Unified Payment InterfaceNational Payment Corporation of India

- Akash Chandra

What is NPCI ?

NPCINPCI (National Payment Corporation of India) is the umbrella organization for all the retails payments in India, which is set up by RBI and IBA in April 2009.

NPCI launched the IMPS.NPCI launched the RuPay card.NPCI`s current initiative is the launch the UPI.

UPIUnified Payment Interface is a system that provides an architecture and standard set of APIs to facilitate the online immediate payments. Core features of UPI :

Open Source Mobile First Interoperable Instantaneous Secure Cheap

Simple Innovative Easily Adaptable

How UPI Functions with NPCI ?

First Understanding AEPB and DBT with NPCI

AEPB : Adhaar Enabled Payment BridgeDBT : Direct Benefit Transfer

Understanding AEPB and DBT with NPCI

Government Institution

Sponsor Bank Destination Bank

Beneficiary

NPCI Centrally Mapped Repository

NPCI Central Repository

NPCI’s maintains an association between customer’s Adhaar number, Mobile number and Bank accounts. This central repository can be used to route payment instructions based on Adhaar number or mobile number.

UPI with NPCI

Point of Sale(Payer)

NPCI Centrally Mapped Repository

UPI

The Payer/Payee information is sent, via PSP, to NPCI.

To identify the details of the second party involved, it either uses its repository or it contacts the second party PSP.

PSP to resolveVirtual Address

UPI with NPCI

Payer`s Bank Payee`s Bank

Point of Sale(Payee)

Once both PSPs` information is available to NPCI proceeds with the debit and credit processes.

On successful completion the payer and payee PSPs are notified, which then notify their customers.

Point of Sale(Payer)

Technical Architecture of UPI Gateway

The Payment cab also be processed using USSD code via NUUP (National Unified USSD Platform)

Core Elements in Payment

Other metadata attributes such as location, product code, mobile number, device details, etc. as required.

Payer and Payee account and institution details for routing transaction. Authentication credentials (password, PIN, biometrics, CVV, etc. as required

for debit, can be bank provided or 3rd party provided such as UIDAI). Transaction amount. Transaction reference. Timestamp.

Virtual Payment Address

Virtual Payment Address features

Unique mapping to Identifier (Person / Entity ). Global Identifier ( Adhaar number and Mobile Number ). PSPs can offer multiple virtual address to customers.

Pay and Collect Money. Pre authorization of multiple payments using ECS one time secure authentication and rule based access.

Standard set of APIs. 1-click 2- factor authentication.

Virtual Address Archietecture

Normalized Architecture for payment address “account @ provider“The address must include : ‘ a – z ‘ , ‘ A – Z ‘ , ‘ 0 – 9 ‘ , ‘ . (dot) ‘ , ‘ – (hyphen)’ .

The Payment Address can be issues by :Bank : shyam.444@iciciPSP : abdul2014.irctc@mypspPPI : 000012346789@myppi

NPCI (using global identifiers ) - IFSC code and account number as account-no@ifsc-code.ifsc.npci e.g. 12345@HDFC0000001.ifsc.npci- Adhaar number as aadhaar-no@aadhaar.npci e.g. 234567890123@aadhaar.npci- Mobile Number as mobile-no@mobile.npci e.g. 9800011111@mobile.npci

Virtual Address Archietecture

- RuPay card number as card-no@rupay.npci e.g. 1234123412341234@rupay.npci- A one time or time/amount limited tokens issued by a PSP, resolved directly by that PSP, is represented as token@psp-code e.g. ot123456@mypsp

Virtual Address Archietecture

If the virtual ID is not created using identifiers that NPCI understands(Adhaar number, mobile number, IFCS code, Rupay card number etc.) then NPCI requests PSP to decrypt address using Translate APIs.

Payments Structure

Types of Payment Request

Direct Pay - Sender/Payer Initiated - System Initiated Collect Pay - Remote Collect - Local Collect

Direct Pay

Sender Initiated Sender provides his credentials and receiver`s virtual address using his payment application.

E.g. Sending money to a friend.

System initiated Digitally signed request with receiver virtual address. E.g. System generated daily payment to agents.

Direct Pay

Sender Initiated Sender provides his credentials and receiver`s virtual address using his payment application.

E.g. Sending money to a friend.

System initiated Digitally signed request with receiver virtual address. E.g. System generated daily payment to agents.

Direct Pay Transaction Flow

Collect Pay

Remote Collect Payee send the request to the payer (through USSD or Smartphone) on his phone. So the payee doesn`t have to enter any credential.# Local exchange of encrypted credential is not currently supported in UPI.The sender`s phone on the arrival of request become point of entry of secure credentials.

Local CollectHere the payer`s address is captured to send the payment request.

Collect PayCollect Pay Transaction Flow

API Handling

Important features of API

APIs behind the existing systems at NPCI are done over ISO 8583 Messages (0200/0210).

Asynchronous : The request and response sent via separate API. Allowing the APIs to work in a non-blocked mode. Unique Transaction ID for every response. APIs exposed via HTTPS using XML input and output.

Important features of API API input data to set to URL in XML format with Content -Type

“application/xml” or “text/xml” URL : https://<host>/upi/<api>/<ver>/urn:txnid:<txnId>

host : API server addressupi : Static value to denote UPI transaction.api : Name of the API URL endpointver : Version of the APIs being used.txnID : Transaction id which will be used for load balancing purpose at UPI end

Acknowledgement API

All APIs have same ack response as given below:<upi:Ack xmlns:upi="" api="" reqMsgId="" err="" ts=""/>

Ack : root element name of the acknowledgement message.api : name of the API for which acknowledgement is given out.reqMsgId : message ID of the input for which the acknowledgement is given out.err : this denotes any error in receiving the original request message.ts : the timestamp at which the receiver sends the acknowledgement.

19 APIs provided by UPI

API : ReqPay

Single API will be used for both Direct Pay and Collect Pay.

In Direct Pay, Sender will provide his/her complete credentials and only the virtual address of the Receiver.

In Collect Pay, the Receiver will provider his complete credentials and only the virtual address of the Sender.

API : RespPay

To send back the response of the ReqPay API after the transaction.

API : ReqAuthDetails

Used to authorize payment and also translate the PSP`s virtual address to global identifiers like Mobile Number, Adhaar Number , Account + ID)

API : RespAuthDetails

This API is used by PSPs to authorize payment and send the required details to NPCI

API : List PSP

This API allows the PSPs to request for all the registered PSPs with NPCI. This data is used for validating the PSP during the process of transaction.

API : List Account Providers

This API allows the PSPs to request for all the registered PSPs with NPCI. This data is used for validating the PSP during the process of transaction.

API : List Keys

This API allows the PSPs to request for and cache the list of public keys of account providers and other entities in the UPI eco system

API : List Account

API allows PSPs to find the list of accounts linked to themobile by an account provider.

API : List Verified Address

Entries API allows PSPs to request a and cache the List of Verified Address

Entries to protect customers from attempts to spoof well known merchants such as LIC, Indian Railways, ecommerce players, telecom players, bill payment entities, etc.

API : Validate Address

This API will be used by the PSPs when their customer wantsto add a beneficiary within PSP application (for sending & collecting money).

API : Set Credentials

This API is required for providing a unified channel for setting and changing MPIN across various account providers.

API : Check Txn Status This API allows the PSPs to request for the status of the transaction.

The PSPs must request for status only after the specified timeout period.

API : OTP-Request

This API allows the PSPs to request for an OTP for a particular customer from an issuer.

API : Balance-Enquiry

This API Allows PSP to Request for Balance enquiry for auser.

API : HeartBeat Messages This API is a mechanism for UPI system monitoring.(monitoring

connection with PSPs and sending EOD to PSPs)

API : Request Pending Messages

This API allows PSP to request pending messages against a given mobile number or Adhaar number

API : Request Txn Confirmation This API provides transaction status confirmation from UPI to PSP. At

the end of every transaction, this API will be initiated to second PSP for status confirmation

Time Bound Request

<Rules><Rule name="EXPIREAFTER" value="1 miniute to max 64800 minitues"/><Rule name="MINAMOUNT" value=""/></Rules>

The part of code below shows the time bound aspect of the transactions.

Security Considerations

Class of Information

Non-Sensitive data - • Name, transaction history (amount, timestamp, response code, location, etc.)• Can be stored in unencrypted form.

Sensitive Data - • PIN, passwords, biometrics, etc. • Not to be stored and should only be transported in encrypted form.

Private Data -• Account number etc.. • May be stored by the PSP, but only in encrypted form.

Class of Information

PSP is mandated to use a secure protocol when transmitting sensitive data such as account details from the device to the PSP server.

With Collect Pay request PSP needs to show the KYC information central system (using the NPCI`s API).

PSPs is mandated to safeguard account information within PSP system as per regulatory and the payment card industry (PCI DSS )compliance standards.

Protecting Authentication Credentials

All APIs must be done over a secure channel (HTTPS).

Trusted common library for credentials (MPIN, PASSWORD, PIN BIOMETRIC ) is provided by NPCI.

Payment Service provider can`t store issuer specific authentication credentials outside common library.

Credentials encoded with Base64 encoding and are provided only during the transaction by UPI.

PSP can`t store the encrypted credentials in any permanent storage. Every messages within the unified system must be digitally signed. Every message has unique transaction ID (that spans across the

organizations for same transaction) and unique message ID for every request-response pair.

Thanks!

Thank You !!