CERT-In Empanelled — Since 2008 — one of the earliest cybersecurity firms in India

NPCI and UPI Security and Compliance Audit

End-to-end compliance audit for PSPs, TPAPs, sponsor banks, BBPS/BBPOU, and RuPay participants. CERT-In empanelled auditors delivering regulator-ready reports with no open findings before your December 31 deadline.

6,700+ Assessments · 700+ Clients · 150+ Specialists · 20 yrs in Cybersecurity

Trusted by India's leading enterprises

ICICI Bank, HDFC, NPCI, PhonePe, Swiggy, Asian Paints, Mahindra, L&T, Aditya Birla, Pernod Ricard, Yes Bank, Tata Play, Voltas, DHL Express, Etihad Airways, Amazon Pay, Sephora, Groww, Go Digit, Pharmeasy, BillDesk, Jubilant Foods, UltraTech, Titan, Infosys, Capgemini
STEP 01: Assess

We map your UPI infrastructure, payment data flows, and integrations against NPCI requirements. Role-specific scope is defined based on whether you are a PSP, TPAP, sponsor bank, BBPOU, or RuPay participant. Every application, API, backend system, and data storage location is catalogued.

STEP 02: Remediate

Findings are risk-ranked with practical remediation guidance tailored to your engineering and operations teams. Our consultants work directly with your CTO, DevOps, and security teams to close gaps. Lemon tracks every finding from identification through evidence-backed closure.

STEP 03: Certify

Once all findings are closed, we issue the final compliance report with no open findings, ready for submission to NPCI. The report includes executive summaries for your CISO and compliance leadership, technical annexures, and the closure validation pack that NPCI expects.

What is an NPCI/UPI Security and Compliance Audit?

An NPCI/UPI Security and Compliance Audit is a mandatory annual assessment of payment infrastructure, applications, APIs, and data handling practices for entities participating in the NPCI ecosystem including UPI, BBPS, and RuPay.

Who Needs an NPCI/UPI Security Audit?

The audit applies to every entity in the NPCI payment ecosystem, with role-specific scope requirements.

PSP Banks (Payment Service Providers)

Bank-side UPI infrastructure, NPCI connectivity, UPI switch integration, transaction processing, fraud monitoring, uptime, reconciliation, dispute handling, and TPAP oversight.

TPAPs (Third-Party Application Providers)

Mobile app, backend, APIs, SDK integration, device binding, VPA/account linking, customer data handling, authentication, encryption, and India-only data storage.

Sponsor Banks

Governance over TPAP or fintech partners, contract controls, compliance oversight, data flows, audit rights, operational resilience, and incident escalation.

BBPS / BBPOU Participants

Biller and agent onboarding, BBPCU/BBPOU integration, payment and settlement flows, refunds and disputes, biller APIs, reconciliation, and customer complaint handling.

RuPay Participants

Card issuance and acquiring flows, cardholder data environment, POS/e-commerce/ATM transaction flows, EMV and contactless security, fraud monitoring, and chargeback/dispute handling.

UPI Feature-Specific Entities

Entities offering UPI 2.0 signed intent, UPI AutoPay/e-mandate, Credit on UPI, International UPI, or merchant QR flows require feature-specific add-on scope beyond the core audit.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery

01. Scoping and Role Mapping

Define your NPCI ecosystem role (PSP, TPAP, sponsor bank, BBPOU, RuPay). Map applicable UPI features (AutoPay, Credit on UPI, International UPI, merchant QR). Identify all in-scope applications, APIs, infrastructure, databases, cloud regions, and third-party integrations.

02. Architecture and Data Flow Review

Review application architecture, UPI integration design, PSP-bank connectivity, device binding mechanisms, and VPA/account linking flows. Map complete UPI transaction data flows from frontend through backend, APIs, databases, logs, backups, and third-party processors. Validate India-only data storage at every layer.

Testing

03. Security Testing and Technical Validation

Application and API security testing using B-52. Mobile app testing for UPI apps including SDK integration, device binding, session controls, and authentication. Backend and infrastructure assessment. Network segmentation verification. Encryption validation in transit and at rest. Cloud configuration review for data localization evidence.

04. NPCI Control Mapping and Gap Assessment

Map every finding and observation against the NPCI/UPI checklist and role-specific requirements. Produce a gap assessment with risk-ranked findings, evidence gaps, and recommended remediation. Cover fraud monitoring, reconciliation, dispute handling, incident response, and SDLC controls.

Delivery

05. Remediation Support and Closure Validation

Work directly with your CTO, DevOps, security engineering, and compliance teams to close findings. Lemon tracks every finding with owner, severity, target closure date, and validation evidence. Revalidation testing confirms each fix is effective. No finding is marked closed without evidence.

06. Final Compliance Report Submission

Issue the final NPCI/UPI Security Audit Report with no open findings. Includes role-specific checklist mapping, technical annexures, data localization evidence, executive summary for CISO and compliance leadership, and the closure validation pack. Report is structured for direct submission to NPCI.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

[Lemon project dashboard mock-up, lemon.securitybrigade.com/project/PRJ-2847: Coverage Validation for acmecorp.com, 94% covered. Endpoints 247 / 263; Parameters 1,847; Auth Flows 12 / 12; JS Routes 38 / 41. AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck. Review layers: L1 Complete, L2 In Review, L3 Pending.]

Lemon: Audit Lifecycle Management

Centralized evidence management, finding lifecycle tracking, remediation workflows with owners and deadlines, daily progress monitoring, and complete traceability for every audit artifact.

B-52: UPI App and API Testing

AI-powered testing of UPI mobile apps, payment APIs, backend services, and business logic flows. Validates authentication, device binding, VPA linking, transaction integrity, and encryption with working proof of concepts.

No-Open-Findings Closure Tracking

Every finding is tracked from identification through remediation, revalidation, and evidence-backed closure. The final compliance report is generated only when Lemon confirms zero open findings.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

Universal Core Controls: UPI app security, backend/API testing, d
PSP-Specific Controls: UPI switch integration, NPCI connectivit
TPAP-Specific Controls: Mobile app security, SDK integration, cu
Sponsor Bank Controls: Governance over TPAP/fintech partners, c
BBPS/BBPOU Controls: Biller and agent onboarding, BBPCU integ
RuPay Controls: Card issuance/acquiring flows, cardholde
UPI 2.0 / Signed Intent / Collect Flows: Intent validation, transaction context,
UPI AutoPay / e-Mandate: Mandate creation, modification, revocati
Credit on UPI / RuPay Credit on UPI: Credit instrument mapping, MCC controls,
International UPI Flows: Cross-border processing, foreign/domesti
Merchant UPI / QR Flows: Static/dynamic QR tampering, merchant on
Data Localization Validation: India-only storage verification for prod

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

NPCI/UPI Security Audit Report

The primary regulator-submission document covering scope, systems reviewed, audit period, methodology, observations, compliance status, and conclusion.

Role-Specific Checklist Mapping

Every NPCI requirement mapped to evidence, compliance status, and auditor observations for your specific role (PSP, TPAP, sponsor bank, BBPOU, or RuPay participant).

Application and API Security Testing Report

Detailed findings from B-52-assisted testing of UPI mobile apps, payment APIs, backend services, and business logic flows with working proof of concepts.

UPI Transaction and Data Flow Diagrams

Visual documentation of payment data flows across applications, APIs, databases, logs, backups, cloud regions, and third-party integrations with data localization evidence.

Data Localization Evidence Review

Verification that all UPI payment data is stored only in India, covering production data, replicas, logs, backups, DR sites, analytics stores, and third-party processors.

Gap Assessment and Remediation Tracker

Risk-ranked findings with owner, severity, target closure date, remediation guidance, closure status, and validation evidence tracked in Lemon.

Final Closure and Compliance Report

The no-open-findings version of the audit report, issued after all remediation is validated, ready for December 31 submission to NPCI.

Executive Summary

Board and leadership-ready summary for CISO, compliance head, CTO, product, and payment operations covering compliance status, key risks, and strategic recommendations.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

See the full ShadowMap platform. 30-day POC available · Platform Only · Service Only · Hybrid

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is the deadline for submitting the NPCI/UPI compliance report?

NPCI expects annual compliance reports by December 31 each year. Entities must close all open findings and submit a final compliance report with no open findings. Planning your audit engagement at least 10-12 weeks before the deadline ensures adequate time for testing, remediation, revalidation, and final report issuance.

Is the NPCI/UPI audit the same for PSPs and TPAPs?

No, the audit scope differs significantly by role. PSP audits focus on bank-side UPI infrastructure, NPCI connectivity, switch integration, and TPAP oversight. TPAP audits focus on mobile app security, SDK integration, device binding, customer data handling, and India-only data storage. Security Brigade maps the correct variant based on your ecosystem role.

Does NPCI require a CERT-In empanelled auditor for UPI audits?

While NPCI does not explicitly mandate CERT-In empanelment for all UPI audits, RBI-regulated entities (banks, NBFCs, payment aggregators) are required to use CERT-In empanelled auditors for their security and system audits. Using a CERT-In empanelled auditor like Security Brigade ensures the audit report carries regulatory credibility across both NPCI and RBI requirements.

What does India-only data storage mean for UPI TPAPs?

TPAPs must store UPI payment data only in India. RBI further clarifies that payment data includes customer data, payment-sensitive data, payment credentials, and transaction data. Any data processed abroad for transaction purposes must be deleted from foreign systems and retained only in India. Security Brigade validates data localization across production databases, replicas, logs, backups, DR sites, analytics stores, and third-party processors.

What happens if our NPCI audit report has open findings?

NPCI's 2025 framework guidance requires entities to close open findings before submitting the compliance report. Reports with open findings may block new onboarding, delay feature launches, or trigger escalation. Security Brigade includes remediation support and closure validation as part of every engagement to ensure the final report submitted to NPCI contains no open findings.

How long does an NPCI/UPI compliance audit take?

A typical engagement takes 8 to 12 weeks from scoping through final report issuance, depending on the number of applications, APIs, and integrations in scope and the time required for remediation. Security Brigade recommends starting the engagement by September to comfortably meet the December 31 deadline. Complex PSP or multi-TPAP environments may require earlier planning.

Does the NPCI audit cover UPI AutoPay, Credit on UPI, and International UPI?

Yes, but these are feature-specific add-ons beyond the universal core audit scope. UPI AutoPay adds mandate lifecycle controls. Credit on UPI adds credit instrument mapping and chargeback flows. International UPI adds cross-border processing and data localization for foreign components. Security Brigade scopes these add-ons based on which UPI features your entity actually supports.

Is the BBPS/BBPOU audit different from the UPI audit?

Yes. BBPS/BBPOU audits focus on bill payment ecosystem controls including biller and agent onboarding, BBPCU/BBPOU integration, ON-US/OFF-US transaction flows, settlement, refunds, disputes, and compliance with BBPS procedural and technical standards. While both fall under the NPCI ecosystem, the audit scope, checklist, and control requirements are distinct. Security Brigade delivers both as part of a unified NPCI compliance engagement.

What is the relationship between the NPCI audit and the RBI SAR?

The RBI System Audit Report (SAR) is a separate regulator-mandated audit covering broader system and security controls for RBI-regulated entities. For entities that participate in both the NPCI ecosystem and hold RBI licenses (such as PSP banks or payment aggregators), both audits may be required. Security Brigade coordinates both engagements to avoid scope duplication, leverage shared evidence, and reduce audit fatigue for your teams.

Can Security Brigade handle audits for entities supporting multiple NPCI products (UPI plus BBPS plus RuPay)?

Yes. Security Brigade maps audit scope across all NPCI products your entity participates in, combining the universal core with role-specific and product-specific requirements. A single coordinated engagement covers UPI, BBPS, and RuPay audit requirements, producing a unified compliance report. This reduces effort, cost, and timeline compared to running separate audits for each product.

Start Your NPCI/UPI Compliance Audit Today

The December 31 deadline waits for no one. CERT-In empanelled auditors, platform-backed execution, and a no-open-findings commitment.

Typically responds within 1 business day · No commitment required

Request a Scoping Call