NPCI Denies Security Flaws, Says Customer Data Completely Secured

The National Payments Corporation of India (NPCI) on Friday said it employs state of the art technologies to safeguard the IT infrastructure, information generated by them, and the digital identities that access such information.

“Maintaining privacy of details is of utmost priority at NPCI and we assure all our customers that data processed at our end is completely secured and not accessible by any unauthorised person,” the payments service provider said in a detailed statement.

The statement comes a day after news agency Reuters reported that a government audit found more than 40 security flaws in NPCI’s systems, several of them falling under 'critical' and 'high risk' categories.

For example, the government audit in March 2019 found, according to Reuters report, NPCI stored 16-digit card numbers and other personal information such as customer names, account numbers and national identity numbers in 'plain text' in some databases.

Subsequently, those observations were resolved by NPCI, according to National Cyber Security Coordinator (NCSC), Rajesh Pant, whose office co-ordinated the audit, the story said.

NPCI, in its statement, also quoted Rajesh Pant saying, “NPCI has provided higher levels of access to NCSC that are not normally made available to any stakeholders during regular course of business, as an effort to strengthen its cyber defense. I wish to compliment the top leadership of NPCI and their chief information security officer (CISO) for inculcating a culture of strong cyber security governance with a robust infrastructure which meets global security standards.”

NPCI processes about 2.5 billion transactions on a monthly basis using its indigenously developed platforms like RuPay, UPI, IMPS, AePS, NETC, Bharat Bill Pay etc.

NPCI said in its statement that in order to thwart cyber-attacks, it has implemented technologies such as perimeter security controls, including various kinds of firewalls, micro-segmentation of network, routing controls, secured switch configurations, proxy servers and other latest technologies.

The information gathered is protected through data leakage protection, digital rights management, tokenisation and encryption of sensitive data elements and active monitoring of both structured and unstructured data.

The communication channels are encrypted, while the agency also employs various detective controls including deceptive technologies (decoys) as early indicators to identify cyber-attacks.

“With the sophisticated security threats that our environment faces in the current times, NPCI’s objective is to continuously fortify our security layers. In addition to steps that we take, we welcome and invite experts, including relevant authorities, for regular reviews and audits to keep our controls sharp and best in class,” NPCI statement read.

The statement said NPCI faces many inspections in line with regulatory and government compliances, while audits and inspections of various nature are conducted periodically to enhance and strengthen corporate governance.

It reviews its codes and application security assessments, conducts regular internal audit across information communication technology (ICT) infrastructure, and undergoes through external audits as well as regulatory inspections or audits from both, regulator and government nodal agencies, periodically. The agency said it also encourages surprise cybersecurity drills by third party experts, and all findings are elaborately reviewed and remediated to the satisfaction of the auditors.

Highlights

• NCSC had found 40 security breach in NPCI in March 2019
• NPCI says data security lapses found in audit remediated
• Data processed is secure and not accessible to anyone unauthorized
• NPCI says it employs state of the art technology to protect data
• NCSC gives clean chit to NPCI on data security