For example, according to a Reuters report, the government audit in March 2019 found that NPCI stored 16-digit card numbers and other personal information such as customer names, account numbers and national identity numbers in 'plain text' in some databases.
Subsequently, those observations were resolved by NPCI, according to the National Cyber Security Coordinator (NCSC), Rajesh Pant, whose office co-ordinated the audit, the story said.
NPCI, in its statement, also quoted Rajesh Pant as saying, “NPCI has provided higher levels of access to NCSC that are not normally made available to any stakeholders during regular course of business, as an effort to strengthen its cyber defense. I wish to compliment the top leadership of NPCI and their chief information security officer (CISO) for inculcating a culture of strong cyber security governance with a robust infrastructure which meets global security standards.”
NPCI processes about 2.5 billion transactions on a monthly basis using its indigenously developed platforms like RuPay, UPI, IMPS, AePS, NETC, Bharat Bill Pay etc.
NPCI said in its statement that in order to thwart cyber-attacks, it has implemented technologies such as perimeter security controls, including various kinds of firewalls, micro-segmentation of network, routing controls, secured switch configurations, proxy servers and other latest technologies.
The information gathered is protected through data leakage protection, digital rights management, tokenisation and encryption of sensitive data elements and active monitoring of both structured and unstructured data. The communication channels are encrypted, while the agency also employs various detective controls including deceptive technologies (decoys) as early indicators to identify cyber-attacks.
“With the sophisticated security threats that our environment faces in the current times, NPCI’s objective is to continuously fortify our security layers. In addition to steps that we take, we welcome and invite experts, including relevant authorities, for regular reviews and audits to keep our controls sharp and best in class,” the NPCI statement read.
The statement said NPCI faces many inspections in line with regulatory and government compliances, while audits and inspections of various nature are conducted periodically to enhance and strengthen corporate governance.
It reviews its codes and application security assessments, conducts regular internal audits across its information communication technology (ICT) infrastructure, and periodically undergoes external audits as well as regulatory inspections or audits from both the regulator and government nodal agencies. The agency said it also encourages surprise cybersecurity drills by third-party experts, and all findings are elaborately reviewed and remediated to the satisfaction of the auditors.
NCSC had found 40 security breaches in NPCI in March 2019
NPCI says data security lapses found in audit remediated
Data processed is secure and not accessible to anyone unauthorized
NPCI says it employs state-of-the-art technology to protect data
NCSC gives clean chit to NPCI on data security