
2019 Audit Reveals NPCI Vulnerabilities


Forty security vulnerabilities were found in India’s payment processors last year, according to an audit conducted in 2019 at NPCI. According to an internal government document seen and then reported by Reuters, the government audit that unearthed the vulnerabilities marked them as “high” and “critical”.

What is NPCI?

NPCI, the National Payments Corporation of India, is a non-profit organization that was set up in 2008. It takes care of all retail payments in India. It was set up with the guidance and support of the Reserve Bank of India (RBI) and the Indian Banks Association (IBA). As of March 2019, it had 56 banks as shareholders, including Bank of India, Citibank and HSBC.

Unfolding the government report:

The audit, which ran for four months to February 2019, brought to light that personal data produced by the National Payments Corporation of India (NPCI), the backbone of the country’s digital payment system and the body that issues and operates RuPay cards, was not kept encrypted.

The government document reported that 16-digit card numbers and other personal information, such as names, account numbers and personal identity numbers, were stored in plain text without any encryption in some databases. The data would have been unprotected in the event of a breach. This is the first time word of the audit has got out.

In a statement to Reuters, NPCI also commented that regular security audits take place to protect citizens and that all findings are then “remediated to the satisfaction of the auditors”. According to Reuters, these also include their findings.

Rajesh Pant, India’s National Cyber Security Coordinator, commented, “all observations raised in last year’s report have been confirmed as resolved by the NPCI”. His office coordinated the audit that found the vulnerabilities. He also said that audits are the best way to reduce cyber attacks. He added that audits are done regularly in all enterprises.

The initiative of regular auditing was taken up to keep Modi’s National Security Council updated on security threats and cyber attacks. The findings, however, lessen the value of threat that it possesses. Billions of dollars are transacted daily through NPCI in the form of interbank transfers, ATM transactions, and digital payments.

The financial institutions of India are under immense pressure to protect citizens from attacks and fraud. The risk of malicious cyber attacks grows as technology becomes more sophisticated.

Our Prime Minister Narendra Modi has endorsed RuPay. According to NPCI and central bank data, RuPay cards account for nearly two-thirds of the total 900 million debit and credit cards issued as of October 2019.


RBI inspected the audit. Internal auditing was not carried out regularly, an inspection report on NPCI in July 2017 found. It also uncovered operational risks and improper whistleblower policies.

Reuters also reported that a document it received after a Right to Information request said there was a “lack of awareness of risks and risk culture in the institution”. The government document from 2019 also noted the need for proper governance, according to Reuters.

A 33-page report, according to Reuters, on another inspection done by RBI in November and December 2019 includes an assessment of NPCI’s governance and operational and credit risks.

Issues Cited:

The government document from March 2019 said that a variety of card numbers were unencrypted in the NPCI database. The database contained data on almost 250,000 ATMs. The company’s server logs also produced unencrypted data.

RuPay and NPCI applications also suffer from buffer overflows, according to the government audits. A buffer overflow is a memory safety issue that lets attackers take advantage of coding errors.

It also reported that the operating systems used by NPCI are not up to date and that the organization’s mail service had inadequate anti-malware systems.

This news suggests that, as of now, “Digital India” has the potential to be risky, and that inadequate safety measures put millions of people’s lives on the line. “Cashless India” remains a far-fetched dream in the country.

