UNIFIED PAYMENT INTERFACE (UPI)

Report of Work done at IDRBT during Summer Internship 2018

by K. Spandana, B-Tech, 4th year, CSE VR Siddhartha Engineering College, Vijayawada

Under the guidance of Dr. N.V. Narendra Kumar

CONTENTS

ACKNOWLEDGEMENT
ABSTRACT
1. INTRODUCTION
1.1. Objectives
1.2. Structure of the Report
2. UPI ARCHITECTURE
2.1. Architecture
2.2. Concepts
2.3. Existing Systems
2.4. Supporting Infrastructure
2.5. Benefits
2.6. Security Considerations
2.7. Perceived Risks and Mitigation
2.8. Applications
3. NPCI
3.1. Role of NPCI
4. UPI TRANSACTIONS
4.1. Ecosystem
4.2. Pay Request
4.3. API Specifications
5. CONCLUSIONS
REFERENCES

ACKNOWLEDGEMENT

Behind every achievement lies an unfathomable sea of gratitude to those who activated it, without whom it would never have come into existence. To them I lay the words of gratitude imprinted with me. I would like to thank IDRBT for giving me the opportunity and the necessary facilities, and also the admin and library staff for their support. I would like to thank my guide Dr. N.V. Narendra Kumar for his timely and valuable guidance and suggestions for this report. I would like to thank all who have been inspiring guides and committed caretakers and who have given me moral support in every situation of my internship. Their encouragement and support, especially in carrying out this report, motivated me to complete this study. My sincere thanks to V. R. Siddhartha Engineering College and also to my friends who encouraged me to pursue this internship.

ABSTRACT

This report studies the Unified Payment Interface (UPI), a new-age payment system introduced by the National Payments Corporation of India. Unified Payment Interface is a mobile-based, real-time interbank payment system which has the potential to universalize digital payments in India. The report traces the evolution of payment systems in India and examines in detail the technology behind Unified Payment Interface, focusing on its architecture and security systems. Its modular API-based architecture will enable development of innovative solutions for consumers and businesses. UPI is currently in its infancy, and development of merchant-based UPI solutions will greatly increase user adoption.

Keywords: unified payment interface, IMPS, NPCI, fund transfer.

1. INTRODUCTION

Unified Payments Interface (UPI) is an instant real-time payment system that brings multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing and merchant payments under one hood. It also provides a “Peer to Peer” collect request which can be scheduled and paid as per requirement and convenience. UPI is developed by the National Payments Corporation of India (NPCI). The interface is regulated by the Reserve Bank of India (RBI) and works by instantly transferring funds between two bank accounts on a mobile platform. It is built over the Immediate Payment Service (IMPS) for fund transfer.

With the above context in mind, NPCI conducted a pilot launch with 21 member banks. The pilot launch was held on 11th April 2016 by Dr. Raghuram G Rajan, Governor, RBI, at Mumbai. Banks started to upload their UPI enabled apps on the Play Store from 25th August 2016 onwards.

1.1. Objective

The main objective of a unified system is to offer an architecture and a set of standards to facilitate the next generation of online immediate payments, leveraging trends such as increasing adoption, Indian language interfaces, and universal access to and data. The following are some of the key aspects of the unified payments interface:

1. The unified payment interface is expected to perform easy instant payments via mobile, web and other applications.
2. Payments can be initiated by both payer and payee and are carried out in a secure, convenient and integrated fashion.
3. The design provides an ecosystem-driven scalable architecture and a set of APIs taking full advantage of the mass adoption of smartphones.
4. Capabilities include virtual payment addresses, 1-click 2-factor authentication, integration, and use of the payer’s smartphone for secure credential capture.
5. It allows banks and other players to innovate and offer a superior customer experience, making electronic payments convenient and secure.
6. It supports the growth of e-commerce while simultaneously meeting the target of financial inclusion.

1.2. Structure of the Report

This report studies the following:

1. In section 2 we study the UPI architecture, existing systems, and the benefits and applications of UPI.
2. In section 3 we study the role of NPCI and its involvement in UPI.
3. In section 4 we study the different transaction types, transacting parties, transaction flow and the APIs involved in a transaction.
4. Section 5 concludes the report.

2. UPI ARCHITECTURE

2.1. Architecture

The following diagram shows the architecture of UPI, allowing USSD, smartphone, Internet banking and other channels to integrate onto a common layer at NPCI. This common layer organises the transactions and ensures settlement across accounts using systems such as IMPS, AEPS, NFS, E-com etc. Use of existing systems ensures reliability of payment transactions across various channels and also takes full advantage of all the investments made so far.

Fig: 2.1 UPI ARCHITECTURE[1]

Here, the merchant sites collect the payment through the virtual address, avoiding the need to provide account details or other sensitive information on websites or third-party applications. Within this solution, payment authentication and authorization are always done using the personal mobile device.

2.2. Concepts

Every payment has the following core elements:

1. The account details of the payer and the payee, for routing and authentication purposes.
2. Authentication credentials.
3. Transaction amount.
4. Time stamp.

2.2.1. Payment Address

The payment address is unique for every user. It is flexible and can be changed. This address is linked with the user’s mobile number and account number. Since it is not the actual account identifier but stands in for the bank account details, it is called a virtual payment address (VPA). The provider is expected to map the payment address to the actual account details at the appropriate time. Providers who issue virtual addresses should expose an address translation API for converting their virtual addresses to an address that can be used by NPCI.

2.2.2. Authentication

Authentication is the process of recognizing something or someone’s identity. In the context of a transaction, communication takes place between two parties such that both share the required details among themselves, so that the identity of each party is known to the other.

In UPI a special benefit of single-click 2-factor authentication is provided. It has two levels of security:

1. Device fingerprinting acts as the first factor. Here one’s bank account is linked to his/her own UPI app, and as a result the NPCI servers acquire the device details of the user. The combination of the user’s mobile number and device ID is therefore linked to the unique account number, and this combination acts as the first factor of authentication.
2. The second level of security is the MPIN. When one links his bank account with the UPI app he is asked to generate an MPIN which is known only to him, and during every transaction the user is asked to enter this MPIN.

2.2.3. Authorization

Authorization is the process of allowing a user to access resources. For example, if a user logs into a computer, the system checks which resources that particular user is allowed to access based on the permissions granted to him. These permissions are set by the system administrator. Logically, authorization is preceded by authentication.

2.3. Existing Systems

Before the development of the unified payment interface, NPCI developed many other payment infrastructures. The existing systems are as follows:

1. NFS: The National Financial Switch (NFS) set the common standard and enabled digital interoperability between all banks in the country. NFS is now the backbone which powers the largest domestic ATM network in the country.
2. RTGS: The Real Time Gross Settlement system is the continuous process of settling payments on an individual order basis, without netting debits with credits across the books of a (e.g. bundling transactions). Once completed, real time gross settlement payments are irrevocable.
3. NEFT: National Electronic Funds Transfer (NEFT) is a nation-wide payment system. Under this scheme, individuals can electronically transfer funds from any bank branch to any individual having an account with any other bank branch in the country participating in the scheme. NEFT transactions are settled in batches.

2.3.1. Limitations

1. RTGS and NEFT are unsuitable for small-ticket digital retail payments.
2. High transaction limits.
3. Delayed settlement in batches.
4. Fixed operating hours.

Thus NPCI introduced IMPS (Immediate Payment Service), a real-time retail payment service with round-the-clock availability. IMPS is channel independent and can be accessed through mobile phone, internet, ATM and Unstructured Supplementary Service Data (USSD) on feature phones. IMPS provided a mobile-based interoperable fund transfer service involving various stakeholders such as banks, merchants, and telecom service providers. IMPS works on immediate settlement, where settlement takes place at a granular transaction level with instant transaction confirmation to both the remitter and the beneficiary. IMPS transactions were enabled through mobile phones and can be considered the precursor to the Unified Payment Interface (UPI), since UPI transactions are settled through IMPS.

2.4. Supporting Infrastructure

The facilities that support the unified payment interface are as follows:

1. Aadhaar system
2. NPCI mapper

2.4.1. Aadhaar System

Aadhaar is a unique identity for each user and has become an accepted identity throughout the country for government and non-government agencies. Aadhaar authentication is done by submitting the user’s Aadhaar number along with his details and biometrics online to the Unique Identification Authority of India (UIDAI) system, which verifies them against the information or documents available with it. Payments based on Aadhaar credentials are done through the Aadhaar Enabled Payment System (AEPS). The credentials required for such a transaction are:

1. Bank identification of the customer (IIN)
2. Fingerprint of the customer
3. Aadhaar number

The following are some of the services offered by AEPS:

1. Finger detection
2. Cash withdrawal
3. Cash deposit
4. Fund transfer (Aadhaar to Aadhaar)
5. Mini statement
6. Balance enquiry

2.4.2. NPCI Central Mapper

The NPCI mapper keeps track of the Aadhaar numbers, which are maintained by the Aadhaar Payment Bridge System (APBS). These numbers are further used for routing APB transactions to the destination banks. The NPCI mapper also contains the IIN of the bank to which the Aadhaar number is linked.

When a mobile number is linked with one or more accounts, the NPCI central mapper allows any user to send or receive money using the mobile number without knowing the details of the destination account.

2.5. Benefits

Benefits for the Banks

1. Single-click two-factor authentication: as it provides two levels of security, the bank account is secured.
2. Payments can be made using the unique identifier.
3. The transaction is safe and secure.
4. Availability of an online application process, called the universal application, for the transaction.
5. Merchant transactions can be done without the involvement of a third party.

Benefits for the End-users

1. Transactions can be done round the clock by customers, regardless of Sundays and public holidays.
2. As the virtual payment address is used during the transaction, there is no need to share sensitive information.
3. Complaints can be raised directly through the mobile app.
4. Different bank accounts can be managed through a single mobile application.
5. Single-click authentication.

Benefits for the Merchants

1. The cash-on-delivery problem can be solved.
2. No risk of storing the customer’s virtual address, unlike with cards.
3. Best suited for e-commerce and m-commerce transactions.
4. In-app payments can be done.

2.6. Security Considerations

For the security of the data, the following terms are defined:

1. Sensitive Data: data that is to be protected from unauthorized access for one’s own privacy. It includes personal information like PIN, passwords, biometrics etc. This information should be passed only in encrypted form.
2. Private Data: this type of data includes one’s account details. It is stored in encrypted form at one’s PSP.
3. Non-sensitive Data: this type of data need not be encrypted. It usually includes name, amount, timestamp, location, response code etc.

2.6.1. Protecting Account Details

During transmission of sensitive data like account details from the device to the PSP server, it is mandatory for the PSP to use a secure protocol. The PSP is mandated to safeguard the account information within the PSP system.

2.6.2. Protecting Authentication Details

A trusted common library is provided by the NPCI which stores the sensitive credentials like MPIN, passwords, biometrics etc. Authentication details are captured and encrypted inside the common library. The PSP should not store the encrypted credentials within any permanent storage. The PSP should not capture the authentication credentials of the issuer outside the common library.

2.7. Perceived Risks and Mitigation

1. Secured Customer Registration: The customer will be sent an SMS by the PSP while registering, to ascertain the veracity of the customer. The PSP also does device fingerprinting through an automated outward encrypted SMS (mobile number to PSP system) which hard-binds the mobile number with the device. This ensures that transactions originating from the hard-bound device are secured at the first step itself. This outward SMS should be encrypted and should not involve any customer intervention.
2. Application Security: The PSP application shall be certified by NPCI, as shall the NPCI utility/libraries embedded in the application for entering sensitive data such as biometric credentials, PIN and One Time Password (OTP).
3. Transaction Level Security: The transaction is secured with authorization which is split between the Payment Service Provider and the Issuing Bank. The device fingerprinting of the mobile device serves as the first factor. The customer enters the PIN or biometrics as the second factor.
4. Security while handling the PIN: The PIN is always entered by the customer on the NPCI library (which is embedded into the parent PSP app during certification), which is invoked while entering the PIN for an interoperable transaction. The PIN traverses over a secure channel from UPI to the Issuing Bank on the basis of PKI encryption: the PIN is encrypted using the public key at UPI and the Issuing Bank decrypts it at its end using its private key.
5. Settlement Risk: The settlement of UPI transactions shall be done under the respective products, which already comply with the Settlement Guarantee Mechanism framework, and hence there is no incremental settlement risk.
6. Unsolicited Pull Requests to the Customer: The end customer is in complete control of the transaction and has to enter authentication details to initiate a debit to his bank account.

2.8. Applications

UPI apps have changed the way payments are made. Slowly but steadily, they are replacing all other payment options including cash. The Play Store is flooded with UPI apps, and we can use any of the UPI apps available there. For example, if we have a bank account with ICICI, we can add this account to SBI Pay or any other UPI app. UPI apps are bank independent, so they support us even if we have accounts with multiple banks.

The following are some of the prominent UPI apps used by customers for payments:

2.8.1. Axis Pay

Axis Bank’s Axis Pay is a great UPI app. It has the cleanest interface. The developers have placed only two options on its home screen: one for sending money and another for requesting money. All other options are placed in the side panel, which can be accessed by swiping from the left. The Axis Pay app is secured by a 6-digit app password. The user experience is good, as the app is fast enough to provide a seamless transaction experience.

However, the app has more steps than most of the other UPI apps while sending money. We must add an account as a contact within the app before sending money.

2.8.2. SBI Pay

SBI Pay is the standalone UPI app of SBI. The app is secure and easy to use. The interface of the app is one of the simplest. User experience is also great, as transactions can be completed in 3-4 steps only. The icons for almost all main services are placed on its home screen, and other options can be accessed with a single swipe from the left. It has all the major UPI services, comprising send and request money, balance inquiry and set/change MPIN.

We can add more than one bank account in SBI Pay and select a preferred account from the added accounts, so we need not choose the bank account every time.

2.8.3. PhonePe App

The PhonePe app is another UPI app. This app also acts as a mobile wallet. It is the second fastest growing UPI app after the BHIM app. The app has all the UPI features as well as mobile wallet features. Regarding its interface, it is one of the nicest looking UPI apps. The developers have chosen a nice colour scheme for the app, and it also contains important features.

Most other UPI apps are meant to send money only, but PhonePe is capable of recharging and paying bills using UPI. The app also works well on slow network connections. It is available in 8 languages. We can send and request money, generate and scan QR codes, and set/change the MPIN with the app. We can also check our bank balance.

2.8.4. Google Tez App

Google Tez is a late entrant. The main driver of its rapid progress is the Tez reward program, but the interface of Tez is also very simple. This app is even simpler than the BHIM app.

Google has powered this app with four big banks, so we can use any of these banks for the back-end transaction. Tez has a unique cash mode feature. In this mode we can transfer money very easily to a person who is nearby; we don’t need to input any details for such a transfer. It is just like a Shareit transfer, where we can see the recipients within a limited area. This technology works on sound waves.

If we are not paying in cash mode, there are more steps for the fund transfer.

2.8.5. BHIM UPI app

The BHIM UPI app is one of the best apps. This app is developed and released by NPCI. It is the simplest and fastest UPI app available in the Play Store. The interface of the app is minimal, with blue icons on a white background.

We can access each of its services with just a single click. Also, we can complete a transaction or change our bank account with three to five clicks only.

The BHIM UPI app has all the UPI features. These include sending and receiving money, changing or setting the MPIN, checking the balance and generating QR codes etc. We can send money using the virtual payment address, mobile number or QR code of the beneficiary. NPCI has also included the IFSC and account number method with the last update.

2.8.6. Bonus app-PNB UPI

PNB UPI is another of the UPI apps available. This app is developed and released by PNB. The interface of the app is pretty good. It allows us to send money from our account to another and to request money. We can send money using a virtual payment address or IFSC code and account number.

The speed of the app is also decent. The app sometimes lags due to slow network connections, but with a good internet connection there is no problem.

PNB UPI also allows us to pay by scanning a QR code. However, it does not have the option to generate a QR code.

All other services are present in the app such as set/change MPIN, balance inquiry, adding more than one account and viewing past transactions etc.

If we do not weigh looks or QR codes much, then this app is one of the best apps. But if we prefer an app which is clean and simple, then it is best to choose another app.

3. NPCI

National Payments Corporation of India (NPCI) is an organization set up for all retail payments in India. NPCI was set up with the support and guidance of the Reserve Bank of India (RBI) and the Indian Banks’ Association (IBA).

3.1. Role of NPCI

NPCI is the owner, network operator, service provider and coordinator of the UPI network. NPCI has the right to operate and maintain the network on its own, and it can also provide the required services through third-party service providers.

3.1.1. Settlement

Immediate Payment Service (IMPS) is used for settlement of all UPI transactions. NPCI will process all approved UPI transactions in IMPS. The IMPS Daily Settlement Report will contain three types of transactions, as defined below:

1. U2U (PUSH): UPI to UPI transaction (Basis Virtual Address, Account Number + IFSC, Aadhaar Number, Mobile Number + MMID). In this case, both the sending and the receiving bank are live on UPI.

2. U2U (PULL): Means UPI to UPI transaction (Basis Virtual Address). In this case, both the sending and the receiving bank are live on UPI.

3. U2I (PUSH): Means UPI to IMPS transaction. In this case, the sending bank is live on UPI but the receiving bank is live only on IMPS and not on UPI.

3.1.2. NPCI Libraries

NPCI Libraries are a set of utilities which are embedded in the PSP app. These libraries are available for all major mobile operating systems.

These libraries allow secure capture of credentials like OTP, PIN, biometrics etc. The secured credentials are always captured by the NPCI libraries, which use PKI encryption.

NPCI will be using Public Key Infrastructure (PKI) to encrypt the PIN using NPCI Public Key which will be stored locally in the libraries. This encrypted block will be sent to NPCI where NPCI will decrypt using NPCI Private Key. Then NPCI will encrypt it using the Issuer’s Public Key and send it to the issuing bank which will decrypt and validate with its Private Key. The Issuer Bank has to mandatorily decrypt the PIN using Hardware Security Module (HSM) only.
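The three-hop PIN path described above, modelled as an added example in Go (this is illustrative code written for this report, not the NPCI libraries or any bank’s code): the common library encrypts the PIN under the NPCI public key, NPCI decrypts and re-encrypts under the issuer’s public key, and the issuer decrypts and validates. RSA-2048 with OAEP, the salted-hash storage of the enrolled MPIN at the issuer, and the sample salt are assumptions; the report names only “PKI encryption”.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Assumption: RSA-2048 with OAEP stands in for the "PKI encryption" the
// report names; the real NPCI libraries may use a different scheme.
func encryptFor(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

func decryptWith(priv *rsa.PrivateKey, block []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, block, nil)
}

// Hop 1: the common library captures the PIN inside the PSP app and hands
// the app only the block encrypted under the NPCI public key it ships with.
func LibraryCapturePin(npciPub *rsa.PublicKey, pin string) ([]byte, error) {
	return encryptFor(npciPub, []byte(pin))
}

// Hop 2: NPCI decrypts with its private key and re-encrypts under the
// issuer's public key; the PIN is in clear only inside NPCI, never at the PSP.
func NpciReencrypt(npciPriv *rsa.PrivateKey, issuerPub *rsa.PublicKey, block []byte) ([]byte, error) {
	pin, err := decryptWith(npciPriv, block)
	if err != nil {
		return nil, fmt.Errorf("NPCI could not open block: %w", err)
	}
	return encryptFor(issuerPub, pin)
}

// hashPin models the issuer's stored form of the enrolled MPIN.
// Assumption: salted SHA-256; the report does not say how it is stored.
func hashPin(salt, pin []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pin...))
}

// Hop 3: the issuer decrypts (inside an HSM in production) and validates.
func IssuerValidate(issuerPriv *rsa.PrivateKey, block, salt []byte, enrolled [32]byte) (bool, error) {
	pin, err := decryptWith(issuerPriv, block)
	if err != nil {
		return false, fmt.Errorf("issuer could not open block: %w", err)
	}
	got := hashPin(salt, pin)
	return subtle.ConstantTimeCompare(got[:], enrolled[:]) == 1, nil
}

// FlowResult summarises what one transaction's PIN path exposed.
type FlowResult struct {
	Validated       bool // issuer accepted the entered PIN
	PspSawPin       bool // plaintext PIN appeared in the block the PSP forwarded
	IssuerReadsHop1 bool // issuer could open the NPCI-bound block (must be false)
}

// RunPinFlow plays the full path for one entered PIN against the enrolled one.
func RunPinFlow(entered, enrolled string) (FlowResult, error) {
	var res FlowResult
	npci, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	issuer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	salt := []byte("constructed-sample-salt") // constructed for the example
	enrolledHash := hashPin(salt, []byte(enrolled))

	hop1, err := LibraryCapturePin(&npci.PublicKey, entered)
	if err != nil {
		return res, err
	}
	// The PSP app and PSP switch only ever handle hop1.
	res.PspSawPin = bytes.Contains(hop1, []byte(entered))
	_, err = decryptWith(issuer, hop1)
	res.IssuerReadsHop1 = err == nil

	hop2, err := NpciReencrypt(npci, &issuer.PublicKey, hop1)
	if err != nil {
		return res, err
	}
	res.Validated, err = IssuerValidate(issuer, hop2, salt, enrolledHash)
	return res, err
}

func main() {
	r, err := RunPinFlow("246810", "246810")
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The checks in FlowResult are the properties the guidelines require of the path: the PSP never handles the plaintext PIN, and a block encrypted for NPCI cannot be opened with the issuer’s key.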

In our project we are considering remitter bank and the payer PSP as different entities, so the payer PSP has to mandatorily use the NPCI libraries to capture the PIN. In this case, NPCI will process both the Debit Request and the Credit Request.

3.1.3. PSP App implementation Guidelines

UPI App Considerations:

There can be two approaches defined to distribute UPI compliant apps:

1. Independent Mode: The bank develops a separate UPI app, and/or converts its existing mobile banking application to be extended to facilitate UPI services.

2. Embedded Mode: The UPI compliant app is embedded in other (merchant) apps, with the bank giving the binary/SDK to the merchant to integrate into their apps. Here the merchants may choose to include more than one UPI compliant app from different banks.

Boundary Conditions:

1. While a bank may engage third-party development for the PSP mobile app, the PSP central application must be managed and secured as per RBI guidelines on banking systems.

2. The PSP central application must reside in the bank’s own data centre, and under no condition is PSP customer data to be shared with the merchant app.

3. Under no condition should the libraries given by NPCI to the bank be handed over as-is to a merchant. The libraries must be integrated into the bank’s app and then handed over to the merchant (if option 2, i.e. embedded mode, is chosen).

4. The customer data regarding payment details (account mappings and credentials) required as per the UPI architecture and specification should be visible to, and reside only in, the bank’s UPI systems.

5. The merchant app should not have visibility of the sensitive account/credential data captured by UPI app.

6. Responsibility for the functionality specified for the PSP app in the guidelines shall remain with the bank. The bank must have a mechanism to certify the PSP app together with the aligned merchant app, and to ensure proper invocation by any other app on the phone for payments.

7. The choice of which bank’s UPI app to download and use for payments (during the transaction flow) rests with the customer. With the above options, the customer may decide to download the PSP app of the bank of his choice and make all payments for his mobile purchases using this app.

8. The customer can also have multiple PSP apps. Under no circumstances must one UPI app (embedded or independent) interfere with another UPI app when installing, running, etc. Once the customer selects “Pay by UPI”, all the UPI apps on the phone should pop up, allowing him/her to select a preferred UPI app.

9. The PSP needs to build the app for at least two platforms, i.e. Android and iOS; Windows is optional.

3.1.4. UPI Availability

UPI would be operational and available to all members round-the-clock with 99.9% uptime, excluding periodic maintenance with prior notice.

Periodic maintenance of the UPI system would be notified to all members 48 hours in advance, unless it is an emergency or unscheduled maintenance activity.

4. UPI TRANSACTIONS

4.1. Ecosystem

4.1.1. Transacting Parties

A transaction in UPI involves the following participants:

1. Remitter (payer)
2. Beneficiary (payee)
3. Remitter’s PSP
4. Beneficiary’s PSP
5. NPCI
6. Remitter’s bank
7. Beneficiary’s bank

4.1.1.1. Payment Service Providers

Payment Service Providers are the entities which are allowed to acquire customers and provide payment (credit/debit) services to individuals or entities. They provide an app to the customers which uses the UPI libraries to facilitate payments. The PSP app can be used by the PSP’s own bank’s customers or by other banks’ customers; the customer can use any PSP app he desires and can start doing transactions securely. In UPI, it is mandatory for the PSP to come on board as an Issuer at the time of on-boarding. It should have the functionality of initiating both Push and Pull transactions and have the NPCI Libraries embedded into its app. It cannot come directly as an Acquirer without being an Issuer.

Roles and Responsibilities of PSP

1. The PSP shall ensure that its systems/infrastructure remain operational at all times to carry out the said transactions. The PSP shall upgrade systems and message formats in a prompt manner, based on regulatory requirements or changes mandated by NPCI. The PSP shall adopt the data message standards as per XML and ISO 8583 or such other standards as may be specified by NPCI from time to time.

2. PSPs/banks should benchmark their infrastructure (hardware and software) at their end for UPI to ensure they meet the UPI benchmark criteria of processing 150 transactions per second (TPS), 5,00,000 transactions per day and 99.9% uptime of services. Banks would be required to confirm this processing capacity in writing before being declared Go Live.

3. The bank/PSP should have a Disaster Recovery / Business Continuity management plan in place within 6 months of operationalization of the service.

4. The PSP shall not share the data/information with any other third party unless mandated by applicable law or required to be produced before a statutory authority. In such exceptional cases where data/information is required to be shared under applicable law, the PSP shall provide prior written intimation of such disclosure to NPCI and the bank.

5. The PSP shall integrate the NPCI libraries in its PSP application such that the app is in no way able to capture sensitive customer data like card details, PIN, expiry date, OTP etc. All these details shall be captured only by the NPCI libraries, and the PSP app shall only facilitate this.

6. The PSP shall undertake Device Hard Binding along with Mobile number verification.

7. The PSP shall not disclose, reveal, publish and/or advertise any material information relating to operations, membership, software, hardware, intellectual property etc. of NPCI without its prior written consent except and to the extent as may be required in the normal course of its business.

8. The PSP shall ensure that communication between the PSP switch and UPI/IMPS is encrypted using a suitable mechanism, and that the PIN is not disclosed to or retained by it, its employees or its service providers under any circumstances.

9. PSPs should maintain round-the-clock connectivity of their network for UPI services with an uptime of 99.9%.

10. PSPs undertake to update the global address in the NPCI Centralized Mapper regularly.

11. The PSP will be liable for compliance by its outsourced Technology Service Providers/sub-members with all the guidelines issued by NPCI, RBI, the Government of India, and all other relevant regulatory authorities. The PSP should inform NPCI of any cessation of the membership arrangement between the PSP and its outsourced Technology Service Providers/sub-members with prior notice of at least three months, through communication channels deemed appropriate as per the compliance mandate.

Roles and Responsibilities of Sub-members

1. All sub-member banks participating in the UPI/IMPS network must sign a non-disclosure agreement with NPCI.
2. All sub-member banks must sign a tri-partite agreement with NPCI and the main member to abide by and comply with UPI rules and regulations.
3. Each member should treat UPI related documents as strictly confidential and should not disclose them to outsiders without prior written permission from NPCI.
4. The sub-member bank has to submit the NPCI Compliance Form on a periodic basis to NPCI. A copy of this form should be submitted to the sponsor bank during the phase of joining the UPI/IMPS network and subsequently, as per the periodicity defined by NPCI.
5. All sub-member banks participating in the UPI network must comply with data integrity laws as applicable in India.
6. NPCI would be entitled to conduct an audit of the sub-member bank’s UPI platform and IT facility, either on its own or through an independent agency, periodically.
7. The sub-member should submit periodic reports, statements, certificates, and other such documents as may be required by NPCI and should comply with such audit requirements as may be framed for the purposes of their audit.
8. The sub-member should indemnify NPCI and keep it indemnified against any loss/damages suffered by it, whether legal or otherwise, arising due to its non-compliance with the UPI Procedural Guidelines.
9. All sub-member banks should comply with statutory and RBI regulations. NPCI reserves the right to obtain assurance from sub-member banks on such compliance through a certification process.
10. Transactions between the sponsor bank and a sub-member will be considered “Off-Us” and should be routed through the NPCI UPI system.
11. As UPI is a round-the-clock, real-time fund transfer service, it is mandatory for a sub-member bank to credit the customer account in real time. Further, this service should be available round-the-clock all through the year.

The sub-member should reconcile and submit the adjustment actions to the sponsor bank within two hours after settlement is performed by NPCI.

Roles and Responsibilities of TSP

1. The TSP should ensure that all transactions routed to UPI/IMPS comply with the message specifications, as specified by UPI/IMPS, based on XML/ISO 8583 message formats.
2. Each TSP will be provided with a report on the state of operations, including a description of the systems of internal control and any deficiencies.
3. Each TSP should also proactively conduct annual internal audits of itself and its processing agents, if any, on a regular basis to comply with the UPI Procedural Guidelines.
4. Each TSP participating in the UPI network through its sponsor PSP is expected to maintain round-the-clock connectivity of its switch for UPI services with an uptime of 99.9%.
5. All TSPs participating in the UPI network through their sponsor PSPs must comply with data integrity laws as applicable in India. They must be compliant with the applicable security regulations as defined for UPI and/or guidelines issued by RBI and NPCI from time to time. In addition, any other regulations for data storage of payment details will also be adhered to.
6. Each PSP should submit periodic reports, statements, certificates, and other such documents as may be required by NPCI from time to time. Furthermore, the PSP should comply with such audit requirements as may be framed by NPCI for the purposes of their audit.

4.1.1.2. Customer Registration Process

All banks willing to offer UPI services are required to ensure a safe and secure registration process for their customers. The registration process should comply with the guidelines issued by RBI from time to time. Where the UPI service is initiated from a mobile app, it should be provided to customers who are registered for mobile banking. The PSP registration process should allow the customer to generate or obtain a virtual address with the PSP. It is, however, also possible for a bank joining UPI only as an Issuer to provide virtual addresses to its customer base by default. The customer provides the banking details to be mapped against this virtual address through the defined process. These fields form the local mapper at the PSP end, for which the PSP may have the customer agree to specific 'Terms & Conditions'.

Customer Registration Process on PSP App:

1. The customer discovers the PSP app on the platform-specific app store. The PSP is responsible for customer education.
2. The customer downloads the PSP application, which has the NPCI libraries embedded in it, and starts the configuration process.
3. The customer specifies which SIM to register on a dual-SIM device (on a single-SIM device the PSP app fetches the mobile number automatically and proceeds). An outward encrypted SMS from the customer's SIM is sent to the PSP server to fetch the customer's mobile number. This SMS must be automated, without the intervention of the customer. Through this process the PSP not only hard-binds the device but also strongly binds the mobile number to the device. This process is mandatory.
4. The PSP app requests further details from the customer, who is then given the option of creating a virtual address in the specified format.
5. The PSP may provide additional features such as app login credentials.

4.1.1.3. Customer Complaints

Customer complaints regarding non-refund for failed transactions and/or non-credit for successful transactions shall be dealt with by the PSP/Bank. Any complaint about credit not being given to a beneficiary should be dealt with conclusively and bilaterally by the remitting and beneficiary banks as per the guidelines circulated by NPCI from time to time. For any complaint related to a UPI transaction, the customer's first point of contact is the customer's PSP. The customer's PSP must provide an option in its app to raise a dispute or complaint by quoting the transaction reference/ID number. However, if the customer decides to approach his/her remitter or beneficiary bank instead, the respective bank shall entertain all such requests and help resolve the complaint to the customer's satisfaction. The PSP must also provide customers the option of checking the current status of a transaction in the PSP App.

4.1.2. Permitted Transaction Types

Transactions through the Unified Payments Interface fall into two categories.

4.1.2.1.Financial Transactions:

UPI supports the following financial transactions

Pay Request: A Pay Request is a transaction in which the initiating customer pushes funds to the beneficiary, addressed by account number/IFS code, mobile number/MMID, Aadhaar number, virtual address etc.

Collect Request: A Collect Request is a transaction in which the customer pulls funds from the remitter, addressed by virtual address. For pull transactions the customer has the option of defining the expiry time of the collect request (up to 45 days). If the customer has not defined an expiry time, the default of 30 minutes applies. Where the customer does select an expiry time, the PSP has to allow a minimum validity of 1 minute.
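The expiry rules for a Collect Request above (default 30 minutes, payee-chosen value between 1 minute and 45 days), expressed as a check the payer PSP can run before presenting a collect request for authorisation. This is an added example, not code from the report or from NPCI; the CollectRequest class, the virtual addresses and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Expiry bounds for a Collect Request as stated in the report
MIN_EXPIRY = timedelta(minutes=1)
DEFAULT_EXPIRY = timedelta(minutes=30)
MAX_EXPIRY = timedelta(days=45)


def collect_expiry(requested: Optional[timedelta]) -> timedelta:
    """Expiry to store for a Collect Request.

    None means the payee chose nothing, so the 30-minute default applies.
    A chosen value must lie within [1 minute, 45 days]; out-of-range values
    are rejected rather than silently clamped, so a malformed or tampered
    request cannot extend its own lifetime.
    """
    if requested is None:
        return DEFAULT_EXPIRY
    if requested < MIN_EXPIRY or requested > MAX_EXPIRY:
        raise ValueError(f"collect expiry {requested} outside [1 minute, 45 days]")
    return requested


def expiry_accepted(requested: Optional[timedelta]) -> bool:
    """True if collect_expiry() would accept the value."""
    try:
        collect_expiry(requested)
        return True
    except ValueError:
        return False


class CollectRequest:
    """Pull request from a payee to a payer's virtual address (toy model)."""

    def __init__(self, payee_vpa: str, payer_vpa: str, amount: int,
                 created_at: datetime, requested_expiry: Optional[timedelta] = None):
        self.payee_vpa = payee_vpa
        self.payer_vpa = payer_vpa
        self.amount = amount
        # created_at must come from the PSP server clock, not the payee's device
        self.created_at = created_at
        self.expires_at = created_at + collect_expiry(requested_expiry)

    def may_authorise(self, now: datetime) -> bool:
        """The payer PSP must refuse to authorise an expired Collect Request."""
        return self.created_at <= now < self.expires_at


def demo() -> dict:
    """Constructed scenario: default expiry, an explicit 2-day expiry, and the bounds."""
    t0 = datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)
    default_req = CollectRequest("shop@psp2", "alice@psp1", 250, t0)
    long_req = CollectRequest("shop@psp2", "alice@psp1", 250, t0, timedelta(days=2))
    return {
        "default_lifetime_s": (default_req.expires_at - t0).total_seconds(),
        "long_lifetime_s": (long_req.expires_at - t0).total_seconds(),
        "ok_at_29min": default_req.may_authorise(t0 + timedelta(minutes=29)),
        "rejected_at_31min": default_req.may_authorise(t0 + timedelta(minutes=31)),
        "accepts_1min": expiry_accepted(timedelta(minutes=1)),
        "rejects_30s": expiry_accepted(timedelta(seconds=30)),
        "rejects_46d": expiry_accepted(timedelta(days=46)),
    }
```

Two design choices matter here. Out-of-range values are rejected rather than clamped, so a buggy or tampered request cannot quietly extend its own validity, and the expiry is computed and checked against the PSP's own server clock, so the payee's device clock cannot keep a stale request alive on the payer's screen.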

4.1.2.2.Non-financial Transaction:

UPI supports the following non-financial transactions

1. Mobile Banking Registration
2. One Time Password (OTP)
3. Set/Change PIN
4. Check Transaction Status

Process flow of Non-financial Transactions

Mobile Banking Registration Transaction

In case of a customer who has not been registered for mobile banking and has to generate PIN:

1. The customer initiates the Mobile Banking registration process in the PSP app.
2. The customer selects the bank account he has registered in the PSP app.
3. An OTP request is triggered by the PSP to NPCI along with the account details, the mobile number (captured during profile creation) and the bank name. NPCI routes the request to the issuing bank.
4. The Issuer Bank sends the OTP after proper validations at its end.
5. The customer enters the OTP (received in step 4) into the PSP app along with the last 6 digits of his debit card number and its expiry date, which are Base64-encoded prior to sending. The customer also enters the new PIN of his choice. Note that Base64 is an encoding, not encryption: it provides no confidentiality, so the protection of these fields rests on the transport and on the NPCI libraries' handling of the credentials, not on the encoding.
6. The PSP sends this transaction to NPCI, and NPCI sends it to the Issuer Bank for verification.
7. The Issuer Bank validates all the details and confirms to NPCI with the relevant response.
8. NPCI informs the Payer PSP of the result.
9. The Payer PSP confirms to the customer that the Mobile Banking registration was successful.

In our project we consider the Pay Request financial transaction.

4.1.3. Originating Channels Allowed

Banks may decide their own method of authorizing transactions, and the channel, when the transaction is a pre-approved transaction for UPI. Pre-approved transactions are those where the Payer PSP and the Remitter Bank are one entity and the transaction reaches NPCI only after the remitter's account has been debited. However, for all Collect Requests, authorisation has to be done on the Mobile App (mobile channel); use of the NPCI libraries in such cases is at the discretion of the PSP. For Pay Requests that are not pre-approved, the initiation channel is the Mobile App (mobile channel) and the authorisation parameters are secured credentials (PIN) or biometrics (iris, fingerprint). The Mobile App must use the NPCI libraries for capturing these secured credentials. Collect Requests carrying details such as a virtual address can be initiated from a non-mobile channel depending on the requirements of the bank, but authorisation of such transactions by the Payer customer has to be on the PSP App (mobile channel), where the customer receives the notification of the Collect Request.

Transaction Limit: The UPI transaction limit is pegged to the IMPS transaction limit, which changes from time to time following approval from the IMPS/UPI Steering Committee. As per the extant approval of the steering committee, the upper cap per UPI transaction is Rs. 1 lakh. Accordingly, banks must set a default limit of Rs. 1 lakh per transaction for UPI to begin with; banks cannot set a different upper limit for their customers.

4.2. Pay Request

Direct pay can be done in the following ways:
1. Person to Person (P2P)
2. Person to Account (P2A)
3. Account to Person (A2P)
In our project we deal with the Person to Person transaction.

4.2.1. Person Initiated

Here the transaction is between the remitter (sender) and the beneficiary (receiver). The remitter initiates the transaction by providing his credentials and the beneficiary's address.

4.2.2. System Initiated

Here the transaction is initiated by the sender's system using a digitally signed request. In our project, however, we deal only with person-initiated transactions.

4.2.3. Flow Diagram

The transaction between the remitter and the beneficiary can be explained with the following flow diagram

Fig.4.1. TRANSACTION FLOW [3]

1. The Payer initiates the transaction through his PSP application on his device.
2. The Payer provides authentication credentials on his device.
3. The Payer device sends the Pay request to the Payer PSP system.
4. The Payer PSP validates the Payer details and the first-factor authentication.
5. The Payer PSP sends the Pay request to NPCI.
6. NPCI resolves the Payee address in one of two ways:
   a. If the address is a global identifier (mobile number, Aadhaar number or account number), the Payee address is resolved by the NPCI central mapper.
   b. If the address is a virtual address offered by the Payee's PSP, NPCI sends the request to the Payee's PSP for address translation.
7. In case 6b, the Payee PSP accepts or rejects the request based on the rules set at its end.
8. In case 6b, on accepting the Pay request, the Payee PSP populates the Payee details and responds to NPCI.
9. NPCI sends the debit request to the debit account provider.
10. The account provider authenticates the Payer based on the credential provided.
11. The account provider debits the Payer account.
12. The account provider sends the debit response to NPCI.
13. NPCI sends the credit request to the credit account provider.
14. The account provider credits the account based on the Payee details.
15. The account provider sends the credit response to NPCI.
16. NPCI sends the Pay response to the Payee PSP.
17. NPCI sends the Pay response to the Payer PSP.
18. The Payer PSP notifies the Payer.

The following sequence diagram illustrates the above flow.

Fig.4.2. SEQUENCE DIAGRAM [1]

Notations

In this transaction flow we adopt the following notation:

1. Remitter: R
2. Beneficiary: B
3. Remitter's PSP: P1
4. Beneficiary's PSP: P2
5. NPCI: N
6. Remitter's bank: RB
7. Beneficiary's bank: BB

Protocol

A protocol is a set of rules and guidelines for communicating data.

The protocol for the above transaction is given as follows.

1. R → P1 : {mobNoB, MMIDB, Amount, MPINR}

The remitter initiates the transaction through his PSP application (P1) by providing his own MPIN together with the mobile number and mobile money identifier (MMID) of the beneficiary.

2. P1 → N : {mobNoB, MMIDB, Amount, MPINR}

All four fields are sent from the remitter's PSP to NPCI as reqPay.

3. N → P2 : {mobNoB, MMIDB, Amount}

NPCI requests translation of the beneficiary's address and the corresponding authorization details from the beneficiary's PSP with reqAuthDetails.

4. P2 → N : {mobNoB, MMIDB, Amount}

The beneficiary's PSP responds to NPCI with respAuthDetails.

5. N → RB : {Amount, MPINR}

NPCI now sends the remitter's bank the amount to be debited and the remitter's MPIN as reqDebit (Pay).

6. RB → N : {Amount}

The remitter's bank verifies the credential forwarded by NPCI, debits the required amount from the remitter's account and returns the debited amount to NPCI as respDebit (Pay).

7. N → BB : {mobNoB, MMIDB, Amount}

NPCI sends the credit request to the beneficiary's bank; the mobile number and MMID together resolve to exactly one account number.

8. BB → N : {yes, credited}

BB → B : {SMS}

The beneficiary's bank verifies the mobile number and MMID, credits the amount to the account and sends an SMS to the beneficiary.

9. N → P1 : {mobNoB, MMIDB, Amount, date and time, mode of credit}

NPCI returns the transaction response to the remitter's PSP as respPay. The response includes the beneficiary details along with the date and time and the mode of credit.

10. N → P2 : {mobNoB, MMIDB}

NPCI now requests a text confirmation of the transaction from the beneficiary's PSP (reqConfirmationText).

11. P2 → N : {mobNoB, MMIDB, Amount, date and time, mode of credit}

In response to reqConfirmationText from NPCI, the beneficiary's PSP provides the above details.
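The exchange in steps 1 to 9 above, replayed as an added example that is not part of this report or of NPCI's specification. It models the principals from the notation (R, P1, N, P2, RB, BB) with constructed accounts, MPINs and MMIDs (all made up), and besides the happy path exercises the failures a practitioner would check: a wrong MPIN rejected by RB, an unknown mobile number + MMID pair at BB after the debit has already happened (which must be reversed), and an amount above the Rs. 1 lakh cap stopped at P1. The Trace records every message so the last step can ask which principals ever handled MPINR. Following the notation literally, the answer is R, P1, N and RB, which is why the report requires the PIN to be captured through the NPCI libraries rather than the PSP's own code: in the production system the library encrypts the PIN on the device and the PSP forwards only an opaque credential block.

```python
"""Toy model of the report's Pay Request protocol: R -> P1 -> N -> P2 / RB / BB.

Added example, not NPCI code. Every name, account, balance, MPIN and MMID
is constructed. Message names follow the report's protocol steps.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TXN_LIMIT = 100_000  # Rs. 1 lakh per transaction, the default cap in the report


@dataclass
class Trace:
    """Records every message so we can ask which principals saw a given field."""
    msgs: List[Tuple[str, str, str, dict]] = field(default_factory=list)

    def send(self, src: str, dst: str, name: str, payload: dict) -> None:
        self.msgs.append((src, dst, name, dict(payload)))

    def principals_seeing(self, field_name: str) -> Set[str]:
        seen: Set[str] = set()
        for src, dst, _name, payload in self.msgs:
            if field_name in payload:
                seen.update((src, dst))
        return seen


class RemitterBank:
    """RB: holds the remitter's accounts and is the only party that verifies the MPIN."""
    def __init__(self, accounts: Dict[str, int], mpins: Dict[str, str]):
        self.accounts, self.mpins = accounts, mpins

    def debit(self, acct: str, amount: int, mpin: str) -> dict:
        if self.mpins.get(acct) != mpin:
            return {"status": "FAILED", "reason": "MPIN mismatch"}
        if self.accounts[acct] < amount:
            return {"status": "FAILED", "reason": "insufficient funds"}
        self.accounts[acct] -= amount
        return {"status": "OK", "Amount": amount}


class BeneficiaryBank:
    """BB: resolves mobile number + 7-digit MMID to exactly one account."""
    def __init__(self, mapper: Dict[Tuple[str, str], str], accounts: Dict[str, int]):
        self.mapper, self.accounts = mapper, accounts

    def credit(self, mobno: str, mmid: str, amount: int) -> dict:
        if not (mmid.isdigit() and len(mmid) == 7):
            return {"status": "FAILED", "reason": "malformed MMID"}
        acct = self.mapper.get((mobno, mmid))
        if acct is None:
            return {"status": "FAILED", "reason": "no account for mobile number + MMID"}
        self.accounts[acct] += amount
        return {"status": "OK", "credited": acct}


def pay_request(trace, rb, bb, payer_acct, mobno_b, mmid_b, amount, mpin) -> dict:
    """Run steps 1-9 of the protocol and return what P1 receives as respPay."""
    req = {"mobNoB": mobno_b, "MMIDB": mmid_b, "Amount": amount, "MPINR": mpin}
    trace.send("R", "P1", "reqPay", req)                               # step 1
    if not 0 < amount <= TXN_LIMIT:                                    # P1 enforces the cap
        return {"status": "FAILED", "reason": "amount outside UPI limit"}
    trace.send("P1", "N", "reqPay", req)                               # step 2
    addr = {k: req[k] for k in ("mobNoB", "MMIDB", "Amount")}
    trace.send("N", "P2", "reqAuthDetails", addr)                      # step 3
    trace.send("P2", "N", "respAuthDetails", addr)                     # step 4
    trace.send("N", "RB", "reqDebit", {"Amount": amount, "MPINR": mpin})  # step 5
    deb = rb.debit(payer_acct, amount, mpin)
    trace.send("RB", "N", "respDebit", deb)                            # step 6
    if deb["status"] != "OK":
        return {"status": "FAILED", "reason": deb["reason"]}
    trace.send("N", "BB", "reqCredit", addr)                           # step 7
    cred = bb.credit(mobno_b, mmid_b, amount)
    trace.send("BB", "N", "respCredit", cred)                          # step 8
    if cred["status"] != "OK":
        # Debit succeeded but credit failed: reverse the debit so the remitter
        # is not left out of pocket (the case the complaints section covers).
        rb.accounts[payer_acct] += amount
        return {"status": "FAILED", "reason": cred["reason"], "refunded": True}
    resp = dict(addr, status="OK")
    trace.send("N", "P1", "respPay", resp)                             # step 9
    return resp


def demo() -> dict:
    """Constructed run: a good payment, a wrong MPIN, an unknown MMID, an over-limit amount."""
    trace = Trace()
    rb = RemitterBank(accounts={"RB-001": 5000}, mpins={"RB-001": "4321"})
    bb = BeneficiaryBank(mapper={("9876543210", "9002123"): "BB-777"},
                         accounts={"BB-777": 100})
    args = (trace, rb, bb, "RB-001", "9876543210")
    results = {
        "good": pay_request(*args, "9002123", 1500, "4321"),
        "bad_pin": pay_request(*args, "9002123", 100, "0000"),
        "bad_mmid": pay_request(*args, "9002999", 200, "4321"),
        "over_limit": pay_request(*args, "9002123", 150_000, "4321"),
        "balances": (rb.accounts["RB-001"], bb.accounts["BB-777"]),
    }
    # The security question: which principals handled the remitter's MPIN?
    results["mpin_seen_by"] = sorted(trace.principals_seeing("MPINR"))
    return results
```

Running demo() shows the remitter's balance ending at 3500 (the failed credit was reversed) and the beneficiary's at 1600, and the MPIN trace listing N, P1, R and RB. Any principal in that list other than R and RB is a place where a leaked log or a compromised host exposes the PIN, which is the argument for the credential block being opaque to the PSP and to NPCI.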

4.3. API specifications

In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols and tools for building application software. The UPI APIs used in the transaction described above are:
1. reqPay
2. respPay
3. reqAuthDetails
4. respAuthDetails

4.3.1. reqPay

This API is used by the PSPs to initiate both Direct Pay and Collect Pay transactions, which are then processed through one of the supported channels (IMPS, AEPS etc.).

Message format

1. MPINR: the mobile PIN of the remitter. It is a secret set by the remitter, which he is asked to enter for every transaction.
2. mobNoB: the mobile number of the beneficiary.
3. MMIDB: the mobile money identifier of the beneficiary, issued by the bank when the beneficiary registers for mobile banking. It is a 7-digit code in which the first four digits identify the bank (allotted by NPCI) and the last three identify the customer's account at that bank.
4. Amount: the amount of the transaction.

4.3.2. respPay

This API is used to send back to the PSPs the response of a transaction initiated through the reqPay API.

Message format

1. mobNoB
2. MMIDB
3. Amount
4. date and time
5. mode of credit

4.3.3. reqAuthDetails

This API is used to authorize a payment and to translate a PSP-specific payment address into the common global address (mobile number + MMID) that NPCI can understand. It is called to translate the PSP address and obtain the appropriate authorization details.

Message format

1. mobNoB
2. MMIDB
3. Amount

4.3.4. respAuthDetails

This API is the response callback interface that returns the requested details. After processing the reqAuthDetails API, the PSP sends its response to the authorization by calling the respAuthDetails API at NPCI.

Message format

1. mobNoB
2. MMIDB
3. Amount

5.CONCLUSIONS

UPI is a fund transfer infrastructure in which accounts at multiple banks can be handled from a single mobile application, enabling immediate payments. The UPI platform offers several advantages over existing systems, especially for the small-value payments (less than USD 100) that customers make as they purchase goods and services in their daily lives. It can also provide instantaneous settlement for merchants.

REFERENCES

1. UPI - API and tech specifications, NPCI, February 2015. http://www.mpf.org.in/docs/09/NPCI%20Unified%20Payment%20Interface.pdf
2. UPI procedural guidelines, NPCI, December 2016. https://www.npci.org.in/procedural-guidelines/upi-procedural-guidelines
3. IMPS procedural guidelines, NPCI, October 2017. https://www.npci.org.in/procedural-guidelines/imps-procedural-guidelines