Unified Payments Interface (UPI)
The Unified Payments Interface (UPI) offers an architecture and a set of standard
Application Programming Interface (API) specifications to facilitate online payments. It aims
to simplify and provide a single interface across all NPCI systems besides creating
interoperability and superior customer experience.
Instant “Pay” (push) and “Collect” (pull) using single-click two-factor authentication, where the
mobile is the first factor (what you have) and MPIN/biometrics (what you know/are) is the second
factor.
Ability to use Virtual Payment Addresses (VPA), thus eliminating the need to provide
sensitive account information to merchants or other individuals.
What is UPI
UPI Architecture
[Figure: Scalable Architecture. Labels: Banks; IMPS, AEPS, RuPay, Ecom; Unified Payments Interface (NPCI); Standard Interface; Internet Banking; 3rd Party Apps (Collect only); *99#; APBS, NACH, NFS; Central Repository UID-BIN; Mobile application; Payment System Players (PSP)]
A “Payment Address” is an abstract form representing a handle that uniquely identifies
account details in a “normalized” notation.
Virtual Payment Addresses are denoted as “account@provider”.
PSPs can allow their customers to create any number of virtual payment addresses and
allow attaching various authorization rules to them.
PSPs may offer “one time use” addresses, “amount/time limited” addresses or “limit to
specific payees” addresses to customers.
What is Virtual Payment Address
A user id provided by PSP, resolved directly by that PSP, is represented as
user-id@psp-code (e.g. joeuser@mypsp)
IFSC code and account number combination, resolved directly by NPCI, is represented as
account-no@ifsc-code.ifsc.npci (e.g. 1234500000000001@HDFC0000001.ifsc.npci)
Aadhaar number, resolved directly by NPCI using existing Aadhaar to bank mapper, is represented as
aadhaar-no@aadhaar.npci (e.g. 234567890123@aadhaar.npci)
Examples of Virtual Payment Address
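The three notations above can be told apart mechanically. The following is an added example, not from the original slides or from NPCI: a strict parser that classifies an address by who resolves it and rejects anything that fits none of the three forms. The character sets and length limits are assumptions, since the slides give only the notation.

```python
import re
from typing import NamedTuple


class PaymentAddress(NamedTuple):
    kind: str      # "psp", "ifsc" or "aadhaar"
    account: str   # part before "@"
    provider: str  # PSP code, IFSC code, or "aadhaar"
    resolver: str  # who resolves the address: "PSP" or "NPCI"


# Assumed character sets and lengths; the slides show only the notation.
_IFSC_PROVIDER = re.compile(r"([A-Z]{4}0[A-Z0-9]{6})\.ifsc\.npci")
_ACCOUNT_NO = re.compile(r"[0-9]{6,18}")
_AADHAAR_NO = re.compile(r"[0-9]{12}")
_PSP_USER = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")
_PSP_CODE = re.compile(r"[a-z][a-z0-9]{1,31}")  # no dots: cannot look like *.npci


def parse_vpa(vpa: str) -> PaymentAddress:
    """Classify a payment address; raise ValueError on anything ambiguous."""
    if vpa.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    account, provider = vpa.split("@")
    # NPCI-resolved forms are checked first so that a malformed one is
    # rejected instead of being routed to a PSP as an ordinary handle.
    if provider == "aadhaar.npci":
        if not _AADHAAR_NO.fullmatch(account):
            raise ValueError("Aadhaar address needs a 12-digit number")
        return PaymentAddress("aadhaar", account, "aadhaar", "NPCI")
    if provider.endswith(".npci"):
        m = _IFSC_PROVIDER.fullmatch(provider)
        if not m or not _ACCOUNT_NO.fullmatch(account):
            raise ValueError("malformed account-no@ifsc-code.ifsc.npci address")
        return PaymentAddress("ifsc", account, m.group(1), "NPCI")
    if _PSP_USER.fullmatch(account) and _PSP_CODE.fullmatch(provider):
        return PaymentAddress("psp", account, provider, "PSP")
    raise ValueError("not a recognised payment address")


if __name__ == "__main__":
    # The three example addresses given on the slide.
    for sample in ("joeuser@mypsp",
                   "1234500000000001@HDFC0000001.ifsc.npci",
                   "234567890123@aadhaar.npci"):
        print(sample, "->", parse_vpa(sample))
```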
UPI – Message Flow
[Figure: message flow between PSP 1, PSP 2, Account Provider 1, Account Provider 2 (A/C providers live in UPI) and UPI. Messages: ReqPay (PAY/COLLECT) / RespPay; ReqAuthDetail / RespAuthDetail; ReqPay (Debit) / RespPay; ReqPay (Credit) / RespPay]
Pay Transaction
[Figure: Pay transaction flow. Participants: Acquiring Channel (Mobile App/E-Com), Payer PSP, Unified Payments Interface, Payee PSP, Remitter Bank, Beneficiary Bank. Messages: ReqPay / RespPay; ReqAuthDetails / RespAuthDetails; ReqPay debit / RespPay debit; ReqPay credit / RespPay credit; ReqTxnConfirmation / RespTxnConfirmation. Step labels: 1 to 10, A, B. Legend: Financial, Non-Financial]
Collect Transaction
[Figure: Collect transaction flow. Participants: Acquiring Channel (Mobile App/E-Com), Payer PSP, Unified Payments Interface, Payee PSP, Remitter Bank, Beneficiary Bank. Messages: ReqPay / RespPay; ReqAuthDetails / RespAuthDetails; ReqPay debit / RespPay debit; ReqPay credit / RespPay credit; ReqTxnConfirmation / RespTxnConfirmation. Step labels: 1 to 10, A, B, C, D. Legend: Financial, Non-Financial]
List of Core APIs
List of Meta APIs
The UPI solution provides strong end-to-end security and data protection. The key security
features of the Unified Payments Interface are:
Device fingerprinting during the registration process
Credential capture through the NPCI Common Library
Credentials encrypted using RSA 2048 asymmetric encryption
The decryption/encryption at NPCI will be performed through HSM
Message communication between PSPs and UPI over HTTPS
All messages are digitally signed using SHA2 with RSA.
Security features
The NPCI Common Library will be distributed to PSPs for all three major mobile operating
systems, viz. Android, iOS & Windows.
The Common Library has the following security features:
Capture the credentials securely
Embedding device- and transaction-related data as salt into the Credential block for each
transaction to:
Prevent the acquiring PSP from replaying the Credential block
Ensure the actual device fingerprint is sent to NPCI for every transaction
Ensure the NPCI Common Library is used to secure credential capture
Encrypt the sensitive data (credentials like OTP, MPIN, and biometric data) using RSA 2048
public key encryption.
Digital signature verification of the XML payload of public keys before performing the credential
capture.
NPCI Common Library
Applications that integrate with PSP Apps to collect Payment
Web App, Desktop App, Mobile App etc.
Re-imagine various use cases that can move to cashless through UPI
Sample PSP App/PSP Server provided by NPCI may be used
When developing mobile app, deep link to sample PSP app
Common Library will be part of Sample PSP and should not be directly used
PSP application itself which is provided to consumers/Merchants
PSP server including optional interface/SDK for merchants
PSP mobile app for consumers by embedding Common Library
Types of Applications
Sample Mobile App Flow – In app Payment
If a UPI-enabled app is not available, the user will be
routed to the Play Store/website for the
merchant's preferred PSP app.
Sample Mobile App Flow – Collect Pay
UPI Over Internet
Thank You