Skip to main content

NPCI Guidelines

The NPCI UPI Framework places strong emphasis on mobile application security, as UPI transactions are predominantly executed through mobile devices and involve real-time financial movement. Mobile applications act as the primary interface between users and the UPI ecosystem, making them a critical attack surface for threats such as application tampering, credential compromise, malware, and transaction manipulation.

All UPI participant entities are required to comply with the NPCI UPI security framework to ensure the confidentiality, integrity, and authenticity of transactions and customer data. The framework mandates the implementation of robust security controls, including secure application design, runtime protection, continuous monitoring, and fraud prevention mechanisms. Adherence to these requirements is mandatory to maintain trust in the UPI ecosystem, reduce fraud risk, and ensure uninterrupted payment services. Any deviation may result in compliance observations, operational restrictions, or regulatory action by NPCI.

Serial No.NPCI GuidelinesChecks present with Bugsmirror MASST
1Not Allowing Rooted/Jailbroken DevicesYes
2Disallow Developer mode (debugging option) enabled devicesYes
3Ensure App Integrity checks over a trust validation by implementing:
a) Anti reverse engineering
b) Anti-debugging controls

Runtime Checks with Nonce validation Checks should be updated with every release
Yes
4Ensure OS (operating system) integrity checks – eg. Play Integrity API (Google integrity check for Android)Yes, but specifically play integrity is not used(by using play integrity or a similar level of check certain devices do not satisfy like CTS,app attestation and older versions of Android: 10,11,12)
5Not Allowing Android EmulatorsYes
6Ensure comprehensive security testing process before release of new versions of the AppYes, by CodeLock, RunLock, APILock(Automated) &
ThreatLock(Manual testing)
7Enable APK locking mechanism to prevent unauthorized re-distribution and tampering of UPI appYes
8Implement SSL pinning to prevent Man in the Middle (MITM) attackYes, protection through other checks
9Do not allow any application over UPI application to prevent screen overlayYes
NPCI/2020-21/IS/001 Date of Issue- 28th April 2020
Run-time Application Self Protection
1Application code and data integrity protection at runtimeYes
2Debugging prevention which is used to discover critical flaws and vulnerabilities that hackers can exploitYes
3Root detection and root cloaking detectionYes
4Code obfuscation and encrypting cryptographic keys required for communicationYes
5Responding to runtime attacks with customizable actions like replacing tampered code with original app code, slowing or degrading app performance, or terminating the mobile app.Yes, by terminating the app and/or showing the dialog
6Protections against OWASP Top 10 vulnerabilitiesYes, covers/insures OWASP- MASVS guidelines