NPCI – Unified Payments Interface (UPI) Audit
Unified Payments Interface (UPI) is an instant real-time payment system developed by the National Payments Corporation of India (NPCI) to facilitate inter-bank transactions. The interface is regulated by the Reserve Bank of India (RBI) and works by instantly transferring funds between two bank accounts on a mobile platform.
Banks need to think through their security strategies, governance models and preventive controls to build a UPI environment that delivers a seamless user experience while keeping security risks in balance.
Requirements from Banks:
- Ensure security of UPI environment and interfacing systems
- Ensure security of identity on the mobile device
- Introduce new security tools to protect the changing business model
- Perform advanced and smart analytics for effective monitoring of security risks
- Ensure compliance with regulatory requirements and adoption of industry standards
- Maintain logs and security controls that support forensic investigation
- Ensure appropriate response processes are in place so that the bank can act quickly when an incident is discovered
- Share periodic knowledge/security bulletins with customers
Scope of UPI Audit:
- Evaluation of the hardware structure, operating systems and critical applications, and of the security and controls in place, including access controls on key applications and disaster recovery plans
- Training of personnel managing systems and applications, documentation, etc.
- Process validation as per NPCI guidelines
- The audit should cover compliance with security best practices, specifically the application security lifecycle, patch/vulnerability management, change management and adherence to the process flow issued by NPCI from time to time.
- Mobile application penetration testing (version number to be mentioned in the report), together with the associated network, server and application components (OS/database/web application details to be mentioned in the report)
- Configuration Review (secure configuration hardening), Architecture Review and Vulnerability Assessment