What is UPI? — Part 2

Kshitij Nawandar
5 min read · May 26, 2024

Continuing from where we left off, in this story we will discuss how a payment actually works and all the complex steps that take place in the background. But before that, it is important to look at the preliminary actions performed to register a customer onto UPI.

Customer Registration and Device Binding

Whenever a new customer installs a UPI app, the PSP is responsible for verifying the customer and his device. The PSP generates a token, which is a hash of device parameters that can uniquely identify a device, such as the IMEI number, application name, SimID and mobile number. This hash is sent as an SMS from the customer’s mobile phone to a Virtual Mobile Number (VMN) belonging to a partner SMS service provider. This happens in the background and may even go unnoticed by the customer. Whenever the service provider receives an SMS on this VMN, it sends a callback to the PSP with the hash and the mobile number. The PSP marks the mobile number as verified upon receiving the callback.

Once the device is verified, the PSP fetches a key for this device from NPCI. This key is used to encrypt the user's UPI Pin every time a payment is made.

The PSP is supposed to perform the device binding every time a customer reinstalls the application or changes his mobile phone. The key generated by NPCI is valid for 45 days, and the PSP should regularly check the key and rotate it if needed.

Figure: Customer Verification and Device Binding
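A PSP-side sketch of the binding check described above, as an added example that is not from the original article or from any PSP's code. The class and function names, the random nonce mixed into the hash, the 5-minute token lifetime and the 3-day rotation margin are assumptions; the hash of device parameters and the 45-day key validity come from the text.

```python
import hashlib
import secrets

KEY_VALIDITY_S = 45 * 24 * 3600  # NPCI key validity stated in the article
TOKEN_TTL_S = 300                # assumption: a pending binding stays open 5 minutes


class DeviceBinder:
    """Hypothetical PSP component tracking pending and verified bindings."""

    def __init__(self):
        self.pending = {}   # token -> (mobile number, expiry time)
        self.verified = {}  # mobile number -> token of the bound device

    def start_binding(self, mobile, device_params, now):
        # Hash of the device parameters, as in the article, plus a random
        # nonce (assumption) so the token cannot be precomputed or reused.
        nonce = secrets.token_hex(16)
        material = "|".join(f"{k}={device_params[k]}" for k in sorted(device_params))
        token = hashlib.sha256(f"{material}|{mobile}|{nonce}".encode()).hexdigest()
        self.pending[token] = (mobile, now + TOKEN_TTL_S)
        return token  # the app sends this token by SMS to the VMN

    def on_sms_callback(self, token, sender_mobile, now):
        # Called when the SMS provider reports an SMS received on the VMN.
        # pop() makes the token single-use: a replayed callback finds nothing.
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        mobile, expires_at = entry
        if now > expires_at:
            return False
        # The SMS must come from the number the binding was started for.
        if sender_mobile != mobile:
            return False
        self.verified[mobile] = token
        return True


def key_needs_rotation(issued_at, now, margin_s=3 * 24 * 3600):
    # Rotate a few days before the 45-day validity ends (margin is an assumption).
    return now - issued_at >= KEY_VALIDITY_S - margin_s
```
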

Account and VPA Management

Once the customer is verified, the customer chooses a bank and the PSP fetches the customer’s bank accounts from NPCI. NPCI returns a list of all the accounts belonging to the customer in that bank, including RuPay Credit Cards. The customer selects a bank account or credit card account and creates a VPA for it.

The customer can create multiple VPAs and link bank accounts to them. NPCI does not mandate any logic or rules for creating a VPA. TPAPs and PSPs have the authority to create and issue VPAs. The relationship between VPA and account depends on the PSP. But generally, 1 VPA is mapped to 1 bank account and multiple bank accounts can all be mapped to the same VPA, out of which 1 of the bank accounts would be the primary bank account for this VPA.

The customer can perform multiple other actions, such as:

  1. Set/reset/change UPI Pin
  2. Check balance
  3. Add/delete VPA

VPA is one of the payment addresses supported by NPCI. A Payment Address is an abstract form that uniquely identifies account details in a normalized notation. In this architecture, all payment addresses are written in the “account@provider” form. Address translation may happen at the provider/gateway level or at the NPCI level. An address should only contain a-z, A-Z, 0-9, . (dot) and - (hyphen).

A few other payment addresses are:

  1. IFSC code and account number combination, resolved directly by NPCI, is represented as account-no@ifsc-code.ifsc.npci (e.g. 12345@HDFC0000001.ifsc.npci)
  2. Aadhaar number, resolved directly by NPCI using existing Aadhaar to bank mapper, is represented as aadhaar-no@aadhaar.npci (e.g. 234567890123@aadhaar.npci)
  3. RuPay card number, resolved directly by NPCI, is represented as card-no@rupay.npci (e.g. 1234123412341234@rupay.npci)
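A strict parser for the address forms listed above, as an added example that is not from the original article or from NPCI. The function names, case-insensitive provider matching, the 16-digit card length (taken from the sample above) and the rejection of any other `.npci` provider are assumptions.

```python
import re

# Character set the article allows: a-z, A-Z, 0-9, '.' and '-'.
_PART = re.compile(r"[A-Za-z0-9.-]+")
_IFSC = re.compile(r"[A-Z]{4}0[A-Z0-9]{6}")  # standard 11-character IFSC layout
_IFSC_SUFFIX = ".ifsc.npci"


def parse_payment_address(addr):
    """Split 'account@provider' and classify it; raise ValueError if malformed."""
    if addr.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    account, provider = addr.split("@")
    # fullmatch rejects empty parts, spaces, newlines and non-ASCII look-alikes.
    if not _PART.fullmatch(account) or not _PART.fullmatch(provider):
        raise ValueError("illegal character or empty part")
    p = provider.lower()  # assumption: provider names compare case-insensitively
    if p == "aadhaar.npci":
        if not re.fullmatch(r"[0-9]{12}", account):
            raise ValueError("Aadhaar number must be 12 digits")
        return {"kind": "aadhaar", "account": account, "resolved_by": "NPCI"}
    if p == "rupay.npci":
        # Assumption: 16 digits, as in the article's sample card number.
        if not re.fullmatch(r"[0-9]{16}", account):
            raise ValueError("card number must be 16 digits")
        return {"kind": "rupay", "account": account, "resolved_by": "NPCI"}
    if p.endswith(_IFSC_SUFFIX):
        ifsc = provider[: -len(_IFSC_SUFFIX)].upper()
        if not _IFSC.fullmatch(ifsc):
            raise ValueError("malformed IFSC code")
        return {"kind": "ifsc", "account": account, "ifsc": ifsc,
                "resolved_by": "NPCI"}
    if p == "npci" or p.endswith(".npci"):
        # Assumption: '.npci' is reserved, so an unknown form is refused
        # rather than treated as an ordinary VPA handle.
        raise ValueError("unknown NPCI-resolved form")
    return {"kind": "vpa", "account": account, "handle": p, "resolved_by": "PSP"}


def is_valid_payment_address(addr):
    try:
        parse_payment_address(addr)
        return True
    except ValueError:
        return False
```
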

Payments

Broadly speaking, there are 2 categories of payments: Direct Payment to push money and Collect Payment to pull money from one account to another. The processing and the participants remain the same; the only difference between the two is that the Direct Pay flow is Payer initiated, while Collect is Payee initiated.

Direct Payment

Direct Payment, also known as Push Payment, Intent payment or a Pay type of payment, is the more popular type of payment. Let's understand a Push payment with the help of a hypothetical scenario:

Rohit and Virat went out for dinner last night. Rohit wants to pay his share to Virat by UPI. Rohit is a customer on PhonePe, and has a VPA rohit45@ybl mapped to his bank account in SBI. Virat is a customer on Gpay, and has a VPA virat18@okhdfc mapped to his bank account in ICICI.

  1. Rohit enters Virat’s VPA virat18@okhdfc on PhonePe and initiates a Push payment.
  2. PhonePe will first resolve Rohit’s VPA rohit45@ybl and send a payment request to NPCI with Rohit’s complete account details and Virat’s VPA.
  3. NPCI sends an address resolution request to the payee PSP, in this case Yes bank. Payee PSP will resolve Virat’s VPA and send back the complete details of Virat’s bank account.
  4. NPCI then sends a debit request to the Remitter bank i.e. SBI.
  5. Post successful debit, NPCI sends a credit request to the Beneficiary bank i.e. ICICI.
  6. Once debit and credit are successful, NPCI will send payment confirmation to the Payer and Payee PSP.

Figure: Push Payment

Collect Payment

A collect payment is Payee initiated and can be thought of as a mirror image of the Push payment. All the steps are similar in purpose.

We have discussed P2P payments here. P2M payments are similar but have a few extra validations related to merchants. Next up, we will discuss UPI from a technical point of view.

Glossary

  1. Payer PSP — Acquiring PSP which has acquired and issued VPA to the Payer. In the example discussed above, Yes bank was the Payer PSP who had issued the payer VPA rohit45@ybl to Rohit.
  2. Payee PSP — Acquiring PSP which has acquired and issued VPA to the Payee. In the example discussed above, HDFC bank was the Payee PSP who had issued the payer VPA virat18@okhdfc to Virat.
  3. Remitter PSP — Issuing PSP responsible for debit transaction for the payer. In the example discussed above, the bank where Rohit had his account i.e. SBI was the Remitter PSP.
  4. Beneficiary PSP — Issuing PSP responsible for credit transaction for the payee. In the example discussed above, the bank where Virat had his account i.e. ICICI was the Beneficiary PSP.
  5. P2P payment — Peer-to-Peer payment i.e. money transfer between individuals.
  6. P2M payment — Peer-to-merchant payment i.e. money transfer from individual to business.
