a step towards cashless economy - unified payments ... payments interface (upi) ... unified payments...

A step towards cashless economy -

Unified Payments Interface (UPI)

Indian Payments Industry-An Overview

Payment Instrument Mix for Countries (2015)

India has traditionally been Cash

Centric Economy

However the contribution of Cash Transactions has seen a decline at a rapid rate and Proportion of Non-Cash transactions will overtake Cash Transactions by 2023

Value of Consumer Payments-% Cash vs Non-Cash (Paper ,Card and Digital)

India is becoming a Digital Country

Massive Growth in Digital Transactions

75% of Merchants believe that using Digital payments would accelerate future sales

Universe of Payment Industry in India

Significant Payment Activity in the last 3-4 years

Why Digital Payments….

Where Digital Payments is used now…..

How the Digital Payments is going to be used….

USD 500 Billion will Flow Through Digital Payments in India by 2020

USD 500 billion will flow through Digital payments in India by 2020

Merchant Payments will constitute 40% of Digital Payments

Unified Payments Interface

Agenda

1. What is UPI?

2. Why UPI?

3. Basic Structure of UPI

4. Existing Infrastructure

5. New Infrastructure after UPI

6. Key Characteristics

7. Value Proposition of UPI

8. Benefits of UPI to Banks / Members

9. Benefits of UPI to end Customers

10.Customer Registration – 1st & 2nd Transaction flow

11. MPIN Based transactions – “PUSH” & “PULL”

12. Broad risks perceived and mitigation

What is Unified Payment Interface ?

• The payments can be both sender (payer) and receiver (payee)initiated and are carried out in a secure, convenient, andintegrated fashion

Push & Pull Payments

• The unified payment system is expected to further propel easyinstant payments via mobile, web, and other applicationsEasy Instant Payments

• This next generation payment system provides an ecosystemdriven scalable architecture and a set of APIs taking fulladvantage of mass adoption of smartphone

Value Added Service

1 Click 2FA & Virtual address• Virtual payment addresses, single click 2 factor authentication,

Aadhaar integration, use of payer’s smartphone for securecredential capture, etc. are some of the core features

Scalable Architecture

Objective of a unified payments system is to offer an architecture and a set of APIs on top of existing systems to facilitate online instant payments and financial inclusion.

Why Unified Payment Interface ?

Mobile Payments have not scaled up in the country

Using Aadhaar number, mobile number, card number, virtual

address and account number in a unified way

Secure MPIN entry on NPCI libraries

Virtual Payment Address

Push /Pull

Remote/Proximity

Authentication by MPIN and Biometric

Mobile App

Merchant

Remittance including P2P

ECommerce

Single Click 2 Factor Authentication

Basic Structure of UPI

• IMPS – Phase I

NPCI Services covered currently

• HTTPS, PKI Infrastructure, (MPIN on mobile and OTP is encrypted using the Public Key and decrypted by the Issuer using the Private Key), Device fingerprinting

Security

• Aadhaar Number, Mobile Number, and Account Number & Virtual Address

Addresses allowed

• Global Addresses: Resolved by NPCI, Aadhaar Number & Mobile Number @NPCI handle

• Virtual Address: Resolved by PSPs, using Address Translation API, @psp handle

Virtual address

All address will be normalised as Handle - “account@provider” format

Participants

PAYMENT SERVICE PROVIDER (PSP)

• PSPs will be banks who will provide Apps

BANKS

• Merchant or customer’s bank (account relationship)

• NPCI provides UPI interface.

Benefits to Banks

Simple

(Single click 2FA)

Universal App for transactions

Leverages existing Infrastructure

SecurePayments basis Single/Unique

Identifier

Tap C2B segment &

E-Com / M-Com

Benefits to Merchants

Seamless fund collection from customers - single

identifiers

No risk of storing customer’s virtual

address like in Cards

Tap customers not having credit/debit

cards

Suitable for e-Com & m-Com/

Resolves the COD collection problem

Single click 2FA facility to the customer -

seamless PullIn-App Payments (IAP)

Benefits to End Users

Privacy

Share only Virtual Address and no other sensitive information

Multiple Utility

Cash on delivery/bill split sharing/ merchant payments /

remittances

One Click 2 FA

Authorise transaction by entering only the PIN

(Biometric to Follow)

Work across various interfaces

Payment request generated on Web interface; authorized on

Mobile interface (App)

Payment through Aadhaar Number

Pay using the Aadhaar number

Availability & Security

Available 24*&*365. Customer does the transaction on his

personal device

Transaction Types

Financial Transactions

• Pay Request

• Collect Request

Non-Financial Transactions

• Mobile Banking Registration*

• Generate One Time Password ( OTP)

• Set / Change PIN

• Check Transaction Status

• Log a complaint

* For mobile numbers already registered with the bank for SMS alerts

Benefits of UPISimplified Authentication:

Simplified Issuance Infrastructure: One can specify the beneficiary details in the form of A/C Number, Mobile Number, Aadhaar Number &also Virtual address depending on the privacy concerns of the customer. Mobile phone is used for authorization

Simplified Acquiring Infrastructure: India has nearly a billion phones and 150 million smartphones (expected to be at 500 million in next 4-5years), massive scale can be achieved if effective use of mobile is made compared to creating costly physical acquiring infrastructure

Innovation: Innovations such as reminders, using multiple accounts via single mobile applications, using special purpose virtual addresses,etc. allow users to enjoy superior UX

1-click 2-FA Transactions: Since mobile number is bound to the device, the mobile phone itself becomes the first factor of authenticationand M-Pin/Biometric is used for second factor authentication

Creating National Interoperability: Proactively creating this unified interoperable interface allows all players to innovate and providesuperior customer experience and still provide a secure, standard based, interoperable payment scheme

Authentication First Txn Authorised by Subsequent Txn Authorised by

1st Factor Mobile Number (OTP) Issuer Mobile Number/User ID PSP

2nd FactorMPIN* or Biometrics

matched against UIDAIIssuer

MPIN or Biometrics matched against UIDAI

Issuer

Simple enabling Steps

Step 1• Download PSP App

and create Profile

Step 2• Add Bank Account/s

Step 3• Register for Mobile

banking, if not already registered / Generate PIN for Transactions

Steps:1. Customer initiates a pay Request by entering the

Virtual Address of the Payee2. Payer PSP/Remitter Bank debits the customer’s

account & sends the ReqPay message to UPI3. UPI routes it to the respective Payee PSP and send

ReqAuthDetails message4. Payee PSP identifies the Address and responds

back with RespAuthDetails message.5. UPI sends a credit request to the Beneficiary Bank.6. Beneficiary Bank credits the customer’s account &

responds successful credit to UPI7. UPI sends a successful confirmation to the Payer

PSP8. Payer PSP sends the confirmation to the customer

Case 1: 2 Party P2P Push Transaction

Steps:

1. Customer sends a Collect Request by entering the Virtual Address of the Payer.

2. Payee PSP sends the ReqPay message to UPI3. UPI routes it to the respective Payer PSP basis

resolution of the handle4. Payer PSP/Remitter Bank sends a notification to

the Payer customer for authorization. Customer enters the PIN & confirms the payment. Payer PSP debits the Payer’s account and sends the RespAuthDetails message to UPI

5. UPI sends a Credit Request to Beneficiary Bank6. Beneficiary Bank credits the customer’s

account & responds successful credit to UPI7. UPI sends the RespPay message to Payee PSP8. Payee PSP sends the confirmation to the

customer

Case 2: 2 Party P2P Pull Transaction

Steps:

1. Customer initiates a Pay Request by entering the Virtual Address of the Payee customer and PIN.

2. Payer PSP sends the Request Pay along with customer’s credentials to UPI

3. UPI sends address resolution request (ReqAuthDetails) to payee PSP.

4. Payee PSP identifies the Address and sends the relevant account information to UPI

5. UPI sends the debit request to payer bank.6. Remitter bank sends the response after debiting the

customer account7. UPI sends a credit request to the Beneficiary Bank8. Beneficiary Bank credits the customer’s account and

responds successful credit to UPI9. UPI sends the same to Payer PSP10. Payer PSP sends a successful confirmation of the

transaction to the customer

Case 1: 3 Party P2P Push Transaction

Steps:

1. Customer sends a Collect Request by entering the Virtual Address of the Payer customer.

2. Payee PSP sends the same to UPI3. UPI sends it to the respective Payer PSP for address

resolution and authorization4. Payer PSP sends a notification to the Payer customer

for authorization. Customer enters the PIN & confirms the payment. Payer PSP sends the same to UPI

5. UPI sends the debit request to Payer bank.6. Remitter bank debits the Payer’s account and sends the

confirmation to UPI.7. UPI sends the credit request to the Beneficiary Bank8. Beneficiary Bank credits the customer’s account and

confirms the same to UPI9. UPI sends the successful confirmation to the Payee PSP10. Payee PSP sends the confirmation to the customer

Case 2: 3 Party P2P Pull Transaction

Payer PSP

Case 1: 4 Party P2P Collect Transaction

Payee PSP Payer PSP

1

2 3

4

7 8

9

10

5 6

Payer agrees to pay and enters the PIN

Payee Initiates the Transactions

Person requested funds by using UPI App

Beneficiary PSP Remitter PSP

Issuer Bank

UPI

Acquirer Bank

Payers virtual address flows to UPI for address resolution and authorization through payee PSP

31

Case 2: 4 Party P2P Pay Transaction

Payer PSP UPI Payee PSP

1

2 3

4

7 8

9

10

5 6

Person enters the PIN

Person Initiated payment by using UPI App

Issuer Bank

UPI

Acquirer Bank

Remitter PSP Beneficiary PSP

Beneficiary's virtual address flows to UPI for address resolution through payer PSP

32

Merchant Transaction Flows

33

• Banks that are offering the merchant PSP integrated App, should also have an intent call on the phone to callother PSP Apps.

• The bank can embed its SDK in the Merchant App for an intent call. This is to ensure that call is made to theircentral system by ‘their code’ and additional authentication.

Process:• In case of transactions initiated through merchant App, merchant will get ‘reference ID’ from their respective

PSPs before initiating the transaction. The following process will be followed to ensure that concernedmerchant is initiating the transaction.

On the merchant App, when the customer selects the “Pay by UPI” option, the merchant will initiate request toits Acquiring Bank seeking a “Reference ID”.

In response, the Acquiring Bank will provide “Reference ID” linked to transaction Amount to that merchant. The merchant App initiates an intent call with that “Reference ID” to the UPI enabled PSP App on the Mobile. The transaction comes from UPI enabled App to UPI system. UPI system forwards to the Acquiring PSP for translation of merchant Virtual ID to actual Bank account details. Acquiring PSP before doing translation, will validate the “Reference ID” and amount for the Merchant. If reference ID matches, only then the further process will continue, otherwise transaction will be declined. Onus and liability of validating the transaction is with acquirer PSP.

Merchant Initiated Intent

34

Case 2 : 3 Party Merchant Transaction - Customer & Merchant with Same PSP and PSP SDK embedded into Merchant App

1

2

56

7

8

34

PSP 1 App

PSP 2 App

Mobile

PSP SDK

PSP SDK = Merchant App embeds PSP SDK PSP 1/2 APP = Other PSP Apps installed on Customer Mobile Phone

Issuer Bank

Acquirer Bank

UPI

Merchant

Merchant/Customer PSP

Customer Registered for UPI

Ref

ere

nce

ID,

Am

t, M

erc

han

t ID

In this scenario when the merchant raises an intent, all the UPI PSP App on the customers phone are shown. Thecustomer however selects his PSP App which is the same as that of merchant.

Similar to the previous case, Now the Virtual addresses of both the merchant and customer are available with the PSP . The financial addresses underlying these virtual addresses flow to UPI.

36

Case 4: 4 Party Merchant Transaction – Collect call based on Virtual address

Merchant = Customer initiates Txn by using Virtual Address

Payee PSP UPI Payer PSP

1

2 3

4

78

9

10

56

Customer enters the PIN

Mobile App / Web Application

Customer Registered for UPI

Issuer Bank

UPI

Acquirer Bank

Merchant

Merchant PSP Customer PSP

Ref

ere

nce

ID, A

mt,

M

erc

han

t ID

Collect by UPI – through virtual address. Virtual address of customer flows to UPI through merchant PSP for resolution of address and payment authorisation.

38

Perceived Risks & Mitigation

Sr. Perceived Risks Risk Mitigation

1 Payment Service Provider as an entity

The Payment Service provider is proposed to be an entity which is authorized by the RBI. In this context the PSP in the UPI would be either a Bank or a Prepaid Payment Instrument Issuer (PPI) authorized by the RBI.

2 Customer registration on PSPP

The customer will be send an OTP by the PSP while registering the customer to ascertain the veracity of the customer

3 PSP Application security The PSP application shall be certified by NPCI and the NPCI Utility / Libraries embedded in the application for handlingsensitive data such as Debit Card No; Expiry date; MPIN etc.

4 Transaction Level Security 1. Transaction is secured with the Authorization which is split between the PSP & Issuing Bank. PSP does the devicefingerprinting of the mobile device where the hard bound Mobile number becomes the first factor.

2. Customer enters the MPIN or the Bio-metrics as the 2nd factor of authorization for the financial transaction

5 Security while handling the MPIN

The MPIN is always entered by the customer on the NPCI Utility (which is embedded into the Parent PSP APP whilecertification) which is invoked while entering the MPIN. The MPIN traverses through the secure channel from UPI to theIssuing bank basis the PKI encryption where the PIN is encrypted through the Public key at the UPI and the Issuing bankdecrypts at its end using its Private key

6 Settlement Risk The settlement of the UPI transactions shall be done under the respective products only and hence there is no incremental settlement related risk perceived in the process

7 Unsolicited Pull requests to the customer

The customer always enters the MPIN and authorizes the transactions before the debit is processed to the account and hence the end customer is in complete control of the transaction

46

Banks/ PSP

Merchants/Third Party

UNIFIED PAYMENT INTERFACE

Meeting all the payment needs with

Online In-App In-Store

Where Shall the payments likely come from?Real-time P2P – Already significant

Growth – Through Merchant segment

47

WEB - eCommerce

48

Modes of payments used in E-Commerce in India

Source: Deloitte research report, April 2016;The Hindu, March 2016

Includes only B2C etail excluding online travel and classifieds

Total Internet users(2015): 36 CrTotal e-Tail Shoppers(2015): 3.9 CrCOD Payers: 2.3 CrDebit Card Payers: 0.50 CrNet Banking Payers: 0.35 CrOthers: 0.75 CrTotal Active Wallet Users: 10 Cr

82% of total E-Commerce payments can be catered by UPI

E-Wallets can be loaded with UPI

Total e-Tail shoppers are 3.9 Cr. (11%

of 36Cr.)

22

.3 C

r b

uye

rs*

*Assumption for 36% of 62 Crore Internet users in 2020

Modes of Payments

Application

Stand alone Application

(Including existing bank App)

Augmented Service

(UBER-PayTm)

Complex Augmented Service

(Zomato-Uber-PayTm)

In-Store

Retail Chains

Service Stops

(Restaurants, Saloon, workshops)

Mom & Pop Stores

*Pre-Authorized Low Value Transactions

Web

E-Commerce

49

Online Payment(Collect initiated

on Web using VPA)

UPI on Delivery(Proximity Push/Pull)

* Signifies futuristic

How’s the Ecosystem looking like?Its looking pretty Good…..and growing

50

And How are we gonna be doing it?Use Cases / Use Cases / Use Cases & More Use Cases

We’re gonna be thinking with the Banks…..!

52

eCommerce/In-APP made FRICTIONLESS with UPI

53

Cart to Checkout in less than 5 Seconds

A Secure Payment Request on your Handset

A Seamless Way to PAY

UPI to simplify entire E-com and M-com space and provide users with more secure and seamless experience#Core Aspect of Our Growth Story

UPI-on-Delivery (Go cashless with COD)

54

Package received at Home

Scanning of QR will result in invoking of available UPI PSP apps on customer device

Customer verifies the transaction and authenticates

Delivery boy receives the confirmation of the payment

Core Driver for Exponential Growth of UPI

55

• Aggregators like Paytm, Mobikwik, Freecharge, Citrus, Oxigen, etc.are providing API’s/ Web plugins/ Mobile SDK to merchants forintegrating their portal or retail payment system to accept payments.

• These transactions form a major chunk in M-Commerce industry.• Industry has also witnessed strategic tie-ups like Uber-Paytm,

Zoomcar- Citrus, Bookmyshow- Mobikwik, etc. which enabledcustomers to pay seamlessly resulting in a significant rise in mobilebased payments.

• To cater this segment PSP banks will be required to share UPIbased Plugin, Mobile SDK and API’s to enable their merchantsperform UPI transactions.

• Banks can help their merchants in setting up UPI paymentmode in the merchant’s website and application.

Retail Chains – NFC/QR/BLE*/UHF** enabled

56

*Bluetooth Low Energy**Ultra High Frequency

In-Store Payment Modes – Service Stops

• For Enhanced customer experience, service providers likeRestaurants, Saloon, Spa, motor service centres are providingvarious options to customers on a hand held device withcustom interface.

• These merchants are tying up with aggregators like Paytm,PayPal for custom payment API’s.

• With UPI PSP bank API’s available to these merchants,customers will be directly paying into merchant’s account in realtime.

57upi://pay?pa=zeeshan@npci&pn=Zeeshan%Khan&mc=0000&tid=cxnkjcnkjdfdvjndkjfvn&tr=4894398cndhcd23&tn=Pay%to%rohit%stores&am=1010&cu=INR&refUrl=https://rohit.com/orderid=9298yw89e8973e87389e78923ue892

Offline Payment Modes – Service Stops

58

Starbucks In-AppMenu

Pay by UPI Payment by Scanning QR Code

Confirm Payment

MERCHANT’S DEVICE CUSTOMER’S HANDSET

Confirmation on Merchant’s Device

Mom & Pop Stores

59

Thought Process –Low income merchants who lack in acquiringinfrastructure can use UPI for receiving payments fromcustomers.

Key Requirement –This scenario will require Creation of separate MCC forsuch merchants or usage of a reserved MCC. Thesemerchants will be classified under a low gross incomegroup. Classification of merchants as such will be theresponsibility of Acquiring PSP.

Approach –Such transactions need to be subjected to a Lesser/differential pricing. Approval from Steering Committee willbe required.

UPI – Aiding Financial Inclusion

• The payments under UPI can be both sender (payer) and receiver (payee) initiated and is carried out in a secure, convenient, and integrated fashion, thereby enabling payments across the country including the small value payments.

• The small time merchants without the POS infrastructure will also be included through the UPI initiative for small value transaction payments.

• The Biometrics option for the 2nd factor is also conducive to the rural segment where the other factors may not immediately be in vogue

Financial Inclusion

Why UPI?• No deemed approval, either fail or success.

• Multiple ways to pay with Single Payment Identifier.

• Can initiate anytime (24 X 7).

• Choice of Mobile Application to the customer• (One App for one or multiple bank accounts).

• P2P Pull.

• Seamless merchant payment collection.

• Customer enters the PIN in his/her personal device.

• In-App Payments.

• Payments using QR code/Blue tooth/Voice Technology/NFC etc.

64

Why UPI?

65

Available on all android

phones(most popular mobile OS).

More secure way to transact on mobile

platform.

One App for all transaction needs.

More than 700 Million smartphones

users by 2020.

GLOBAL SECURITY CONVENIENCE NEXT GEN

*To be launched in IOS soon.

Why UPI – Self Sustained Model

66

Download Register

For App

For Mobile Banking

Transaction

P2P Merchant

PAY COLLECT PUSH PULL

PROXIMITY REMOTE REMOTE

1) In Store 2) In App3) QR Code 4) Web-Collect

Benchmark…..?No Parallel here, in the country !

67

USP of UPI

• Apple Pay is available only for IOS users, Local Authentication, token auththrough the Issuer, Cards only, NFC/In-App

• Samsung Pay is available only on selected devices across United States &Korea only, high end devices, token auth through issuer, Still dependent onPOS

• Android Pay is limited to android platform, NFC Capability / In-App,Download the Android pay from Google store

•UPI is universal to all platforms and devices.

69

UPI vs Cards vs Wallets

• Unlike Wallets wherein you have to pre load , For Debit and Credit card transaction, physical swiping or card details need to be fed in for online transactions, UPI will facilitate through simple email address.

• UPI will act as enabler to wallets and can be used to fund the wallet. UPI has still not got wallet as the same is designed for Banks now and also wallet offer facilities beyond money transfer

• Difference in KYC Norms for UPI and Wallet.

• UPI-Payout limit Rs 100,000 vs Wallet Payout limit Rs 10,000.

Security

• UPI has two factor authentication Mechanism. The mobile number provides 1st level authentication and Mobile Pin provides 2nd level authentication

• The UPI works on smart phones , hence no need of swiping card on external devices such as POS etc, thus reduces the security hassles.

• No need of sharing card details on any Website.

UPI Solution provides strong end-to-end security and data protection. The key Securityfeatures of the Unified Payments Interface are:

Device Fingerprinting during the registration process

Credential Capture through NPCI Common Library

Credentials encrypted by using RSA 2048 Asymmetric Encryption

The decryption/encryption at NPCI will be performed through HSM

Message communication between PSPs and UPI over HTTPS

All messages are digital signed using SHA2 with RSA.

Security features

Message Layer Data Integrity Message communication between PSPs and UPI will be in XML format over HTTPS

and all the messages will be digitally signed.

Private Data (Account / Card number) Handling Private data in the transaction message will be over HTTPS on network, Which will

be encrypted before storing in DB.

Database Tamper Proofing Concatenated all columns of the row to create a single string and generate MD5

checksum

In case of mismatch in the checksum , the process gets failed & an high level alertmust be generated.

IP Whitelisting IPs for PSPs and other systems will be whitelisted at the firewall level in order to

block messages from all non-authenticated sources.

Security features

NPCI common library will be distributed to PSP’s for all the three major mobile operatingsystems viz. Android, iOS & Windows.

Common library has the following security features: Capture the credentials securely Embedding Device and Transaction related data as salt into the Credential block for each

Transaction to Prevent the Acquiring PSP to replay the Credential block Ensure actual device finger print is sent to NPCI for every transaction Ensure NPCI Common Library is used to Secure Credential capture

To encrypt the sensitive data (credentials like OTP, MPIN, and biometric data) using RSA 2048public key encryption.

Digital Signature verification of xml payload of public keys before performing the credentialcapture.

NPCI Common Library

•Frequently Asked Questions

FAQ

• How is UPI different from IMPS?

• UPI is providing additional benefits to IMPS in the following ways:• Provides for a P2P Pull functionality• Simplifies Merchant Payments• Single APP for money transfer• Single click two factor authentication.

• Does a customer need to register before remitting funds using UPI?

• Yes, a customer needs to register with his/her PSP before remitting funds using UPI and link his accounts

• Does the customer need to register a beneficiary before transferring funds through UPI? What details of beneficiary will be required?

• No, registration of Beneficiary is not required for transferring funds through UPI as the fund would be transferred on the basis of Virtual ID/ Account+IFSC.

• Does customer need to have a bank account or this can be linked to a card or wallet?

• No, customer cannot link a wallet to UPI, only bank accounts can be added.

• Can I use more than one UPI application on the same mobile if they are linked to different bank accounts?

• Yes, one can use more than one UPI application on the same mobile and link both same as well as different accounts.

• Does the beneficiary also have to register for UPI for receiving funds?

• In case of Virtual ID transaction, the beneficiary needs to have a Virtual ID and in turn be registered with UPI but in case of Account No+IFSC, the beneficiary need not be registered for UPI.

FAQ

• What is the limit of fund transfer using UPI?

• At present, the upper limit per UPI transaction is Rs. 1 Lakh.

• If I change my UPI app will I be required to register again or I can carry the same virtual address?

• In case of change in UPI App, a person needs to re-register and it depends on the PSP whether same virtual ID can be used with necessary checks they can establish.

• What happens if I forget my pin?

• In case someone forgets the MPIN, he needs to re-generate new PIN.

• Will I be able to use UPI across all Mobile platforms?

• As of now, UPI is only available for Android.

• What is the timeline to approve a collect request by a payer?

• the timeline to approve a collect request needs to be defined by the requestor.

• In case my mobile is used by another person, will there be any security breach?

• In any transaction through UPI, MPIN would be required which needs to be fed through the mobile at the time of any transaction making it safe and secured.

a step towards cashless economy - unified payments ... payments interface (upi) ... unified payments...

Documents