NPCI continues to invest in people, process and technology that are required to safeguard the IT Infrastructure, information generated by them and the digital identities that access such information – remains safe and secured by deploying state-of-the-art technologies for protecting and monitoring them. Maintaining privacy of details are of utmost priority at NPCI and NPCI assures all customers that data processed at our end is completely secured and not accessible by anyone unauthorized.
With the vision of serving every Indian with one or other Digital Payment solution, NPCI, passionately drives close to 2.5 Billion transactions on a monthly basis using its indigenously developed platforms like RuPay, UPI, IMPS, AePS, NETC, Bharat Bill Pay etc. These systems are built indigenously with high resiliency & protection to cater our vision of being the “Best Payments Network globally”.
Strong Corporate Governance at NPCI
NPCI faces many inspections as per the regulatory and Government compliances. Audits & Inspections of various nature are conducted periodically to enhance and strengthen Corporate Governance.
Some of the practices at NPCI include,
a) Secured software Coding practices including Code review & application security assessments
b) Regular internal audits across Information Communication Technology (ICT) Infrastructure
c) Continuous Vulnerability Assessment and Penetration Testing followed by periodic patching
d) External audits of Critical Applications
e) Regulatory inspection or audit from both regulator and Government Nodal agencies on periodic basis
f) 3rd Party audits such as compliance to PCIDSS, carried out by QSA’s (Qualified Security Assessor) qualified by PCI Council to validate adherence to PCIDSS Standards & compliance to ISO 27001, carried out by qualified ISO Lead Audit firms.
g) Surprise cyber security drills by third-party experts
NPCI ensures all findings are elaborately reviewed and remediated to the satisfaction of the auditors. Appropriate compensatory controls are deployed wherever necessary.
Lt. General Rajesh Pant, NCSC, “We conduct Special Cyber Audits as part of the nation’s effort to protect and safe guard all critical enterprises such as NPCI, UIDAI, NIC etc, thereby helping to ensure the overall National Security. NPCI has provided higher levels of access to NCSC that are not normally made available to any stakeholders during regular course of business, as an effort to strengthen its cyber defense. I wish to compliment the top leadership of NPCI and their CISO for inculcating a culture of strong Cyber Security Governance with a robust infrastructure which meets global security standards.”
Strong Cyber Security Practice & Data Security
NPCI strongly believes that Cyber Security is of utmost importance and aims to safeguard its assets and network against all kinds of prevalent cyber-attacks. Over the past years NPCI has deployed various technologies to upgrade its security posture leveraging a multi-layered defence approach to combat evolving cyber threats.
NPCI has adopted its Security framework inline to the NIST Framework to include Protect, Detect, Respond, Predict and Recover methodology. NPCI has embraced implementation of these policies, processes and guidelines to manage risks to its information assets, thus ensuring acceptable levels of risk.
Some of the state of the art technologies deployed at NPCI to thwart Cyber-attacks includes,
· Perimeter security controls including firewall, web application firewall, micro-segmentation of network, routing controls, secured switch configurations, proxy server, Anti-Distributed Denial of Service Solution, Anti – Advanced Persistent Threat etc.
· Information protection including Data Leakage Protection, Digital Rights Management, tokenization & encryption of sensitive data elements and active monitoring of both structured and unstructured data
· Safer & Secure connects to ecosystem players including communication channel encryption
· Various Detective controls including Deceptive technologies (Decoys) are used as early indicators to identify Cyber-attacks
· A dedicated team of highly trained professionals who have participated in various globally recognized & acclaimed Cyber Defense program manages the Security Operation Centre 24x7x365
· Privileged identity & access management solutions which further segregates the logical access and restricts user to access critical systems supported by Multi factor authentication
NPCI engages with safer RED TEAM and BREACH readiness assessments as well periodically. With the sophisticated security threats that our environment faces in current times, NPCI’s objective is to continuously fortify our security layers. In addition to steps we take, we welcome and invite experts, including relevant authorities, for regular reviews and audits to keep our controls sharp and best in class.
NPCI handles all sensitive information like card data in line with PCIDSS requirements. PCIDSS norms also allows clear card information under certain circumstances for permitted functions, with appropriate controls. We have been subject to regular PCIDSS audits through externals QSA’s, qualified by PCI council. NPCI is fully compliant to these standards. NPCI proactively has adopted global best practices in handling personal identifiable information (PII) and is one of the early practitioners in India.
Dilip Asbe, MD & CEO NPCI said, “We consider audits as an important governance layer for the IT systems that evolves constantly, for appropriateness and adequacy of controls deployed so as to ensure that the critical systems, processes and data under its purview remain safe and secure. As a process, NPCI has ensured that there are adequate controls across multiple levels and Audit findings are remediated immediately and closed to satisfaction of auditing entities.
At NPCI, we working together with all stakeholders to ensure safe, secure and convenient payment solutions for consumers. Our products are undergoing progressive developments on a continuous basis to ensure consumer gets the best of payments experience.”
In response to the some of the recent media reports, we reiterate that NPCI maintains high levels of security standards and an integrated approach to protect its infrastructure, a strong governance through proactive independent audits, and continue to provide a robust payments ecosystem.