THE slides makes basic concepts related to UNIFIED PAYMENTS INTERFACE and its SECURITY clear in most easy to understand and clear format.

1. UNIFIED PAYMENT INTERFACE AND
ITS SECURITY
AKSHAY DIXIT
BTECH.(CSE)
AKGEC

2. Your guide to UPI—the world’s most
advanced payments system
This is not hyperbole. India just crushed it!

3. PM launching UPI(30 DEC. 2016)

4. AGENDA
▶ 1.MISSION AND VISION
▶ 2.WHAT IS UPI?
▶ 3.WHY UPI?
▶ 4.BASIC STRUCTURE OF UPI
▶ 5.KEY INNOVATION TO UPI SUCCESS
▶ 6.PARTICIPANTS
▶ 7.KEY ASPECTS OF UPI
▶ 8.ROLE OF NPCI
▶ 9.ARCHITECTURE OF UPI
▶ 10.CONCEPTS

5. Contd..
▶ 11.VALUE PROPOSITION
▶ 12.ADHAAR FACILITIES SUPPORTED
▶ 13.NPCI CENTRAL MAPPERS
▶ 14.SECURITY CONSIDERATIONS
▶ 15.HOW SECURE IS UPI
▶ 16.IDENTITY AND ACCOUNT VALIDATION
▶ 17.PROTECTING ACCOUNT DETAILS
▶ 18.PROTECTING ACCOUNT CREDENTIALS
▶ 19.PROTECTING AGAINST PHISHING
▶ 20.MESSAGE SECURITY AND TRUST
▶ 21.ADVANTAGES
▶ 22.DISADVANTAGES
▶ 23.CONCLUSION

6. MISSION AND VISION
▶ Mission Statement
To ensure payment and settlement systems in the country are safe, efficient,
interoperable, authorised, accessible, inclusive and compliant with international
standards.
▶ Vision
To proactively encourage electronic payment systems for ushering in a less-cash
society in India

7. WHAT IS UPI ?

8. WHY UPI ?

9. BASIC STRUCTURE OF UPI

10. KEY INNOVATION TO UPI SUCCESS
▶ The term “Virtual Payment Address” is used to depict an identifier that can be
uniquely mapped to an individual account using a translation service. In
addition to Aadhaar number and Mobile number as global identifiers (mapped
by NPCI), PSPs can offer any number of virtual addresses to customers so that
they can use the virtual address for making and receiving payments.
▶ Virtual payment addresses provide innovative mechanisms for customers to
create addresses with attached rules for limiting amount, time (e.g., one time
use addresses), and payees.

11. PARTICIPANTS

12. KEY ASPECTS OF UPI
▶ The Unified Payment Interface is expected to further propel
easy instant payments via mobile, web, and other
applications.
▶ The payments can be both sender (payer) and receiver
(payee) initiated and are carried out in a secure,
convenient, and integrated fashion.
▶ This design provides an ecosystem driven scalable
architecture and a set of APIs taking full advantage of mass
adoption of smartphone.

13. Contd….
▶ Virtual payment addresses, 1-click 2-factor authentication, Aadhaar
integration, use of payer’s smartphone for secure credential capture,
etc. are some of the core features.
▶ It allows banks and other players to innovate and offer a superior
customer experience to make electronic payments convenient and
secure.
▶ Supports the growth of e-commerce, while simultaneously meeting the
target of financial inclusion.
▶ Proposed architecture is well within the regulatory framework of the
mobile and ecommerce transactions having 2 factors of authentication
(2FA).

14. ROLE OF NPCI
▶ Unified – hiding the complexity of dealing with disparate systems –
both internal and external to NPCI.
▶ Expandable – to allow for innovations in newer forms of identity,
authentication, and banking
▶ Adaptable -to the current way of life-
▶ Smart phones as an integral part of people’s identity
▶ Aadhaar as a form of online verifiable identity - authenticated by a
third party
▶ Allow customers to enter credentials on their own device – even
when the merchant requests funds.
▶ E Commerce.

15. Contd..
▶ Real Time – Allows banks to provide real time experience
for interactive transactions.
▶ Secure – Allows for traceability through the entire
transaction chain
▶ Monitorable - Allows for NPCI to monitor the system
centrally

16. ARCHITECTURE OF UPI

17. CONCEPTS
Every payment has the following core elements:
▶ Payer and payee account and institution details for routing and authorization
▶ Authentication credentials (password, PIN, biometrics, etc. as required for debit,
can be bank provided or 3rd party provided such as UIDAI)
▶ Transaction amount
▶ Transaction reference
▶ Timestamp
▶ Other metadata attributes such as location, product code, mobile number,
device details, etc. as required.

18. Value proposition
▶ Simplifying Authentication
▶ Simplifying Issuance Infrastructure
▶ Flexibility for Users
▶ Enabling 1-click 2-FA Transactions
▶ Embracing Mobile Adoption
▶ Stimulating Innovation
▶ Embracing Aadhaar Adoption
▶ Creating National Interoperability

19. ADHAAR FACILITIES SUPPORTED
▶ Aadhaar Authentication
▶ Aadhaar e-KYC
▶ Aadhaar Enabled Account (AEA)
▶ Aadhaar Payment Bridge (APB)
▶ Aadhaar Enabled Payment System (AEPS)

20. NPCI Central Mapper
▶ Aadhaar as the Payment Address
▶ Mobile as the Payment Address

21. SECURITY CONSIDERATIONS
For data security, the following classes of information are
defined:
▶ Sensitive Data - Data such as PIN, passwords, biometrics, etc.
These are not to be stored and should only be transported in
encrypted form.
▶ Private Data - Data such as account number. This information
may be stored by the PSP, but only in encrypted form.
▶ Non-Sensitive data - Name, transaction history (amount,
timestamp, response code, location, etc.) that can be stored in
unencrypted form

22. How secure is UPI?
Nilekani said the security is fool-proof as the transaction will happen in a
highly encrypted format. Already NPCI’s IMPS network handles more than
Rs.8,000 crore worth of transactions a day, which will exponentially
increase with the use of mobile phones.
2 Factor authentication – similar to OTP will be there as its mandated by
RBI. In this case, MPIN instead of OTP will be used.

23. Identity & Account Validation
Identity Data Validated When How
By
Mobile Device PSP & NPCI Customer SMS based OTP initially against the
(via common Registration & registered mobile and using
library) during HOTP/TOTP for implicit verification
transaction during every transaction
Aadhaar PSP Customer Aadhaar e-KYC / Authentication or
Number or Registration PAN card verification
PAN number
Customer PSP Customer Aadhaar e-KYC / Demographic
Name Registration Authentication, matching with PAN
card verification
Account PSP Every time a Ideally via an API offered by account
Details - payment account providers or via a small value (e.g.
Number, is added Rs.1/-) transaction
Account
Ownership,

24. Protecting Account Details
▶ Protecting during capture
▶ Verifying the account details with account provider
(bank, PPI, etc. - new API may be needed from
banks, or Re-1 transaction may be done to
validate)
▶ PSPs storing the data should be always in
encrypted form

25. Protecting Authentication Credentials
▶ Authentication credentials encrypted during capture using
the public key of the authentication provider
▶ "Trusted" common library for credential
(MPIN/Password/PIN/Biometrics) capture. This library
needs to bind customer mobile using HOTP/TOTP which is
verified as part of transaction

26. Protecting against Phishing
▶ 3 core techniques may be used to protect against phishing:
▶ Individual (nonentities)pay/collect transactions can be against pre-created
and verified address (quite like in the case of NEFT).
▶ Allow direct/collect against ONLY whitelisted within the payer’s pre-listed
entries. Payer must add the payee explicitly into this list (quite life NEFT
settings). During this, address verification can be done.
▶ For individuals
▶ PSP application should mandatorily share Aadhaar number and verified name
which is part of customer information block which can be shown by the second
PSP to their customer

27. Contd..
▶ For entities
▶ PSP application should mandatorily share PAN number and verified name
which is part of customer information block which can be shown by the second
PSP to their customer
▶ Whitelist entities (popular ones) and blacklist/rating at central
database (NPCI) and show “verified symbol

28. Message Security and Trust
▶ Every messages within the unified system must be digitally signed
▶ Every message has unique transaction ID (that spans across the organizations
for same transaction) and unique message ID for every request-response pair
▶ All APIs must be done over a secure channel (HTTPS)
▶ Auditing transaction (no sensitive data) data for appropriate number of years

29. ADVANTAGES OF UPI
▶ Minimal Charges and Instant
▶ No Need to Fill Details
▶ No need for Registration and always Available

30. Disadvantages of UPI
▶ Transaction Limit
▶ Requirement of Internet and Smartphone
▶ Difficult to Convince the Customers

31. CONCLUSION
UPI can replace NEFT, IMPS and RTGS as UPI has
only 1 unique ID of he recipient and is required for an
instantaneous transfer of funds. It is much more
easier than the other modes of transfer. In future it is
expected to replace the other modes of payments as
it makes payments very easily.