NPCI – United Payment Interface (UPI) Audit

Unified Payments Interface (UPI) is an instant, real-time payment system developed by the National Payments Corporation of India (NPCI) to facilitate inter-bank transactions. The interface is regulated by the Reserve Bank of India (RBI) and transfers funds instantly between two bank accounts from a mobile device.

Banks need to think through their security strategies, governance models and predictive controls to build a secure UPI environment: one that offers a seamless user experience while keeping security risk in balance.


Requirements from Banks:

  • Ensure the security of the UPI environment and its interfacing systems
  • Ensure the security of the customer's identity on the mobile device
  • Introduce new security tools to protect the changing business model
  • Perform advanced analytics for effective monitoring of security risks
  • Ensure compliance with regulatory requirements and adoption of industry standards
  • Maintain logs and security event records to support forensics
  • Have appropriate incident response processes in place so that the bank can act quickly once an incident is discovered
  • Share periodic knowledge and security bulletins with customers


Scope of UPI Audit:

  • Evaluation of the hardware infrastructure, operating systems and critical applications, and of the security controls in place, including access controls on key applications and disaster recovery plans
  • Training of the personnel who manage systems and applications, documentation, etc.
  • Process validation as per NPCI guidelines
  • Compliance with security best practices, specifically the application security lifecycle, patch and vulnerability management, change management and adherence to the process flow issued by NPCI from time to time
  • Mobile application penetration testing (the application version number to be stated in the report) and testing of the associated network, server and application stack (OS, database and web application details to be stated in the report)
  • Configuration review (secure configuration and hardening), architecture review and vulnerability assessment