CERT-In Empanelled Since 2008 — One of India's earliest empanelled cybersecurity auditors with 18+ years of continuous empanelment

SBI VSCC Audit: Get Your Vendor Site Compliance Certificate for SBI Payment Gateway Integration

Security Brigade is a CERT-In empanelled auditor authorized to issue the SBI Vendor Site Compliance Certificate (VSCC). We assess your application, network, and payment integration controls and deliver the signed Form C certificate required for SBI ePay and payment gateway merchant onboarding.

VSCC Vendor Audit
SBI-Aligned Methodology
6,700+ Assessments
CERT-In Empanelled Since 2008

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Assess

We perform the full SBI VSCC technical assessment covering your website, payment integration, network security, encryption controls, and compliance posture against the SBI VSCC checklist.

STEP 02

Remediate

Any gaps identified during the assessment are documented with clear remediation guidance. Our team supports your developers in closing findings quickly using our Lemon platform for real-time tracking.

STEP 03

Certify

Once all findings are closed and validated, we issue the signed and sealed VSCC certificate (Form C) ready for submission to SBI as part of your merchant onboarding package.

What Is the SBI VSCC (Vendor Site Compliance Certificate)?

The SBI VSCC is a procurement and merchant-onboarding security certificate required by State Bank of India before a vendor or merchant can integrate with SBI ePay or the SBI payment gateway. The certificate must be issued by a CERT-In empanelled auditor after a technical assessment of the merchant's website, application security, network infrastructure, and data handling controls.

Who Needs an SBI VSCC Certificate?

Any vendor, merchant, or service provider seeking to integrate with SBI's payment ecosystem must obtain a VSCC before onboarding.

SSL Certificate and Encryption Controls

Valid SSL/TLS implementation, encryption standards for data in transit and at rest, and certificate chain validation.

Web Application Security Testing (WAPT)

Security assessment of the merchant website and payment-facing application for OWASP Top 10 and business logic vulnerabilities.

Network Vulnerability Assessment

Identification of vulnerabilities across network infrastructure, servers, and services exposed to the internet.

Network Penetration Testing

Active testing to validate exploitability of identified network vulnerabilities and assess real-world attack impact.

Firewall Configuration and Review

Assessment of firewall rules, access control lists, and network segmentation protecting payment infrastructure.

Data Storage and Localization

Verification that payment and customer data is stored in compliance with SBI and RBI data localization requirements.

Audit Trail and Logging Controls

Review of logging mechanisms, audit trail integrity, log retention policies, and monitoring capabilities.

Data Sharing and Privacy Controls

Assessment of data sharing practices, privacy controls, consent mechanisms, and third-party data handling.

Methodology

5 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Scoping and Checklist Mapping

We review your SBI integration scope, identify all in-scope applications, infrastructure, and payment flows, and map them against the full SBI VSCC checklist. This ensures complete coverage from day one with no surprises mid-assessment.

02

Technical Assessment

Our CERT-In empanelled auditors perform the core technical assessment: web application security testing, network vulnerability assessment, network penetration testing, SSL and encryption validation, firewall review, and data handling controls. B-52, our AI-powered audit engine, ensures consistent coverage across all checklist requirements.

Testing
03

Findings Review and Remediation Support

All findings are documented with clear severity ratings, proof-of-concept evidence, and technology-specific remediation guidance. Findings are published to the Lemon client portal in real time. Our team provides hands-on remediation support to help your developers close gaps quickly.

Delivery
04

Revalidation and Closure

Once your team marks findings as fixed in Lemon, our auditors retest each finding to confirm the fix is effective. Only confirmed fixes are marked as closed. This verified remediation evidence is critical for certificate issuance.

05

Certificate Issuance (Form C)

After all findings are closed and validated, we issue the signed and sealed VSCC certificate (Form C) along with the complete technical assessment report. The certificate package is formatted for direct submission to SBI as part of your merchant onboarding documentation.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

[Lemon dashboard screenshot: project PRJ-2847, Coverage Validation for acmecorp.com (94% covered; Endpoints 247 / 263, Parameters 1,847, Auth Flows 12 / 12, JS Routes 38 / 41); AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck; review status: L1 Complete, L2 In Review, L3 Pending]

Real-Time Finding Visibility

Findings appear in your Lemon portal the moment they are verified. No waiting for a final report to learn about critical gaps.

Structured Remediation Workflow

Your developers mark findings as fixed in the portal, triggering automatic retest by our auditors. Confirmed fixes are tracked separately from open items.

Verified Fix Evidence

Every closure is validated by retest, not self-attestation. This creates auditable evidence that your fixes actually work — critical for SBI acceptance.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

SSL/Encryption Controls
Covered by our network and application s
Web Application Security (WAPT)
Covered by our web application penetrati
Network Vulnerability Assessment
Covered by our network VA service. Compr
Network Penetration Testing
Covered by our network penetration testi
Firewall Review
Covered by our configuration and hardeni
Data Localization and Storage
Covered by our compliance assessment. Ve
Logging and Audit Trail
Covered by our infrastructure security r
PCI DSS Alignment
Where applicable, we assess PCI DSS rele

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

Signed VSCC Certificate (Form C)

The primary deliverable: a signed and certified Form C from a CERT-In empanelled auditor, formatted for direct SBI procurement submission.

Technical Assessment Report

Detailed report covering SSL/encryption, application security, network VA/PT, firewall review, logging, data localization, and privacy controls with proof-of-concept evidence for every finding.

Gap Report and Remediation Tracker

If findings require closure before certificate issuance, a prioritized gap report with technology-specific remediation guidance and status tracking via the Lemon portal.

Revalidation Report

After your team closes findings, a revalidation report confirming each fix has been retested and verified by our auditors. This is the evidence that your fixes actually work.

Final Compliance Evidence Pack

A consolidated package containing the certificate, technical report, remediation evidence, and revalidation results — everything SBI needs in one submission-ready bundle.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

30-day POC available · Platform Only · Service Only · Hybrid

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is the SBI VSCC certificate?
The SBI VSCC (Vendor Site Compliance Certificate) is a security certificate required by State Bank of India for merchant onboarding to SBI ePay and SBI payment gateway services. It must be issued by a CERT-In empanelled auditor after a technical assessment of the merchant's website, application security, network infrastructure, and data handling controls. The signed Form C certificate is submitted to SBI as part of the merchant onboarding documentation.
Who needs an SBI VSCC certificate?
Any vendor, merchant, or service provider seeking to integrate with SBI ePay or SBI's payment gateway needs a VSCC certificate. This includes e-commerce platforms, fintech companies, SaaS providers, service aggregators, and any business processing payments through SBI's digital payment infrastructure. SBI will not process your merchant onboarding application without a valid VSCC.
Can any security firm issue the SBI VSCC?
No. SBI requires the VSCC to be issued by a CERT-In empanelled auditor. Only security firms that hold active CERT-In empanelment are authorized to perform the assessment and sign the Form C certificate. Security Brigade has been CERT-In empanelled since 2008, making us one of the longest-empanelled cybersecurity auditors in India.
How long does the SBI VSCC audit take?
A typical SBI VSCC audit takes 5 to 10 business days from scoping to certificate issuance, depending on the complexity of your application and infrastructure and the number of findings that require remediation. Security Brigade's Lemon platform accelerates the remediation cycle with real-time finding visibility and structured retest workflows, helping reduce overall turnaround time.
What does the SBI VSCC checklist cover?
The SBI VSCC checklist covers SSL certificate and encryption controls, web application security testing, network vulnerability assessment, network penetration testing, firewall configuration review, data storage and localization, audit trail and logging controls, PCI DSS alignment where applicable, and data sharing and privacy controls. Security Brigade assesses every checklist item and documents findings with proof-of-concept evidence.
What is the VSCC Form C?
Form C is the standard certificate format prescribed by SBI for the Vendor Site Compliance Certificate. It is the document that the CERT-In empanelled auditor fills, signs, and certifies after completing the technical assessment and confirming that all findings have been addressed. The signed Form C is the primary artifact submitted to SBI during merchant onboarding.
What happens if my VSCC application is rejected by SBI?
A rejected VSCC typically means the certificate was incomplete, findings were not adequately closed, or the auditor was not properly CERT-In empanelled. Rejection requires a fresh assessment cycle, adding weeks to your onboarding timeline and doubling your audit costs. Security Brigade's L1/L2/L3 review process and verified remediation workflow are specifically designed to ensure first-submission acceptance.
Is the SBI VSCC the same as a PCI DSS certification?
No. The SBI VSCC is a procurement-specific security certificate required by SBI for payment gateway integration. While PCI DSS may be referenced within the VSCC checklist where cardholder data is handled, the VSCC is a separate assessment with its own checklist covering application security, network security, encryption, data localization, and logging controls. Organizations may need both depending on their payment processing scope.
Does Security Brigade help with remediation or only the certificate?
Security Brigade provides full remediation support, not just the final certificate. When our assessment identifies findings, we deliver technology-specific remediation guidance that your development team can implement immediately. Our Lemon platform tracks remediation progress, and our auditors retest every fix to confirm it is effective before the certificate is issued. This verified remediation approach ensures you pass on the first attempt.
How much does an SBI VSCC audit cost?
VSCC audit costs depend on the scope of your application and infrastructure, the number of in-scope assets, and the complexity of your SBI payment integration. Security Brigade provides a fixed-fee quote after a brief scoping discussion. Contact us for a no-obligation scope assessment and cost estimate specific to your environment.

Ready to Get Your SBI VSCC Certificate?

Talk to a CERT-In empanelled auditor today. We will scope your assessment, provide a fixed-fee quote, and get you on the fastest path to your VSCC certificate.

Typically responds within 1 business day · No commitment required
