Cyber Security

Information Security

On account of the constantly changing cyber threat landscape in the financial sector, it has become imperative to implement stringent controls to secure NPCI against threats from cyberspace. NPCI strongly believes that cyber security is of utmost importance and aims to safeguard its assets and network against all kinds of prevalent cyber-attacks. Over the past years, NPCI has deployed various technologies to upgrade its security posture, leveraging a multi-layered defense approach to combat evolving cyber threats.

NPCI is compliant with PCI DSS v3.2.1, ISO 27001:2013 and ISO 22301:2012. A security framework with the Protect, Detect, Respond, Predict and Recover methodology is incorporated at NPCI. A comprehensive set of policies adopting the above frameworks and the CSITE framework of RBI has been framed, including Information Security Management System (ISMS), Business Continuity Management System (BCMS), Cyber Security and Data Security policies. NPCI has embraced implementation of these policies, processes and guidelines to manage risks to its information assets, thus ensuring acceptable levels of risk. NPCI has engaged reputed firms to perform regular assessments and audits of its applications to ensure compliance.

Below are a few of the technologies and controls deployed at NPCI that have evidently mitigated some of the real-time cyber-attacks targeting NPCI.

  • Perimeter security controls, including firewall, web application firewall, micro-segmentation of the network, routing controls, secured switch configurations, proxy server, Anti-Distributed Denial of Service solution, Anti-Advanced Persistent Threat, etc.
  • Various detective controls, including the SOC, to monitor and restrict attacks on NPCI from the external world
  • Privileged identity and access management solutions, which further segregate logical access and restrict user access to critical systems, supported by two-factor authentication
  • Security assessment tools that are used to carry out vulnerability assessment, penetration testing and other application security assessments on a periodic basis, ensuring that vulnerabilities are periodically identified and fixed as part of our Secure Software Development Lifecycle.

The organisation has a dedicated team of individuals working for the Security Operations Centre (SOC), which monitors and responds to any security incident 24x7x365. The primary objective of the SOC is to monitor systems from the standpoints of operations, availability and security.

Cyber threats are managed and mitigated at NPCI by the Information Security team, which leverages appropriately deployed technologies used by constantly trained professionals following well-developed procedures adopted from various industry best practices and guidelines.

NPCI has incorporated a data security policy that is in line with most of the globally accepted standards around data privacy and security. The policy has been in effect since September 2018, and the majority of our applications are assessed and mitigated to adhere to the data security policy of NPCI. Appropriate remedial actions are being worked on to ensure customer data remains safe and secure at NPCI.