Report: India’s National Payments Corp Vulnerable To Security Breaches

National Payments Corp. of India (NPCI), the nation’s  payments processor, uncovered more than three dozen security risks last year, Reuters reported.

An internal government document seen by the news service revealed several instances it called “critical and high risk.”

The 2019 audit found the personal data held by the nation’s primary digital payments system operated by the RuPay card network was vulnerable.

Reuters reported the survey, obtained under the Right to Information Act (RTI), found NPCI stored names, card numbers and national identity numbers in plain text, potentially allowing cybercriminals access to critical personal information.

In response, NPCI said it routinely conducts audits and any vulnerabilities are fixed.

Rajesh Pant, India’s cyber security coordinator, whose office coordinated the audit, said in a statement that “all observations raised in last year’s report have been confirmed as resolved by the NPCI.”

In addition, Pant said audits are the best way to mitigate security breaches.

The audit was completed for Prime Minister Narendra Modi’s National Security Council to guarantee NPCI is protected against cyberattacks.

Modi and the Finance Ministry did not respond to a request for comment.

NPCI is a nonprofit that serves as an umbrella organization for retail payments and settlement systems in India, according to its website. It processes billions of dollars daily that include inter-bank fund transfers, ATM transactions and digital payments. RuPay accounts for nearly two-thirds of nearly 900 million debit and credit cards issued in India, according to NPCI and central bank data.

The Reserve Bank of India (RBI) issued an inspection report on the NPCI in 2017 that found lapses in its internal auditing practices, operational risks and improper whistleblower policies, Reuters reported.

A redacted version of the 37-page report provided to the news service detailed a “lack of awareness of risks and risk culture in the institution.”

The 2019 government document which followed said, “There is a strong need for proper governance.” It recommended personal identity information be encrypted.

In its statement, NPCI said it stores card data in keeping with standards set by the PCI Security Standards Council, and has been subject to audits authorized by the council.

“No non-conformities have been observed and we are fully compliant to these standards,” the statement said.

This month, PYMNTS’ Preventing Financial Crimes Playbook reported cybercrime is a major concern for financial institutions. More than 25 percent of malware attacks target the sector specifically. Compromised credit card fraud increased 212 percent year-over-year in 2019, while customer credential leaks increased 129 percent during the same period.

Many of these fraud and cybercrime attempts are the result of coordinated efforts by thieves to sell each other data or share techniques to break into bank systems and conduct their schemes.