Introduction to NPCI Product Security Audits
The National Payments Corporation of India (NPCI) is the umbrella organisation for retail payments and settlement systems in India, operating under the Payment and Settlement Systems Act, 2007 and regulated by the Reserve Bank of India (RBI). NPCI owns and operates a portfolio of nationally critical payment products, including the Immediate Payment Service (IMPS), RuPay card scheme, Aadhaar Enabled Payment System (AePS), National Automated Clearing House (NACH), National Financial Switch (NFS), FASTag on the National Electronic Toll Collection (NETC) rails, Cheque Truncation System (CTS) and the Unified Payments Interface (UPI) with its overlay services. Every bank, non-bank member, Payment System Provider (PSP), Third Party Application Provider (TPAP), technical service provider (TSP), aggregator and merchant that integrates with these rails must undergo periodic security certification and audit before go-live and on a recurring basis thereafter.
NPCI Product Security Audits are the mandated technical and process assurance reviews that verify a participant's implementation of an NPCI product conforms to the applicable Procedural Guidelines, technical specifications, API integration specifications, risk management framework circulars and the overarching security requirements laid down by NPCI and RBI. Unlike a generic information security audit, these audits are product-specific: an IMPS audit checks Remitter/Beneficiary flows, session and OTP controls and the NFS/IMPS switch interface, whereas a RuPay audit examines PCI DSS scope, HSM key ceremonies, EMV/tokenisation and the RuPay authorisation host. This guide provides an auditor-grade, product-by-product deep dive that serves both the assessor performing the certification and the engineering, risk and compliance teams building or remediating the controls.
Copyright and source note
NPCI Procedural Guidelines, API/technical specification bundles, the NPCI Risk Management circulars, RuPay Compliance Guidelines and the UPI Security Guidelines are proprietary, licensed documents released to members under NDA through the NPCI Connect / member portal. This guide is original CyberSigma commentary. It paraphrases publicly known control themes and cites the relevant circular families by name and identifier where applicable; it does not reproduce NPCI, RBI, UIDAI or PCI SSC copyrighted text. Always audit against the current, member-licensed version of each specification, as NPCI revises product specifications and OC (Operating Circular) versions frequently.
What are NPCI Product Audits
NPCI Product Audits are a family of product-scoped security certifications and periodic audits that a member entity must complete to obtain and retain the right to transact on a given NPCI rail. The audit universe is defined by three layers of authority: (1) statutory and regulatory instruments: the PSS Act 2007, RBI's Master Directions on Digital Payment Security Controls (RBI/2020-21/74, DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21), RBI's cyber security framework for banks (DBS.CO.CSITE/2016-17), and the RBI PA/PG guidelines for aggregators; (2) NPCI product Procedural Guidelines and Operating Circulars issued per product; and (3) scheme technical and security specifications such as the RuPay compliance and tokenisation specs, the UPI Procedural Guidelines and API specs, the AePS/Aadhaar authentication ecosystem requirements set by UIDAI, and the NACH/CTS operating specifications.
The audits are typically executed by a CERT-In empanelled auditor, and for card products additionally by a PCI QSA, culminating in a certification report, a compliance declaration and, for several products, a sign-off that NPCI accepts through the member/NPCI Connect portal before enabling the entity in production. Certification is not one-and-done: most products require an annual security audit, a fresh audit on any material change (new API version migration, new data centre, major architecture change), and continuous compliance with fraud and risk management (FRM) circulars issued through the year.
Each product carries a distinct control surface. IMPS is a real-time push credit rail over the NFS switch. RuPay is a card scheme with PCI DSS, EMV, HSM and tokenisation obligations. AePS relies on Aadhaar biometric/demographic authentication and therefore inherits UIDAI's Aadhaar Act 2016, AUA/KUA, ASA and biometric device (Registered Device / L1) requirements. NACH is a bulk mandate and clearing rail with e-mandate/API mandate and file integrity concerns. NFS is the ATM/interoperable switch network. FASTag/NETC covers RFID tag issuance, toll acquiring and reconciliation. CTS covers cheque image capture, IQA (Image Quality Assurance) and the CTS-2010 standard.
Who must comply
Any entity that connects to, processes, stores or transmits data on an NPCI rail is in scope. The obligation cascades from the sponsor/member bank down to every technical partner and outsourced provider under RBI's outsourcing and NPCI's third-party accountability principles.
| Entity type | Products typically in scope | Nature of obligation |
|---|---|---|
| Scheduled commercial / small finance / payments banks (member banks) | IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS, UPI | Full member certification + annual security audit per product; sponsor accountability for their TPAPs/TSPs |
| Non-bank PSPs and PPI issuers | UPI (PSP), RuPay (prepaid), FASTag issuer | Certification via sponsor bank; FRM and security audit compliance |
| Third Party Application Providers (TPAPs) | UPI apps | App security audit, PSP sponsor sign-off, adherence to UPI Procedural Guidelines |
| Technical Service Providers (TSPs) / aggregators / switch vendors | Product they host (IMPS switch, RuPay host, AePS host) | Security audit of hosted stack; back-to-back compliance flow-down from member |
| Payment aggregators / gateways (RBI PA licensed) | RuPay acquiring, UPI, NACH e-mandate | PCI DSS + RBI PA/PG security audit + NPCI product audit |
| AUA/KUA and ASA entities (AePS) | AePS, Aadhaar auth | UIDAI security audit + biometric device (RDService/L1) compliance + NPCI AePS audit |
| Toll acquirers / NETC concessionaires | FASTag / NETC | NETC operating spec compliance + security audit + reconciliation controls |
| Corporates / billers using NACH | NACH (mandates, debit files) | File security, mandate governance, sponsor bank oversight |
| Merchants and merchant TSPs | RuPay POS/e-com, UPI QR | PCI DSS scope (if handling PAN), QR/collect flow controls |
- Go-live prerequisite: no entity is enabled in production on a rail without a passed certification/audit and NPCI acceptance.
- Annual recertification: most products mandate a fresh security audit at least once every financial year.
- Change-triggered audit: migration to a new API/spec version, new DR/DC, or major architectural change re-triggers audit.
- Flow-down: members remain accountable for the compliance posture of every downstream TSP/TPAP/aggregator they sponsor.
Structure of NPCI Product Audits
The audit programme is organised as a set of cross-cutting control domains that apply to every product, plus product-specific control families layered on top. The cross-cutting domains derive from RBI's Digital Payment Security Controls and the NPCI security baseline; the product families derive from each product's Procedural Guidelines, technical spec and risk circulars.
| Domain / family | Applies to | Representative control area |
|---|---|---|
| Governance, risk & compliance (GRC) | All products | Board-approved security policy, risk assessment, FRM committee, RBI/NPCI circular tracking |
| Network & infrastructure security | All products | Segmentation, firewall/IPS, leased-line/MPLS to NPCI, DDoS, hardening |
| Application & API security | All products | Secure SDLC, VAPT, API auth (message signing), input validation, session management |
| Cryptography & key management | IMPS, RuPay, AePS, NACH, CTS | HSM usage, key ceremonies, PIN/OTP/message encryption, certificate lifecycle |
| Authentication & transaction integrity | IMPS, UPI, AePS, RuPay | Two-factor auth, OTP/MPIN, device binding, message signing, non-repudiation |
| Fraud & risk management (FRM) | All products | Velocity/limit rules, transaction monitoring, chargeback/dispute, negative lists |
| Data protection & privacy | All products | Data localisation (RBI), Aadhaar data vault (AePS), tokenisation (RuPay), DPDP Act |
| Logging, monitoring & incident response | All products | SIEM, 6-hour RBI/CERT-In incident reporting, forensic readiness |
| Business continuity & DR | All products | RTO/RPO, DR drills, switch failover, reconciliation continuity |
| Reconciliation & settlement integrity | All switch/clearing products | Raw file/settlement recon, TCC/RET, dispute (DMS/UDIR), NPCINet integrity |
| IMPS product family | IMPS | Remitter/Beneficiary flow, P2P/P2A, MMID, IFSC+account, session & OTP |
| RuPay product family | RuPay | PCI DSS, EMV, tokenisation, HSM, 3-D Secure, RuPay CVD/iCVV, chargeback |
| AePS / Aadhaar family | AePS | AUA/KUA, ASA, Registered Devices (L1), Aadhaar Data Vault, biometric locking |
| NACH product family | NACH | Mandate (physical/e-mandate/API), sponsor/destination bank, file integrity, DMS |
| NFS / ATM family | NFS | ATM switch, key management (TMK/TPK/ZMK), interoperability, dispute (DMS) |
| FASTag / NETC family | FASTag | Tag issuance, mapper, toll acquiring, reconciliation, exception handling |
| CTS product family | CTS | CTS-2010 standard, image capture, IQA, grey-scale/security features, presentment/return |
Master assessment checklist
This is the core of the audit. Each control group below is enumerated with what the auditor must verify and the typical evidence the implementer must produce. The cross-cutting domains apply to every product; the product-specific families follow. No control area is skipped.
Governance, risk and compliance (GRC)
| What to verify | Typical evidence |
|---|---|
| Board/senior-management approved information & payment security policy exists and is reviewed at least annually | Signed policy, board minutes, review dates |
| A designated CISO and risk/FRM committee with defined charter and NPCI liaison | Org chart, committee charter, meeting minutes |
| Documented risk assessment covering the specific NPCI product and its data flows | Risk register, DFDs, risk treatment plan |
| Mechanism to track and implement RBI/NPCI/UIDAI circulars and OC version changes | Circular tracker, gap-closure records, sign-offs |
| Third-party / outsourcing risk governance with back-to-back security clauses (RBI outsourcing guidelines) | Vendor contracts, due-diligence reports, right-to-audit clauses |
| Compliance calendar mapping annual audit, VAPT, DR drill and certification renewals | Compliance calendar, evidence of past cycles |
Network and infrastructure security
| What to verify | Typical evidence |
|---|---|
| Dedicated secure connectivity to NPCI (NPCINet / leased line / MPLS) with encryption and no internet exposure of the switch | Network diagram, circuit IDs, firewall config |
| Segmentation isolating the NPCI/CDE zone from corporate and internet zones | VLAN/zoning diagram, firewall rulebase review |
| Firewall, IPS/IDS, WAF and DDoS protection deployed and rule-reviewed periodically | Device configs, rule review logs, DDoS SLA |
| Server/OS/DB/network device hardening to CIS or NPCI baseline | Hardening standards, config compliance scan reports |
| Patch and vulnerability management with defined SLAs by severity | Patch register, VA scan reports, SLA tracker |
| Secure remote access (MFA, jump host, privileged access management) | PAM records, MFA config, access logs |
Application and API security
| What to verify | Typical evidence |
|---|---|
| Secure SDLC with threat modelling, code review and security gates | SDLC policy, threat models, SAST/DAST reports |
| Annual application VAPT (and after major change) with closure of high/critical findings | VAPT report, remediation tracker, retest evidence |
| API integration per NPCI spec: message-level signing/verification, mutual TLS where required | API design doc, signing key config, TLS certs |
| Input validation, output encoding and protection against OWASP Top 10 | Test cases, WAF rules, pen-test evidence |
| Session management: timeout, anti-replay (nonce/txn ID), no sensitive data in URLs/logs | Session config, log samples, code review notes |
| Secure error handling that does not leak stack traces or PAN/Aadhaar/PIN | Error handling standard, log/screen samples |
Cryptography and key management
| What to verify | Typical evidence |
|---|---|
| FIPS 140-2 (L3+) HSMs used for PIN, key and message cryptography where mandated | HSM inventory, certificates, deployment diagram |
| Documented key ceremony for generation, split-knowledge/dual-control, custody and rotation | Key ceremony records, custodian sign-offs, KCV logs |
| Approved algorithms and key lengths (AES, RSA-2048+, 3DES only where legacy-mandated) | Crypto standard, algorithm inventory |
| Certificate lifecycle management (issuance, expiry alerting, revocation) for NPCI/UIDAI certs | Cert inventory, expiry monitoring, CA records |
| No clear-text PIN/key/PAN/biometric at rest or in transit; encryption end-to-end | DFDs, packet/DB inspection evidence, tokenisation config |
| Secure key destruction and compromise/rekey procedure | Destruction logs, compromise runbook |
Authentication and transaction integrity
| What to verify | Typical evidence |
|---|---|
| Two-factor authentication for transactions (e.g., MPIN + device, OTP + PIN) per product rule | Auth flow doc, config, test evidence |
| Device binding / hard-binding and SIM/device change re-registration (UPI/mobile) | Device registration logs, binding config |
| OTP controls: single-use, time-bound, throttled, delivered on registered channel | OTP config, throttling rules, log samples |
| Message signing and non-repudiation for each NPCI API call | Signing implementation, verification logs |
| Anti-automation / velocity throttling on auth attempts and enrolment | Rate-limit config, lockout evidence |
| Beneficiary/registration cooling-off and limit ramps where mandated | Rule config, product-guideline mapping |
Fraud and risk management (FRM)
| What to verify | Typical evidence |
|---|---|
| Real-time/near-real-time transaction monitoring engine with rules per NPCI FRM circulars | FRM tool config, rule catalogue, alert samples |
| Velocity, amount, geo, device and beneficiary-based rules and dynamic limits | Rule matrix, tuning records |
| Negative/deny lists, mule-account detection and NPCI shared-intelligence consumption | List management, integration evidence |
| Chargeback / dispute / customer-complaint handling within regulated TAT | Dispute logs, TAT MIS, DMS/UDIR records |
| Fraud reporting to NPCI and RBI (CPFIR / relevant returns) within timelines | Reporting records, acknowledgements |
| Customer risk communication, cooling period on new-beneficiary high-value transfers | Config, notification samples |
Data protection, privacy and localisation
| What to verify | Typical evidence |
|---|---|
| RBI payment-data localisation: all payment data stored only in India (end-to-end) | Data-residency attestation, infra location proof, DPO sign-off |
| Aadhaar Data Vault implemented with reference-key tokenisation (AePS) | ADV architecture, tokenisation config, audit trail |
| RuPay PAN tokenisation and PCI DSS storage controls (no prohibited data storage) | Tokenisation flow, PCI ROC/SAQ, data-retention policy |
| Data classification, retention and secure disposal aligned to policy and DPDP Act 2023 | Classification matrix, retention schedule, disposal logs |
| Masking of PAN/Aadhaar/mobile in UI, logs and reports | Masking standard, screen/log evidence |
| Consent management and purpose limitation for customer data | Consent records, privacy notice |
Logging, monitoring and incident response
| What to verify | Typical evidence |
|---|---|
| Centralised logging/SIEM covering NPCI stack with tamper-evident, time-synced logs | SIEM architecture, log source list, NTP config |
| Use-case-based alerting and 24x7 SOC coverage | Use-case catalogue, SOC roster, alert MIS |
| Incident response plan with severity classification and NPCI notification path | IR plan, tabletop/drill evidence |
| RBI/CERT-In cyber-incident reporting within 6 hours of detection | Reporting SOP, past incident records, acknowledgements |
| Log retention meeting regulatory minimums (typically ≥180 days online, per RBI/CERT-In) | Retention config, archival evidence |
| Forensic readiness and evidence-preservation procedure | Forensic SOP, chain-of-custody templates |
Business continuity and disaster recovery
| What to verify | Typical evidence |
|---|---|
| Documented BCP/DR with defined RTO/RPO for the NPCI product | BCP/DR plan, BIA, RTO/RPO matrix |
| Near-DR / DR site with periodic switchover drills including switch failover | DR drill reports, failover logs |
| Reconciliation and settlement continuity during DR operation | DR recon procedure, drill evidence |
| Backup, restoration testing and offline/immutable copies | Backup logs, restore test records |
| Capacity and resilience for peak (festival/salary-day) transaction volumes | Capacity plan, load-test reports |
Reconciliation and settlement integrity
| What to verify | Typical evidence |
|---|---|
| Daily raw-file / settlement reconciliation against NPCI reports (TCC/RET, net settlement) | Recon reports, break-resolution logs |
| Automated exception and dispute handling via NPCI DMS / UDIR / relevant portal | DMS/UDIR records, ageing MIS |
| Integrity and completeness controls on files exchanged with NPCI (hash/checksum, sequence) | File-integrity config, checksum logs |
| Segregation of duties in settlement and GL posting | SoD matrix, access review |
| Unreconciled item ageing within regulated TAT and provisioning | Ageing report, escalation records |
IMPS product family
| What to verify | Typical evidence |
|---|---|
| Remitter and Beneficiary flows implemented per IMPS Procedural Guidelines (P2P via MMID+mobile, P2A via IFSC+account) | IMPS design doc, spec-version mapping |
| Session security, transaction timeout and duplicate/replay prevention on the IMPS interface | Session config, anti-replay evidence |
| Two-factor / OTP + MPIN authentication and per-txn limits per RBI/NPCI rules | Auth config, limit matrix |
| NFS/IMPS switch interface hardening, message signing and heartbeat handling | Switch config, signing keys |
| Beneficiary validation, name-match and mule/fraud checks on credit leg | Validation logic, FRM rule mapping |
| TCC/RET dispute processing and remitter credit-reversal within TAT | Dispute logs, reversal TAT MIS |
RuPay product family
| What to verify | Typical evidence |
|---|---|
| Valid PCI DSS certification (ROC/AOC) covering the RuPay CDE | PCI ROC/AOC, ASV scans, QSA report |
| EMV chip / contactless and iCVV/CVD2 validation per RuPay compliance spec | EMV test results, personalisation spec |
| Card tokenisation (CoF / device tokenisation) per RuPay + RBI tokenisation guidelines | Token vault config, tokenisation flow |
| HSM-based PIN block, ARQC/ARPC and key management for the authorisation host | HSM config, key ceremony, cryptogram test |
| 3-D Secure / risk-based authentication for CNP transactions | 3DS config, ACS/DS integration evidence |
| Chargeback, dispute and clearing/settlement per RuPay operating regulations | Chargeback MIS, dispute cycle evidence |
AePS / Aadhaar authentication family
| What to verify | Typical evidence |
|---|---|
| Valid AUA/KUA and ASA agreements and UIDAI compliance for Aadhaar authentication | UIDAI licences, ASA agreement, audit report |
| Registered Device (RDService / L1) usage with encrypted biometric capture (no stored biometrics) | Device certification, PID block config |
| Aadhaar Data Vault with reference-key tokenisation and strict access control | ADV design, access logs, audit trail |
| End-to-end encryption of PID / biometric data using UIDAI public key | Encryption config, key management evidence |
| AePS transaction limits, velocity and fraud controls (per NPCI AePS FRM circulars) | FRM rule config, limit matrix |
| Aadhaar masking, consent and UIDAI audit-log retention | Masking evidence, consent records, log retention |
NACH product family
| What to verify | Typical evidence |
|---|---|
| Mandate lifecycle controls for physical, e-mandate (net-banking/debit-card) and API mandate | Mandate flow doc, e-sign/OTP config |
| Sponsor-bank / destination-bank role controls and file authorisation | Role matrix, file-auth workflow |
| Input/debit and mandate-file integrity (checksum, sequence, digital signing) | File-integrity config, signing evidence |
| Presentation/settlement cycle adherence and return (reject) handling | Cycle MIS, return-code handling |
| Dispute management (DMS) and unauthorised-debit resolution within TAT | DMS records, complaint TAT MIS |
| Mandate data protection and access control on customer bank/UMRN data | Access review, masking evidence |
NFS / ATM switch family
| What to verify | Typical evidence |
|---|---|
| ATM/switch key hierarchy (TMK, TPK, ZMK, ZPK) managed in HSM under dual control | Key inventory, ceremony records |
| Interoperable transaction handling per NFS spec and message-format compliance | Switch config, ISO 8583 message tests |
| PIN security end-to-end, no clear PIN, PIN-block format compliance | PIN-block config, HSM evidence |
| ATM/terminal fraud controls, geo/velocity, hotlisting | FRM rules, hotlist integration |
| Dispute resolution via NPCI DMS and TAT compliance | DMS records, TAT MIS |
| Reconciliation of NFS switch settlement files | Recon reports, break logs |
FASTag / NETC family
| What to verify | Typical evidence |
|---|---|
| Tag issuance, KYC and mapper registration per NETC operating spec | Issuance SOP, mapper records, KYC evidence |
| Toll acquiring, tag-read integrity and transaction message security | Acquiring config, message-integrity evidence |
| Blacklist/exception-list synchronisation and low-balance handling | Exception-list sync logs, config |
| Reconciliation between acquirer, issuer and NPCI settlement | Recon reports, dispute MIS |
| Chargeback / dispute and customer-complaint handling within TAT | Dispute records, TAT MIS |
| Data protection on vehicle/customer/VRN and mapper data | Access review, masking evidence |
CTS product family
| What to verify | Typical evidence |
|---|---|
| Cheque capture and image compliance with CTS-2010 standard (grey-scale + security features) | Capture config, CTS-2010 test evidence |
| Image Quality Assurance (IQA) at capture and at presentment | IQA rule config, reject MIS |
| Digital signing / encryption of cheque images and data files exchanged with the grid | Signing config, key management |
| Presentment, return (bounce) and re-presentment cycle controls | Cycle MIS, return-code handling |
| Positive Pay System (PPS) integration for high-value cheques | PPS config, validation evidence |
| Fraud controls on image alteration and duplicate presentment | FRM rules, duplicate-detection evidence |
Scoping
Scoping determines which control families, systems, data stores and third parties fall inside the audit boundary. Under-scoping is the single most common cause of certification rejection and post-go-live incidents; over-scoping inflates cost and timeline. Scope must be documented, agreed with NPCI/sponsor and re-validated each cycle.
- Product scope: identify every NPCI rail the entity transacts on (IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS) and the specific spec/OC version in production for each.
- System scope: all systems that store, process or transmit product data — switches, hosts, HSMs, API gateways, databases, SIEM, and the CDE for card products.
- Data scope: PAN, PIN, biometric/Aadhaar, UMRN/mandate, cheque images, VRN, settlement files; map each to its data flow and residency.
- Network scope: NPCINet/leased-line segments, DMZ, CDE, DR site and management planes.
- Third-party scope: TSPs, aggregators, TPAPs, cloud providers and their sub-processors, with flow-down compliance obligations.
- Environment scope: production plus DR; segregation from dev/test; and any shared/multi-tenant infrastructure.
- Exclusions: explicitly document out-of-scope systems with justification and compensating controls.
Scoping tip
For RuPay, apply PCI DSS scoping and segmentation testing rigorously — any system with connectivity to the CDE is in scope. For AePS, remember UIDAI scope extends to every component touching PID/biometric data, and the Aadhaar Data Vault plus its access paths are always in scope.
Implementation approach
A phased approach de-risks certification. Each phase below lists the key activities and the concrete deliverables an auditor will expect to see.
Phase 1 – Discovery and gap assessment
- Activities: inventory in-scope products/systems, obtain current NPCI/UIDAI/RBI specs and OC versions, map data flows, run a gap assessment against every control family in the master checklist.
- Deliverables: scope document, data-flow diagrams, control-gap report with severity, remediation roadmap and effort estimate.
Phase 2 – Design and remediation
- Activities: design/fix segmentation, HSM key ceremonies, API message signing, tokenisation/ADV, FRM rules, logging and DR; update policies and runbooks.
- Deliverables: updated security architecture, hardened configs, key-ceremony records, policy set, remediation-closure tracker.
Phase 3 – Testing and validation
- Activities: application/infra VAPT, configuration compliance scans, segmentation testing (card products), functional/security test of NPCI API flows, DR drill.
- Deliverables: VAPT report with closure, scan reports, segmentation test results, DR drill report, retest evidence.
Phase 4 – Certification audit and NPCI sign-off
- Activities: CERT-In empanelled (and PCI QSA for RuPay) audit, evidence review, findings closure, preparation of certification report and compliance declaration.
- Deliverables: signed audit/certification report, compliance declaration, NPCI/sponsor submission and acceptance record.
Phase 5 – Continuous compliance and surveillance
- Activities: circular tracking, FRM tuning, periodic VAPT, quarterly recon health-checks, annual recertification and change-triggered re-audit.
- Deliverables: compliance calendar, circular-closure log, ongoing MIS, next-cycle audit plan.
Maturity and capability model
CyberSigma uses a five-level capability model to benchmark an entity's NPCI product security posture beyond a binary pass/fail, helping prioritise investment and demonstrate improvement across audit cycles.
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial / ad hoc | Controls undocumented; reliance on individuals; frequent audit findings; reactive fraud handling |
| 2 | Developing | Basic policies and controls exist but inconsistently applied; manual recon; limited monitoring |
| 3 | Defined | Controls documented and standardised across the product; annual audit passed; SIEM and FRM operational |
| 4 | Managed | Metrics-driven; automated recon and FRM tuning; tested DR; proactive circular closure; low finding recurrence |
| 5 | Optimised | Continuous assurance; threat-intelligence-driven FRM; automated compliance evidence; leading practice shared with NPCI ecosystem |
Assessment and audit approach
- Engagement scoping and kick-off: confirm products, spec/OC versions, systems, third parties and audit objectives; agree evidence request list and timeline.
- Documentation review: policies, procedures, architecture, data-flow diagrams, key-ceremony records, prior audit/VAPT reports and circular-closure logs.
- Control walkthroughs and interviews: with GRC, network, application, crypto/HSM, FRM, SOC and settlement teams to understand design and operation.
- Technical testing: VAPT, configuration/hardening review, segmentation testing (card products), API security testing and log/SIEM validation.
- Product-specific validation: exercise IMPS/RuPay/AePS/NACH/NFS/FASTag/CTS flows against the applicable spec, including cryptographic and message-integrity checks.
- Sampling and evidence corroboration: sample transactions, disputes, recon breaks, access reviews and change tickets to confirm operating effectiveness.
- Findings analysis and rating: classify gaps by severity against NPCI/RBI mandates and business risk; identify root cause.
- Remediation and retest: track closure of high/critical findings and retest to confirm effectiveness before sign-off.
- Reporting and certification: issue the certification/audit report, compliance declaration and management summary.
- NPCI/sponsor submission and continuous surveillance planning: submit for acceptance and define the ongoing compliance cycle.
Evidence request list
- Governance: security policy, board minutes, CISO/FRM committee charter, risk register, circular tracker, outsourcing contracts.
- Architecture & network: network/data-flow diagrams, NPCINet circuit details, firewall/segmentation configs, hardening standards.
- Application & API: SDLC policy, threat models, SAST/DAST/VAPT reports, API design and message-signing configuration.
- Cryptography: HSM inventory and certificates, key-ceremony records, custodian sign-offs, KCV logs, crypto standard.
- Authentication & FRM: auth flow docs, OTP/MPIN configs, FRM rule catalogue, alert and dispute MIS, fraud-reporting acknowledgements.
- Data protection: data-localisation attestation, tokenisation/ADV design, masking evidence, retention and disposal records, consent records.
- Logging & IR: SIEM architecture, log-source list, use-case catalogue, incident register, CERT-In/RBI reporting records.
- BCP/DR: BCP/DR plan, BIA, DR drill and failover reports, backup/restore test records, capacity/load-test reports.
- Reconciliation & settlement: daily recon reports, DMS/UDIR records, file-integrity/checksum logs, unreconciled-item ageing.
- Product-specific: IMPS/RuPay/AePS/NACH/NFS/FASTag/CTS spec-version mapping, PCI ROC/AOC (RuPay), UIDAI licences (AePS), CTS-2010 test evidence.
- People & access: org chart, access-review reports, SoD matrix, PAM logs, training/awareness records.
- Change management: change register, spec-migration records, prior certification and acceptance letters.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Board / senior management | Approve policy, own risk appetite, ensure resourcing and accountability |
| CISO / Information Security | Own the control framework, drive remediation, liaise with NPCI/RBI on security |
| Product / Payments operations | Operate the NPCI rail, own settlement, recon and dispute TAT |
| Fraud Risk Management (FRM) team | Run monitoring, tune rules, handle fraud reporting to NPCI/RBI |
| Application & API engineering | Implement spec-compliant, securely coded integrations and remediate findings |
| Infrastructure / network team | Maintain segmentation, NPCINet connectivity, hardening and patching |
| Cryptography / HSM custodians | Run key ceremonies under dual control, manage certificates and key lifecycle |
| SOC / monitoring team | 24x7 detection, alerting, incident triage and CERT-In reporting |
| Compliance / GRC | Track circulars, manage audit cycle, evidence and certification submissions |
| Internal audit | Independent assurance and follow-up on remediation |
| Third-party / TSP / TPAP owners | Deliver flow-down compliance and provide audit evidence for hosted components |
| External auditor (CERT-In / PCI QSA) | Independently assess and certify against NPCI/RBI/PCI requirements |
KPIs to track
- Certification status and days-to-expiry per NPCI product.
- Open high/critical audit and VAPT findings, and mean time to remediate.
- Percentage of RBI/NPCI/UIDAI circulars closed within due date.
- Fraud rate (bps) and fraud value per product, versus NPCI ecosystem benchmarks.
- Dispute/chargeback volume and resolution within regulated TAT.
- Reconciliation break count and unreconciled-item ageing.
- Incident count, mean time to detect/respond, and CERT-In/RBI reporting within 6 hours.
- DR drill success rate and achieved RTO/RPO versus target.
- Patch SLA adherence and configuration-compliance score.
- HSM key-ceremony and certificate-expiry compliance (zero overdue).
- Transaction success/decline rate and technical-decline (TD) percentage per product.
Readiness checklist
- Current NPCI spec/OC versions and applicable RBI/UIDAI circulars identified and mapped.
- Scope document, data-flow diagrams and third-party inventory finalised and agreed.
- Board-approved security policy and FRM governance in place and current.
- Segmentation, NPCINet connectivity and infrastructure hardening validated.
- HSM key ceremonies documented; no clear-text PIN/PAN/biometric anywhere.
- API integrations spec-compliant with message signing and anti-replay controls.
- Tokenisation / Aadhaar Data Vault / PCI DSS controls implemented as applicable.
- FRM rules live with transaction monitoring, limits and negative lists.
- SIEM, SOC and 6-hour incident-reporting SOP operational.
- BCP/DR tested with successful switch failover and recon continuity.
- Daily reconciliation, DMS/UDIR dispute handling and TAT MIS in place.
- VAPT complete with high/critical findings closed and retested.
- Data localisation attested and privacy/DPDP controls evidenced.
- Evidence pack assembled and prior certification/acceptance letters available.
Common gaps
- Running an outdated NPCI API/spec (OC) version and missing a mandated migration deadline.
- Weak segmentation — the NPCI switch/CDE reachable from corporate or internet zones.
- Clear-text or improperly encrypted PIN/PAN/biometric in logs, DB or transit.
- HSM key ceremonies undocumented or lacking dual control / split knowledge.
- FRM rules static and untuned, leading to high false negatives and mule-account fraud.
- Reconciliation breaks left ageing beyond TAT with weak dispute (DMS/UDIR) handling.
- Payment-data localisation gaps via cloud sub-processors or offshore analytics.
- Aadhaar Data Vault missing or biometrics improperly stored (AePS non-compliance).
- RuPay entity relying on an expired or scope-narrowed PCI DSS certification.
- Incident reporting to CERT-In/RBI beyond the 6-hour window; no forensic readiness.
- Third-party TSP/TPAP compliance not flowed down or evidenced by the sponsor.
- DR untested for switch failover and settlement continuity; unrealistic RTO/RPO.
NPCI Product Audits mapped to other frameworks
| NPCI control theme | Maps to (other framework / regulation) |
|---|---|
| Overall security controls baseline | RBI Master Direction on Digital Payment Security Controls (2021) |
| Governance, risk & CISO structure | RBI Cyber Security Framework for Banks (2016); ISO/IEC 27001:2013 A.5/A.6 (2022 edition: A.5) |
| Card data protection (RuPay) | PCI DSS v4.0; PCI PIN Security; EMVCo specifications |
| Card tokenisation (RuPay CoF) | RBI Tokenisation (CoFT) guidelines; PCI DSS tokenisation guidance |
| Aadhaar / biometric protection (AePS) | Aadhaar Act 2016; UIDAI AUA/KUA & Registered Device (L1) framework |
| Data localisation & privacy | RBI storage-of-payment-data directive (2018); DPDP Act 2023 |
| Incident reporting | CERT-In Directions (April 2022) – 6-hour reporting; RBI incident reporting |
| Cryptography & key management | FIPS 140-2/3; ISO/IEC 27001:2013 A.10 (2022 edition: A.8.24); PCI PIN/HSM standards |
| Application & API security | OWASP Top 10 / ASVS; ISO/IEC 27001:2013 A.14 (2022 edition: A.8.25 to A.8.29) |
| Aggregator/gateway controls | RBI PA/PG Guidelines (2020, as amended) |
| Business continuity | ISO 22301; RBI BCP guidance |
| Fraud reporting & risk | RBI CPFIR / fraud-reporting returns; NPCI FRM circulars |
How CyberSigma helps
Partner with CyberSigma for NPCI Product Security Audits
CyberSigma is a CERT-In empanelled auditor and PCI QSA firm with deep, product-specific expertise across IMPS, RuPay, AePS, NACH, NFS, FASTag and CTS. We run end-to-end engagements — scoping and gap assessment against the current NPCI/RBI/UIDAI specifications, remediation design (segmentation, HSM key ceremonies, API message signing, tokenisation, Aadhaar Data Vault, FRM tuning), VAPT and segmentation testing, DR validation, and the final certification audit with NPCI/sponsor-ready reporting. Our accelerators include a control library mapped to every NPCI product family, an evidence-pack template, a circular-tracking service and ongoing surveillance so you stay continuously certified. Talk to CyberSigma to plan your next NPCI product audit or to remediate findings before your renewal deadline.