The National Payments Corporation of India (NPCI) is an organization that operates the retail payments and settlements system in India. It is a joint initiative of the Reserve Bank of India (RBI) and the Indian Banks’ Association (IBA) under the provisions of the Payment and Settlement Systems Act, 2007.
The company's focus is to bring innovation to retail payment systems through the use of technology, achieving greater efficiency in operations and widening the reach of payment systems. Last year a Government audit of India’s flagship payments processor found more than 40 security vulnerabilities, including some rated “critical” and “high” risk, according to an internal government document seen by Reuters. The audit, which ran for around four months, highlighted the lack of encryption of personal data at the National Payments Corporation of India (NPCI).
In March 2019, a government document cited the storing of 16-digit card numbers and other personal information such as customer names, account numbers, and national identity numbers in “plain text” in some databases, which left the data unprotected if the system was breached. The NPCI replied to Reuters in a statement that it is regularly audited in the interests of security and that senior management reviews all the findings, which are then “remediated for the satisfaction of the auditors.”
Mr. Rajesh Pant, coordinator of India’s National Cyber Security, said in a statement to Reuters that all observations raised in last year’s report have been confirmed as resolved by the NPCI, and added that audits are best practice for mitigating cyberattacks and should be conducted periodically. Every financial institution is under immense pressure to protect valuable information about its customers as the number of malicious cyberattacks grows and hackers become more sophisticated.
The main issue cited in the March 2019 government document was that a variety of card numbers were unencrypted within the NPCI database for the country’s network of almost 250,000 ATMs, while unencrypted RuPay card numbers could also be seen in the organization’s server logs. Other issues cited by the government audit include a “buffer overflow” vulnerability, a memory safety issue that can allow hackers to take advantage of coding mistakes. The operating system in use was not up to date, and one of the organization’s mail servers had inadequate anti-malware functionality.