UPI stands for Unified Payments Interface. It’s a system created by NPCI (National Payments Corporation of India) to enable various forms of payments, such as peer-to-peer (p2p) and merchant payments (p2m), from bank accounts through a mobile phone. With increasing adoption of mobile phones, there was a need for a mobile-native payment method that offers a superior user experience and interoperability between banks. While other interchanges were still trying to find a work-around through their traditional card protocols, NPCI decided to go back to basics and conceptualized UPI, a system built for mobile users that uses inherent capabilities of smartphones, such as using the mobile device as one factor of authentication (through device binding).
They also built it with the aim of democratizing innovation by offering open APIs to build upon. The idea behind these open APIs was to let innovators build applications and payment experiences suited to their environment and target customer base as they see fit. This thinking gave birth to start-ups like PhonePe and BharatPe, and later attracted even larger technology players like Google, Amazon, Truecaller and WhatsApp (they did a pilot but their progress was halted because they were not storing their data locally in India; as per my information they are still working on the same). Recently India’s biggest corporate, Reliance, also announced its entry into this space by enabling UPI through the myJio family of applications.
In this series I will try to explain UPI transactions in detail, starting with common terminology, followed by the transaction flow and the variations of payments built on top of the UPI rail, and then conclude with some thoughts on common fraud trends and how to protect oneself from them. Let’s start with common terminology.
Terminology
PSP (Payment Service Provider): A PSP is an entity authorized by NPCI to process UPI-based payment transactions. PSPs take care of the following functions in a UPI life cycle:
- Front-end the transaction flow for the customer
- Issue and manage the credentials the customer uses to access the mobile app
- Register the customer on the UPI platform and issue them a VPA (Virtual Payment Address)
- Maintain the mapping of VPA and mobile device at their end
VPA (Virtual Payment Address): A VPA is issued by your PSP and is used to uniquely identify the payer and payee in any transaction. Usually your VPA has the form username@psp. For example, in abc@okhdfcbank in the case of Google Pay, the username is abc, selected by the user, and okhdfcbank is the PSP id issued by NPCI to HDFC Bank, which HDFC Bank has extended to Google Pay as a third party processor.
Third Party App: These are typically apps launched by non-bank technology companies like Google, Amazon, Uber etc. in partnership with one or more banks as PSP. A list of these apps and their PSP and handle name can be found by visiting this link on the NPCI website.
BHIM: BHIM, short for Bharat Interface for Money, is an app created by NPCI that lets a user make payments using UPI.
BHIM QR: BHIM QR is a branding used by UPI merchant acquiring PSPs to show that the particular QR code can be scanned by any app supporting UPI payments, i.e. it is interoperable among all PSPs.
A BHIM QR code is nothing but a way to store the VPA of the merchant, which your UPI app reads at the time of scanning. One can use other form factors, like NFC or sound waves, to communicate the merchant VPA to the customer’s UPI app and offer a differentiated experience where that is more appropriate for the environment. For example, an NFC-based interaction may be more appropriate for transit use cases like bus or metro.
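As an added example (not code from NPCI or from any UPI app), the Python below shows what a scanning app can check before showing a payment screen: it extracts the merchant VPA from a QR payload, splits it into username and PSP handle, and flags handles it does not recognise. It assumes the commonly used `upi://pay` link form with `pa` (payee address) and `pn` (payee name) parameters, which this page does not describe; the handle allowlist, the accepted character set and the lower-casing are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist; only "okhdfcbank" appears on this page.
KNOWN_HANDLES = {"okhdfcbank", "examplepsp"}

# Assumed character set for username@psp; real PSP rules may differ.
VPA_RE = re.compile(r"([A-Za-z0-9._-]{1,255})@([A-Za-z0-9]{1,64})")


def parse_vpa(vpa):
    """Split username@psp into (username, handle), lower-cased for comparison."""
    match = VPA_RE.fullmatch(vpa.strip())
    if not match:
        raise ValueError(f"not a well-formed VPA: {vpa!r}")
    return match.group(1).lower(), match.group(2).lower()


def payee_from_qr(payload):
    """Return the payee details a UPI app should show the user after a scan."""
    parts = urlsplit(payload)
    if parts.scheme != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a upi://pay payload")
    params = parse_qs(parts.query, keep_blank_values=True)
    payee = params.get("pa", [])
    # A repeated 'pa' is ambiguous: two parsers could pick different payees.
    if len(payee) != 1:
        raise ValueError("expected exactly one payee address (pa)")
    username, handle = parse_vpa(payee[0])
    return {
        "vpa": f"{username}@{handle}",
        # An unknown handle is a reason to warn, e.g. a look-alike of a real one.
        "handle_known": handle in KNOWN_HANDLES,
        # The name is supplied by whoever made the QR code and is unverified.
        "display_name": params.get("pn", [""])[0],
    }


if __name__ == "__main__":
    # Constructed sample payloads.
    print(payee_from_qr("upi://pay?pa=abc@okhdfcbank&pn=Example%20Store"))
    print(payee_from_qr("upi://pay?pa=abc@okhdfcbannk&pn=Example%20Store"))
```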
UPI PIN: The UPI PIN is the PIN that you enter in your UPI app to authenticate yourself with your issuing bank, i.e. the bank that holds your account. You set it up at the time of registration when you link your account with your VPA by verifying the combination of your mobile number and OTP or M-PIN with your issuing bank. This PIN is different from the PIN you use to access your UPI app.
Push Payment: When you scan the QR code of the merchant or use someone’s VPA to send money through your UPI app by debiting your account, such transactions are commonly referred to as push transactions.
Pull Payment: UPI also supports pull payments, i.e. you can use someone’s VPA to request money from their account. In this case a request is sent to that person’s UPI app through their PSP, and once it is authorized their account is debited and your account is credited.