Intro: The electronic payment system in the country is poised to leapfrog into the future. The Unified Payments Interface developed by the National Payments Corporation of India is going to be a game changer:
Visualize this scenario: You had engaged a taxi and have just reached your destination. Instead of paying the fare in hard currency, you quote your Aadhaar number or your mobile number or just a payment address to the cab driver. He then keys the required details and the fare into his mobile, and these will instantaneously land on your mobile. You then approve the payment. The fare gets transferred into the driver’s account.
Or this scenario: You want to buy a train ticket through IRCTC. You log in to irctc.co.in and enter the travel details. Once the itinerary is finalized, simply enter the payment address and authorize the payment. With a couple of entries your ticketing will be completed. The process is instantaneous.
Or this one: You have an account with a wallet provider, say for example, myWallet, which is a PSP. You regularly book cabs via Meru. As part of your profile with the Meru booking application, you have provided your payment address at myWallet. You just use the myWallet mobile application and authorize the Meru payee address to auto-charge you, say within Rs 1500. Now, every time you travel using Meru cabs, you can simply walk out of the cab and Meru can charge you automatically within the set limit. You and Meru can be on two different PSP networks too.
These and several other similar scenarios are not just bits of imagination. These can very well happen in about six months’ time, when the National Payments Corporation of India (NPCI) formally launches its highly efficient Unified Payments Interface (UPI), the next generation peer-to-peer immediate payment system, which works just by using a personal phone and uses existing systems like Immediate Payment Service (IMPS) or Aadhaar-enabled Payment Systems (AEPS) to ensure settlement across accounts.
Says Dr N. Rajendran, Chief Technology Officer at NPCI, who is the chief mover behind the interface: “We at NPCI believe that UPI will simplify the disparate payment systems in the country even as it will revolutionize the e-commerce space. The remittances and payment inclusion leveraging the growing smart phone schemes will get a big boost with this simple and hassle free payments system.”
Leveraging On IMPS
UPI leverages on IMPS, which now allows a customer to transfer money in an instant, anytime. “In fact it is a kind of a unified layer that will allow interoperability,” says Dr Rajendran. “It will sit on the existing payments infrastructure of banks and allow money to be transferred from a bank to any other bank using a mobile phone. It will allow account holders across all banks to send and receive money from their smartphones using their Aadhaar number, mobile number and a virtual payment address. The user does not need to enter any bank account information. When biometrics becomes standard on smartphones in the near future, customers can initiate a transaction using their fingerprints, which will be cross-checked with the biometric database with the UIDAI and once verified, the transaction will be executed in an instant.”
Even though it is mobile based, UPI is as secure as EFT. In every transaction between individuals, the system will authenticate the profile using the Aadhaar card or mobile number of the sender and receiver. In addition, none of the information such as PIN, passwords, biometrics, etc, is allowed to be stored by the PSBs and all information is securely captured, encrypted and transmitted to the issuer.
“Authentication is typically done at the account provider domain,” says Dr Rajendran. “Authentication schemes evolved separately as new payment channels evolved. While numeric or alpha-numeric PIN/password is the dominant authentication factor, different PINs were issued for different channels (internet PIN, ATM PIN, mobile PIN, etc.). In addition, OTP based authentication is used heavily these days to offer 2-FA authentication schemes. One authentication is required to be performed by the Payment Service Provider while the other is performed within the domain of the account provider.”
Trusted Authentication
He says that traditionally, payment account providers themselves provided the authentication scheme. Account management (KYC, opening account, managing transactions, etc) was tightly coupled with internal authentication schemes. The account management including KYC etc may be loosely coupled with authentication. Aadhaar authentication is one such trusted external authentication scheme used today within the payment systems. Micro-ATMs (hand-held with biometric sensors) used by BCs take advantage of Aadhaar authentication via NPCI which, in turn, is trusted by banks to conduct payment transactions. Digital signatures, especially the proposed Aadhaar-enabled DSCs, can also play an important role in establishing the authenticity of the request and bring out new ways of issuing e-mandates and other payment instruments.
“In this unified architecture, the objective is to enable multiple authentication schemes (account provider as well as trusted 3rd party like UIDAI’s Aadhaar authentication) without tightly coupling with account provisioning and management. This allows one or multi-factor authentication schemes to be plugged into the architecture as long as account providers allow such trusted external authentications,” says he.
There are advantages. Today, authentication and authorization are part of the same transaction flow and inline. But in newer systems like AEPS, third party authentication is used while authorization is still done within the banking system. Adopting 3rd party authentication and using a tokenless payment scheme allows banks to reduce the overall issuance (card, PIN, etc) cost while still keeping authorization and account management within their control.
Unified Layer
You are talking about a unified layer. Can you explain the system in terms of convenience, in terms of universal application?
“UPI allows integration of USSD, smartphone, internet banking and other channels onto a common layer at NPCI. This common layer uses existing systems such as IMPS or AEPS to initiate transactions and ensure settlement across accounts. Use of existing systems ensures reliability of payment transactions across various channels and also takes full advantage of all the investments so far. This unified layer offers next generation peer-to-peer immediate payment just by using a personal phone,” says Dr Rajendran.
He cites an example: “The third party API integration (merchant sites, etc) can ‘collect’ payment from ‘an address’ avoiding the need to share account details or credentials on third party applications or websites. Within this solution, payment authentication and authorization are always done using personal phone. Since this layer offers a unified interface, any-to-any (Aadhaar number, mobile, account, virtual addresses) payments can be done using standard set of APIs.”
“I can list at least 10 unique features of UPI:
- ability to use personal mobile as the primary device for all payments including person to person, person to entity, and entity to person
- ability to use personal mobile to ‘pay’ someone (push) as well as ‘collect’ from someone (pull)
- ability to use Aadhaar number, mobile number, card number, and account number in a unified way. In addition, ability to pay and collect using ‘virtual payment addresses’ that are aliases to accounts that may be payee/amount/time limited providing further security features
- ability to make payments only by providing an address to others without ever having to provide account details or credentials on 3rd party applications or websites
- ability for sending collect requests to others (person to person or entity to person) with ‘pay by’ date to allow payment requests to be ‘snoozed’ and paid later before expiry date without having to block the money in the account until customer is ready to pay
- ability to pre-authorize multiple recurring payments similar to ECS with a one-time secure authentication and rule based access
- ability for all payment system players to use a standard set of APIs for any-to-any push and pull payments
- ability to have PSP provided mobile applications that allow paying from any account using any number of virtual addresses using credentials such as passwords, PINs, or biometrics (on phone)
- ability to use a fully interoperable system across all payment system players without having silos and closed systems
- ability to make payments using 1-click 2-factor authentication all using just a personal phone without having any acquiring devices or having any physical tokens”
Simple
The whole concept, says he, is so simple that any transaction can be easily executed through the UPI. Users can send and receive money with just an identifier without having any other bank/account details. Identifiers are Aadhaar number, mobile number and virtual payment address. Paying and receiving payments are as easy as making a call on mobile. Taxi booking, online shopping, paying school fees, transfer of money are all at your fingertips. “It is virtually an ability to use a fully interoperable system across all payment system players without having silos and closed systems,” he adds.
Will the system finally facilitate in creating cashless transactions in the country?
“UPI will help in bringing down cash transactions,” says Dr Rajendran. “In a country like ours, it is difficult to have a purely cashless society. There are several factors including prevalence of cards, POS machines, etc, which contribute to cashless transactions. RBI’s aim is to cut down the number of cash transactions and not completely eliminate these.”
Technology
What is the technology behind the system – the platform, the software, hardware, etc? How will this change the payments system horizon in the country?
“In short, UPI can be described as a standardized, secure and cost effective middleware that interfaces the backend payment systems like USSD, IMPS, AEPS, RuPay and NFS with disparate frontend payment system players (PSPs) like PPI/MM/wallet providers, banks and payment banks, services provided through *99# for USSD, mobile applications and internet.”
UPI recognizes smart phones as an integral part of the people’s identity. It is with this that payments are initiated. The Aadhaar number constitutes a form of online verifiable identity, which can be authenticated by a third party.
“When you ask me about the advantages of the technology platform, in one word I say it is a ‘unified’ platform. It virtually eliminates the complexity of handling disparate systems – some of them internal to NPCI and some of them resident at the PSPs. It allows customers to enter credentials on their own device. It functions in a real-time environment, allowing banks to provide real-time experience for interactive transactions. Much more than all these, it is secure, allows traceability through the entire transaction chain and facilitates monitoring of the system centrally by NPCI.”
What about the development aspects of the system? How long did it take for NPCI to conceptualize and design the system?
Says Dr Rajendran: “It took us around three months to conceptualize and develop UPI. It is an in-house development. There are certain refinements that are required to be done before we are able to deploy it and this will take some six months. In developing the system, what NPCI has emphasized is that it should be built on open standards so that its adoption is seamless and easy across platforms. Another unique feature is that APIs are integral to the whole system. So we have ensured that all APIs are asynchronous in nature, meaning once the request is sent, the response is sent back separately via the corresponding response API. This allows the same APIs to be used for instant payment as well as delayed payments. This also allows APIs to scale without having to wait in a blocking mode. Callers are expected to call the API with a unique transaction ID for which the response is sent via a response API exposed by the caller. All APIs are expected to work in asynchronous mode. This allows the response to an API call to return to the caller immediately after queuing the request. All request-response correlation must be done via the transaction ID set by the originating point. Exactly the same set of APIs is exposed by NPCI and PSPs. All APIs must be exposed via HTTPS using XML input and output. When calling APIs via a synchronous protocol like HTTP, the listening server should push the message into a queue and send an acknowledgement response.”
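The queue-and-acknowledge pattern described above, sketched in-process as an added example; it is not NPCI's code or the UPI message schema. The element names (`PayRequest`, `PayResponse`, `Ack`), the `txnId` attribute and the always-`SUCCESS` result are hypothetical, and direct function calls stand in for HTTPS. It shows why the caller must accept a response only when its transaction ID matches a request still pending.

```python
import uuid
import xml.etree.ElementTree as ET  # untrusted XML in production needs a hardened parser
from collections import deque

def build_xml(tag, **attrs):
    return ET.tostring(ET.Element(tag, attrs), encoding="unicode")

class Switch:
    """Listening server: queue the request and acknowledge at once."""
    def __init__(self):
        self.queue, self.seen = deque(), set()

    def receive(self, xml_text, respond_to):
        txn_id = ET.fromstring(xml_text).get("txnId")
        if not txn_id or txn_id in self.seen:      # missing or reused ID: refuse
            return build_xml("Ack", ok="false")
        self.seen.add(txn_id)
        self.queue.append((txn_id, respond_to))
        return build_xml("Ack", ok="true", txnId=txn_id)  # receipt only, not payment

    def drain(self):
        """Runs later: send each result through the caller's response API."""
        while self.queue:
            txn_id, respond_to = self.queue.popleft()
            respond_to(build_xml("PayResponse", txnId=txn_id, result="SUCCESS"))

class Caller:
    """Originating point: sets the transaction ID and correlates responses on it."""
    def __init__(self, switch):
        self.switch, self.pending, self.done = switch, {}, {}

    def pay(self, payee, amount):
        txn_id = uuid.uuid4().hex
        self.pending[txn_id] = (payee, amount)     # registered before sending
        req = build_xml("PayRequest", txnId=txn_id, payee=payee, amount=str(amount))
        ack = ET.fromstring(self.switch.receive(req, self.on_response))
        if ack.get("ok") != "true" or ack.get("txnId") != txn_id:
            del self.pending[txn_id]
            raise RuntimeError("request not accepted")
        return txn_id                              # outcome still unknown here

    def on_response(self, xml_text):
        """Response API; True only when the ID matches a pending request."""
        resp = ET.fromstring(xml_text)
        txn_id = resp.get("txnId")
        if txn_id not in self.pending:             # unsolicited or replayed
            return False
        self.done[txn_id] = (self.pending.pop(txn_id), resp.get("result"))
        return True
```

Because the acknowledgement only confirms queuing, a caller that treats it as payment confirmation, or that accepts a response without a matching pending entry, can be misled by a forged or replayed message.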
Dr Rajendran says NPCI has just developed the front-end of the system and a pilot has successfully been conducted. Several banks, which participated in the pilot, are happy with the results and they would certainly participate in the program. “I am sure as we implement UPI say six months from now, after RBI approves the system, almost all the banks would be on board.”
