A CERT-In Empanelled Auditing Organization
CERT-In Auditor Services

NPCI Compliance

Security audits and assessments for entities operating on NPCI payment platforms and rails.

Overview

Secure your place on India’s payment rails.

Entities participating in NPCI-operated payment systems must meet the associated security and compliance expectations to protect the wider ecosystem.

We assess your systems against the relevant NPCI and allied requirements, validate them through testing, and document compliance for your sponsor bank or NPCI as needed.

What’s covered

The scope of this engagement.

Platform security

Controls for NPCI-connected systems.

VAPT

Technical validation of in-scope systems.

Data protection

Handling of payment and customer data.

Operational controls

Process and monitoring requirements.

Compliance evidence

For sponsor banks / NPCI.

Who needs this

Is this engagement for you?

The profiles that typically call on this service.

  • UPI / IMPS participants: NPCI ecosystem security.
  • PSPs & TPAPs: Payment app providers.
  • Sponsor-bank partners: Onboarding requirements.
  • Merchant aggregators: Payment flows.
  • Fintechs on NPCI rails: Platform compliance.
  • Any NPCI-connected entity: A security-audit obligation.

Regulatory drivers

Why this is required

Participants in NPCI-operated payment systems must comply with NPCI's circulars and security requirements for the platforms they use; compliance is a condition of continued participation.

NPCI circulars & procedural guidelines

Set security, operational and audit requirements for UPI, IMPS, RuPay and other platforms.

PCI DSS

Applies where cardholder data is processed within the payment flow.

RBI oversight

NPCI requirements sit within the RBI's broader supervision of payment systems.

How we work

A proven, methodical approach.

A staged approach built to deliver a defensible outcome.

Scoping & platform mapping

Identifying the NPCI platforms in use (UPI, IMPS and others).

Requirement mapping

Mapping the applicable NPCI circulars and security requirements.

Control & security assessment

Assessing controls against the NPCI mandates.

VAPT & technical validation

Running the required vulnerability and penetration testing.

Gap & remediation

Identifying gaps and supporting remediation.

Compliance report

A report evidencing your NPCI compliance posture.

What you receive

Documentation built for every audience.

  • NPCI compliance report: Findings against the applicable NPCI mandates.
  • Circular-to-control mapping: Requirements mapped to your controls.
  • VAPT findings & evidence pack: Technical testing results with evidence.
  • Remediation tracker: Gaps tracked to closure.
  • Compliance attestation: Evidence of your NPCI compliance posture.

Standards & frameworks

The work is mapped to the standards and rules that apply to you.

  • NPCI requirements
  • RBI
  • PCI DSS
  • CERT-In

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

  • NPCI platform(s) in scope
  • Sponsor-bank requirements gathered
  • System / data inventory
  • Security controls evidence
  • VAPT scope defined
  • Data-protection measures
  • Incident-response readiness
  • Reporting recipient identified

FAQ

Common questions

Which NPCI platforms do you cover?

We cover the NPCI platforms relevant to your role in the ecosystem — such as UPI, IMPS, NACH, RuPay and the bill-payment and account-aggregator systems — and the specific circulars and security requirements that apply to each. We confirm the exact platforms in scope during scoping so the assessment maps precisely to your participation.

Does PCI DSS apply too?

Often, yes. Where your flows involve payment-card data, PCI DSS can come into scope alongside NPCI’s own requirements, and the two need to be satisfied together. We assess both in a single engagement so you aren’t left with gaps between the card-security and NPCI obligations.

Who receives the report?

The report typically goes to your sponsor bank or to NPCI, depending on your role and the platform involved. We produce documentation in the format and level of detail that audience expects, so it can be submitted without rework.

Ready to get started?

Tell us your goals and constraints, and we’ll shape the right engagement.