Introduction to the NPCI UPI / TPAP Security Audit
The Unified Payments Interface (UPI) has become the settlement backbone of India's retail digital payments, processing tens of billions of transactions each month. Every consumer-facing app that lets a user pay, collect or manage money over UPI does so as a Third Party Application Provider (TPAP) riding on the systems of a sponsor bank that acts as the Payment Service Provider (PSP). Because a TPAP handles authentication factors, virtual payment addresses (VPAs), mandate creation, and the mobile application in which UPI credentials are entered, it sits squarely inside the security perimeter that the National Payments Corporation of India (NPCI) governs. The NPCI UPI / TPAP Security Audit is the structured, evidence-based assessment through which a TPAP demonstrates to its sponsor bank, to NPCI and, ultimately, to the Reserve Bank of India (RBI) that it operates the app, its APIs and its supporting infrastructure in line with the UPI Procedural Guidelines, the NPCI circulars on TPAP security, and the RBI's baseline cyber-security expectations for the payments ecosystem.
This guide is written for security, compliance, engineering and product leaders at TPAPs, PSP banks and the payment-technology providers that build UPI stacks. It explains what the audit covers, who is in scope, how the control areas are structured, and — most importantly — provides an auditor-grade master checklist enumerating every domain a competent assessor will test, together with the evidence they will expect to see. Throughout, we distinguish clearly between what the sponsor PSP bank is accountable for and what the TPAP must own, because the shared-responsibility boundary is one of the most misunderstood aspects of UPI security governance.
Copyright and source note
NPCI's UPI Procedural Guidelines, the TPAP security circulars, the UPI API specifications and related NPCI/RBI documents are proprietary materials issued to authorised participants. This guide is original explanatory material prepared by CyberSigma and does not reproduce NPCI or RBI copyrighted text. Control identifiers, domain names and terminology are described in our own words for educational purposes. Always obtain and audit against the current authoritative circulars and specification versions supplied to your organisation by NPCI and your sponsor bank; where this guide differs from an official document, the official document prevails.
What is the NPCI TPAP Audit
The NPCI TPAP Audit is a periodic security and compliance assessment of a Third Party Application Provider's UPI-facing environment. It is not a single monolithic certification like PCI DSS; rather it is a composite obligation stitched together from several NPCI and RBI instruments. In practice an assessor evaluates the TPAP against: the UPI Procedural Guidelines and their annexures; NPCI's circulars addressing TPAP onboarding, security requirements and the sharing of risk-and-compliance responsibilities between PSP and TPAP; the technical UPI API and Common Library (CL / UPI SDK) integration requirements; the applicable RBI directions such as the Master Direction on Digital Payment Security Controls and the outsourcing / IT governance directions; and, where card data or wallet balances are also handled, PCI DSS.
The audit takes the form of an independent review — typically by a CERT-In empanelled auditor — that produces a report used by the sponsor PSP bank to certify the TPAP to NPCI. NPCI mandates that this security assessment be carried out at least annually and after any material change to the application or its infrastructure. The output is normally a security audit report plus a compliance certificate, supported by a remediation tracker for any open findings. Unlike a self-attestation, the TPAP audit is expected to be conducted by an empanelled third party and countersigned in the assurance chain that runs TPAP to PSP bank to NPCI.
The audit's purpose is threefold: to protect the confidentiality and integrity of UPI credentials and payment instructions on the device and in transit; to ensure the TPAP cannot introduce fraud, data leakage or systemic risk into the shared UPI network; and to confirm that the TPAP has the governance, incident-response and resilience capabilities expected of a critical financial-infrastructure participant.
Who must comply
The obligation to undergo and evidence a TPAP security audit falls on any entity that provides a consumer or merchant application interface to UPI without itself being the account-holding or PSP bank. The table below summarises the principal categories and their obligations.
| Entity type | Role in UPI | Audit obligation |
|---|
| Third Party Application Provider (TPAP) | Provides the UPI app UI, VPA handle, mandate and collect flows; integrates the PSP/CL library | Primary responsibility: annual security audit of the app and supporting infrastructure; report submitted via sponsor PSP |
| Payment Service Provider (PSP) / sponsor bank | Holds the UPI licence, operates the PSP switch, sponsors the TPAP, owns credential-handling libraries | Owns overall UPI security certification; must ensure each sponsored TPAP is audited and compliant before go-live and annually |
| Technology Service Provider (TSP) / build partner | Develops or hosts parts of the TPAP stack on behalf of the TPAP or PSP | In scope as an outsourced provider; its controls are assessed as part of the TPAP audit and outsourcing due diligence |
| Payment aggregator / merchant app embedding UPI | Offers UPI as a payment option within a broader commerce app | In scope for the UPI components; also subject to RBI PA/PG and SAR requirements where applicable |
| Prepaid Payment Instrument (PPI) / wallet issuer on UPI | Enables UPI on wallet balances (UPI-on-wallet, interoperability) | In scope for TPAP-equivalent UPI controls plus PPI Master Direction obligations |
| Cloud / infrastructure hosting provider | Hosts TPAP workloads | Assessed indirectly through the TPAP's cloud-security and shared-responsibility evidence |
- Any app whose end-users create or manage a UPI VPA, link a bank account, set up an autopay mandate, or authorise a UPI PIN entry.
- Any entity that receives or processes the UPI transaction flows, callbacks or reconciliation data from the PSP switch.
- Multi-bank TPAPs sponsored by several PSP banks — each PSP relationship expects assurance, though a single consolidated audit report is typically produced.
- New TPAPs at onboarding (pre-go-live audit) and existing TPAPs on the recurring annual cadence and after major changes.
Structure of the NPCI TPAP Audit
There is no single official numbered control catalogue published for public consumption the way PCI DSS publishes twelve requirements; instead the audit scope is assembled from the security expectations spread across the UPI Procedural Guidelines, NPCI TPAP circulars, the UPI API/CL integration requirements and RBI's digital-payment security controls. For assessment purposes competent auditors organise these into a coherent set of control domains. The domain structure below is the working taxonomy CyberSigma uses to plan and execute a TPAP audit; it maps completely onto the underlying NPCI and RBI requirements while giving assessors a clean, testable structure.
| Domain ID | Domain | Focus | Primary source |
|---|
| D1 | Governance, risk and compliance | Board oversight, UPI security policy, PSP-TPAP responsibility matrix, licensing | UPI Procedural Guidelines; RBI IT governance |
| D2 | Application security (mobile app) | Secure coding, hardening, anti-tamper, root/jailbreak detection, obfuscation | NPCI TPAP security circular; RBI DPSC |
| D3 | UPI credential and PIN handling | UPI PIN capture via CL, device binding, credential non-storage | UPI API / Common Library requirements |
| D4 | Device binding, SMS and registration | Device fingerprint, SIM/SMS validation, hard-binding, re-registration | UPI Procedural Guidelines |
| D5 | API and integration security | PSP API auth, message signing, TLS, VPA and mandate APIs | UPI API specification |
| D6 | Cryptography and key management | Encryption in transit/at rest, HSM, key lifecycle, certificate management | RBI DPSC; NPCI crypto requirements |
| D7 | Network, infrastructure and cloud security | Segmentation, hardening, WAF, DDoS, cloud shared responsibility | RBI DPSC; cloud guidance |
| D8 | Identity and access management | RBAC, PIM/PAM, MFA for admins, joiner-mover-leaver | RBI DPSC |
| D9 | Data protection and privacy | Data classification, PII/DPDP, data minimisation, retention, localisation | RBI data localisation; DPDP Act |
| D10 | Fraud risk management and transaction monitoring | Velocity limits, device/behaviour risk, mule detection, RDA/complaint handling | NPCI fraud/risk circulars; RBI |
| D11 | Logging, monitoring and SOC | Centralised logs, SIEM, alerting, log retention, time sync | RBI DPSC |
| D12 | Vulnerability and patch management | VA/PT cadence, secure SDLC, dependency and CI/CD security | RBI DPSC; NPCI audit cadence |
| D13 | Incident response and forbidden-activity handling | IR plan, breach reporting to CERT-In/NPCI/RBI, fraud reporting timelines | RBI incident reporting; CERT-In |
| D14 | Business continuity and resilience | BCP/DR, RTO/RPO, capacity, availability SLAs | RBI DPSC; UPI availability expectations |
| D15 | Outsourcing and third-party risk | TSP due diligence, right-to-audit, sub-processor control | RBI outsourcing directions |
| D16 | Change and configuration management | Change control, environment separation, release governance | RBI DPSC |
| D17 | Customer protection and grievance redressal | Complaint handling, ODR, turnaround times, transparency | RBI customer protection; UPI grievance |
Master assessment checklist
This is the core of the audit. For each domain below we set out what a competent assessor verifies and the evidence a TPAP is expected to produce. Treat every row as a discrete test step; do not treat any domain as optional. Where a control is owned by the PSP bank rather than the TPAP, the TPAP must still evidence that the split responsibility is documented and that its own portion is met.
D1 — Governance, risk and compliance
| What to verify | Typical evidence |
|---|
| A board-approved UPI/information-security policy exists and is reviewed at least annually | Signed policy document, board/committee minutes, version history |
| A documented PSP-TPAP shared responsibility matrix defines who owns each control | Responsibility matrix, sponsor bank agreement, RACI |
| The TPAP is validly sponsored and onboarded per NPCI process | Sponsor agreement, NPCI onboarding confirmation, handle allocation |
| A named CISO / security owner and reporting line to the board exist | Org chart, appointment letter, committee charter |
| Security risk assessments are performed periodically and tracked to closure | Risk register, risk assessment reports, remediation tracker |
| Compliance calendar covers annual audit, VA/PT, and regulatory filings | Compliance calendar, evidence of prior year audit submission to PSP |
D2 — Application security (mobile app)
| What to verify | Typical evidence |
|---|
| Secure SDLC applied to the app; threat modelling performed for UPI flows | SDLC policy, threat models, design review records |
| Root / jailbreak detection and response implemented | Code references, config, VA/PT report confirming detection |
| Anti-tampering, integrity checks and code obfuscation applied to release builds | RASP/obfuscation config, build pipeline evidence, PT findings |
| Screen-capture, screen-recording and overlay protection on sensitive screens | Code/config, test evidence on PIN and balance screens |
| No sensitive data (PIN, full account, credentials) stored in local storage, logs or backups | Static/dynamic analysis results, device forensics from PT |
| App uses certificate pinning and rejects proxied/MITM traffic | PT report on MITM attempts, pinning configuration |
| Latest CL/UPI SDK version integrated; deprecated versions removed | SDK version manifest, dependency list, NPCI compatibility confirmation |
D3 — UPI credential and PIN handling
| What to verify | Typical evidence |
|---|
| UPI PIN is captured only through the sponsor PSP's Common Library keyboard, never a custom field | Integration design, code review of PIN flow, PT confirmation |
| The TPAP app never sees, transmits or stores the clear UPI PIN | Data-flow diagram, PT/DAST evidence, credential-handling attestation |
| Credential block encryption is handled inside the CL and passed opaquely | Architecture doc, CL integration evidence |
| Registration and set-UPI-PIN flows follow the mandated debit-card/Aadhaar OTP validation | Flow walkthrough, screenshots, test logs |
| No screenshot, clipboard or accessibility capture of the PIN entry surface is possible | Test evidence, security control configuration |
D4 — Device binding, SMS and registration
| What to verify | Typical evidence |
|---|
| Device hard-binding ties the account to a unique device fingerprint | Device binding design, code review, test evidence |
| SMS-based number verification confirms the SIM belongs to the registering device | SMS validation flow, logs of outbound verification SMS |
| Re-registration / device-change triggers fresh binding and appropriate cooling / limits | Policy, flow evidence, transaction-limit configuration |
| Multiple-account and multiple-VPA controls per device are enforced per NPCI limits | Configuration, monitoring reports |
| Dormant/de-registered device tokens are invalidated | Session/token lifecycle evidence, test logs |
D5 — API and integration security
| What to verify | Typical evidence |
|---|
| All PSP/NPCI API calls are mutually authenticated and message-signed as specified | API spec conformance, signature verification logs |
| TLS 1.2+ (preferably 1.3) enforced on all external interfaces; weak ciphers disabled | TLS scan report, server config |
| VPA creation, ReqPay, mandate (UPI Autopay) and collect APIs implement server-side validation | API design docs, code review, PT of business logic |
| Idempotency, replay protection and request/response integrity are enforced | Design evidence, PT replay-attack results |
| Rate limiting and abuse protection on public and partner endpoints | WAF/gateway config, throttling evidence |
| Collect-request and mandate flows guard against social-engineering abuse (limits, consent screens) | UX evidence, limit configuration, fraud controls |
D6 — Cryptography and key management
| What to verify | Typical evidence |
|---|
| Strong, current algorithms used; no deprecated ciphers or hashes | Crypto standard, config, scan results |
| Keys generated, stored and used within an HSM or equivalent secure module | HSM inventory, key-ceremony records |
| Documented key lifecycle: generation, rotation, revocation, destruction | Key management policy, rotation logs |
| Certificate inventory maintained; expiry monitored and alerted | Certificate register, monitoring/alerting evidence |
| Data at rest (PII, tokens) encrypted with managed keys and access controls | Encryption config, KMS access logs |
| Separation of duties and dual control for key operations | PAM logs, key-custodian records |
D7 — Network, infrastructure and cloud security
| What to verify | Typical evidence |
|---|
| Network segmentation isolates UPI/payment zones from corporate and internet zones | Network diagram, firewall rulebase, segmentation test |
| Servers, OS and containers are hardened to a defined baseline (CIS or equivalent) | Hardening standard, configuration scan reports |
| WAF and DDoS protection deployed on internet-facing services | WAF config, DDoS service evidence, test results |
| Cloud shared-responsibility model documented; cloud config hardened and monitored | Cloud responsibility matrix, CSPM reports |
| Ingress/egress controls, bastion access and no direct DB exposure | Firewall/security-group config, PT external scan |
| Data localisation: UPI/payment data stored and processed within India | Data-residency attestation, infra region evidence, RBI localisation compliance |
D8 — Identity and access management
| What to verify | Typical evidence |
|---|
| Role-based access control with least privilege across systems | RBAC matrix, access-review reports |
| MFA enforced for all administrative and remote access | MFA configuration, login logs |
| Privileged access managed and session-recorded via PAM | PAM policy, session recordings, vault evidence |
| Joiner-mover-leaver process revokes access promptly | JML records, deprovisioning tickets, periodic access recertification |
| No shared/generic accounts for production; individual accountability enforced | Account inventory, audit of service accounts |
| Periodic user access reviews performed and signed off | Access review reports with approvals |
D9 — Data protection and privacy
| What to verify | Typical evidence |
|---|
| Data classification scheme covers UPI, PII and financial data | Data classification policy, data inventory |
| Data minimisation: only necessary data collected and retained | Data-flow maps, retention schedule |
| DPDP Act obligations addressed: consent, purpose limitation, grievance officer | Privacy notice, consent records, DPO/grievance officer appointment |
| Retention and secure deletion enforced per policy and regulation | Retention policy, deletion logs |
| PII masking/tokenisation in logs, screens and non-production environments | Masking config, test-data-management evidence |
| Cross-border transfer restrictions and payment-data localisation observed | Data-residency evidence, transfer assessment |
D10 — Fraud risk management and transaction monitoring
| What to verify | Typical evidence |
|---|
| Real-time transaction monitoring with velocity, amount and device rules | Fraud engine config, rule catalogue, alert samples |
| Mule-account and suspicious-behaviour detection integrated with NPCI signals | Detection logic, integration with NPCI risk feeds |
| New-user and new-device transaction limits and cooling periods applied per NPCI norms | Limit configuration matrix, test evidence |
| Collect-request abuse and fraudulent-QR controls in place | Control design, blocked-transaction reports |
| Registered Device Association / complaint-handling and dispute processes operate to timelines | RDA/complaint SOP, resolution metrics |
| Reporting of confirmed fraud to NPCI/RBI (e.g., CPFIR) within mandated timelines | Fraud reporting records, submission acknowledgements |
D11 — Logging, monitoring and SOC
| What to verify | Typical evidence |
|---|
| Security-relevant events centrally logged to a SIEM | SIEM architecture, log source inventory |
| Log retention meets regulatory minimums and logs are tamper-protected | Retention config, WORM/immutability evidence |
| 24x7 SOC or equivalent monitoring with defined use cases and alerting | SOC SOP, use-case catalogue, alert-to-ticket samples |
| Time synchronisation (NTP) across all systems for reliable forensics | NTP config, time-sync validation |
| Correlation covers app, API, infra, fraud and access events | Correlation rules, sample investigations |
| Periodic log review and alert-tuning performed | Review records, tuning changelog |
D12 — Vulnerability and patch management
| What to verify | Typical evidence |
|---|
| Vulnerability assessment and penetration testing performed at least annually and after major change | VA/PT reports (app, API, infra), scope letters |
| Findings tracked to closure with risk-based SLAs | Remediation tracker, retest evidence |
| Patch management policy with defined timelines by severity | Patch policy, patch compliance reports |
| Secure dependency and SBOM management; known-CVE components remediated | SCA/SBOM reports, dependency update records |
| CI/CD pipeline security: secrets scanning, SAST/DAST gates | Pipeline config, scan gate evidence |
| Source-code security review for UPI-critical modules | SAST reports, manual review records |
D13 — Incident response and reporting
| What to verify | Typical evidence |
|---|
| Documented incident-response plan covering payment/security incidents | IR plan, playbooks, RACI |
| Breach reporting to CERT-In within mandated hours and to NPCI/RBI/PSP | Reporting SOP, prior notification records, acknowledgements |
| Defined severity classification and escalation matrix | Severity matrix, escalation contacts |
| Post-incident reviews and root-cause analyses conducted | PIR/RCA reports, corrective-action tracker |
| IR tabletop exercises or drills conducted periodically | Drill reports, participant logs |
| Coordination with sponsor PSP on UPI-network incidents | Communication records, joint-response evidence |
D14 — Business continuity and resilience
| What to verify | Typical evidence |
|---|
| BCP and DR plans exist with defined RTO/RPO for UPI services | BCP/DR documents, RTO/RPO definitions |
| DR drills conducted at least annually with documented outcomes | DR test reports, failover evidence |
| Capacity and performance managed to sustain UPI peak volumes and availability targets | Capacity plans, availability/SLA reports |
| Redundancy across availability zones / sites for critical components | Architecture diagram, resilience evidence |
| Dependency on sponsor PSP and NPCI switch availability accounted for in continuity plans | BCP dependency mapping |
D15 — Outsourcing and third-party risk
| What to verify | Typical evidence |
|---|
| Due diligence performed on TSPs and material service providers | Vendor due-diligence records, risk assessments |
| Contracts include right-to-audit, confidentiality, data-protection and NPCI/RBI compliance flow-down | Contracts / addenda, clause references |
| Sub-processors identified and controlled; no unauthorised sub-outsourcing | Sub-processor register, approval evidence |
| Periodic assurance obtained from providers (SOC 2, audit reports) | Vendor assurance reports, review records |
| Exit and data-return / destruction plans defined for critical providers | Exit plans, data-handling clauses |
D16 — Change and configuration management
| What to verify | Typical evidence |
|---|
| Formal change-management process with approvals and rollback for production | Change policy, sample change tickets |
| Segregation of development, test and production environments | Environment inventory, access separation evidence |
| Security review / approval gate for UPI-impacting changes | Change-advisory records, security sign-offs |
| Configuration baselines maintained and drift detected | Baseline docs, drift/CSPM reports |
| Release and versioning of the app coordinated with PSP/NPCI compatibility | Release notes, SDK compatibility confirmations |
D17 — Customer protection and grievance redressal
| What to verify | Typical evidence |
|---|
| Accessible grievance mechanism with published turnaround times | Grievance SOP, published TAT, contact channels |
| Integration with UPI dispute redressal / ODR and NPCI complaint systems | Dispute-handling evidence, ODR integration |
| Transparent transaction status, receipts and failure/refund handling | UX evidence, refund/auto-reversal reports |
| Nodal / grievance officer appointed and details published per RBI norms | Appointment records, website disclosure |
| Complaint metrics and turnaround times tracked and reviewed | Complaint MIS, TAT compliance reports |
Scoping the assessment
Scoping is decisive for a defensible TPAP audit. Because UPI is a shared-responsibility ecosystem, the assessor must first draw the boundary between what the TPAP builds and operates and what the sponsor PSP provides. Everything that touches UPI credentials, transaction initiation, VPA/mandate management, device binding, or the data flows to and from the PSP switch is in scope. Corporate systems are in scope where they can affect the payment environment (for example, shared identity providers, CI/CD pipelines that deploy the app, and SOC/SIEM tooling).
- In scope: the consumer/merchant mobile app and its release pipeline; backend services handling UPI flows, VPA and mandates; the CL/UPI SDK integration; APIs to the PSP and NPCI; hosting infrastructure (on-prem or cloud) for UPI workloads; supporting security tooling (SIEM, WAF, HSM/KMS, PAM); and third parties operating any of the above.
- Conditionally in scope: analytics, notification, KYC and support systems, to the extent they process UPI-related PII or can influence the payment environment.
- Out of scope (but responsibility-mapped): the PSP switch, the NPCI central infrastructure, and the account-holding banks' core systems — these belong to the PSP/bank/NPCI and must be evidenced in the responsibility matrix rather than tested by the TPAP audit.
- Scope must be re-evaluated at every material change: new payment features (e.g., UPI Autopay, UPI Lite, credit-on-UPI), new hosting regions, new TSPs, or a change of sponsor PSP.
Implementation approach
A TPAP that is preparing for its first audit — or remediating findings from a prior one — benefits from a phased programme. The four phases below move from discovery to sustained assurance.
Phase 1 — Discovery and gap assessment
- Activities: confirm sponsor PSP relationship and shared-responsibility matrix; inventory all UPI-facing components, data flows and third parties; map current controls to the 17 domains; run an initial gap assessment and lightweight app/API scan.
- Deliverables: scope statement and asset/data-flow inventory; PSP-TPAP responsibility matrix; gap-assessment report with prioritised findings; risk register seeded.
Phase 2 — Remediation and control build-out
- Activities: implement missing controls (root detection, cert pinning, PIN-via-CL confirmation, device binding, HSM/KMS, SIEM onboarding, RBAC/PAM, fraud rules); harden infrastructure to baseline; formalise policies (IR, BCP, change, outsourcing, privacy).
- Deliverables: remediation tracker updated to closure; control implementation evidence pack; approved policy set; hardening and configuration baselines.
Phase 3 — Independent audit and testing
- Activities: engage a CERT-In empanelled auditor; perform VA/PT of app, API and infrastructure; execute the master checklist domain-by-domain; validate credential-handling and device-binding through dynamic testing; collect and review evidence.
- Deliverables: VA/PT reports; security audit report with findings and ratings; compliance certificate draft; management responses to findings.
Phase 4 — Certification, submission and continuous assurance
- Activities: close residual findings and obtain retest sign-off; finalise the audit report and certificate; submit to the sponsor PSP for onward assurance to NPCI; establish continuous monitoring and the annual/change-triggered re-audit cadence.
- Deliverables: signed audit report and compliance certificate; PSP submission acknowledgement; continuous-assurance calendar and metrics dashboard.
Maturity and scoring model
NPCI's audit outcome is fundamentally pass/remediate against mandatory requirements, but a maturity model helps a TPAP track its trajectory and prioritise investment beyond the minimum bar. CyberSigma applies the five-level capability model below to each of the 17 domains.
| Level | Name | Description | Typical audit outcome |
|---|
| 1 | Initial / ad hoc | Controls absent or informal; reliance on the PSP without documentation | Not compliant; go-live blocked |
| 2 | Developing | Some controls implemented but inconsistent; key gaps in credential, device or logging domains | Major findings; remediation required before certification |
| 3 | Defined | Documented, mandated controls implemented across all domains; VA/PT performed | Compliant with minor findings; certifiable |
| 4 | Managed | Controls measured and monitored; fraud analytics and SOC use-cases tuned; metrics reviewed | Strong compliance; low residual risk |
| 5 | Optimising | Continuous improvement, threat-led testing, automation of assurance and rapid response | Best-in-class; exemplary posture |
Assessment and audit approach
The independent assessment follows a repeatable sequence so that findings are defensible and reproducible.
- Engagement and scoping: agree the boundary, obtain the PSP-TPAP responsibility matrix, and issue the scope and evidence request.
- Documentation review: assess policies, architecture, data-flow diagrams, prior audit reports and the risk register against the 17 domains.
- Control walkthroughs: interview owners for each domain and trace how mandated controls are designed and operated.
- Technical testing: perform VA/PT on the app, APIs and infrastructure, including MITM/pinning, root/tamper, PIN-handling, replay and business-logic tests.
- Configuration and log validation: sample-check hardening baselines, IAM, crypto/key management, SIEM coverage and retention.
- Evidence sampling: collect and validate artefacts for each checklist row, testing operating effectiveness over a period, not just design.
- Findings and rating: classify findings by severity, map to the responsible party (TPAP or PSP), and record management responses.
- Remediation and retest: verify closure of high-severity findings and obtain retest evidence.
- Reporting: issue the security audit report and compliance certificate with an executive summary and remediation tracker.
- Submission and follow-up: support submission to the sponsor PSP/NPCI and set the re-audit cadence and continuous-monitoring plan.
Evidence request list
The following categorised list is the evidence a TPAP should assemble before the audit begins; having it ready materially shortens fieldwork.
- Governance: board-approved security policy, PSP-TPAP responsibility matrix, sponsor agreement, NPCI onboarding confirmation, org chart, CISO appointment, risk register, compliance calendar.
- Application: SDLC and threat-modelling records, app hardening/RASP config, obfuscation and pinning configuration, CL/UPI SDK version manifest, prior app VA/PT reports.
- Credential and device: PIN-handling data-flow and design, device-binding design, SMS-validation logs, registration/set-PIN flow walkthroughs.
- APIs and crypto: API specification conformance, TLS scan reports, message-signing evidence, crypto standard, HSM/KMS inventory, key-management and rotation logs, certificate register.
- Infrastructure and cloud: network diagrams, firewall rulebase, hardening baselines and scan reports, WAF/DDoS config, cloud responsibility matrix and CSPM reports, data-residency evidence.
- IAM: RBAC matrix, MFA config, PAM policy and session logs, JML records, access-review sign-offs.
- Data and privacy: data classification and inventory, retention schedule, DPDP consent and grievance-officer records, masking/tokenisation evidence.
- Fraud and monitoring: fraud-rule catalogue, alert samples, mule/limit configuration, CPFIR/fraud-reporting records, SIEM architecture and log-source inventory, SOC use-cases.
- Resilience: BCP/DR plans, DR-drill reports, capacity and availability/SLA reports.
- Third party: vendor due-diligence records, contracts with right-to-audit clauses, sub-processor register, vendor assurance reports (SOC 2 etc.).
- Change and incident: change policy and sample tickets, environment inventory, IR plan and playbooks, prior incident/breach notifications and acknowledgements, PIR/RCA reports.
- Customer protection: grievance SOP and published TAT, dispute/ODR handling evidence, complaint MIS, nodal/grievance-officer disclosures.
Roles and responsibilities
| Role | Responsibility in the TPAP audit |
|---|
| Board / risk committee | Approve security policy and risk appetite; oversee UPI compliance and audit outcomes |
| CISO / security head | Own the control environment, remediation and audit engagement; primary auditor contact |
| TPAP compliance officer | Manage NPCI/RBI obligations, filings and PSP submissions; maintain compliance calendar |
| Engineering / app owners | Implement secure app, credential, device-binding and API controls; provide technical evidence |
| Infrastructure / cloud team | Maintain hardening, segmentation, crypto/KMS, backups and localisation |
| SOC / monitoring team | Operate SIEM, detection use-cases, alerting and incident triage |
| Fraud risk team | Operate transaction monitoring, limits and fraud reporting to NPCI/RBI |
| Sponsor PSP bank | Provide CL/SDK, own switch-side controls, certify the TPAP onward to NPCI |
| Independent auditor (CERT-In empanelled) | Conduct VA/PT and control assessment; issue report and certificate |
| Third-party / TSP providers | Provide assurance, honour right-to-audit and flow-down compliance obligations |
KPIs to track
- Percentage of mandatory controls implemented across the 17 domains (target 100% before certification).
- Number and ageing of open audit/VA/PT findings by severity, and mean time to remediate.
- VA/PT cadence adherence: annual and post-major-change tests completed on schedule.
- Patch compliance rate and mean time to patch critical vulnerabilities.
- Fraud detection rate, false-positive rate, and fraud-reporting timeliness to NPCI/RBI.
- UPI service availability / uptime against target and successful DR-drill completion.
- Percentage of privileged access under PAM and access-review completion rate.
- SIEM log-source coverage and mean time to detect / respond to security alerts.
- Grievance turnaround-time compliance and dispute-resolution rate.
- Third-party assurance coverage: percentage of material providers with current assurance reports.
Readiness checklist
- Sponsor PSP relationship confirmed and PSP-TPAP responsibility matrix documented
- Board-approved UPI/information-security policy in place and current
- Complete scope statement, asset inventory and data-flow diagrams prepared
- UPI PIN captured only via the PSP Common Library; app never sees or stores the PIN
- Root/jailbreak detection, anti-tamper, obfuscation and certificate pinning implemented
- Device hard-binding and SMS validation operational with new-user limits
- TLS 1.2+, message signing, replay protection and rate limiting on all APIs
- HSM/KMS-backed key management with documented lifecycle and certificate monitoring
- Network segmentation, hardening baselines, WAF/DDoS and cloud posture management in place
- RBAC, MFA for admins, PAM and periodic access reviews operating
- Data localisation, DPDP consent/grievance and masking controls implemented
- Real-time fraud monitoring, velocity limits and NPCI/RBI fraud reporting configured
- Centralised SIEM, 24x7 monitoring, log retention and NTP sync established
- Annual VA/PT completed with findings tracked to closure and retested
- IR plan, CERT-In/NPCI/RBI reporting SOP and tabletop drills in place
- BCP/DR with tested RTO/RPO and DR-drill evidence
- Outsourcing due diligence, right-to-audit clauses and sub-processor register complete
- Grievance mechanism, published TAT and ODR/dispute integration live
- Independent CERT-In empanelled auditor engaged and evidence pack assembled
Common gaps
- Treating the PSP as owning all security and failing to document or evidence the TPAP's own share of responsibilities.
- Custom PIN-entry fields or logging that inadvertently touch UPI credentials instead of relying solely on the Common Library.
- Missing or bypassable root/jailbreak detection, anti-tamper and certificate pinning, exposed by MITM tests.
- Weak or absent device hard-binding and SMS validation, enabling account takeover across devices.
- Collect-request and QR-code flows without adequate anti-social-engineering controls and consent screens.
- Inadequate transaction-monitoring rules and slow or missing fraud reporting to NPCI/RBI (e.g., CPFIR).
- Sensitive data stored outside India or logs/non-production environments containing unmasked PII, breaching localisation and DPDP norms.
- Key material handled outside an HSM/KMS, with no documented rotation or certificate-expiry monitoring.
- VA/PT performed but findings left open, or testing not repeated after major releases and feature launches.
- Third-party/TSP arrangements without right-to-audit clauses, sub-processor visibility or current assurance reports.
- Incident-response and BCP/DR plans that exist on paper but are never drilled, so reporting timelines are missed under pressure.
- Running deprecated CL/UPI SDK versions or app builds no longer compatible with NPCI requirements.
NPCI TPAP Audit mapped to other frameworks
TPAPs rarely operate under NPCI requirements alone. Mapping the TPAP control domains to adjacent frameworks lets an organisation reuse evidence and run a single integrated assurance programme.
| TPAP domain | RBI Digital Payment Security Controls | PCI DSS v4.0 | ISO/IEC 27001:2022 | DPDP Act 2023 |
|---|
| Governance & risk (D1) | Governance & IT risk management | Req 12 — Policy & programme | Clause 5-6; A.5 org controls | Sec. 8 obligations of data fiduciary |
| Application security (D2) | Application security lifecycle | Req 6 — Secure development | A.8.25-8.28 secure development | N/A |
| Credential & PIN handling (D3) | Authentication controls | Req 3 — Protect stored data | A.5.16-5.18 identity/auth | N/A |
| API & integration (D5) | Secure APIs & connectivity | Req 4 — Encrypt transmission | A.8.20-8.24 network/crypto | N/A |
| Cryptography & keys (D6) | Cryptographic controls | Req 3/4 — Crypto & key mgmt | A.8.24 use of cryptography | Sec. 8 security safeguards |
| Network & cloud (D7) | Infrastructure & network security | Req 1 — Network security controls | A.8.20-8.23 | N/A |
| IAM (D8) | Access management | Req 7-8 — Access & auth | A.5.15-5.18; A.8.2-8.5 | N/A |
| Data protection & privacy (D9) | Data security & localisation | Req 3 — Data protection | A.5.34 privacy; A.8.10-8.12 | Consent, purpose, rights |
| Fraud & monitoring (D10) | Fraud risk management | Req 10 — Logging & monitoring | A.5.7 threat intel; A.8.16 | N/A |
| Logging & SOC (D11) | Monitoring & incident detection | Req 10 — Log & monitor | A.8.15-8.16 | N/A |
| Vulnerability mgmt (D12) | Vulnerability & patch management | Req 6/11 — Vuln & testing | A.8.8 technical vulns | N/A |
| Incident response (D13) | Incident reporting to RBI/CERT-In | Req 12.10 — Incident response | A.5.24-5.28 incident mgmt | Sec. 8(6) breach notification |
| Resilience / BCP (D14) | Business continuity | Req 12 — supporting resilience | A.5.29-5.30 continuity | N/A |
| Outsourcing / TPRM (D15) | Outsourcing risk management | Req 12.8 — third-party mgmt | A.5.19-5.23 supplier | Sec. 8 processor obligations |
| Customer protection (D17) | Customer awareness & protection | N/A | A.5.34 | Data-principal rights & grievance |
How CyberSigma helps
Partner with CyberSigma for your NPCI TPAP audit
CyberSigma brings CERT-In empanelled auditors, PCI QSA expertise and deep UPI-ecosystem experience to every stage of the TPAP journey — from first-time onboarding to annual re-certification. We run the gap assessment against all 17 control domains, help you build the PSP-TPAP responsibility matrix, execute app/API/infrastructure VA/PT (including credential-handling, device-binding and MITM testing), and remediate findings with your engineering teams. We then conduct the independent security audit, issue the report and compliance certificate, and support submission to your sponsor PSP and NPCI. Because our methodology maps TPAP controls to RBI DPSC, PCI DSS, ISO 27001 and the DPDP Act, you get a single integrated assurance programme rather than repeated, siloed audits. Talk to CyberSigma to make your next UPI/TPAP audit faster, defensible and audit-ready.