We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / NPCI TPAP Audit
NPCI · India

NPCI UPI / TPAP Security Audit

Security audit requirements for UPI Third-Party Application Providers and PSP banks.

Introduction to the NPCI UPI / TPAP Security Audit

The Unified Payments Interface (UPI) has become the settlement backbone of India's retail digital payments, processing tens of billions of transactions each month. Every consumer-facing app that lets a user pay, collect or manage money over UPI does so as a Third Party Application Provider (TPAP) riding on the systems of a sponsor bank that acts as the Payment Service Provider (PSP). Because a TPAP handles authentication factors, virtual payment addresses (VPAs), mandate creation, and the mobile application in which UPI credentials are entered, it sits squarely inside the security perimeter that the National Payments Corporation of India (NPCI) governs. The NPCI UPI / TPAP Security Audit is the structured, evidence-based assessment through which a TPAP demonstrates to its sponsor bank, to NPCI and, ultimately, to the Reserve Bank of India (RBI) that it operates the app, its APIs and its supporting infrastructure in line with the UPI Procedural Guidelines, the NPCI circulars on TPAP security, and the RBI's baseline cyber-security expectations for the payments ecosystem.

This guide is written for security, compliance, engineering and product leaders at TPAPs, PSP banks and the payment-technology providers that build UPI stacks. It explains what the audit covers, who is in scope, how the control areas are structured, and — most importantly — provides an auditor-grade master checklist enumerating every domain a competent assessor will test, together with the evidence they will expect to see. Throughout, we distinguish clearly between what the sponsor PSP bank is accountable for and what the TPAP must own, because the shared-responsibility boundary is one of the most misunderstood aspects of UPI security governance.

Copyright and source note
NPCI's UPI Procedural Guidelines, the TPAP security circulars, the UPI API specifications and related NPCI/RBI documents are proprietary materials issued to authorised participants. This guide is original explanatory material prepared by CyberSigma and does not reproduce NPCI or RBI copyrighted text. Control identifiers, domain names and terminology are described in our own words for educational purposes. Always obtain and audit against the current authoritative circulars and specification versions supplied to your organisation by NPCI and your sponsor bank; where this guide differs from an official document, the official document prevails.

What is the NPCI TPAP Audit

The NPCI TPAP Audit is a periodic security and compliance assessment of a Third Party Application Provider's UPI-facing environment. It is not a single monolithic certification like PCI DSS; rather it is a composite obligation stitched together from several NPCI and RBI instruments. In practice an assessor evaluates the TPAP against: the UPI Procedural Guidelines and their annexures; NPCI's circulars addressing TPAP onboarding, security requirements and the sharing of risk-and-compliance responsibilities between PSP and TPAP; the technical UPI API and Common Library (CL / UPI SDK) integration requirements; the applicable RBI directions such as the Master Direction on Digital Payment Security Controls and the outsourcing / IT governance directions; and, where card data or wallet balances are also handled, PCI DSS.

The audit takes the form of an independent review — typically by a CERT-In empanelled auditor — that produces a report used by the sponsor PSP bank to certify the TPAP to NPCI. NPCI mandates that this security assessment be carried out at least annually and after any material change to the application or its infrastructure. The output is normally a security audit report plus a compliance certificate, supported by a remediation tracker for any open findings. Unlike a self-attestation, the TPAP audit is expected to be conducted by an empanelled third party and countersigned in the assurance chain that runs TPAP to PSP bank to NPCI.

The audit's purpose is threefold: to protect the confidentiality and integrity of UPI credentials and payment instructions on the device and in transit; to ensure the TPAP cannot introduce fraud, data leakage or systemic risk into the shared UPI network; and to confirm that the TPAP has the governance, incident-response and resilience capabilities expected of a critical financial-infrastructure participant.

Who must comply

The obligation to undergo and evidence a TPAP security audit falls on any entity that provides a consumer or merchant application interface to UPI without itself being the account-holding or PSP bank. The table below summarises the principal categories and their obligations.

Entity typeRole in UPIAudit obligation
Third Party Application Provider (TPAP)Provides the UPI app UI, VPA handle, mandate and collect flows; integrates the PSP/CL libraryPrimary responsibility: annual security audit of the app and supporting infrastructure; report submitted via sponsor PSP
Payment Service Provider (PSP) / sponsor bankHolds the UPI licence, operates the PSP switch, sponsors the TPAP, owns credential-handling librariesOwns overall UPI security certification; must ensure each sponsored TPAP is audited and compliant before go-live and annually
Technology Service Provider (TSP) / build partnerDevelops or hosts parts of the TPAP stack on behalf of the TPAP or PSPIn scope as an outsourced provider; its controls are assessed as part of the TPAP audit and outsourcing due diligence
Payment aggregator / merchant app embedding UPIOffers UPI as a payment option within a broader commerce appIn scope for the UPI components; also subject to RBI PA/PG and SAR requirements where applicable
Prepaid Payment Instrument (PPI) / wallet issuer on UPIEnables UPI on wallet balances (UPI-on-wallet, interoperability)In scope for TPAP-equivalent UPI controls plus PPI Master Direction obligations
Cloud / infrastructure hosting providerHosts TPAP workloadsAssessed indirectly through the TPAP's cloud-security and shared-responsibility evidence
  • Any app whose end-users create or manage a UPI VPA, link a bank account, set up an autopay mandate, or authorise a UPI PIN entry.
  • Any entity that receives or processes the UPI transaction flows, callbacks or reconciliation data from the PSP switch.
  • Multi-bank TPAPs sponsored by several PSP banks — each PSP relationship expects assurance, though a single consolidated audit report is typically produced.
  • New TPAPs at onboarding (pre-go-live audit) and existing TPAPs on the recurring annual cadence and after major changes.

Structure of the NPCI TPAP Audit

There is no single official numbered control catalogue published for public consumption the way PCI DSS publishes twelve requirements; instead the audit scope is assembled from the security expectations spread across the UPI Procedural Guidelines, NPCI TPAP circulars, the UPI API/CL integration requirements and RBI's digital-payment security controls. For assessment purposes competent auditors organise these into a coherent set of control domains. The domain structure below is the working taxonomy CyberSigma uses to plan and execute a TPAP audit; it maps completely onto the underlying NPCI and RBI requirements while giving assessors a clean, testable structure.

Domain IDDomainFocusPrimary source
D1Governance, risk and complianceBoard oversight, UPI security policy, PSP-TPAP responsibility matrix, licensingUPI Procedural Guidelines; RBI IT governance
D2Application security (mobile app)Secure coding, hardening, anti-tamper, root/jailbreak detection, obfuscationNPCI TPAP security circular; RBI DPSC
D3UPI credential and PIN handlingUPI PIN capture via CL, device binding, credential non-storageUPI API / Common Library requirements
D4Device binding, SMS and registrationDevice fingerprint, SIM/SMS validation, hard-binding, re-registrationUPI Procedural Guidelines
D5API and integration securityPSP API auth, message signing, TLS, VPA and mandate APIsUPI API specification
D6Cryptography and key managementEncryption in transit/at rest, HSM, key lifecycle, certificate managementRBI DPSC; NPCI crypto requirements
D7Network, infrastructure and cloud securitySegmentation, hardening, WAF, DDoS, cloud shared responsibilityRBI DPSC; cloud guidance
D8Identity and access managementRBAC, PIM/PAM, MFA for admins, joiner-mover-leaverRBI DPSC
D9Data protection and privacyData classification, PII/DPDP, data minimisation, retention, localisationRBI data localisation; DPDP Act
D10Fraud risk management and transaction monitoringVelocity limits, device/behaviour risk, mule detection, RDA/complaint handlingNPCI fraud/risk circulars; RBI
D11Logging, monitoring and SOCCentralised logs, SIEM, alerting, log retention, time syncRBI DPSC
D12Vulnerability and patch managementVA/PT cadence, secure SDLC, dependency and CI/CD securityRBI DPSC; NPCI audit cadence
D13Incident response and forbidden-activity handlingIR plan, breach reporting to CERT-In/NPCI/RBI, fraud reporting timelinesRBI incident reporting; CERT-In
D14Business continuity and resilienceBCP/DR, RTO/RPO, capacity, availability SLAsRBI DPSC; UPI availability expectations
D15Outsourcing and third-party riskTSP due diligence, right-to-audit, sub-processor controlRBI outsourcing directions
D16Change and configuration managementChange control, environment separation, release governanceRBI DPSC
D17Customer protection and grievance redressalComplaint handling, ODR, turnaround times, transparencyRBI customer protection; UPI grievance

Master assessment checklist

This is the core of the audit. For each domain below we set out what a competent assessor verifies and the evidence a TPAP is expected to produce. Treat every row as a discrete test step; do not treat any domain as optional. Where a control is owned by the PSP bank rather than the TPAP, the TPAP must still evidence that the split responsibility is documented and that its own portion is met.

D1 — Governance, risk and compliance

What to verifyTypical evidence
A board-approved UPI/information-security policy exists and is reviewed at least annuallySigned policy document, board/committee minutes, version history
A documented PSP-TPAP shared responsibility matrix defines who owns each controlResponsibility matrix, sponsor bank agreement, RACI
The TPAP is validly sponsored and onboarded per NPCI processSponsor agreement, NPCI onboarding confirmation, handle allocation
A named CISO / security owner and reporting line to the board existOrg chart, appointment letter, committee charter
Security risk assessments are performed periodically and tracked to closureRisk register, risk assessment reports, remediation tracker
Compliance calendar covers annual audit, VA/PT, and regulatory filingsCompliance calendar, evidence of prior year audit submission to PSP

D2 — Application security (mobile app)

What to verifyTypical evidence
Secure SDLC applied to the app; threat modelling performed for UPI flowsSDLC policy, threat models, design review records
Root / jailbreak detection and response implementedCode references, config, VA/PT report confirming detection
Anti-tampering, integrity checks and code obfuscation applied to release buildsRASP/obfuscation config, build pipeline evidence, PT findings
Screen-capture, screen-recording and overlay protection on sensitive screensCode/config, test evidence on PIN and balance screens
No sensitive data (PIN, full account, credentials) stored in local storage, logs or backupsStatic/dynamic analysis results, device forensics from PT
App uses certificate pinning and rejects proxied/MITM trafficPT report on MITM attempts, pinning configuration
Latest CL/UPI SDK version integrated; deprecated versions removedSDK version manifest, dependency list, NPCI compatibility confirmation

D3 — UPI credential and PIN handling

What to verifyTypical evidence
UPI PIN is captured only through the sponsor PSP's Common Library keyboard, never a custom fieldIntegration design, code review of PIN flow, PT confirmation
The TPAP app never sees, transmits or stores the clear UPI PINData-flow diagram, PT/DAST evidence, credential-handling attestation
Credential block encryption is handled inside the CL and passed opaquelyArchitecture doc, CL integration evidence
Registration and set-UPI-PIN flows follow the mandated debit-card/Aadhaar OTP validationFlow walkthrough, screenshots, test logs
No screenshot, clipboard or accessibility capture of the PIN entry surface is possibleTest evidence, security control configuration

D4 — Device binding, SMS and registration

What to verifyTypical evidence
Device hard-binding ties the account to a unique device fingerprintDevice binding design, code review, test evidence
SMS-based number verification confirms the SIM belongs to the registering deviceSMS validation flow, logs of outbound verification SMS
Re-registration / device-change triggers fresh binding and appropriate cooling / limitsPolicy, flow evidence, transaction-limit configuration
Multiple-account and multiple-VPA controls per device are enforced per NPCI limitsConfiguration, monitoring reports
Dormant/de-registered device tokens are invalidatedSession/token lifecycle evidence, test logs

D5 — API and integration security

What to verifyTypical evidence
All PSP/NPCI API calls are mutually authenticated and message-signed as specifiedAPI spec conformance, signature verification logs
TLS 1.2+ (preferably 1.3) enforced on all external interfaces; weak ciphers disabledTLS scan report, server config
VPA creation, ReqPay, mandate (UPI Autopay) and collect APIs implement server-side validationAPI design docs, code review, PT of business logic
Idempotency, replay protection and request/response integrity are enforcedDesign evidence, PT replay-attack results
Rate limiting and abuse protection on public and partner endpointsWAF/gateway config, throttling evidence
Collect-request and mandate flows guard against social-engineering abuse (limits, consent screens)UX evidence, limit configuration, fraud controls

D6 — Cryptography and key management

What to verifyTypical evidence
Strong, current algorithms used; no deprecated ciphers or hashesCrypto standard, config, scan results
Keys generated, stored and used within an HSM or equivalent secure moduleHSM inventory, key-ceremony records
Documented key lifecycle: generation, rotation, revocation, destructionKey management policy, rotation logs
Certificate inventory maintained; expiry monitored and alertedCertificate register, monitoring/alerting evidence
Data at rest (PII, tokens) encrypted with managed keys and access controlsEncryption config, KMS access logs
Separation of duties and dual control for key operationsPAM logs, key-custodian records

D7 — Network, infrastructure and cloud security

What to verifyTypical evidence
Network segmentation isolates UPI/payment zones from corporate and internet zonesNetwork diagram, firewall rulebase, segmentation test
Servers, OS and containers are hardened to a defined baseline (CIS or equivalent)Hardening standard, configuration scan reports
WAF and DDoS protection deployed on internet-facing servicesWAF config, DDoS service evidence, test results
Cloud shared-responsibility model documented; cloud config hardened and monitoredCloud responsibility matrix, CSPM reports
Ingress/egress controls, bastion access and no direct DB exposureFirewall/security-group config, PT external scan
Data localisation: UPI/payment data stored and processed within IndiaData-residency attestation, infra region evidence, RBI localisation compliance

D8 — Identity and access management

What to verifyTypical evidence
Role-based access control with least privilege across systemsRBAC matrix, access-review reports
MFA enforced for all administrative and remote accessMFA configuration, login logs
Privileged access managed and session-recorded via PAMPAM policy, session recordings, vault evidence
Joiner-mover-leaver process revokes access promptlyJML records, deprovisioning tickets, periodic access recertification
No shared/generic accounts for production; individual accountability enforcedAccount inventory, audit of service accounts
Periodic user access reviews performed and signed offAccess review reports with approvals

D9 — Data protection and privacy

What to verifyTypical evidence
Data classification scheme covers UPI, PII and financial dataData classification policy, data inventory
Data minimisation: only necessary data collected and retainedData-flow maps, retention schedule
DPDP Act obligations addressed: consent, purpose limitation, grievance officerPrivacy notice, consent records, DPO/grievance officer appointment
Retention and secure deletion enforced per policy and regulationRetention policy, deletion logs
PII masking/tokenisation in logs, screens and non-production environmentsMasking config, test-data-management evidence
Cross-border transfer restrictions and payment-data localisation observedData-residency evidence, transfer assessment

D10 — Fraud risk management and transaction monitoring

What to verifyTypical evidence
Real-time transaction monitoring with velocity, amount and device rulesFraud engine config, rule catalogue, alert samples
Mule-account and suspicious-behaviour detection integrated with NPCI signalsDetection logic, integration with NPCI risk feeds
New-user and new-device transaction limits and cooling periods applied per NPCI normsLimit configuration matrix, test evidence
Collect-request abuse and fraudulent-QR controls in placeControl design, blocked-transaction reports
Registered Device Association / complaint-handling and dispute processes operate to timelinesRDA/complaint SOP, resolution metrics
Reporting of confirmed fraud to NPCI/RBI (e.g., CPFIR) within mandated timelinesFraud reporting records, submission acknowledgements

D11 — Logging, monitoring and SOC

What to verifyTypical evidence
Security-relevant events centrally logged to a SIEMSIEM architecture, log source inventory
Log retention meets regulatory minimums and logs are tamper-protectedRetention config, WORM/immutability evidence
24x7 SOC or equivalent monitoring with defined use cases and alertingSOC SOP, use-case catalogue, alert-to-ticket samples
Time synchronisation (NTP) across all systems for reliable forensicsNTP config, time-sync validation
Correlation covers app, API, infra, fraud and access eventsCorrelation rules, sample investigations
Periodic log review and alert-tuning performedReview records, tuning changelog

D12 — Vulnerability and patch management

What to verifyTypical evidence
Vulnerability assessment and penetration testing performed at least annually and after major changeVA/PT reports (app, API, infra), scope letters
Findings tracked to closure with risk-based SLAsRemediation tracker, retest evidence
Patch management policy with defined timelines by severityPatch policy, patch compliance reports
Secure dependency and SBOM management; known-CVE components remediatedSCA/SBOM reports, dependency update records
CI/CD pipeline security: secrets scanning, SAST/DAST gatesPipeline config, scan gate evidence
Source-code security review for UPI-critical modulesSAST reports, manual review records

D13 — Incident response and reporting

What to verifyTypical evidence
Documented incident-response plan covering payment/security incidentsIR plan, playbooks, RACI
Breach reporting to CERT-In within mandated hours and to NPCI/RBI/PSPReporting SOP, prior notification records, acknowledgements
Defined severity classification and escalation matrixSeverity matrix, escalation contacts
Post-incident reviews and root-cause analyses conductedPIR/RCA reports, corrective-action tracker
IR tabletop exercises or drills conducted periodicallyDrill reports, participant logs
Coordination with sponsor PSP on UPI-network incidentsCommunication records, joint-response evidence

D14 — Business continuity and resilience

What to verifyTypical evidence
BCP and DR plans exist with defined RTO/RPO for UPI servicesBCP/DR documents, RTO/RPO definitions
DR drills conducted at least annually with documented outcomesDR test reports, failover evidence
Capacity and performance managed to sustain UPI peak volumes and availability targetsCapacity plans, availability/SLA reports
Redundancy across availability zones / sites for critical componentsArchitecture diagram, resilience evidence
Dependency on sponsor PSP and NPCI switch availability accounted for in continuity plansBCP dependency mapping

D15 — Outsourcing and third-party risk

What to verifyTypical evidence
Due diligence performed on TSPs and material service providersVendor due-diligence records, risk assessments
Contracts include right-to-audit, confidentiality, data-protection and NPCI/RBI compliance flow-downContracts / addenda, clause references
Sub-processors identified and controlled; no unauthorised sub-outsourcingSub-processor register, approval evidence
Periodic assurance obtained from providers (SOC 2, audit reports)Vendor assurance reports, review records
Exit and data-return / destruction plans defined for critical providersExit plans, data-handling clauses

D16 — Change and configuration management

What to verifyTypical evidence
Formal change-management process with approvals and rollback for productionChange policy, sample change tickets
Segregation of development, test and production environmentsEnvironment inventory, access separation evidence
Security review / approval gate for UPI-impacting changesChange-advisory records, security sign-offs
Configuration baselines maintained and drift detectedBaseline docs, drift/CSPM reports
Release and versioning of the app coordinated with PSP/NPCI compatibilityRelease notes, SDK compatibility confirmations

D17 — Customer protection and grievance redressal

What to verifyTypical evidence
Accessible grievance mechanism with published turnaround timesGrievance SOP, published TAT, contact channels
Integration with UPI dispute redressal / ODR and NPCI complaint systemsDispute-handling evidence, ODR integration
Transparent transaction status, receipts and failure/refund handlingUX evidence, refund/auto-reversal reports
Nodal / grievance officer appointed and details published per RBI normsAppointment records, website disclosure
Complaint metrics and turnaround times tracked and reviewedComplaint MIS, TAT compliance reports

Scoping the assessment

Scoping is decisive for a defensible TPAP audit. Because UPI is a shared-responsibility ecosystem, the assessor must first draw the boundary between what the TPAP builds and operates and what the sponsor PSP provides. Everything that touches UPI credentials, transaction initiation, VPA/mandate management, device binding, or the data flows to and from the PSP switch is in scope. Corporate systems are in scope where they can affect the payment environment (for example, shared identity providers, CI/CD pipelines that deploy the app, and SOC/SIEM tooling).

  • In scope: the consumer/merchant mobile app and its release pipeline; backend services handling UPI flows, VPA and mandates; the CL/UPI SDK integration; APIs to the PSP and NPCI; hosting infrastructure (on-prem or cloud) for UPI workloads; supporting security tooling (SIEM, WAF, HSM/KMS, PAM); and third parties operating any of the above.
  • Conditionally in scope: analytics, notification, KYC and support systems, to the extent they process UPI-related PII or can influence the payment environment.
  • Out of scope (but responsibility-mapped): the PSP switch, the NPCI central infrastructure, and the account-holding banks' core systems — these belong to the PSP/bank/NPCI and must be evidenced in the responsibility matrix rather than tested by the TPAP audit.
  • Scope must be re-evaluated at every material change: new payment features (e.g., UPI Autopay, UPI Lite, credit-on-UPI), new hosting regions, new TSPs, or a change of sponsor PSP.

Implementation approach

A TPAP that is preparing for its first audit — or remediating findings from a prior one — benefits from a phased programme. The four phases below move from discovery to sustained assurance.

Phase 1 — Discovery and gap assessment

  • Activities: confirm sponsor PSP relationship and shared-responsibility matrix; inventory all UPI-facing components, data flows and third parties; map current controls to the 17 domains; run an initial gap assessment and lightweight app/API scan.
  • Deliverables: scope statement and asset/data-flow inventory; PSP-TPAP responsibility matrix; gap-assessment report with prioritised findings; risk register seeded.

Phase 2 — Remediation and control build-out

  • Activities: implement missing controls (root detection, cert pinning, PIN-via-CL confirmation, device binding, HSM/KMS, SIEM onboarding, RBAC/PAM, fraud rules); harden infrastructure to baseline; formalise policies (IR, BCP, change, outsourcing, privacy).
  • Deliverables: remediation tracker updated to closure; control implementation evidence pack; approved policy set; hardening and configuration baselines.

Phase 3 — Independent audit and testing

  • Activities: engage a CERT-In empanelled auditor; perform VA/PT of app, API and infrastructure; execute the master checklist domain-by-domain; validate credential-handling and device-binding through dynamic testing; collect and review evidence.
  • Deliverables: VA/PT reports; security audit report with findings and ratings; compliance certificate draft; management responses to findings.

Phase 4 — Certification, submission and continuous assurance

  • Activities: close residual findings and obtain retest sign-off; finalise the audit report and certificate; submit to the sponsor PSP for onward assurance to NPCI; establish continuous monitoring and the annual/change-triggered re-audit cadence.
  • Deliverables: signed audit report and compliance certificate; PSP submission acknowledgement; continuous-assurance calendar and metrics dashboard.

Maturity and scoring model

NPCI's audit outcome is fundamentally pass/remediate against mandatory requirements, but a maturity model helps a TPAP track its trajectory and prioritise investment beyond the minimum bar. CyberSigma applies the five-level capability model below to each of the 17 domains.

LevelNameDescriptionTypical audit outcome
1Initial / ad hocControls absent or informal; reliance on the PSP without documentationNot compliant; go-live blocked
2DevelopingSome controls implemented but inconsistent; key gaps in credential, device or logging domainsMajor findings; remediation required before certification
3DefinedDocumented, mandated controls implemented across all domains; VA/PT performedCompliant with minor findings; certifiable
4ManagedControls measured and monitored; fraud analytics and SOC use-cases tuned; metrics reviewedStrong compliance; low residual risk
5OptimisingContinuous improvement, threat-led testing, automation of assurance and rapid responseBest-in-class; exemplary posture

Assessment and audit approach

The independent assessment follows a repeatable sequence so that findings are defensible and reproducible.

  1. Engagement and scoping: agree the boundary, obtain the PSP-TPAP responsibility matrix, and issue the scope and evidence request.
  2. Documentation review: assess policies, architecture, data-flow diagrams, prior audit reports and the risk register against the 17 domains.
  3. Control walkthroughs: interview owners for each domain and trace how mandated controls are designed and operated.
  4. Technical testing: perform VA/PT on the app, APIs and infrastructure, including MITM/pinning, root/tamper, PIN-handling, replay and business-logic tests.
  5. Configuration and log validation: sample-check hardening baselines, IAM, crypto/key management, SIEM coverage and retention.
  6. Evidence sampling: collect and validate artefacts for each checklist row, testing operating effectiveness over a period, not just design.
  7. Findings and rating: classify findings by severity, map to the responsible party (TPAP or PSP), and record management responses.
  8. Remediation and retest: verify closure of high-severity findings and obtain retest evidence.
  9. Reporting: issue the security audit report and compliance certificate with an executive summary and remediation tracker.
  10. Submission and follow-up: support submission to the sponsor PSP/NPCI and set the re-audit cadence and continuous-monitoring plan.

Evidence request list

The following categorised list is the evidence a TPAP should assemble before the audit begins; having it ready materially shortens fieldwork.

  • Governance: board-approved security policy, PSP-TPAP responsibility matrix, sponsor agreement, NPCI onboarding confirmation, org chart, CISO appointment, risk register, compliance calendar.
  • Application: SDLC and threat-modelling records, app hardening/RASP config, obfuscation and pinning configuration, CL/UPI SDK version manifest, prior app VA/PT reports.
  • Credential and device: PIN-handling data-flow and design, device-binding design, SMS-validation logs, registration/set-PIN flow walkthroughs.
  • APIs and crypto: API specification conformance, TLS scan reports, message-signing evidence, crypto standard, HSM/KMS inventory, key-management and rotation logs, certificate register.
  • Infrastructure and cloud: network diagrams, firewall rulebase, hardening baselines and scan reports, WAF/DDoS config, cloud responsibility matrix and CSPM reports, data-residency evidence.
  • IAM: RBAC matrix, MFA config, PAM policy and session logs, JML records, access-review sign-offs.
  • Data and privacy: data classification and inventory, retention schedule, DPDP consent and grievance-officer records, masking/tokenisation evidence.
  • Fraud and monitoring: fraud-rule catalogue, alert samples, mule/limit configuration, CPFIR/fraud-reporting records, SIEM architecture and log-source inventory, SOC use-cases.
  • Resilience: BCP/DR plans, DR-drill reports, capacity and availability/SLA reports.
  • Third party: vendor due-diligence records, contracts with right-to-audit clauses, sub-processor register, vendor assurance reports (SOC 2 etc.).
  • Change and incident: change policy and sample tickets, environment inventory, IR plan and playbooks, prior incident/breach notifications and acknowledgements, PIR/RCA reports.
  • Customer protection: grievance SOP and published TAT, dispute/ODR handling evidence, complaint MIS, nodal/grievance-officer disclosures.

Roles and responsibilities

RoleResponsibility in the TPAP audit
Board / risk committeeApprove security policy and risk appetite; oversee UPI compliance and audit outcomes
CISO / security headOwn the control environment, remediation and audit engagement; primary auditor contact
TPAP compliance officerManage NPCI/RBI obligations, filings and PSP submissions; maintain compliance calendar
Engineering / app ownersImplement secure app, credential, device-binding and API controls; provide technical evidence
Infrastructure / cloud teamMaintain hardening, segmentation, crypto/KMS, backups and localisation
SOC / monitoring teamOperate SIEM, detection use-cases, alerting and incident triage
Fraud risk teamOperate transaction monitoring, limits and fraud reporting to NPCI/RBI
Sponsor PSP bankProvide CL/SDK, own switch-side controls, certify the TPAP onward to NPCI
Independent auditor (CERT-In empanelled)Conduct VA/PT and control assessment; issue report and certificate
Third-party / TSP providersProvide assurance, honour right-to-audit and flow-down compliance obligations

KPIs to track

  • Percentage of mandatory controls implemented across the 17 domains (target 100% before certification).
  • Number and ageing of open audit/VA/PT findings by severity, and mean time to remediate.
  • VA/PT cadence adherence: annual and post-major-change tests completed on schedule.
  • Patch compliance rate and mean time to patch critical vulnerabilities.
  • Fraud detection rate, false-positive rate, and fraud-reporting timeliness to NPCI/RBI.
  • UPI service availability / uptime against target and successful DR-drill completion.
  • Percentage of privileged access under PAM and access-review completion rate.
  • SIEM log-source coverage and mean time to detect / respond to security alerts.
  • Grievance turnaround-time compliance and dispute-resolution rate.
  • Third-party assurance coverage: percentage of material providers with current assurance reports.

Readiness checklist

  • Sponsor PSP relationship confirmed and PSP-TPAP responsibility matrix documented
  • Board-approved UPI/information-security policy in place and current
  • Complete scope statement, asset inventory and data-flow diagrams prepared
  • UPI PIN captured only via the PSP Common Library; app never sees or stores the PIN
  • Root/jailbreak detection, anti-tamper, obfuscation and certificate pinning implemented
  • Device hard-binding and SMS validation operational with new-user limits
  • TLS 1.2+, message signing, replay protection and rate limiting on all APIs
  • HSM/KMS-backed key management with documented lifecycle and certificate monitoring
  • Network segmentation, hardening baselines, WAF/DDoS and cloud posture management in place
  • RBAC, MFA for admins, PAM and periodic access reviews operating
  • Data localisation, DPDP consent/grievance and masking controls implemented
  • Real-time fraud monitoring, velocity limits and NPCI/RBI fraud reporting configured
  • Centralised SIEM, 24x7 monitoring, log retention and NTP sync established
  • Annual VA/PT completed with findings tracked to closure and retested
  • IR plan, CERT-In/NPCI/RBI reporting SOP and tabletop drills in place
  • BCP/DR with tested RTO/RPO and DR-drill evidence
  • Outsourcing due diligence, right-to-audit clauses and sub-processor register complete
  • Grievance mechanism, published TAT and ODR/dispute integration live
  • Independent CERT-In empanelled auditor engaged and evidence pack assembled

Common gaps

  • Treating the PSP as owning all security and failing to document or evidence the TPAP's own share of responsibilities.
  • Custom PIN-entry fields or logging that inadvertently touch UPI credentials instead of relying solely on the Common Library.
  • Missing or bypassable root/jailbreak detection, anti-tamper and certificate pinning, exposed by MITM tests.
  • Weak or absent device hard-binding and SMS validation, enabling account takeover across devices.
  • Collect-request and QR-code flows without adequate anti-social-engineering controls and consent screens.
  • Inadequate transaction-monitoring rules and slow or missing fraud reporting to NPCI/RBI (e.g., CPFIR).
  • Sensitive data stored outside India or logs/non-production environments containing unmasked PII, breaching localisation and DPDP norms.
  • Key material handled outside an HSM/KMS, with no documented rotation or certificate-expiry monitoring.
  • VA/PT performed but findings left open, or testing not repeated after major releases and feature launches.
  • Third-party/TSP arrangements without right-to-audit clauses, sub-processor visibility or current assurance reports.
  • Incident-response and BCP/DR plans that exist on paper but are never drilled, so reporting timelines are missed under pressure.
  • Running deprecated CL/UPI SDK versions or app builds no longer compatible with NPCI requirements.

NPCI TPAP Audit mapped to other frameworks

TPAPs rarely operate under NPCI requirements alone. Mapping the TPAP control domains to adjacent frameworks lets an organisation reuse evidence and run a single integrated assurance programme.

TPAP domainRBI Digital Payment Security ControlsPCI DSS v4.0ISO/IEC 27001:2022DPDP Act 2023
Governance & risk (D1)Governance & IT risk managementReq 12 — Policy & programmeClause 5-6; A.5 org controlsSec. 8 obligations of data fiduciary
Application security (D2)Application security lifecycleReq 6 — Secure developmentA.8.25-8.28 secure developmentN/A
Credential & PIN handling (D3)Authentication controlsReq 3 — Protect stored dataA.5.16-5.18 identity/authN/A
API & integration (D5)Secure APIs & connectivityReq 4 — Encrypt transmissionA.8.20-8.24 network/cryptoN/A
Cryptography & keys (D6)Cryptographic controlsReq 3/4 — Crypto & key mgmtA.8.24 use of cryptographySec. 8 security safeguards
Network & cloud (D7)Infrastructure & network securityReq 1 — Network security controlsA.8.20-8.23N/A
IAM (D8)Access managementReq 7-8 — Access & authA.5.15-5.18; A.8.2-8.5N/A
Data protection & privacy (D9)Data security & localisationReq 3 — Data protectionA.5.34 privacy; A.8.10-8.12Consent, purpose, rights
Fraud & monitoring (D10)Fraud risk managementReq 10 — Logging & monitoringA.5.7 threat intel; A.8.16N/A
Logging & SOC (D11)Monitoring & incident detectionReq 10 — Log & monitorA.8.15-8.16N/A
Vulnerability mgmt (D12)Vulnerability & patch managementReq 6/11 — Vuln & testingA.8.8 technical vulnsN/A
Incident response (D13)Incident reporting to RBI/CERT-InReq 12.10 — Incident responseA.5.24-5.28 incident mgmtSec. 8(6) breach notification
Resilience / BCP (D14)Business continuityReq 12 — supporting resilienceA.5.29-5.30 continuityN/A
Outsourcing / TPRM (D15)Outsourcing risk managementReq 12.8 — third-party mgmtA.5.19-5.23 supplierSec. 8 processor obligations
Customer protection (D17)Customer awareness & protectionN/AA.5.34Data-principal rights & grievance

How CyberSigma helps

Partner with CyberSigma for your NPCI TPAP audit
CyberSigma brings CERT-In empanelled auditors, PCI QSA expertise and deep UPI-ecosystem experience to every stage of the TPAP journey — from first-time onboarding to annual re-certification. We run the gap assessment against all 17 control domains, help you build the PSP-TPAP responsibility matrix, execute app/API/infrastructure VA/PT (including credential-handling, device-binding and MITM testing), and remediate findings with your engineering teams. We then conduct the independent security audit, issue the report and compliance certificate, and support submission to your sponsor PSP and NPCI. Because our methodology maps TPAP controls to RBI DPSC, PCI DSS, ISO 27001 and the DPDP Act, you get a single integrated assurance programme rather than repeated, siloed audits. Talk to CyberSigma to make your next UPI/TPAP audit faster, defensible and audit-ready.
Free 1-minute check
PCI DSS Scope Checker
See if you’re in scope and your likely SAQ type or level — free, in under a minute.
Try it free →

Frequently asked questions

Who must perform the UPI TPAP audit?
NPCI requires the security audit to be performed by a CERT-In empanelled auditor. CyberSigma is CERT-In empanelled.
Do PSP banks also need auditing?
Yes — the sponsor PSP bank’s UPI systems and the TPAP both fall within NPCI’s security-assurance expectations.

Need help with NPCI TPAP Audit?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.