All thanks to UPI, one-time passwords are a thing of the past, but have you ever wondered how UPI processes payments in a matter of seconds?
Well, in this article, we will look at UPI and how it is changing the way digital payments are made.
Understanding digital payments
Before getting into UPI, it’s essential to understand how digital payments are processed in the first place.
To make things easier to grasp, we will take the example of you making a payment to Swiggy using your card.
So, it all begins with the tiresome job of selecting the food you want.
Once you have selected what you want, you are redirected to a page where you have to choose the payment mechanism.
Here you enter your credit/debit card details. After that, you are taken to the payment gateway (PayPal, PayU or Razorpay) and asked to enter the one-time password.
This password is used for two-factor authentication, providing an added layer of security for all your transactions. Due to this two-factor authentication, a person with your card details cannot complete the transaction as they don’t have the OTP.
Once the OTP is verified, transaction details like your card number, CVV and transaction account are sent to a card processing network (Visa/Mastercard).
The card processing network facilitates the communication between two different banks, enabling them to validate the transaction at hand.
So if you have an account in HDFC bank and want to send money to a restaurant which has an account with ICICI bank, the card processing network will help the two banks communicate.
Going back to the transaction in process, once your details are given to the card processing network, it will check if your account with HDFC bank has the required balance. If your account has the balance, the card network will approve the transaction and send the approval details to the payment gateway.
The payment gateway will then send the approval details to the restaurant’s bank (ICICI bank).
The transaction amount will be credited to the restaurant on getting the approval, giving you the ETA for your order.
If you look at the process given above, you will understand that the most critical part of any transaction is the approval process. In the case of credit/debit cards, this processing is done by card processing networks like Visa and Mastercard.
In other inter-bank transfers where cheques and internet banking are used, technologies like IMPS, NEFT and RTGS come into the picture. These technologies are also mechanisms for verifying payments and perform a similar task of helping different banks communicate with one another.
Understanding the need and mechanics behind UPI
UPI, also known as the Unified Payments Interface, is the brainchild of NPCI and builds on the IMPS electronic funds transfer mechanism.
Although several changes have been implemented with UPI, the following three features have helped it reach a milestone of processing over 5 billion transactions in 2022.
- Use of a Virtual Payment Address, also known as UPI ID.
- Allowing third parties to create apps that can interact with the Indian banking ecosystem.
- Offering two-factor authentication without the use of one-time passwords.
Why did we need a new payment architecture?
If you transferred money to someone before UPI came out in 2016, you had to use net banking, and that required a lot of details about the payee.
These included things like bank account number, IFSC code, branch name, and that wasn’t all. Once you had entered these details, you had to wait for the bank to approve the details. Only after the approval could you transfer money to the payee.
As you can see from the process above, sending money on the Internet was not accessible before UPI came out.
To solve this problem, UPI came up with the concept of a VPA. Also known as a UPI ID, this identifier can uniquely identify any user on the UPI platform, enabling users to send money without remembering complicated banking details.
How does UPI work?
Now that we understand how digital payments are processed and the need for a new payment architecture, we can look at how UPI works.
Creating a Virtual Payment Address
As mentioned earlier, the VPA is a unique identifier in the UPI ecosystem. This identifier is created by a Payment Service Provider (PSP). In most cases, this PSP is a bank that is a member of the Unified Payments Interface; SBI, Axis Bank and Yes Bank are some of these members.
In addition to creating UPI IDs, the PSP is responsible for onboarding new customers to the UPI ecosystem and facilitating payments in it.
The PSP can also create applications to enable users to make payments; iMobile (ICICI bank) is an example of such an application.
That said, if a PSP does not have its own application, it can tie up with Third-Party Application Providers (TPAP). These TPAPs are technology companies like Google, Amazon and PhonePe that are responsible for providing an application layer for interacting with the UPI ecosystem.
To create this application layer, the TPAPs have to use the software development kit provided by the NPCI, and due to the use of the development kit, the PSP, NPCI, and TPAP can securely communicate with each other.
To create the UPI ID, the PSP, NPCI, TPAP and the bank holding your bank account work together and a brief overview of the process is given below.
Device fingerprinting: The first step for creating a UPI ID is the device fingerprinting step. Here the PSP creates a unique identifier for your device. To do the same, an SMS is sent to the PSP using the application that the TPAP creates. Once the PSP gets the SMS, it creates a unique fingerprint for your device using your device ID, IMEI number and application ID. This device fingerprint is saved by the PSP and is used as the first authentication factor. This means that your mobile device and your SIM card will be used to establish that you made the payment.
The SMS to the PSP should be sent using the mobile number which is registered with the bank for inter-banking services.
Bank account selection: Users can have accounts in different banks but may have only one mobile number. Therefore once the device is fingerprinted, the PSP asks the user through the TPAP to select a particular bank account.
Connecting to NPCI: The mobile number used to create the device fingerprint, along with the bank account selection details, is sent to NPCI. These details are then sent to your bank to get your account information.
Retrieval of bank account numbers: Once your bank gets the mobile number from the NPCI, it sends the bank account details registered with that number back to NPCI.
Sending bank details to PSP: On receiving details from the bank, the NPCI forwards details like bank account number and IFSC code to the PSP.
Linking bank details with device fingerprint: The PSP shows the list of accounts linked to that particular mobile number and handled by that specific bank. Once the user selects a particular bank account, the PSP stores and links the bank details with the device fingerprint created in the first step.
Setting up a UPI pin for two-factor authentication
Until now, the bank account details have been linked to the user’s mobile number and device ID, but we need another verification method for two-factor authentication.
For the same, the UPI pin is created. To create a UPI pin, the following process is followed.
The UPI pin is only stored by the user’s bank and the PSP/TPAP has no information about the same.
Sending an OTP generation request: The PSP sends a request to the user’s bank account to generate an OTP. As the bank has the mobile number details of the user, it sends an OTP to the user’s mobile directly.
Entering card and OTP details: Once the user gets the OTP from the bank, the user is asked to enter the card details like the last six digits of the card, the expiry date, OTP and UPI pin in the TPAP application. This data entered into the application is encrypted by the NPCI SDK using the NPCI public encryption key. After encryption, the information is sent to the NPCI through the PSP. After getting the data, the NPCI decrypts the data using the NPCI private key.
NPCI encrypts the data: The NPCI encrypts the data using your bank’s public key and sends it to the same.
Verification of OTP and card details: The encrypted data received from NPCI is decrypted with the bank’s private key. After that, the bank checks whether the OTP and card details received from the NPCI match the details it holds for the customer. After that, the bank stores the UPI pin set by the user.
Verification and VPA creation: Once the data is validated, the UPI ID for the user is created, and the same can be used for sending and receiving money.
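The two encryption hops in the UPI pin setup steps above, as an added example that is not from the original article or from NPCI's SDK. It assumes RSA-OAEP, a JSON payload, a salted hash for PIN storage and constructed card, OTP and PIN values, and shows that the PSP relays only ciphertext while NPCI handles the plaintext before re-encrypting it for the bank.

```javascript
// Added illustration. RSA-OAEP, the JSON layout and every name here are assumptions;
// the article does not specify NPCI's actual algorithm or message format.
const nodeCrypto = require('crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const newKeyPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const seal = (pub, obj) =>
  nodeCrypto.publicEncrypt({ key: pub, ...OAEP }, Buffer.from(JSON.stringify(obj)));
const unseal = (priv, blob) =>
  JSON.parse(nodeCrypto.privateDecrypt({ key: priv, ...OAEP }, blob).toString('utf8'));

// The PSP key pair exists only to show that a key other than NPCI's cannot open the blob.
const keys = { npci: newKeyPair(), bank: newKeyPair(), psp: newKeyPair() };

// Constructed sample: what the bank already holds for the customer.
const bankRecord = { cardLast6: '123456', expiry: '12/30', otp: '482913', pinHash: null };

// "Entering card and OTP details": the SDK in the TPAP app encrypts to NPCI's public key.
const sdkEncrypt = (form) => seal(keys.npci.publicKey, form);

// The PSP only relays the blob; decryption without NPCI's private key fails.
function pspCanRead(blob) {
  try { unseal(keys.psp.privateKey, blob); return true; } catch { return false; }
}

// "NPCI encrypts the data": NPCI decrypts first, so it handles the plaintext fields,
// then re-encrypts them to the bank's public key.
function npciForward(blob) {
  const plaintext = unseal(keys.npci.privateKey, blob);
  return { seenByNpci: Object.keys(plaintext), toBank: seal(keys.bank.publicKey, plaintext) };
}

// "Verification of OTP and card details": the bank decrypts, compares, then stores the PIN.
// Storing a salted scrypt hash is an assumption; the article says only that the bank stores it.
function bankSetPin(blob) {
  const f = unseal(keys.bank.privateKey, blob);
  if (!['cardLast6', 'expiry', 'otp'].every((k) => f[k] === bankRecord[k])) return false;
  const salt = nodeCrypto.randomBytes(16);
  bankRecord.pinHash = { salt, hash: nodeCrypto.scryptSync(f.upiPin, salt, 32) };
  return true;
}

function runSetup(form) {
  const blob = sdkEncrypt(form);
  const hop = npciForward(blob);
  return { pspCanRead: pspCanRead(blob), seenByNpci: hop.seenByNpci, pinSet: bankSetPin(hop.toBank) };
}
```

Because NPCI decrypts and re-encrypts, the scheme is hop-by-hop rather than end-to-end between the device and the bank, so NPCI sits inside the trust boundary for the PIN.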
Understanding transactions in the UPI ecosystem
Now that we understand how payment service providers and the NPCI create UPI IDs, we can try to understand how a transaction happens in the UPI ecosystem.
Although debit and credit requests are made by the NPCI, money is not transferred in real-time. In reality, the transaction is settled in four cycles using the RTGS infrastructure.
We will try to look at the same example of making a payment on Swiggy but this time using UPI.
Selection of TPAP: Once you have selected what you want to eat, you are redirected to the payment page. Here you have to choose the third-party application provider you wish to use to make the payment. This TPAP can be Google pay, PhonePe or any other application provider.
Entering UPI pin: The user enters their UPI pin in the TPAP application, and the same is sent securely to the PSP. Once the PSP gets these details, the PSP sends the payer’s bank account information and payee’s UPI information to NPCI.
Getting bank account details for the payee: NPCI sends the payee’s UPI ID to the payee’s PSP and gets the account details for the payee.
Verification of OTP: The payer bank account verifies the OTP sent by NPCI.
Debit and credit requests to payer and payee accounts: The NPCI makes a debit request to the payer account. If the payer account has the appropriate balance, the NPCI makes the credit request to the payee account.
Transaction approval: Once the transaction is complete, the NPCI sends an approval to the payer PSP, giving the user the ETA for their order.
Is UPI free?
If you make payments using debit/credit cards, you would be under the impression that the payee gets the exact amount you paid. Well, in reality, that is not the case.
You see, when you pay someone using credit/debit cards, the card network, payment gateway and the banks performing the transaction take a processing fee.
Due to this fee, the payee does not get the exact amount paid by the payer. It is for this reason that a lot of small shopkeepers don’t use card machines, as a part of their earnings is taken by banks and processing agencies.
There are different types of charges that various agencies levy in a transaction. A brief overview of the same is given below:
Merchant Discount Rate (MDR): The MDR fee is a transaction processing charge levied by the card network and payee bank account to the payer bank account. The MDR charge can range anywhere from 1-3 per cent for credit cards and is capped at 0.9 per cent for debit cards. The MDR fee is further broken into two parts:
- Interchange fees: The amount paid by the payee bank to the payer bank for transferring the money.
- Switching fees: The amount paid by the payee bank to the card network for helping in making the transaction.
Gateway fees: Payment gateways like Razorpay, PayU and PayPal also levy a charge of 0.5 per cent to process the payment.
Therefore, if you look at it, the merchant only gets 96.5 per cent of the amount paid by the payer, but in the case of UPI, this is not the case.
You see, when UPI makes transactions, no transaction fees are charged by either the banks or the NPCI. Therefore transactions made with UPI are free.
That said, this is not entirely true, as banks and payment gateways need this fee to establish the payment verifying architecture. Therefore the Indian government had set aside 13,000 crores from the financial budget in 2021 to pay MDR to payment gateways and banks.
Is UPI going to change the way payments are made across the globe?
UPI as an ecosystem is changing the way payments are made in India, but due to its open banking architecture, it is gaining a lot of popularity all across the globe.
In fact, Mr Mark Isakowitz, vice president, Government Affairs and Public Policy, U.S. and Canada (Google), wrote a letter to Ann Misback, secretary, board of governors of the Federal Reserve System, stating the success of UPI and the need for a similar architecture in the U.S.A.
“First, UPI is an interbank transfer system [there are now over 140 member banks, after initially launching with 9 participating banks]. Second, it is a real-time system. Third, it is ‘open’ — meaning technology companies can build applications that help users directly manage transfers into and out of their accounts held at banks,” Mr. Isakowitz wrote to Ann Misback, secretary, board of governors of the Federal Reserve System.
Not only this, countries like Singapore, France, UAE, Bhutan and Nepal accept UPI payments, and the UPI payments architecture could revolutionise the way digital payments are made across the globe.