NPCI Mandates RASP for Mobile App Security; DoveRunner Leads Compliance
The National Payments Corporation of India (NPCI) has moved to harden mobile-payment security across the UPI ecosystem by mandating Runtime Application Self-Protection (RASP) capabilities for all Payment Service Providers and third-party application providers. The shift responds to a steady rise in sophisticated runtime attacks and aims to embed protections (such as code-integrity checks, root/jailbreak detection, anti-debugging, tamper-resistance, and configurable in-app responses) directly into mobile apps rather than relying solely on perimeter controls. NPCI first signalled this direction in procurement paperwork and an expression of interest for a mobile-application security solution in October 2024, and followed with a broader UPI information-security compliance framework and a series of 2025 circulars tightening API and operational safeguards. Regulators expect entities to adopt RASP, complete compliance audits and report remediation timelines as part of onboarding and annual compliance. Vendors that provide zero-code, in-app shielding and real-time analytics, including established app-protection platforms, are positioning their RASP offerings to help banks and fintechs meet NPCI's requirements and accelerate deployment across millions of UPI-enabled endpoints.