NPCI continues to invest in the people, processes and technology required to safeguard its IT infrastructure, the information generated by it and the digital identities that access such information, deploying state-of-the-art technologies to protect and monitor them. Maintaining the privacy of details is of utmost priority at NPCI, and we assure all our customers that data processed at our end is completely secured and not accessible by anyone unauthorized.
With the vision of serving every Indian with one or another digital payment solution, NPCI passionately drives close to 2.5 Billion transactions on a monthly basis using its indigenously developed platforms like RuPay, UPI, IMPS, AePS, NETC, Bharat Bill Pay etc. These systems are built indigenously with high resiliency & protection to cater to our vision of being the “Best Payments Network globally”.
Strong Corporate Governance at NPCI
NPCI faces many inspections as per regulatory and Government compliance requirements. Audits & inspections of various kinds are conducted periodically to enhance and strengthen Corporate Governance.
Some of the practices at NPCI include:
a) Secure software coding practices, including code review & application security assessments
b) Regular internal audits across Information Communication Technology (ICT) infrastructure
c) Continuous Vulnerability Assessment and Penetration Testing followed by periodic patching
d) External audits of critical applications
e) Regulatory inspections or audits from both the regulator and Government nodal agencies on a periodic basis
f) Third-party audits such as compliance with PCI DSS, carried out by QSAs (Qualified Security Assessors) qualified by the PCI Council to validate adherence to PCI DSS standards, and compliance with ISO 27001, carried out by qualified ISO Lead Audit firms
g) Surprise cyber security drills by third-party experts
NPCI ensures all findings are elaborately reviewed and remediated to the satisfaction of the auditors. Appropriate compensatory controls are deployed wherever necessary.
Lt. General Rajesh Pant, NCSC, “We conduct Special Cyber Audits as part of the nation’s effort to protect and safeguard all critical enterprises such as NPCI, UIDAI, NIC etc., thereby helping to ensure the overall National Security. NPCI has provided higher levels of access to NCSC that are not normally made available to any stakeholders during regular course of business, as an effort to strengthen its cyber defense. I wish to compliment the top leadership of NPCI and their CISO for inculcating a culture of strong Cyber Security Governance with a robust infrastructure which meets global security standards.”
Strong Cyber Security Practice & Data Security
NPCI strongly believes that Cyber Security is of utmost importance and aims to safeguard its assets and network against all kinds of prevalent cyber-attacks. Over the past years NPCI has deployed various technologies to upgrade its security posture leveraging a multi-layered defence approach to combat evolving cyber threats.
NPCI has adopted its security framework in line with the NIST Framework to include the Protect, Detect, Respond, Predict and Recover methodology. NPCI has embraced implementation of these policies, processes and guidelines to manage risks to its information assets, thus ensuring acceptable levels of risk.
Some of the state-of-the-art technologies deployed at NPCI to thwart cyber-attacks include:
· Perimeter security controls including firewall, web application firewall, micro-segmentation of network, routing controls, secured switch configurations, proxy server, Anti-Distributed Denial of Service solution, Anti-Advanced Persistent Threat etc.
· Information protection including Data Leakage Protection, Digital Rights Management, tokenization & encryption of sensitive data elements and active monitoring of both structured and unstructured data
· Safe & secure connections to ecosystem players, including communication channel encryption
· Various detective controls, including deceptive technologies (decoys), used as early indicators to identify cyber-attacks
· A dedicated team of highly trained professionals, who have participated in various globally recognized & acclaimed cyber defense programs, manages the Security Operation Centre 24x7x365
· Privileged identity & access management solutions, which further segregate logical access and restrict users' access to critical systems, supported by multi-factor authentication
NPCI also periodically engages in safer RED TEAM and BREACH readiness assessments. With the sophisticated security threats that our environment faces in current times, NPCI’s objective is to continuously fortify our security layers. In addition to the steps we take, we welcome and invite experts, including relevant authorities, for regular reviews and audits to keep our controls sharp and best in class.
NPCI handles all sensitive information like card data in line with PCI DSS requirements. PCI DSS norms also allow clear card information under certain circumstances for permitted functions, with appropriate controls. We have been subject to regular PCI DSS audits through external QSAs, qualified by the PCI Council. NPCI is fully compliant with these standards. NPCI has proactively adopted global best practices in handling personally identifiable information (PII) and is one of the early practitioners in
At NPCI, we are working together with all stakeholders to ensure safe, secure and convenient payment solutions for consumers. Our products are undergoing progressive developments on a continuous basis to ensure the consumer gets the best of payments experience.”
In response to some of the recent media reports, we reiterate that NPCI maintains high levels of security standards and an integrated approach to protect its infrastructure, strong governance through proactive independent audits, and continues to provide a robust payments ecosystem.