The Unified Payments Interface (UPI) provides a single interface for online payments across all NPCI systems using standard APIs. It aims to simplify payments and improve customer experience through interoperability. UPI allows for instant payments through a single click using two-factor authentication on mobile. It also enables use of virtual payment addresses instead of sharing sensitive bank details. UPI transactions use a central repository to route payments between participating banks in real-time, with strong security features like encryption and digital signatures.
2. The Unified Payments Interface (UPI) offers an architecture and a set of standard
Application Programming Interface (API) specifications to facilitate online payments. It aims
to simplify and provide a single interface across all NPCI systems besides creating
interoperability and superior customer experience.
Instant “Pay” (push) and “Collect” (pull) using single-click two-factor authentication, where the mobile is the first factor (what you have) and MPIN/Biometrics (what you know/are) is the second factor.
Ability to use Virtual Payment Addresses (VPA), thus eliminating the need to provide sensitive account information to merchants or other individuals.
What is UPI
3. UPI Architecture
[Diagram: Scalable Architecture. Labels: Banks; Payment System Players (PSP); Mobile application; Internet Banking; 3rd Party Apps (Collect only); *99#; Standard Interface; Unified Payments Interface; NPCI; IMPS; AEPS; RuPay Ecom; APBS; NACH; NFS; Central Repository; UID-BIN]
4. “Payment Address” is an abstract form representing a handle that uniquely identifies account details in a “normalized” notation.
Virtual Payment Addresses are denoted as “account@provider”.
PSPs can allow their customers to create any number of virtual payment addresses and attach various authorization rules to them.
PSPs may offer “one time use” addresses, “amount/time limited” addresses or “limit to specific payees” addresses to customers.
What is Virtual Payment Address
5. A user id provided by PSP, resolved directly by that PSP, is represented as user-id@psp-code (e.g. joeuser@mypsp)
IFSC code and account number combination, resolved directly by NPCI, is represented as account-no@ifsc-code.ifsc.npci (e.g. 1234500000000001@HDFC0000001.ifsc.npci)
Aadhaar number, resolved directly by NPCI using existing Aadhaar to bank mapper, is represented as aadhaar-no@aadhaar.npci (e.g. 234567890123@aadhaar.npci)
Examples of Virtual Payment Address
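The three address forms on this slide can be told apart mechanically, which matters because the form decides who resolves the handle (the PSP or NPCI). The sketch below is an added example, not part of the original slides or of any NPCI or PSP code; the IFSC and Aadhaar format checks, the account-number length range, the allowed characters for PSP handles, and the log-masking rule are all assumptions.

```python
import re
from typing import NamedTuple

class ParsedAddress(NamedTuple):
    kind: str        # "psp", "account-ifsc" or "aadhaar"
    resolver: str    # who resolves the handle, per the slide
    handle: str      # part before "@"
    provider: str    # part after "@", lower-cased

# Assumed formats (not stated on the slide): IFSC is 4 letters, "0", then 6
# alphanumerics; Aadhaar is 12 digits; PSP user ids and codes are simple tokens.
_IFSC = re.compile(r"^([A-Z]{4}0[A-Z0-9]{6})\.ifsc\.npci$", re.IGNORECASE)
_ACCOUNT = re.compile(r"^\d{6,20}$")
_AADHAAR = re.compile(r"^\d{12}$")
_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def parse_payment_address(address: str) -> ParsedAddress:
    """Classify an address into one of the three forms listed on the slide."""
    handle, sep, provider = address.strip().rpartition("@")
    if not sep or not handle or not provider or "@" in handle:
        raise ValueError("expected exactly one '@' with text on both sides")
    provider_l = provider.lower()
    if provider_l == "aadhaar.npci":
        if not _AADHAAR.match(handle):
            raise ValueError("Aadhaar form needs a 12-digit handle")
        return ParsedAddress("aadhaar", "NPCI", handle, provider_l)
    # Anything else under .npci must be the IFSC form; a PSP code cannot claim it.
    if provider_l.endswith(".npci"):
        if not _IFSC.match(provider) or not _ACCOUNT.match(handle):
            raise ValueError("malformed account-no@ifsc-code.ifsc.npci address")
        return ParsedAddress("account-ifsc", "NPCI", handle, provider_l)
    if not _TOKEN.match(handle) or not _TOKEN.match(provider):
        raise ValueError("malformed user-id@psp-code address")
    return ParsedAddress("psp", "PSP", handle, provider_l)

def mask_for_log(parsed: ParsedAddress) -> str:
    """Mask account and Aadhaar numbers so logs never hold the full identifier."""
    if parsed.kind == "psp":
        return f"{parsed.handle}@{parsed.provider}"
    return f"{'*' * (len(parsed.handle) - 4)}{parsed.handle[-4:]}@{parsed.provider}"

if __name__ == "__main__":
    # The three example addresses come from the slide itself.
    for a in ("joeuser@mypsp", "1234500000000001@HDFC0000001.ifsc.npci",
              "234567890123@aadhaar.npci"):
        p = parse_payment_address(a)
        print(p.kind, p.resolver, mask_for_log(p))
```

The account-number and Aadhaar forms carry exactly the identifiers a VPA is meant to keep away from merchants, so they are the ones worth masking wherever addresses are logged.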
12. UPI Solution provides strong end-to-end security and data protection. The key Security
features of the Unified Payments Interface are:
Device Fingerprinting during the registration process
Credential Capture through NPCI Common Library
Credentials encrypted by using RSA 2048 Asymmetric Encryption
The decryption/encryption at NPCI will be performed through HSM
Message communication between PSPs and UPI over HTTPS
All messages are digitally signed using SHA2 with RSA.
Security features
13. NPCI common library will be distributed to PSPs for all three major mobile operating systems, viz. Android, iOS and Windows.
Common library has the following security features:
Capturing the credentials securely
Embedding device and transaction related data as salt into the credential block for each transaction, in order to: prevent the acquiring PSP from replaying the credential block; ensure the actual device fingerprint is sent to NPCI for every transaction; ensure the NPCI Common Library is used for secure credential capture
Encrypting the sensitive data (credentials like OTP, MPIN, and biometric data) using RSA 2048 public key encryption
Digital signature verification of the XML payload of public keys before performing the credential capture
NPCI Common Library
14. Applications that integrate with PSP Apps to collect Payment
Web App, Desktop App, Mobile App etc
Re-imagine various use cases that can move to cashless through UPI
Sample PSP App/PSP Server provided by NPCI may be used
When developing mobile app, deep link to sample PSP app
Common Library will be part of Sample PSP and should not be directly used
PSP application itself which is provided to consumers/Merchants
PSP server including optional interface/sdk for merchants
PSP mobile app for consumers by embedding Common Library
Types of Applications
15. Sample Mobile App Flow – In app Payment
If a UPI-enabled app is not available, the user will be routed to the Play Store/website for the merchant-preferred PSP app.