mechanism to track and implement RBI/NPCI/UIDAI circulars and OC version changes | Circular tracker, gap-closure records, sign-offs
Third-party / outsourcing risk governance with back-to-back security clauses (RBI outsourcing guidelines) | Vendor contracts, due-diligence reports, right-to-audit clauses
Compliance calendar mapping annual audit, VAPT, DR drill and certification renewals | Compliance calendar, evidence of past cycles

Network and infrastructure security

What to verify | Typical evidence
Dedicated secure connectivity to NPCI (NPCINet / leased line / MPLS) with encryption and no internet exposure of the switch | Network diagram, circuit IDs, firewall config
Segmentation isolating the NPCI/CDE zone from corporate and internet zones | VLAN/zoning diagram, firewall rulebase review
Firewall, IPS/IDS, WAF and DDoS protection deployed and rule-reviewed periodically | Device configs, rule review logs, DDoS SLA
Server/OS/DB/network device hardening to CIS or NPCI baseline | Hardening standards, config compliance scan reports
Patch and vulnerability management with defined SLAs by severity | Patch register, VA scan reports, SLA tracker
Secure remote access (MFA, jump host, privileged access management) | PAM records, MFA config, access logs

Application and API security

What to verify | Typical evidence
Secure SDLC with threat modelling, code review and security gates | SDLC policy, threat models, SAST/DAST reports
Annual application VAPT (and after major change) with closure of high/critical findings | VAPT report, remediation tracker, retest evidence
API integration per NPCI spec: message-level signing/verification, mutual TLS where required | API design doc, signing key config, TLS certs
Input validation, output encoding and protection against OWASP Top 10 | Test cases, WAF rules, pen-test evidence
Session management: timeout, anti-replay (nonce/txn ID), no sensitive data in URLs/logs | Session config, log samples, code review notes
Secure error handling that does not leak stack traces or PAN/Aadhaar/PIN | Error handling standard, log/screen samples

Cryptography and key management

What to verify | Typical evidence
FIPS 140-2 (L3+) HSMs used for PIN, key and message cryptography where mandated | HSM inventory, certificates, deployment diagram
Documented key ceremony for generation, split-knowledge/dual-control, custody and rotation | Key ceremony records, custodian sign-offs, KCV logs
Approved algorithms and key lengths (AES, RSA-2048+, 3DES only where legacy-mandated) | Crypto standard, algorithm inventory
Certificate lifecycle management (issuance, expiry alerting, revocation) for NPCI/UIDAI certs | Cert inventory, expiry monitoring, CA records
No clear-text PIN/key/PAN/biometric at rest or in transit; encryption end-to-end | DFDs, packet/DB inspection evidence, tokenisation config
Secure key destruction and compromise/rekey procedure | Destruction logs, compromise runbook

Authentication and transaction integrity

What to verify | Typical evidence
Two-factor authentication for transactions (e.g., MPIN + device, OTP + PIN) per product rule | Auth flow doc, config, test evidence
Device binding / hard-binding and SIM/device change re-registration (UPI/mobile) | Device registration logs, binding config
OTP controls: single-use, time-bound, throttled, delivered on registered channel | OTP config, throttling rules, log samples
Message signing and non-repudiation for each NPCI API call | Signing implementation, verification logs
Anti-automation / velocity throttling on auth attempts and enrolment | Rate-limit config, lockout evidence
Beneficiary/registration cooling-off and limit ramps where mandated | Rule config, product-guideline mapping
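The two checklist rows on message-level signing (Application and API security) and on message signing plus anti-replay nonce/txn ID controls (Authentication and transaction integrity) are easiest to audit against a concrete reference. The block below is an added CyberSigma-style illustration, not code from NPCI or from any member's switch. It assumes HMAC-SHA256 over canonical JSON as a stand-in for whatever signing scheme the applicable NPCI API spec mandates, a constructed shared key, and an assumed 300-second replay window; in production the key lives in an HSM and the window comes from the product's session rules. The receiver verifies the signature in constant time first, then rejects stale timestamps, then rejects a txn_id it has already accepted inside the window.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret for this example only. Assumption: HMAC-SHA256 stands in
# for whichever message-signing scheme the applicable NPCI API spec mandates; in
# production the signing key lives in an HSM and is never embedded in code.
SHARED_KEY = b"example-shared-key-not-for-production"

# Assumed replay window (seconds); the real value comes from the product's session rules.
REPLAY_WINDOW_SECONDS = 300


def canonical_bytes(body: Dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(payload: Dict, key: bytes = SHARED_KEY) -> Dict:
    """Return a copy of payload with a 'sig' field that covers every other field."""
    body = {k: v for k, v in payload.items() if k != "sig"}
    sig = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class ReplayGuard:
    """Verifies the signature, then rejects stale timestamps and repeated txn_ids.

    The txn_id cache only needs to cover the replay window: anything older is
    already rejected by the timestamp check, so it can be evicted.
    """

    def __init__(self, window: int = REPLAY_WINDOW_SECONDS) -> None:
        self.window = window
        self._seen: Dict[str, float] = {}  # txn_id -> time it was first accepted

    def _evict(self, now: float) -> None:
        cutoff = now - self.window
        for txn_id in [t for t, accepted in self._seen.items() if accepted < cutoff]:
            del self._seen[txn_id]

    def verify(self, message: Dict, key: bytes = SHARED_KEY,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        self._evict(now)
        sig = message.get("sig")
        body = {k: v for k, v in message.items() if k != "sig"}
        if not isinstance(sig, str):
            return False, "missing signature"
        expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        ts = body.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.window:
            return False, "timestamp outside replay window"
        txn_id = body.get("txn_id")
        if not isinstance(txn_id, str) or not txn_id:
            return False, "missing txn_id"
        if txn_id in self._seen:
            return False, "replayed txn_id"
        self._seen[txn_id] = now
        return True, "ok"


def demo() -> Dict[str, str]:
    """Exercise the guard with constructed messages; returns the verdict per case."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    original = sign_message({"txn_id": "IMPS-EXAMPLE-0001", "amount": 1500, "ts": t0})
    tampered = dict(original)
    tampered["amount"] = 150000  # body altered after signing; signature no longer matches
    stale = sign_message({"txn_id": "IMPS-EXAMPLE-0002", "amount": 10, "ts": t0 - 3600})
    return {
        "first_delivery": guard.verify(original, now=t0 + 1)[1],
        "replayed": guard.verify(original, now=t0 + 2)[1],
        "tampered": guard.verify(tampered, now=t0 + 3)[1],
        "stale": guard.verify(stale, now=t0 + 4)[1],
    }
```

An auditor walking through a member's implementation would look for the same four properties the demo exercises: the signature covers every field, comparison is constant-time, the timestamp window is enforced, and the txn_id cache is shared across all nodes that accept the message (a per-node cache lets a replay succeed against a different instance).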

Fraud and risk management (FRM)

What to verify | Typical evidence
Real-time/near-real-time transaction monitoring engine with rules per NPCI FRM circulars | FRM tool config, rule catalogue, alert samples
Velocity, amount, geo, device and beneficiary-based rules and dynamic limits | Rule matrix, tuning records
Negative/deny lists, mule-account detection and NPCI shared-intelligence consumption | List management, integration evidence
Chargeback / dispute / customer-complaint handling within regulated TAT | Dispute logs, TAT MIS, DMS/UDIR records
Fraud reporting to NPCI and RBI (CPFIR / relevant returns) within timelines | Reporting records, acknowledgements
Customer risk communication, cooling period on new-beneficiary high-value transfers | Config, notification samples
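To make the FRM rows above concrete, here is an added, self-contained rule engine that runs four of the rule types the checklist names (negative list, velocity, cumulative daily amount, new-beneficiary cooling period) over a constructed batch of transactions. It is illustration code written for this guide, not an NPCI FRM tool or any member's rule set; every threshold, account identifier and timestamp is constructed, and the real values come from the entity's rule catalogue and the applicable NPCI FRM circular. The engine is stateful by design, so an auditor sampling alerts can see that velocity and daily-cap rules depend on feeding transactions in time order.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

# Thresholds are constructed for this example; the real values come from the entity's
# FRM rule catalogue and the applicable NPCI FRM circular for the product.
MAX_TXNS_PER_WINDOW = 3
VELOCITY_WINDOW = timedelta(minutes=10)
DAILY_AMOUNT_CAP = 200_000
NEW_BENEFICIARY_COOLING = timedelta(hours=24)
NEW_BENEFICIARY_CAP = 25_000
NEGATIVE_LIST = {"ACC-MULE-01"}  # constructed deny-list entry


@dataclass
class Txn:
    txn_id: str
    ts: datetime
    remitter: str
    beneficiary: str
    amount: int                   # whole rupees, constructed values
    beneficiary_added: datetime   # when the remitter registered this beneficiary


class FrmEngine:
    """Stateful rule evaluation: transactions must be fed in timestamp order."""

    def __init__(self) -> None:
        self._recent: Dict[str, List[datetime]] = defaultdict(list)
        self._daily: Dict[Tuple[str, date], int] = defaultdict(int)

    def evaluate(self, txn: Txn) -> List[str]:
        hits: List[str] = []

        # Rule 1: negative / deny list on either leg.
        if txn.beneficiary in NEGATIVE_LIST or txn.remitter in NEGATIVE_LIST:
            hits.append("negative_list")

        # Rule 2: velocity, count of this remitter's txns inside a sliding window.
        window_start = txn.ts - VELOCITY_WINDOW
        recent = [t for t in self._recent[txn.remitter] if t > window_start]
        recent.append(txn.ts)
        self._recent[txn.remitter] = recent
        if len(recent) > MAX_TXNS_PER_WINDOW:
            hits.append("velocity")

        # Rule 3: cumulative daily amount per remitter.
        day_key = (txn.remitter, txn.ts.date())
        self._daily[day_key] += txn.amount
        if self._daily[day_key] > DAILY_AMOUNT_CAP:
            hits.append("daily_cap")

        # Rule 4: high-value transfer to a beneficiary still inside the cooling period.
        if (txn.ts - txn.beneficiary_added < NEW_BENEFICIARY_COOLING
                and txn.amount > NEW_BENEFICIARY_CAP):
            hits.append("new_beneficiary_cooling")

        return hits


def run_rules(txns: List[Txn]) -> Dict[str, List[str]]:
    engine = FrmEngine()
    return {t.txn_id: engine.evaluate(t) for t in sorted(txns, key=lambda x: x.ts)}


# Constructed sample batch; 'old' beneficiaries were registered 30 days earlier.
_BASE = datetime(2024, 1, 15, 10, 0)
_OLD = _BASE - timedelta(days=30)
SAMPLE_TXNS = [
    Txn("T1", _BASE + timedelta(minutes=0), "R1", "B1", 10_000, _OLD),
    Txn("T2", _BASE + timedelta(minutes=1), "R1", "B1", 10_000, _OLD),
    Txn("T3", _BASE + timedelta(minutes=2), "R1", "B1", 10_000, _OLD),
    Txn("T4", _BASE + timedelta(minutes=3), "R1", "B1", 10_000, _OLD),   # 4th in 10 min
    Txn("T5", _BASE + timedelta(minutes=5), "R2", "B9", 50_000, _BASE - timedelta(hours=1)),
    Txn("T6", _BASE + timedelta(minutes=6), "R3", "ACC-MULE-01", 500, _OLD),
    Txn("T7", _BASE + timedelta(minutes=10), "R4", "B4", 150_000, _OLD),
    Txn("T8", _BASE + timedelta(minutes=20), "R4", "B4", 100_000, _OLD),  # 250k in one day
]


def run_sample() -> Dict[str, List[str]]:
    return run_rules(SAMPLE_TXNS)
```

The tuning records the checklist asks for are the history of changes to the constants at the top of such a file, together with the false-positive and false-negative rates observed after each change; static thresholds that never move are the "untuned FRM" gap listed later in this guide.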

Data protection, privacy and localisation

What to verify | Typical evidence
RBI payment-data localisation: all payment data stored only in India (end-to-end) | Data-residency attestation, infra location proof, DPO sign-off
Aadhaar Data Vault implemented with reference-key tokenisation (AePS) | ADV architecture, tokenisation config, audit trail
RuPay PAN tokenisation and PCI DSS storage controls (no prohibited data storage) | Tokenisation flow, PCI ROC/SAQ, data-retention policy
Data classification, retention and secure disposal aligned to policy and DPDP Act 2023 | Classification matrix, retention schedule, disposal logs
Masking of PAN/Aadhaar/mobile in UI, logs and reports | Masking standard, screen/log evidence
Consent management and purpose limitation for customer data | Consent records, privacy notice
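The masking row above (and the earlier "no PAN/Aadhaar/PIN in error output" row) is usually evidenced by log samples; the added scanner below shows how an auditor or a log-pipeline filter can find and mask PAN, Aadhaar and mobile numbers in a log line. It is illustration code for this guide, not a component of any NPCI product or member system. Assumptions: a PAN is a 13 to 19 digit run that passes the Luhn check, an Aadhaar number is a 12-digit run whose first digit is 2 to 9, and an Indian mobile number is a 10-digit run starting 6 to 9; the sample line is constructed, using a standard test card number. The masking formats (first 6 and last 4 of a PAN, last 4 of an Aadhaar number) are an assumed masking standard, and the 12-digit Aadhaar rule will also catch some unrelated 12-digit identifiers, which is the usual trade-off when scanning unstructured logs.

```python
import re
from typing import Dict, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn check: keeps the PAN rule from masking random 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Digit runs bounded by non-digits, so a 16-digit PAN is not also read as a 12-digit Aadhaar.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
AADHAAR_RE = re.compile(r"(?<!\d)([2-9]\d{11})(?!\d)")  # Aadhaar numbers do not start with 0 or 1
MOBILE_RE = re.compile(r"(?<!\d)([6-9]\d{9})(?!\d)")    # Indian mobile numbers start with 6-9


def mask_line(line: str) -> Tuple[str, Dict[str, int]]:
    """Return the masked line and how many values of each kind were masked."""
    counts = {"pan": 0, "aadhaar": 0, "mobile": 0}

    def mask_pan(m):
        s = m.group(1)
        if not luhn_ok(s):
            return s  # not a card number; leave untouched
        counts["pan"] += 1
        return s[:6] + "X" * (len(s) - 10) + s[-4:]  # assumed standard: first 6 + last 4 visible

    def mask_aadhaar(m):
        counts["aadhaar"] += 1
        return "XXXX-XXXX-" + m.group(1)[-4:]  # assumed standard: only the last 4 digits survive

    def mask_mobile(m):
        counts["mobile"] += 1
        return "XXXXXX" + m.group(1)[-4:]

    line = PAN_RE.sub(mask_pan, line)
    line = AADHAAR_RE.sub(mask_aadhaar, line)
    line = MOBILE_RE.sub(mask_mobile, line)
    return line, counts


# Constructed log line: the card number is a standard test PAN, the other values are made up.
SAMPLE_LINE = ("2024-01-15 10:02:11 INFO credit ok pan=4111111111111111 "
               "aadhaar=234567890123 mobile=9876543210 txn=IMPS000123456789")


def scan_sample() -> Tuple[str, Dict[str, int]]:
    return mask_line(SAMPLE_LINE)
```

Run over an exported log sample, a non-zero count from this scanner is a finding in its own right: the data should have been masked before it reached the log, and the scanner result tells the auditor which field the application failed to mask.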

Logging, monitoring and incident response

What to verify | Typical evidence
Centralised logging/SIEM covering NPCI stack with tamper-evident, time-synced logs | SIEM architecture, log source list, NTP config
Use-case-based alerting and 24x7 SOC coverage | Use-case catalogue, SOC roster, alert MIS
Incident response plan with severity classification and NPCI notification path | IR plan, tabletop/drill evidence
RBI/CERT-In cyber-incident reporting within 6 hours of detection | Reporting SOP, past incident records, acknowledgements
Log retention meeting regulatory minimums (typically ≥180 days online, per RBI/CERT-In) | Retention config, archival evidence
Forensic readiness and evidence-preservation procedure | Forensic SOP, chain-of-custody templates
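"Tamper-evident" in the first row above is a property an auditor can test rather than take on trust. The added example below, written for this guide and not taken from any SIEM product or NPCI specification, shows the simplest mechanism that delivers it: each log entry carries the hash of its predecessor, so editing or removing an earlier entry breaks every later link. It also shows the limit of the chain on its own, which the checklist's forensic-readiness row is meant to cover: silently dropping the newest entries leaves a chain that still verifies, so the head hash has to be anchored out-of-band (WORM storage, or shipped to a separate system on a schedule). Entry contents and timestamps are constructed.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash of the first entry


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash binds the record to its predecessor, so edits or removals break every later link."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict],
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain; returns (ok, index of first bad entry, reason).

    'anchor' is the head hash recorded out-of-band. Without it, dropping the newest
    entries is undetectable because the remaining chain is still internally valid.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return False, i, "link broken"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, len(entries), "head does not match anchor"
    return True, None, "ok"


def demo() -> Dict[str, Tuple[bool, Optional[int], str]]:
    """Build a small constructed log and show which manipulations the checks catch."""
    log = ChainedLog()
    log.append({"ts": "2024-01-15T10:00:00+05:30", "event": "operator_login", "user": "ops1"})
    log.append({"ts": "2024-01-15T10:01:12+05:30", "event": "limit_change",
                "old": 50000, "new": 200000})
    log.append({"ts": "2024-01-15T10:05:40+05:30", "event": "operator_logout", "user": "ops1"})
    anchor = log.head()  # what would be written to WORM storage / a separate system

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["new"] = 50000           # rewrite history: hide the limit change
    deleted = log.entries[:1] + log.entries[2:]  # remove the middle entry
    truncated = log.entries[:2]                  # drop the newest entry

    return {
        "intact": verify_chain(log.entries, anchor),
        "edited": verify_chain(edited, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }
```

The "truncated_no_anchor" case is the one to raise in an audit: a SIEM that hashes or signs each record but never publishes a head value outside the writer's control does not meet the tamper-evidence requirement for the tail of the log. Time synchronisation (the NTP evidence in the same row) is what makes the `ts` fields usable for reconstructing order across systems; the chain only fixes order within one log.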

Business continuity and disaster recovery

What to verify | Typical evidence
Documented BCP/DR with defined RTO/RPO for the NPCI product | BCP/DR plan, BIA, RTO/RPO matrix
Near-DR / DR site with periodic switchover drills including switch failover | DR drill reports, failover logs
Reconciliation and settlement continuity during DR operation | DR recon procedure, drill evidence
Backup, restoration testing and offline/immutable copies | Backup logs, restore test records
Capacity and resilience for peak (festival/salary-day) transaction volumes | Capacity plan, load-test reports

Reconciliation and settlement integrity

What to verify | Typical evidence
Daily raw-file / settlement reconciliation against NPCI reports (TCC/RET, net settlement) | Recon reports, break-resolution logs
Automated exception and dispute handling via NPCI DMS / UDIR / relevant portal | DMS/UDIR records, ageing MIS
Integrity and completeness controls on files exchanged with NPCI (hash/checksum, sequence) | File-integrity config, checksum logs
Segregation of duties in settlement and GL posting | SoD matrix, access review
Unreconciled item ageing within regulated TAT and provisioning | Ageing report, escalation records
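The "integrity and completeness controls on files exchanged with NPCI (hash/checksum, sequence)" row is often evidenced only by a checksum log; the added example below shows what a complete receiving-side check looks like, so the auditor knows what the log should record. It is illustration code for this guide and uses a constructed file naming convention and constructed file contents; it is not an NPCI file format, manifest format or settlement layout. The check covers the three failure modes the row names: a file whose digest does not match the sender's manifest, a file present that the manifest does not list, and a break in the sequence numbers relative to the last accepted batch (gaps, repeats, or a sequence that goes backwards).

```python
import hashlib
from typing import Dict, List, NamedTuple


class ManifestEntry(NamedTuple):
    name: str
    seq: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seq_from_name(name: str) -> int:
    """Constructed naming convention <PREFIX>_<date>_<seq>.txt; not an NPCI file format."""
    return int(name.rsplit("_", 1)[1].split(".")[0])


def build_manifest(files: Dict[str, bytes]) -> List[ManifestEntry]:
    """What the sending side would publish (and sign) alongside the files."""
    return [ManifestEntry(name, seq_from_name(name), sha256_hex(data))
            for name, data in files.items()]


def check_batch(manifest: List[ManifestEntry], received: Dict[str, bytes],
                last_seq: int) -> List[str]:
    """Return a list of findings; an empty list means the batch is complete and intact."""
    findings: List[str] = []
    expected_names = {e.name for e in manifest}

    # 1. Every manifest entry must be present with a matching digest.
    for e in manifest:
        data = received.get(e.name)
        if data is None:
            findings.append(f"missing:{e.name}")
        elif sha256_hex(data) != e.sha256:
            findings.append(f"hash_mismatch:{e.name}")

    # 2. Files the manifest does not account for are just as suspicious.
    for name in received:
        if name not in expected_names:
            findings.append(f"unexpected:{name}")

    # 3. Sequence numbers must continue from the last accepted batch with no gaps or repeats.
    seqs = sorted(e.seq for e in manifest)
    for s in sorted({s for s in seqs if seqs.count(s) > 1}):
        findings.append(f"duplicate_seq:{s}")
    for s in seqs:
        if s <= last_seq:
            findings.append(f"replayed_seq:{s}")
    if seqs:
        for s in range(last_seq + 1, max(seqs) + 1):
            if s not in seqs:
                findings.append(f"gap_seq:{s}")
    return findings


# Constructed sender-side batch; sequence 103 was never produced.
SENDER_FILES = {
    "SETTLE_20240115_101.txt": b"seq=101;txn=1;amount=100\n",
    "SETTLE_20240115_102.txt": b"seq=102;txn=2;amount=250\n",
    "SETTLE_20240115_104.txt": b"seq=104;txn=4;amount=75\n",
}


def run_sample() -> List[str]:
    """Simulate a receipt where one file was altered in transit and a stray file appeared."""
    manifest = build_manifest(SENDER_FILES)
    received = dict(SENDER_FILES)
    received["SETTLE_20240115_102.txt"] = b"seq=102;txn=2;amount=2500\n"  # altered in transit
    received["stray.txt"] = b"not in manifest\n"
    return check_batch(manifest, received, last_seq=100)
```

Two things an auditor should confirm beyond the check itself: the manifest (or the digests in it) must be authenticated by the sender, otherwise an altered file can arrive with an equally altered digest, and `last_seq` must be persisted durably by the receiver, otherwise a restart allows an old batch to be accepted again.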

IMPS product family

What to verify | Typical evidence
Remitter and Beneficiary flows implemented per IMPS Procedural Guidelines (P2P via MMID+mobile, P2A via IFSC+account) | IMPS design doc, spec-version mapping
Session security, transaction timeout and duplicate/replay prevention on the IMPS interface | Session config, anti-replay evidence
Two-factor / OTP + MPIN authentication and per-txn limits per RBI/NPCI rules | Auth config, limit matrix
NFS/IMPS switch interface hardening, message signing and heartbeat handling | Switch config, signing keys
Beneficiary validation, name-match and mule/fraud checks on credit leg | Validation logic, FRM rule mapping
TCC/RET dispute processing and remitter credit-reversal within TAT | Dispute logs, reversal TAT MIS

RuPay product family

What to verify | Typical evidence
Valid PCI DSS certification (ROC/AOC) covering the RuPay CDE | PCI ROC/AOC, ASV scans, QSA report
EMV chip / contactless and iCVV/CVD2 validation per RuPay compliance spec | EMV test results, personalisation spec
Card tokenisation (CoF / device tokenisation) per RuPay + RBI tokenisation guidelines | Token vault config, tokenisation flow
HSM-based PIN block, ARQC/ARPC and key management for the authorisation host | HSM config, key ceremony, cryptogram test
3-D Secure / risk-based authentication for CNP transactions | 3DS config, ACS/DS integration evidence
Chargeback, dispute and clearing/settlement per RuPay operating regulations | Chargeback MIS, dispute cycle evidence

AePS / Aadhaar authentication family

What to verify | Typical evidence
Valid AUA/KUA and ASA agreements and UIDAI compliance for Aadhaar authentication | UIDAI licences, ASA agreement, audit report
Registered Device (RDService / L1) usage with encrypted biometric capture (no stored biometrics) | Device certification, PID block config
Aadhaar Data Vault with reference-key tokenisation and strict access control | ADV design, access logs, audit trail
End-to-end encryption of PID / biometric data using UIDAI public key | Encryption config, key management evidence
AePS transaction limits, velocity and fraud controls (per NPCI AePS FRM circulars) | FRM rule config, limit matrix
Aadhaar masking, consent and UIDAI audit-log retention | Masking evidence, consent records, log retention

NACH product family

What to verify | Typical evidence
Mandate lifecycle controls for physical, e-mandate (net-banking/debit-card) and API mandate | Mandate flow doc, e-sign/OTP config
Sponsor-bank / destination-bank role controls and file authorisation | Role matrix, file-auth workflow
Input/debit and mandate-file integrity (checksum, sequence, digital signing) | File-integrity config, signing evidence
Presentation/settlement cycle adherence and return (reject) handling | Cycle MIS, return-code handling
Dispute management (DMS) and unauthorised-debit resolution within TAT | DMS records, complaint TAT MIS
Mandate data protection and access control on customer bank/UMRN data | Access review, masking evidence

NFS / ATM switch family

What to verify | Typical evidence
ATM/switch key hierarchy (TMK, TPK, ZMK, ZPK) managed in HSM under dual control | Key inventory, ceremony records
Interoperable transaction handling per NFS spec and message-format compliance | Switch config, ISO 8583 message tests
PIN security end-to-end, no clear PIN, PIN-block format compliance | PIN-block config, HSM evidence
ATM/terminal fraud controls, geo/velocity, hotlisting | FRM rules, hotlist integration
Dispute resolution via NPCI DMS and TAT compliance | DMS records, TAT MIS
Reconciliation of NFS switch settlement files | Recon reports, break logs

FASTag / NETC family

What to verify | Typical evidence
Tag issuance, KYC and mapper registration per NETC operating spec | Issuance SOP, mapper records, KYC evidence
Toll acquiring, tag-read integrity and transaction message security | Acquiring config, message-integrity evidence
Blacklist/exception-list synchronisation and low-balance handling | Exception-list sync logs, config
Reconciliation between acquirer, issuer and NPCI settlement | Recon reports, dispute MIS
Chargeback / dispute and customer-complaint handling within TAT | Dispute records, TAT MIS
Data protection on vehicle/customer/VRN and mapper data | Access review, masking evidence

CTS product family

What to verify | Typical evidence
Cheque capture and image compliance with CTS-2010 standard (grey-scale + security features) | Capture config, CTS-2010 test evidence
Image Quality Assurance (IQA) at capture and at presentment | IQA rule config, reject MIS
Digital signing / encryption of cheque images and data files exchanged with the grid | Signing config, key management
Presentment, return (bounce) and re-presentment cycle controls | Cycle MIS, return-code handling
Positive Pay System (PPS) integration for high-value cheques | PPS config, validation evidence
Fraud controls on image alteration and duplicate presentment | FRM rules, duplicate-detection evidence

Scoping

Scoping determines which control families, systems, data stores and third parties fall inside the audit boundary. Under-scoping is the single most common cause of certification rejection and post-go-live incidents; over-scoping inflates cost and timeline. Scope must be documented, agreed with NPCI/sponsor and re-validated each cycle.

  • Product scope: identify every NPCI rail the entity transacts on (IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS) and the specific spec/OC version in production for each.
  • System scope: all systems that store, process or transmit product data — switches, hosts, HSMs, API gateways, databases, SIEM, and the CDE for card products.
  • Data scope: PAN, PIN, biometric/Aadhaar, UMRN/mandate, cheque images, VRN, settlement files; map each to its data flow and residency.
  • Network scope: NPCINet/leased-line segments, DMZ, CDE, DR site and management planes.
  • Third-party scope: TSPs, aggregators, TPAPs, cloud providers and their sub-processors, with flow-down compliance obligations.
  • Environment scope: production plus DR; segregation from dev/test; and any shared/multi-tenant infrastructure.
  • Exclusions: explicitly document out-of-scope systems with justification and compensating controls.
Scoping tip
For RuPay, apply PCI DSS scoping and segmentation testing rigorously — any system with connectivity to the CDE is in scope. For AePS, remember UIDAI scope extends to every component touching PID/biometric data, and the Aadhaar Data Vault plus its access paths are always in scope.

Implementation approach

A phased approach de-risks certification. Each phase below lists the key activities and the concrete deliverables an auditor will expect to see.

Phase 1 – Discovery and gap assessment

  • Activities: inventory in-scope products/systems, obtain current NPCI/UIDAI/RBI specs and OC versions, map data flows, run a gap assessment against every control family in the master checklist.
  • Deliverables: scope document, data-flow diagrams, control-gap report with severity, remediation roadmap and effort estimate.

Phase 2 – Design and remediation

  • Activities: design/fix segmentation, HSM key ceremonies, API message signing, tokenisation/ADV, FRM rules, logging and DR; update policies and runbooks.
  • Deliverables: updated security architecture, hardened configs, key-ceremony records, policy set, remediation-closure tracker.

Phase 3 – Testing and validation

  • Activities: application/infra VAPT, configuration compliance scans, segmentation testing (card products), functional/security test of NPCI API flows, DR drill.
  • Deliverables: VAPT report with closure, scan reports, segmentation test results, DR drill report, retest evidence.

Phase 4 – Certification audit and NPCI sign-off

  • Activities: CERT-In empanelled (and PCI QSA for RuPay) audit, evidence review, findings closure, preparation of certification report and compliance declaration.
  • Deliverables: signed audit/certification report, compliance declaration, NPCI/sponsor submission and acceptance record.

Phase 5 – Continuous compliance and surveillance

  • Activities: circular tracking, FRM tuning, periodic VAPT, quarterly recon health-checks, annual recertification and change-triggered re-audit.
  • Deliverables: compliance calendar, circular-closure log, ongoing MIS, next-cycle audit plan.

Maturity and capability model

CyberSigma uses a five-level capability model to benchmark an entity's NPCI product security posture beyond a binary pass/fail, helping prioritise investment and demonstrate improvement across audit cycles.

Level | Name | Characteristics
1 | Initial / ad hoc | Controls undocumented; reliance on individuals; frequent audit findings; reactive fraud handling
2 | Developing | Basic policies and controls exist but inconsistently applied; manual recon; limited monitoring
3 | Defined | Controls documented and standardised across the product; annual audit passed; SIEM and FRM operational
4 | Managed | Metrics-driven; automated recon and FRM tuning; tested DR; proactive circular closure; low finding recurrence
5 | Optimised | Continuous assurance; threat-intelligence-driven FRM; automated compliance evidence; leading practice shared with NPCI ecosystem

Assessment and audit approach

  1. Engagement scoping and kick-off: confirm products, spec/OC versions, systems, third parties and audit objectives; agree evidence request list and timeline.
  2. Documentation review: policies, procedures, architecture, data-flow diagrams, key-ceremony records, prior audit/VAPT reports and circular-closure logs.
  3. Control walkthroughs and interviews: with GRC, network, application, crypto/HSM, FRM, SOC and settlement teams to understand design and operation.
  4. Technical testing: VAPT, configuration/hardening review, segmentation testing (card products), API security testing and log/SIEM validation.
  5. Product-specific validation: exercise IMPS/RuPay/AePS/NACH/NFS/FASTag/CTS flows against the applicable spec, including cryptographic and message-integrity checks.
  6. Sampling and evidence corroboration: sample transactions, disputes, recon breaks, access reviews and change tickets to confirm operating effectiveness.
  7. Findings analysis and rating: classify gaps by severity against NPCI/RBI mandates and business risk; identify root cause.
  8. Remediation and retest: track closure of high/critical findings and retest to confirm effectiveness before sign-off.
  9. Reporting and certification: issue the certification/audit report, compliance declaration and management summary.
  10. NPCI/sponsor submission and continuous surveillance planning: submit for acceptance and define the ongoing compliance cycle.

Evidence request list

  • Governance: security policy, board minutes, CISO/FRM committee charter, risk register, circular tracker, outsourcing contracts.
  • Architecture & network: network/data-flow diagrams, NPCINet circuit details, firewall/segmentation configs, hardening standards.
  • Application & API: SDLC policy, threat models, SAST/DAST/VAPT reports, API design and message-signing configuration.
  • Cryptography: HSM inventory and certificates, key-ceremony records, custodian sign-offs, KCV logs, crypto standard.
  • Authentication & FRM: auth flow docs, OTP/MPIN configs, FRM rule catalogue, alert and dispute MIS, fraud-reporting acknowledgements.
  • Data protection: data-localisation attestation, tokenisation/ADV design, masking evidence, retention and disposal records, consent records.
  • Logging & IR: SIEM architecture, log-source list, use-case catalogue, incident register, CERT-In/RBI reporting records.
  • BCP/DR: BCP/DR plan, BIA, DR drill and failover reports, backup/restore test records, capacity/load-test reports.
  • Reconciliation & settlement: daily recon reports, DMS/UDIR records, file-integrity/checksum logs, unreconciled-item ageing.
  • Product-specific: IMPS/RuPay/AePS/NACH/NFS/FASTag/CTS spec-version mapping, PCI ROC/AOC (RuPay), UIDAI licences (AePS), CTS-2010 test evidence.
  • People & access: org chart, access-review reports, SoD matrix, PAM logs, training/awareness records.
  • Change management: change register, spec-migration records, prior certification and acceptance letters.

Roles and responsibilities

Role | Responsibility
Board / senior management | Approve policy, own risk appetite, ensure resourcing and accountability
CISO / Information Security | Own the control framework, drive remediation, liaise with NPCI/RBI on security
Product / Payments operations | Operate the NPCI rail, own settlement, recon and dispute TAT
Fraud Risk Management (FRM) team | Run monitoring, tune rules, handle fraud reporting to NPCI/RBI
Application & API engineering | Implement spec-compliant, securely coded integrations and remediate findings
Infrastructure / network team | Maintain segmentation, NPCINet connectivity, hardening and patching
Cryptography / HSM custodians | Run key ceremonies under dual control, manage certificates and key lifecycle
SOC / monitoring team | 24x7 detection, alerting, incident triage and CERT-In reporting
Compliance / GRC | Track circulars, manage audit cycle, evidence and certification submissions
Internal audit | Independent assurance and follow-up on remediation
Third-party / TSP / TPAP owners | Deliver flow-down compliance and provide audit evidence for hosted components
External auditor (CERT-In / PCI QSA) | Independently assess and certify against NPCI/RBI/PCI requirements

KPIs to track

  • Certification status and days-to-expiry per NPCI product.
  • Open high/critical audit and VAPT findings, and mean time to remediate.
  • Percentage of RBI/NPCI/UIDAI circulars closed within due date.
  • Fraud rate (bps) and fraud value per product, versus NPCI ecosystem benchmarks.
  • Dispute/chargeback volume and resolution within regulated TAT.
  • Reconciliation break count and unreconciled-item ageing.
  • Incident count, mean time to detect/respond, and CERT-In/RBI reporting within 6 hours.
  • DR drill success rate and achieved RTO/RPO versus target.
  • Patch SLA adherence and configuration-compliance score.
  • HSM key-ceremony and certificate-expiry compliance (zero overdue).
  • Transaction success/decline rate and technical-decline (TD) percentage per product.

Readiness checklist

  • Current NPCI spec/OC versions and applicable RBI/UIDAI circulars identified and mapped.
  • Scope document, data-flow diagrams and third-party inventory finalised and agreed.
  • Board-approved security policy and FRM governance in place and current.
  • Segmentation, NPCINet connectivity and infrastructure hardening validated.
  • HSM key ceremonies documented; no clear-text PIN/PAN/biometric anywhere.
  • API integrations spec-compliant with message signing and anti-replay controls.
  • Tokenisation / Aadhaar Data Vault / PCI DSS controls implemented as applicable.
  • FRM rules live with transaction monitoring, limits and negative lists.
  • SIEM, SOC and 6-hour incident-reporting SOP operational.
  • BCP/DR tested with successful switch failover and recon continuity.
  • Daily reconciliation, DMS/UDIR dispute handling and TAT MIS in place.
  • VAPT complete with high/critical findings closed and retested.
  • Data localisation attested and privacy/DPDP controls evidenced.
  • Evidence pack assembled and prior certification/acceptance letters available.

Common gaps

  • Running an outdated NPCI API/spec (OC) version and missing a mandated migration deadline.
  • Weak segmentation — the NPCI switch/CDE reachable from corporate or internet zones.
  • Clear-text or improperly encrypted PIN/PAN/biometric in logs, DB or transit.
  • HSM key ceremonies undocumented or lacking dual control / split knowledge.
  • FRM rules static and untuned, leading to high false negatives and mule-account fraud.
  • Reconciliation breaks left ageing beyond TAT with weak dispute (DMS/UDIR) handling.
  • Payment-data localisation gaps via cloud sub-processors or offshore analytics.
  • Aadhaar Data Vault missing or biometrics improperly stored (AePS non-compliance).
  • RuPay entity relying on an expired or scope-narrowed PCI DSS certification.
  • Incident reporting to CERT-In/RBI beyond the 6-hour window; no forensic readiness.
  • Third-party TSP/TPAP compliance not flowed down or evidenced by the sponsor.
  • DR untested for switch failover and settlement continuity; unrealistic RTO/RPO.
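The clear-text PAN gap listed above is most often found in debug and error logs rather than in the database, so auditors commonly run a scanner over log samples before trusting a "no card data in logs" attestation. The block below is an added example, not NPCI's or any auditor's tooling: it treats any 13 to 19 digit run that passes the Luhn check as a candidate PAN, ignores properly masked values (first six and last four visible, an assumed mask policy) and non-Luhn numeric fields such as RRNs, and reports findings with the PAN already masked so the report itself does not become a new leak. The log lines are constructed for illustration and use well-known test card numbers, not RuPay BINs.

```python
"""Added example: detect clear-text PANs in log lines (Luhn-checked, masked on report).
Sample log lines are constructed; test card numbers are public test values."""
import re

# Candidate PAN: 13-19 digits, optional single space/hyphen between digits,
# not preceded or followed by another digit (so 20+ digit runs are not split).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; returns True for a valid card-number checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_pans(line: str) -> list[str]:
    """Return Luhn-valid digit runs in one log line that look like full PANs."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four visible (assumed mask policy); never echo the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_logs(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every clear-text PAN found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_clear_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample: line 1 is compliant (masked PAN, numeric RRN that fails Luhn),
# line 2 leaks a PAN in a raw field dump, line 3 hides a PAN in a "reference" field.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z switch INFO txn rrn=2024010112345678 pan=411111******1111 resp=00",
    "2024-05-01T10:00:02Z switch DEBUG raw f2=4111111111111111 f52=A1B2C3D4E5F60718",
    "2024-05-01T10:00:03Z auth ERROR timeout ref=6011000990139424",
]

if __name__ == "__main__":
    for lineno, masked in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: clear-text PAN {masked}")
```

Field 52 on the second line is a PIN block, which this scanner does not try to recognise; PIN blocks are random-looking hex and are better caught by knowing which fields the switch writes than by pattern matching. The point of the Luhn filter is the first line: a 16-digit RRN or timestamp is not a finding, and a scanner that flags every long number gets ignored after its first run.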

NPCI Product Audits mapped to other frameworks

NPCI control theme | Maps to (other framework / regulation)
Overall security controls baseline | RBI Master Direction on Digital Payment Security Controls (2021)
Governance, risk & CISO structure | RBI Cyber Security Framework for Banks (2016); ISO/IEC 27001 A.5
Card data protection (RuPay) | PCI DSS v4.0; PCI PIN Security; EMVCo specifications
Card tokenisation (RuPay CoF) | RBI Tokenisation (CoFT) guidelines; PCI DSS tokenisation guidance
Aadhaar / biometric protection (AePS) | Aadhaar Act 2016; UIDAI AUA/KUA & Registered Device (L1) framework
Data localisation & privacy | RBI storage-of-payment-data directive (2018); DPDP Act 2023
Incident reporting | CERT-In Directions (April 2022), 6-hour reporting; RBI incident reporting
Cryptography & key management | FIPS 140-2/3; ISO/IEC 27001 A.10; PCI PIN/HSM standards
Application & API security | OWASP Top 10 / ASVS; ISO/IEC 27001 A.14
Aggregator/gateway controls | RBI PA/PG Guidelines (2020, as amended)
Business continuity | ISO 22301; RBI BCP guidance
Fraud reporting & risk | RBI CPFIR / fraud-reporting returns; NPCI FRM circulars

How CyberSigma helps

Partner with CyberSigma for NPCI Product Security Audits
CyberSigma is a CERT-In empanelled auditor and PCI QSA firm with deep, product-specific expertise across IMPS, RuPay, AePS, NACH, NFS, FASTag and CTS. We run end-to-end engagements — scoping and gap assessment against the current NPCI/RBI/UIDAI specifications, remediation design (segmentation, HSM key ceremonies, API message signing, tokenisation, Aadhaar Data Vault, FRM tuning), VAPT and segmentation testing, DR validation, and the final certification audit with NPCI/sponsor-ready reporting. Our accelerators include a control library mapped to every NPCI product family, an evidence-pack template, a circular-tracking service and ongoing surveillance so you stay continuously certified. Talk to CyberSigma to plan your next NPCI product audit or to remediate findings before your renewal deadline.

Frequently asked questions

Are NPCI circulars public?
Largely no. NPCI product operating and technical circulars are not published as a public register, so the audit criteria must be obtained from the member, the sponsor bank and the NPCI Partner Portal, using the versions in force at the audit cut-off date.

Need help with NPCI Product Audits?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant, with a scoped, guided programme.