NPCI Incident Response for Payment Aggregators

Manish Garg · Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Payment Aggregators and Payment Gateways (PA-PG) operate under the RBI's PA-PG directions (March 2020 guidelines plus the December 2024 amendments) and under NPCI operating instructions. A cyber incident at a PA therefore triggers multi-regulator notification and operational obligations that differ from those of a generic BFSI firm. This article covers the specifics.

The regulatory stack

  • RBI authorisation as a Payment Aggregator, which carries baseline cyber-security obligations
  • RBI Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators (July 2024), which extend the cyber-security framework obligations to PAs
  • NPCI operational instructions for UPI / RuPay participants
  • RBI Master Direction on Digital Payment Security Controls (Feb 2021)
  • CERT-In directions of 28 April 2022 (six-hour incident reporting; apply to every entity in India)
  • DPDP Act 2023 for the personal data of end customers

The reporting matrix

Incident at PA
├── Cyber incident → CERT-In (6 hours) + RBI (2-6 hours)
├── If UPI-impacting → NPCI (immediate; within 1 hour as the working target)
├── If RuPay card-impacting → NPCI, plus the Visa / Mastercard notification paths for their cards
├── If merchant data breach → affected merchants (per contract)
├── If end-customer personal data breach → Data Protection Board (DPB) (72 hours, once the Board is operational)
└── If trading-impacting (rare for a PA) → SEBI

The PA-specific operational risks

1. Merchant settlement delay / fraud

A compromised PA backend can cause settlement delays, double credits, or merchant-account fraud. Detection starts with a per-merchant comparison of what was settled against what the transaction ledger says should have been settled:

-- Settlement-amount anomaly per merchant for today's settlement run.
-- expected_amount comes from the transaction ledger, actual_amount from the payout file;
-- a positive delta is an over-credit (double credit / fraud), a negative one a short or delayed payout.
SELECT merchant_id, settlement_date,
       expected_amount, actual_amount,
       (actual_amount - expected_amount) AS delta
FROM settlements
WHERE settlement_date = CURRENT_DATE
  -- 5% tolerance absorbs legitimate fee and refund timing differences; tune per merchant tier
  AND ABS(actual_amount - expected_amount) > expected_amount * 0.05
ORDER BY ABS(actual_amount - expected_amount) DESC;

2. Tokenisation system compromise

Under RBI's card-on-file tokenisation framework (mandatory from 1 October 2022) a PA may not store actual card data; card-on-file tokens are issued by the card network or issuer acting as token service provider. A compromise anywhere on the tokenisation path (the PA's token store, its integration with the token service provider, or the provider itself) exposes card data across every merchant the PA serves, so the incident scope is the whole merchant base, not one merchant.

3. KYC / merchant onboarding fraud

A fraudster onboards as a merchant, processes fraudulent transactions, and withdraws the settlement before chargebacks accumulate. Detection is PA-side risk scoring on merchant velocity and chargeback patterns, with a settlement hold for any merchant that trips it.
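The scoring the paragraph describes, as an added example that is not part of the original article: two signals per merchant (30-day run-rate against the volume declared at KYC, and chargeback rate) decide whether settlement is paid, reviewed, or held. The merchants, transactions, chargebacks, and thresholds are all constructed for illustration; a real PA would tune the thresholds per MCC and ticket size.

```python
"""Merchant-onboarding fraud triage for a payment aggregator (PA).

Added example, not part of the original article. All merchants, transactions,
chargebacks and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed thresholds (illustrative, not RBI or card-network figures).
VELOCITY_LIMIT = 3.0            # 30-day run-rate above 3x the volume declared at KYC
CHARGEBACK_RATE_LIMIT = 0.01    # ~1%, roughly where card-network monitoring programmes start
MIN_CHARGEBACKS = 3             # ignore a single chargeback on a thin history
NEW_MERCHANT_DAYS = 30          # a merchant this young running hot gets a hold, not a review


@dataclass(frozen=True)
class Merchant:
    merchant_id: str
    onboarded: date
    declared_monthly_volume: float   # volume the merchant declared during KYC


@dataclass(frozen=True)
class Txn:
    merchant_id: str
    txn_date: date
    amount: float


@dataclass(frozen=True)
class Chargeback:
    merchant_id: str
    raised_date: date
    amount: float


@dataclass
class RiskReport:
    merchant_id: str
    age_days: int
    txn_count: int
    gross: float
    velocity_ratio: float
    chargeback_rate: float
    chargeback_amount: float
    flags: list[str] = field(default_factory=list)
    action: str = "ok"              # "ok" | "review" | "hold_settlement"


def assess_merchant(m: Merchant, txns: list[Txn], cbs: list[Chargeback], as_of: date) -> RiskReport:
    """Score one merchant on velocity vs. declared volume and on chargeback rate."""
    age_days = (as_of - m.onboarded).days + 1
    mine = [t for t in txns if t.merchant_id == m.merchant_id and m.onboarded <= t.txn_date <= as_of]
    my_cbs = [c for c in cbs if c.merchant_id == m.merchant_id and c.raised_date <= as_of]
    gross = sum(t.amount for t in mine)
    # Project the volume seen so far to a 30-day run-rate and compare it with the KYC declaration.
    run_rate = gross / age_days * 30
    velocity_ratio = run_rate / m.declared_monthly_volume if m.declared_monthly_volume > 0 else float("inf")
    cb_rate = len(my_cbs) / len(mine) if mine else 0.0
    cb_amount = sum(c.amount for c in my_cbs)

    report = RiskReport(m.merchant_id, age_days, len(mine), gross, velocity_ratio, cb_rate, cb_amount)
    if velocity_ratio > VELOCITY_LIMIT:
        report.flags.append("velocity_vs_declared")
    if len(my_cbs) >= MIN_CHARGEBACKS and cb_rate > CHARGEBACK_RATE_LIMIT:
        report.flags.append("chargeback_rate")
    # Hold the payout when chargebacks are already over the line, or when a brand-new merchant is
    # running far above what it declared: both are the "drain settlement before chargebacks land" pattern.
    if "chargeback_rate" in report.flags or (
        "velocity_vs_declared" in report.flags and age_days <= NEW_MERCHANT_DAYS
    ):
        report.action = "hold_settlement"
    elif report.flags:
        report.action = "review"
    return report


def build_sample_data() -> tuple[list[Merchant], list[Txn], list[Chargeback]]:
    """Constructed data: one steady merchant and one hit-and-run merchant."""
    good = Merchant("M-GOOD", date(2026, 3, 1), 500_000.0)
    mule = Merchant("M-MULE", date(2026, 4, 10), 100_000.0)
    txns: list[Txn] = []
    for d in range(45):          # 2026-03-01 .. 2026-04-14, 4 x 2,500 per day
        day = good.onboarded + timedelta(days=d)
        txns += [Txn(good.merchant_id, day, 2_500.0) for _ in range(4)]
    for d in range(5):           # 2026-04-10 .. 2026-04-14, 12 x 9,900 per day (just under a round 10,000)
        day = mule.onboarded + timedelta(days=d)
        txns += [Txn(mule.merchant_id, day, 9_900.0) for _ in range(12)]
    cbs = [Chargeback("M-GOOD", date(2026, 4, 2), 2_500.0)]
    cbs += [Chargeback("M-MULE", date(2026, 4, 13) + timedelta(days=i % 2), 9_900.0) for i in range(5)]
    return [good, mule], txns, cbs


def run_triage(as_of: date = date(2026, 4, 14)) -> dict[str, RiskReport]:
    merchants, txns, cbs = build_sample_data()
    return {m.merchant_id: assess_merchant(m, txns, cbs, as_of) for m in merchants}


if __name__ == "__main__":
    for mid, r in run_triage().items():
        print(f"{mid}: age={r.age_days}d txns={r.txn_count} gross={r.gross:,.0f} "
              f"velocity={r.velocity_ratio:.2f}x cb_rate={r.chargeback_rate:.2%} "
              f"flags={r.flags} -> {r.action}")
```

The velocity check deliberately uses the volume the merchant declared at onboarding rather than a global average, because the onboarding-fraud pattern is a merchant that declares small and runs large in its first days; the chargeback check waits for a minimum count so that one disputed transaction on a thin history does not freeze a legitimate merchant.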

4. UPI handler / VPA spoofing

If the PA participates in UPI directly, spoofed VPAs or a compromised UPI handle affect transactions across banks, not only the PA's own merchants, which is why the NPCI notification path is immediate rather than batched.

Customer-impact considerations

RBI's customer-protection framework on limited liability for unauthorised electronic transactions applies even when the PA is the breach vector. Banks remain the frontline for customer disputes; the PA's ability to recover or reverse transactions feeds directly into the bank's liability calculation.

For a PA, the operational consequence is a financial-impact tail that extends for months as chargebacks are processed.

The pre-incident preparedness

  • NPCI escalation contact in the IR runbook, with the one-hour target written next to it
  • Bank-network coordination protocol (your acquiring bank and settlement bank)
  • Merchant-portal communication template (transparent breach disclosure to merchants)
  • Card-network notification path (Visa / Mastercard / RuPay / AMEX)
  • Tokenisation provider coordination (mass token rotation if needed)

The takeaway

PA / PG cyber incidents have more notification paths than ordinary corporate cyber incidents, and the runbook must include each one. NPCI, RBI, the card networks, merchants, customers and the other regulators each have a path and a timeline. Build the matrix, rehearse it, and review it quarterly. The first major incident without a runbook costs business; licence action is on the table for material non-compliance.
