NPCI · India

NPCI UPI / TPAP Security Audit

Security audit requirements for UPI Third-Party Application Providers and PSP banks.

In NPCI’s UPI ecosystem, Third-Party Application Providers (TPAPs) — the apps consumers use to make UPI payments — and their sponsor Payment Service Provider (PSP) banks must meet NPCI’s security and audit requirements. TPAPs undergo security audits by CERT-In empanelled auditors before going live and periodically thereafter. This is a practical guide to the requirement and process.

The UPI ecosystem and roles

Entity                        Role
NPCI                          Operates the UPI switch and sets procedural and security guidelines
PSP bank                      A bank that provides UPI PSP services and sponsors TPAPs; owns the UPI handle
TPAP                          The third-party app (payment app) that provides the UPI interface to end users
Issuer / beneficiary banks    The remitter and payee banks holding customer accounts

When a security audit is required

  • Before go-live: a new TPAP/app must pass a security audit before launching on UPI.
  • Periodically thereafter: recurring security audits (typically annual) to remain compliant.
  • On significant change: major changes to the app, architecture or infrastructure may trigger reassessment.
  • The PSP bank’s UPI systems are also within NPCI’s security-assurance expectations.

Audit scope

  • Mobile application security testing (Android/iOS) — the UPI app and its SDKs.
  • API security testing of UPI and back-end APIs.
  • Infrastructure and network security assessment (servers, cloud, connectivity to the PSP/NPCI).
  • Data protection: secure handling, encryption and key management; restrictions on storing sensitive UPI data.
  • Compliance with NPCI UPI procedural guidelines and security circulars.
  • Identity, access control, logging and monitoring.

NPCI security requirements (typical)

  • Adherence to UPI procedural guidelines and applicable NPCI security circulars.
  • Secure coding and protection against the OWASP Mobile and API risk categories.
  • Encryption of data in transit and at rest; secure key management (often HSM-backed).
  • No storage of prohibited data elements; strict handling of UPI PIN and credentials (handled in the NPCI common library).
  • Strong device binding, session management and fraud controls.
  • Incident reporting and coordination with the PSP bank and NPCI.

Audit process

  1. Scope the app, APIs and infrastructure; agree the environment and access with the PSP bank.
  2. Perform mobile, API and infrastructure VAPT against NPCI/OWASP requirements.
  3. Review compliance with UPI procedural guidelines and security circulars.
  4. Document findings with severity and remediation guidance.
  5. Remediate and retest to closure.
  6. Issue the CERT-In empanelled security audit report for submission to the PSP bank / NPCI.

Evidence checklist

  • App architecture and data-flow diagrams (app ↔ PSP ↔ NPCI).
  • Mobile, API and infrastructure VAPT reports.
  • Encryption and key-management documentation.
  • Mapping to UPI procedural guidelines and NPCI security circulars.
  • Remediation evidence and retest results.
  • The final CERT-In empanelled security audit report.

Common gaps

  • Insecure data storage on the device or logging of sensitive elements.
  • Weak API authentication/authorisation or missing rate-limiting.
  • Insufficient device binding, session or root/jailbreak protections.
  • Findings closed without an independent retest.
  • Audit performed by a non-CERT-In-empanelled auditor.

How CyberSigma helps

CyberSigma is CERT-In empanelled — we perform UPI TPAP security audits (mobile, API and infrastructure) against NPCI and OWASP requirements, remediate with your team, retest, and issue the report your PSP bank and NPCI need.

Frequently asked questions

Who must perform the UPI TPAP audit?
NPCI requires the security audit to be performed by a CERT-In empanelled auditor. CyberSigma is CERT-In empanelled.

Do PSP banks also need auditing?
Yes — the sponsor PSP bank’s UPI systems and the TPAP both fall within NPCI’s security-assurance expectations.

Need help with NPCI TPAP Audit?

Our CERT-In empanelled, PCI QSA senior auditors can take you from reading about the requirement to being compliant, with a scoped, guided programme.