1. Introduction

India is the seventh largest economy of the world with GDP of USD $ 2.3 trillion [1] , for an economy of this size India is predominantly cash driven economy. Total currency in circulation in India as on March 2016 was Rs. 16,415 billion [2] which constitutes about 12.04% of GDP [3] compared to Brazil (3.93%), Mexico (5.32%) and China (8.8%) [4] . High dependence on cash brings its own set of problems of production, storage and cash management cost of currency notes, use of fake currency and most importantly lack of trail of transactions which leads to tax evasion. These problems are bound to be amplified as the economy grows.

Reserve Bank of India (RBI) has taken systematic steps to promote digital payments in India and created National Payment Corporation of India (NPCI) as an umbrella organization to develop low cost retail digital payment systems. In August 2016, NPCI launched Unified Payment Interface (UPI), a next generation mobile based payment system which enables real time bank payments. UPI leverages high teledensity in India to make mobile phone as a primary payment device for both consumers and merchants and to universalize digital payments in the country.

The purpose of the paper is to study in detail the technology behind UPI and the value addition that UPI brings with respect to the existing digital payment systems. UPI has witnessed rapid growth that can be attributed to the expanding ecosystem promoted by banks and increasing adoption by the users but primary usage for these early adopters has been to make person-to-person remittances. For UPI to reach its full potential, it is critical to develop merchant centric UPI payments solutions. This paper helps to decode the technical architecture, transactional processes and security systems of UPI which can help to develop innovative business solutions. India currently has inadequate digital payment acceptance infrastructure for merchants and merchant centric UPI solutions have the potential to fill this gap in a cost effective manner. UPI can be case study for both developing and developed countries to enable universal, low cost digital payment system.

2. Background

Reserve Bank of India is the regulatory body with Payments and Settlements Systems Act (2007) [5] being the primary legislation governing payments systems in India. Making India “less cash” dependent and promoting digital payments has been a focus area for RBI since last decade. The five yearly RBI Vision Documents which sets the tone and vision for achieving key objectives in the payments ecosystem aptly sums up the priority for RBI to transform the payments landscape in India.

“To proactively encourage electronic payment systems for ushering in a less-cash society in India and to ensure payment and settlement systems in the country are safe, efficient, interoperable, authorised, accessible, inclusive and compliant with international standards.” [6]

The period 2016-17 has been the pivotal period for payments landscape in India, the country witnessed profound changes in payments ecosystem with radical policy decisions, introduction of new age payment systems and rapid changes in user behavior. Demonetization was introduced during this period whereby 86% [7] of the currency notes were rendered worthless overnight. During demonetization paper money became scarce and one could witness serpentine queues in banks and ATMs to withdraw meagre currency that was available. Business and trade almost came to a standstill and the GDP growth rate decreased in spite of rapid introduction of new currency notes and use of digital forms of payment.

The year preceding demonetization saw the emergence of mobile based digital wallets which witnessed rapid adoption by a large smartphone using population. Emergence of mobile based digital wallets was largely driven by new age private technology companies. During the same period with the clear mandate from Reserve Bank of India to drive next generation digital payments, National Payments Corporation of India (NPCI) set out to create a new payment system called Unified Payment Interface (UPI). Unified Payment Interface (UPI) was formally inaugurated by then RBI Governor on 11 April 2016 [8] and launched for public use on 25 August 2016 [9] .

Reserve Bank of India has been relentlessly working in the direction of enabling a digital payments ecosystem in the country. In this direction, RBI under its guidance and with support from Indian Banks Association (IBA) enabled the formation of National Payments Corporation of India (NPCI) as an umbrella organization for all retail payments system in India with all leading bank as stakeholders/shareholders [10] . NPCI was formed with the mandate to consolidate and integrate the disparate systems with varying service levels into nation-wide uniform and standard business process for all digital payment systems. The clear objective was to create a uniform and affordable payment system by leveraging technology and enable financial inclusiveness in the country. UPI was a culmination of a series of developments by NPCI over a period of 8 years since its inception in 2009.

The first step taken by NPCI in this direction was the standardization, simplification and implementation of National Finance Switch (NFS) [11] for all the banks of the country. NFS set the common standard and enabled digital interoperability between all banks in the country. NFS is now the backbone which powers the largest domestic ATM network in the country.

The next revolutionary step for NPCI was to enable Immediate Payment System (IMPS) [12] riding the interoperable layer of NFS. Prior to IMPS the modes for digital transactions in banks were Real time Gross Settlement System (RTGS) and National Electronics Funds Transfer System (NEFT). RTGS and NEFT are unsuitable for small ticket digital retail payments due inherent limitations of these systems like high transaction limits, delayed settlement in batches and fixed operating time hours.

Thus NPCI introduced IMPS, a real time retail payment service with round the clock availability. IMPS is channel independent and can be accessed through mobile phone, internet, ATM and Unstructured Supplementary Service Data (USSD) on feature phones. IMPS provided a mobile based interoperable fund transfer service involving various stakeholders such as banks, merchants, and telecom service providers. IMPS works on immediate settlement where settlement takes place on at a granular transaction level with instant transaction confirmation to both the remitter and the beneficiary.

IMPS transactions were enabled through mobile phones and can be considered the precursor to Unified Payment Interface (UPI), since UPI transactions are settled through IMPS. In India, mobile phone numbers are connected with bank accounts. Leveraging this connectivity Mobile Money Identifier (MMID) was provided to mobile users holding a bank account. MMID enabled the abstraction of the need to know the bank account details of the recipient to make a payment. With IMPS users could make Push payments using Phone Number and MMID or Account Number and IFSC code of the recipient or request a payment using Phone number and MMID of the recipient. IMPS transactions grew in value from Rs. 4.3 billion [13] in 2014 to Rs. 1622 billion in 2016 [14] . IMPS transactions were being mainly used to transfer money using internet banking but were not successful for retail small ticket transactions primarily for two reasons;

1) The need to know the bank details or the MMID and Phone number of the recipient.

2) There was no common interoperable platform to connect both the payers and the payees.

India has been cash driven economy, primarily due to lack of infrastructure to make digital payments. India has enough debit and credit card users which have been steadily increasing over the years from 304 million cards in 2012 to 910 million cards in 2017 [15] but digital payment acceptance infrastructure is grossly inadequate. The number of POS machines installed at merchant locations across India is only 2.7 million [15] (1.5 million prior to demonetization) for a merchant base of over 20 million compared to 12.7 million POS machines in the USA [16] . The low number of POS machines in India can be attributable to the high cost of POS machines which typically cost $120 - 150 per machine. This low penetration of acceptance infrastructure (POS machines) for digital payments has made ATM machines as the focal point for dispensing cash which is then used for transactions. An interesting data point in this regard is that value of transactions using a debit card at ATM Machines is about Rs. 26,000 billion per annum versus Rs. 4,140 billion at POS machines [15] i.e. consumers withdraw 6.2 times more money at ATMs and then pay cash to the merchants to transact. This is primarily due to lack of POS machines with Merchants.

Thus, UPI was conceptualized to enable a universal, low cost digital payment system both for consumer to make digital payments with ease and merchants and businesses to collect digital payments in a cost effective manner without the need for any POS machines.

3. Fundamentals of Unified Payment Interface (UPI)

NPCI developed Unified Payment Interface (UPI) as a common interface or a platform for all digital payment systems in India. NPCI is the owner, network operator, service provider, and coordinator of the UPI Network. The Unified Payment Interface enables architecture and a set of standard Application Programming Interface (API) specifications to facilitate digital payments using a mobile phone [17] . UPI leverages high penetration of mobile phones and growing adoption of smartphones, data and internet to enable mobile based instant payment system in India. UPI allows users to send or request money instantly from their bank accounts using a mobile phone, making mobile phone a primary payment device for the masses. UPI uses IMPS as the switching mechanism to enable instant payments and settlement between different financial institutions. With UPI everyone with a bank account in India can create their Virtual Payment Address (VPA or UPI ID) and start transacting using a mobile phone. This Virtual Payment Address for e.g. abc@xyzbank becomes a person’s unique payment identity and abstracts the need to share bank details while transacting. UPI considerably simplifies digital payments, instead of issuing cards to a large population which is costly and time consuming UPI enables mobile phone a primary device for authorizing and making payments. Also a mobile phone combined with a unique payment ID makes it a low cost payment acceptance device thus making digital payments universal, easy and low cost.

3.1. Key Features of UPI

1) UPI enables personal mobile to be used as a primary device for all payments including person to person, person to entity, and entity to person. Using UPI, users can seamlessly make or request payments with ease and security to/from friends, merchants or pay their bills etc. without the need to share banking credentials. User can consolidate multiple banking relationships using a single UPI App which makes for good user experience for users.

2) The payments can be initiated both by sender (payer) and receiver (payee). This enables a personal mobile to be used to “pay” someone (push) as well as “collect” from someone (pull).

3) UPI allows users to create their unique Virtual Payment Address thus enabling users to make payments only by providing a payment address without the need to provide sensitive details like bank account numbers or credentials on third party applications or websites. The payments can be done using multiple identifiers like Virtual Payment Address, Aadhaar Number or Account Number & Indian Financial System code (IFSC).

4) UPI provides a standard set of APIs to enable transactions on UPI platform, thus enabling a fully interoperable system across all banks, financial institutions and payment systems without having silos and closed systems. These minimalistic and fully functional APIs allows innovations by payment service providers to build customized payment solutions for businesses and functionality rich mobile apps for consumers without having to change the core API structure.

5) UPI uses One-click 2-factor authentication for safe and secure payments using a personal mobile phone without the need for any separate acquiring devices or physical tokens.

Figure 1 shows the Interface of a UPI Payment App. Figure 1(a) shows the functionalities of Send Money, Request Money, Scan and Pay using QR Code. Figure 1(b) shows the functionality to Send Money using Mobile Number, UPI ID, Account Number and IFSC Code and Aadhaar Number of Beneficiary. Figure 1(c) shows functionality to add bank accounts of multiple banks and create or reset UPI ID.

3.2. Improvements in UPI over Existing Payment Systems

1) Pull Based Mobile transactions: Current digital payment systems including cards and online payments are push based transactions i.e. transactions are initiated by the customer. There is no mechanism for the merchant to initiate a payment request (pull) which the customer can approve and pay. UPI enables both real time push and pull transactions using a mobile phone.

2) Interoperable User Interfaces: UPI allows payments across interfaces i.e. payment can be requested on one interface and transaction can authorised on a different interface. For e.g. Merchant can request a payment from a website which user can authenticate and pay using a mobile phone.

3) Abstraction of Bank Details: There is no need to share any sensitive bank details like account number etc. to make a transaction. Users can create their unique virtual payment address which serves as their unique identity to make or receive payments. This makes for secure payments since user is not required to share any sensitive data on third party interfaces.

4) Safety with One Click-2 Factor Authentication: UPI enables transactions with single click―in which the customer just needs to enter MPIN on the mobile phone to make a transaction. This is unlike the existing payment systems where you have to enter card details, usernames, passwords, OTPs etc. on third party devices or websites to make a transaction. In UPI the user’s personal mobile phone acts as a single device to authorize and authenticate the payment.

5) Mobile first approach: UPI is designed to embrace the smartphone using population in India to enable low cost and universal digital payments. With UPI there is no need to create the consumer side hardware infrastructure (cards etc.) to enable digital payments. In India, almost every adult has a bank account and a mobile phone. UPI uses this ubiquitous relationship to enable universal digital payments in India.

6) Other mobile payment systems like e-wallets work in their own silos i.e. the payer and payee need to be on the same platform the transact. In UPI, only the payment address of the beneficiary is required and amount is credited into the bank account. Also, to transact in e-wallets, users need to pre-load the money into the wallet accounts which means their money remains stuck in the wallet account till it is again redeemed back into the back accounts. While in UPI there is no need to preload any wallet, money is directly debited from the bank account of the payer and credited into the bank account of the payee.

4. UPI Architecture

UPI works on a common layer or a unified interface developed and hosted by NPCI. This common layer orchestrates transactions and ensures settlement across bank accounts using IMPS and Aadhaar Enabled Payment System (AEPS). Banks, financial institutions and other entities that provide UPI services connect to the NPCI’s unified interface through standard APIs to enable transactions from Virtual Payment Address avoiding the need to share account details or credentials. In UPI solution, payment authentication and authorization are always done using personal phone. Since this layer offers a unified interface, any-to-any interoperable payments can be accomplished using standard set of APIs.17

All APIs are exposed as stateless service over HTTPS using XML input and output and all entities consuming UPI services must ensure idempotent behavior for all APIs. These APIs are asynchronous in nature meaning once the request is sent, response is sent back separately via corresponding response API. This allows the response to API call to return to the caller immediately after queuing the request. All request-response correlation must be done via the transaction ID set by the originating point. Callers are expected to call the API with a unique transaction ID for which response is sent via a response API exposed by the caller. This allows same APIs to be used for instant payment as well as delayed payments. This also allows APIs to scale without having to wait in a blocking mode.

There is a set of standard APIs exposed to various participants of the UPI ecosystem key. A set of Financial and Non-Financial transactions can be done using these APIs. Apart from transactional APIs there are a set of Meta APIs to ensure that the entire system can function in an automated fashion. These Meta APIs allow PSPs to validate accounts during customer on boarding, validate addresses for sending and collecting money, provide phishing protection using white listing APIs, etc. Figure 2 shows the high level architecture of UPI.

Some of the key APIs to enable UPI transactions are:

1) Payment API: This is the primary APIs used for routing the transaction and is used to initiate Pay Request (Push Payment) and Collect Request (Pull Payment). The API contains remitter and beneficiary details.

2) Authorization & Address Translation APIs are used to obtain appropriate authorization details and translate the specific Virtual Payment Address to the common global addresses (Bank Account Number and IFSC Code, Aadhaar number). This allows users to simply provide such virtual (tokenized) address to others (individuals, entities, etc.) without having to reveal actual account details.

3) Keys List APIs: These APIs enable secure capture and communication of credentials to authenticate transactions by various entities in the UPI ecosystem. These APIs are used to request for and cache the account providers and other entities list of public keys. Trusted and certified NPCI libraries and utilities are used for credential capture and PKI public key encryption at capture time.

5. The UPI Ecosystem

5.1. Payment Service Players

Customers can access UPI payment facilities through UPI Apps provided by Payment Service Players (PSP). These PSPs consist of Banks, Payments Banks and other third party software providers of banks which acquire customers and provide UPI payment services through their UPI PSP mobile apps. These PSP UPI apps use UPI libraries and utilities to facilitate customer registration, creation of Virtual Payment Address (UPI ID) and provide payment services to the customers. Customers are not bound to use the PSP UPI App of their own bank and can chose to use PSP UPI App of any bank. Moreover, the Payer and Payee PSP UPI app can be different. PSP UPI App enable following type of transactions for users;

1) Non-Financial Transactions include customer registration on UPI platform, Virtual Payment Address creation, Set and Change MPIN, OTP requests and bank balance check. Customers can also raise dispute or check status of a transaction from the PSP UPI App incase of any issue.

2) Financial Transactions include Push and Collect payments based on Virtual Payment Address, Push transactions based on Account Number and IFSC Code and Push transactions based on Aadhaar Number.

5.2. Virtual Payment Address

Every payment transaction requires source (remitter) account details to make the debit and destination (beneficiary) bank details to make the credit. UPI enables the users to create their Virtual Payment Address (UPI ID) for their bank accounts. This Virtual Payment Address is an abstract form to represent and uniquely identify the bank account details in a normalized notation. Thus for any transaction to take place it is vital to resolve the Virtual Payment Address into the actual bank accounts to make the debit and credit transactions. In current UPI architecture the Virtual Payment Address is denoted as “xyz@psp” form where xyz can be any unique name and psp is the name of the Payment Service Player whose application the user uses to create the VPA. The Virtual Payment Address is created by the PSP UPI App and is stored in the PSP database while the bank account number and IFSC Code (Global Address) is stored in the NPCI Mapper. PSPs expose their Address translation algorithms with NPCI to enable it to decode the VPA into valid bank account details. Thus, The Virtual Payment Address is resolved by the respective PSP UPI Apps while the Account Number and IFSC Code is resolved against the Virtual Payment Address by the NPCI Central Mapper. This is a unique feature in UPI since it removes the need to know the full bank details of parties making a transaction. Users can exchange their Payment Address which is sufficient to make the transaction.

5.3. NPCI Central Mapper

NPCI is the central repository and maintains a central mapper of association between customer’s Mobile Number, Bank Accounts, Aadhaar number and Virtual Payment Address. This central repository is used to route payment instructions based on mobile number. Thus, central mapper allows anyone to send/receive money from a mobile number without knowing the destination account details.

Apart from UPI, Aadhaar Payments, National USSD Platform (NUUP) and IMPS also use this central repository for routing payments. In fact, Aadhaar Payments Bridge System (APBS) uses this NPCI central mapper to transfer direct benefit transfers to individuals on the basis of their Aadhaar number. With linkage of Aadhaar number with Bank Account in the central mapper allows Aadhaar Number to become a payment address in itself.

6. Transactions in UPI

As mentioned above UPI allows a set of Non-Financial and Financial Transactions. Financial transactions include two types of transactions:

1) Pay Request (Push Payment): This transaction is initiated by the user in which money is pushed into the bank account of the beneficiary. This Push Payment can be done using the Account Number and IFSC Code, Aadhaar Number or the Virtual Payment Address of the beneficiary.

2) Collect Request (Pull Payment): A Collect Request transaction is initiated by the beneficiary to pull funds from the payer by using Virtual Address. The user can also define an expiry time limit of the Collect Request. The payer will receive the collect request on his PSP UPI App which is to be authenticated using 4 - 6 digit MPIN to complete the transaction.

6.1. Transacting Parties in UPI

There can be maximum up to four transacting parties in the UPI system. These four parties consist of two PSPs which provide the UPI interface through the PSP UPI mobile apps one each for remitter and beneficiary and two banks, one each of the remitter and the beneficiary respectively. The two PSPs facilitate the transaction and enable debit from the remitter’s bank account and credit into the beneficiary’s bank account.

6.2. Transaction Authorization

All digital transactions in India must adhere to two factor authentication. In case of UPI, transactions are authorized and authenticated on the personal mobile phone of the user without the need of any external device. The first factor is the hardbound mobile device fingerprint which is authenticated by the PSP UPI App. The second factor to authenticate the transaction is a four to six digit MPIN which is created by the user and captured on the NPCI libraries embedded in the PSP UPI App. These libraries are available for all major mobile operating systems viz. Android, iOS & Windows. These libraries allow secure capture of credentials like OTP and MPIN. The secured credentials are captured by the NPCI libraries which use PKI Encryption. These secured credentials (MPIN) are sent to the issuer bank for authentication and upon successful authentication a transaction is complete.

6.3. Transaction Flow of UPI Payments

1) Customer Registration

a) Users can download any PSP UPI application from app discovery platforms like Google Play or Apple App Store on mobile phone with mobile number registered with their bank.

b) The PSP UPI application will send an encrypted outward SMS from the user’s mobile phone automatically to check the authenticity of the mobile number registered with user’s bank and to enable hard binding of the mobile device with the mobile number. This hard binding of the device acts a device fingerprint.

c) User can now create unique Virtual Payment Address (for e.g. abc@xyzbank) which will be unique payment ID for the users.

2) Bank Account Registration

a) Users can register their bank accounts on the PSP UPI App. The Issuing Bank authenticates the mobile number registered with the bank and, it provides list of all bank accounts registered against the mobile number which is displayed to the user on PSP UPI App.

b) The PSP stores the account details received by the Issuer Bank in its database. At this stage, the PSP Database contains the information such as Registered Mobile Number, Virtual Payment Address, Name of User on PSP UPI App and Bank Name, Account number and IFSC code.

c) User now needs to create a Mobile Personal Identification Number (MPIN) to authenticate the transactions. An OTP Request is generated by the PSP UPI App to NPCI for the newly added account. NPCI requests an OTP from the Issuer Bank and the Issuer banks sends the OTP over SMS on the registered mobile number of the user.

d) To establish the personal bona fide of the user, the user is asked to enter the last 6 digits of Debit card number, expiry date, OTP received on the registered mobile number. In order to create the MPIM, user enters the desired MPIN on NPCI library embedded in the PSP UPI app.

e) The Card details and OTP is authenticated by the Issuer Bank and UPI PSP application sends this MPIN to NPCI which in turn send it to Issuer bank by encrypting it with the public key using PKI. The Issuer bank decrypts the encrypted MPIN with its Private Key and confirms the setting of the MPIN.

3) Transaction Flow

a) To make a Push Payment (Pay Request) the user needs to enter either the Virtual Payment Address or the Account number and IFSC Code or Aadhaar Number of the beneficiary.

b) User enters the MPIN on NPCI Libraries embedded in the PSP UPI App. MPIN is encrypted using NPCI public key and sent to UPI which is decrypted using NPCI private key. NPCI again encrypts the MPIN using Issuer Bank’s Public key and sends it to the Issuer Bank which then decrypts the MPIN using its own Private Key. Issuer Bank then authenticates the MPIN and debits the Remitter’s bank account and credits the Beneficiary’s bank account.

c) Similarly in case of Pull Payment (Collect Request) user makes a Collect Request by entering the Virtual Address of the Payer. Beneficiary’s PSP UPI App sends the request to NPCI which in turn sends the request to Remitter’s PSP for resolution and authorization.

d) Payer needs to enter MPIN on Payer PSP UPI App to authenticate the payment. On successful MPIN authentication by the Issuer Bank, the amount is debited from the bank account of the Payer and instantly credited into the bank account of the Beneficiary.

7. Security in UPI

In India it is mandatory to enable two factor authentication to make any digital transaction. Two factor authentication means one component is required to establish the bona fide identity of a person and second component is password/ credentials known only to the user. UPI uniquely employs one-click-two-factor authentication system whereby in a single click user is able to authenticate both the factors of authentication. The mobile device fingerprint is used as the first factor of authentication and to establish the bona fide identity of the user. The most critical aspect of security is to bind the mobile number with the device at the time of profile creation of user on PSP UPI App. This is done by sending an encrypted outward message from the bank registered mobile number of the user. This message creates a device fingerprint of the mobile phone by binding the mobile number with the Device ID, IMEI ID, SIM Number and PSP App ID. In case there are any changes in the mobile fingerprint i.e. Mobile Number, Device ID, IMEI ID, SIM Number and PSP App ID are changed, the user is required to re-authenticate the mobile device. The second factor of authentication is 4 - 6 digits MPIN that the user creates and uses to authenticate the transaction.

For data security, data has been classified into different classes of information:

1) Sensitive data: Such data is not to be stored and can only be transported in encrypted format. Sensitive data includes passwords, PIN and biometrics etc.

2) Private Data: Data such as bank account number. Private data can be stored by the PSP but only in encrypted format.

3) Non-sensitive data: Data such as Name, transaction history i.e. amount, timestamp, response code, location, etc. can be stored in unencrypted form.

In the current UPI architecture security is handled in following ways:

1) Identity and Account Validation: Veracity of personal identity and bank account is validated as a first step during User Registration which is done by sending an outward SMS by the PSP UPI App automatically without any customer intervention. This outward SMS is sent in encrypted form from Mobile number is then authenticated by the issuer bank to ensure that it is the registered mobile number of the user holding a valid bank account with the bank. The PSP UPI App enables device fingerprinting through this automated outward encrypted SMS which hard binds the Mobile number with the device. This ensures that the transactions originating from the hardbound device are secured at the first step itself.

2) Application security: Each PSP UPI app is certified by PCI-DSS and RBI-Certin. NPCI Utilities and Libraries are embedded in the PSP UPI app and sensitive data such as MPIN and One Time Password (OTP) can only be input on these NPCI Utilities and Libraries. The encrypted credentials are base 64 encoded by the common library and given back to PSP application for subsequent transports through UPI.

3) Transaction Level Security: Transaction authorization and authentication is spilt between the PSP UPI App and the Issuing Bank. The PSP UPI app validates the device fingerprint which is the first factor of authentication. To authenticate each transaction user has to input 4 - 6 digit MPIN which is authenticated by the Issuing Bank. Any transaction can only go through if the device fingerprint and the MPIN are validated. User is fully in control to prevent any unsolicited and malicious payment requests. The user needs to personally input the MPIN to authenticate the transaction and initiate any debit from his bank account.

4) MPIN Security: The MPIN can only be captured on the NPCI library i.e. on NPCI interface embedded in the PSP UPI App. This interface is invoked while entering the MPIN for an interoperable transaction. The MPIN is communicated by NPCI to the Issuer Bank over a secure channel. Using Public Key Infrastructure (PKI) encryption system UPI encrypts the MPIN using the Public key and the MPIN is decrypted by the Issuing Bank using its Private key.

To ensure message security, trust, non-repudiability it is mandatory that all APIs communicate over HTTPS layer, every message is digitally signed and has unique message id for each request response paid and unique transaction id. To prevent phising, Payer’s UPI PSP application should mandatorily show verified payee’s name to the payer in any payment request.

UPI is significantly safer than any Cards or e-Wallet transaction since any payment is tightly tied to your mobile hardware and checks all device fingerprints (for e.g. IMEI Number, SIM Number etc.) hence it is technically impossible to duplicate the payment environment. In case of Cards and e-Wallets the biggest security threat is lack of second factor of authentication (i.e. password) while making a transaction. This makes the cards and wallets vulnerable to system level breaches since transactions can be system generated by a hacker without the need of a password, thus technically a hacker can make thousands of fraudulent transactions simultaneously.

8. Impact of UPI on Payments Industry

UPI has witness rapid growth since its launch in August, 2016 in terms of number of users, volume and value of transactions. Currently 55 banks are live on UPI platform with more than 60 PSP UPI apps available on app discovery platforms [18] . Within 12 months of launch of UPI, more than 20 million users have downloaded various UPI PSP apps. Total value of transactions on UPI has grown 82% month on month since its launch with total transacted amount of Rs. 227 billion till August 2017 [19] (Figure 3). The monthly value of transactions on UPI has already overtaken monthly transactions of all e-wallets put together in India. The value of transactions on UPI is currently is less as compared to value of credit and debit cards transactions which constitute about Rs. 2700 billion per month [15] but UPI is growing at a much faster rate.

Currently person-to-person money transfers constitute majority of UPI transactions while person-to-merchant transactions are currently very less. This is due to lack of merchant acceptance infrastructure at merchant payment points to accept UPI payments. UPI usage for merchant payments is expected to increase with more businesses enabling UPI payments for their customers. Current POS machines accepting payments through debit and credit cards need to be reconfigured and updated to accept UPI payments. The updated POS machines should be able to display the UPI QR code of the merchant to enable the

customer to scan the QR code and make payment using UPI PSP Apps. Also, POS machines should be able to get the confirmation status of UPI transactions. As a payment mode, UPI has the potential to make debit cards redundant since with UPI there will be no need to carry your debit card as your mobile phone will work as your debit card. However, UPI in the current form does not support credit cards hence UPI as a product does not compete with the credit cards. For online payments UPI clearly offers better user experience vis-à-vis debit cards or net banking payments.

Impact on Payments in Physical World: Payments in the physical world include cash and debit or credit card transactions. UPI has the potential to transform payments in the offline world as it offers a cost effective alternative to both cash and cards transactions. With UPI merchants do not require expensive POS machines to collect digital payments through cards, a merchant will be able to display a unique UPI QR Code which the customer can scan with mobile phone and make the payment with the amount being credited instantly into merchant’s bank account. Merchant can receive payment confirmation over their mobile phones. Most cash transactions at merchant point happen due to lack of digital acceptance mechanisms with merchants. The customers can also directly pay the merchant at merchant’s UPI ID and merchant will receive payment confirmation on the mobile phone.

Impact on Online Payments: Currently majority of online transactions are enabled by payment gateways with Debit/Credit Cards and Netbanking being the primary modes of payments. Users are required to input all the sensitive details including Card Numbers, Card Verification Value, Netbanking usernames and passwords etc. This makes digital payments vulnerable to data leaks and frauds. Also, there are a number of network hops between card networks, issuer and acquiring bank to enable a transaction which leads to high failure rates of transactions. With UPI customers need not provide any information, a customer can simply scan a QR code displayed on the website using a mobile phone and payment can be completed in seconds with a few network hops. This can not only avoid data leaks of any sensitive data but also increases transaction success rates.

9. Impact of UPI on Businesses

Apart from being the most cost effective, fast and seamless payment method UPI enables digital payments for an entire spectrum of businesses both for brick and mortar and online merchants. For physical businesses, each employee can be enabled to collect digital payments since there is no need of any POS machine, each employee can be provided a unique UPI ID and QR Code which the employees can present to the customer to collect payments. Apart from proximate payments where the customers is physically present at the billing counters, UPI opens unique opportunities for businesses to collect payments where customers are not physically present for example. Insurance premium collection, school fee and electricity bill payments etc. where payment request can be sent to the customer and customer can pay remotely using mobile phones. Another important use case for businesses can be to enable payment at the time of delivery. In India there is a large prevalence of cash on delivery, almost 60% of ecommerce sales happen with cash payment being made at the time of delivery. Such payment at time of delivery can be converted into digital payment at the time of delivery using UPI whereby a customer can easily pay through UPI at the time of delivery.

10. The Way Forward―UPI 2.0

UPI has witnessed rapid growth that can be attributed to the expanding ecosystem promoted by banks and other payment service players and increasing adoption by the users. Security, ease of use and development of business solutions are paramount to make UPI as a payment system of choice both for users and businesses. In this direction NPCI is coming out with an upgraded version of UPI called UPI 2.0 with enhancements in security, ease of use for customers and which open new use cases for businesses and expand the UPI ecosystem. The salient features of UPI 2.0 are expected to include:

Transaction authentication using Biometrics: Currently users can authenticate their payments using 4 - 6 digits MPIN. This MPIN can be self-generated by the user on the PSP UPI App with the ability to change the MPIN as and when required. This MPIN is captured by secure NPCI libraries and authenticated by the Issuer Bank. However this use of MPIN has its own limitations with users forgetting the MPIN and entering wrong MPINs leading to failed transactions. Another perceived risk is fear of fraudulent transactions in case of loss or theft of mobile phone. To overcome these issues UPI 2.0 will include transaction authentication using biometrics of user like fingerprint or iris prints. User will have the option to authenticate the transactions using his/her biometrics. In order to enable biometric authentication UPI has been integrated with Unique Identification Authority of India (UIDAI) which provides online authentication services including biometrics and OTP authentication. UIDAI is the central repository of biometric data of more than 1.16 billion or about 87% Indians who have registered for national unique identity service through Aadhaar. Also, Aadhaar Number of the user is now mandatorily mapped to the bank account of the user. Mobile phone manufacturers are coming up with mobile phones which can read fingerprints and iris prints of users. Such devices will be required to be certified and registered with UIDAI to enable them to capture the biometrics of the user. Once the user decides to authenticate the transaction using biometrics, fingerprint or iris print in captured on the mobile phone and communicated to NPCI in encrypted form which then invokes the UIDAI authentication API on behalf of Issuer Bank to authenticate the biometrics.

UPI Payment Mandate: One of the biggest use cases for consumers and businesses is to make periodic recurring payments like utilities bill, school fee, insurance premium and loan EMI payments. To enable businesses to accept periodic payments and hassle free experience for customers UPI 2.0 will have functionality where customers can provide one-time authentication for recurring payments to various merchants and billers. While the mandate creation is a one- time activity, it allows user’s account to be debited as per the agreed terms and condition, without the need for user to authenticate the transaction every time. UPI will offer the mandate service that will allow both remitter and beneficiary to create mandates or standing instructions through their respective banks. This mandate shall be registered immediately post the one time authentication by the remitter. To start with UPI 2.0 is expected to support only revocable mandates and mandates can be created on Virtual Payment Address only.

11. Conclusion

UPI has enabled mobile phone to be used as a primary payment device for making and accepting payments. UPI leverages high teledensity in India to enable every bank account holder to make digital transactions using a mobile phone. India, which has a poor merchant payment acceptance infrastructure UPI, enables even the smallest merchant to start accepting digital payments without the need for any POS machine. UPI has done away with the need to know the complicated payment details of the transacting parties, which makes payments easy and seamless for transacting parties. Compared to all other payment systems it would not be misplaced to say that UPI is the most advanced payment system in the world. With its standard set of APIs, UPI has allowed different banks to communicate with each other and has enabled interoperatability between disparate bank payment systems. In UPI there are no intermediaries like in card networks, which allows for low transaction costs and instant settlement. While all other digital modes of payments like cards etc. take days to complete the transaction and settlement process, UPI allows payment to be completed in seconds. UPI works on a safe, secure and robust platform with ample security features to make it more secure than any extant payment systems. Introduction of biometric authentication in UPI will not only make payments more secure but will also take a huge leap towards integrating next generation technology with current payments system. UPI can be a great enabler for financial inclusion in India and allow a huge set of population to be a part of digital economy.