Unified Payment Interface (UPI) was launched by the National Payments Corporation of India (NPCI) in 2016, and since then, it has revolutionised the Indian payment ecosystem.
In the financial year 2022, UPI processed Rs 80 trillion worth of transactions, and recently NPCI also approved an additional 60 million users for WhatsApp UPI. But what makes a UPI transaction secure?
UPI Provides Convenience
UPI has provided consumers with a convenient and fast payment mechanism, whether it is for peer-to-peer (P2P) transaction or online shopping or in-store shopping. UPI can be used anywhere in India without any fee. There are over 150 apps available in the Play Store and App store that facilitate UPI payments, and leading e-commerce operators have also launched their UPI products.
Even people who are not tech savvy can use UPI to make payments, thanks mainly to QR code-based UPI payment features and others. “The form factor of UPI plays a large role in its greater adoption. Simple to remember UPI addresses (phonenumber@upi), shareable UPI QR codes, native chat window experience (Whatsapp pay), and other features make it easy to use,” says Amit Das, co-founder and CEO, Think360.ai, a full-stack data science company.
Click here to know more about why consumers prefer paying with UPI
Traditionally, debit cards, credit cards, net banking payments and others have used two-factor authentication to secure a transaction, but the security measures hindered customer convenience. “In the payments ecosystem, security and convenience of a payment were in an inverse relationship. If the security component was up, then the convenience was down, and vice-versa. For example, debit and credit card payments have two-factor authentication mechanisms. This makes them secure but, at times, slow for the end consumer. But in UPI, a user just needs to remember their mobile number and have the UPI app installed on their phone,” says Saket Modi, an entrepreneur and co-founder and CEO of Safe Security, a cybersecurity and digital business risk quantification company.
With many consumers wanting faster transactions, NPCI’s challenge was to make product that is secure as well as convenient.
Click here to read more about how Genz and millennials prefer quicker transactions using BNPL over other payment methods:
There are two aspects to the security of the UPI network. One is the consumer side which can be publicly seen, and the other is the backend enterprise side security.
The consumer side uses three authentication factors to secure a transaction on the UPI network.
“The first factor of authentication is device binding. The second factor used is KYC verification by sending an SMS to the server. This verifies that the mobile number you have on the device is KYC verified with the bank account in UPI’s network. The third is the UPI PIN,” added Modi.
He explains that every UPI app binds a user with their phone number. So if you use the BHIM UPI app on your mobile, then you can’t use the same particular number to register for BHIM in any other mobile phone without carrying the number on that new device too. “This is because BHIM is bound to your profile with the number present on the mobile, and if you change your mobile, the number will also have to be carried along.”
1) Consumer Side
When a consumer downloads a UPI app from the Play Store or app store, certain safeguards and protocols ensure that the user experience is as secure as possible without hindering convenience.
• SIM Card: A UPI app will not let a user proceed with registration if a valid SIM card is not there. This is because UPI uses the unique cryptographic keys stored in a user’s SIM card to hard bind the device with its server. So the SIM card tied to the phone number registered with the user’s bank has to be present at all times during the usage of the respective UPI app. This also means that if you switch mobiles, you have to install the same SIM card in the new device. Otherwise, the UPI server will not be able to verify your details.
- Location Binding: This is an optional and additional security protocol wherein the UPI app asks for location access from users in order to bind it. When you enable this feature, the UPI payment app will record the transaction’s origin location and device ID both for reference in case of need.
"We have built our UPI app SALT using NPCI's SDK and API tools provided by them. We have also implemented a location binding based transaction recording feature. This allows us to record from which locality or area a customer is making most of their transactions, and if suddenly the same customer account becomes active in some other area very far from his original location, then our system will flag it. We will then contact the customer and inform him about this, and if it's him genuinely transacting, then we will remove the flag; otherwise, we will take necessary actions. This feature helps us protect the customer since, without his knowledge, someone else might be transacting using his account elsewhere," said Mahesh Shukla, Founder and chief executive officer, PayMe India, an RBI-registered NBFC.
• UPI App Passcode: This is optional. When enabled, this feature will ask for a passcode every time you login to the UPI app. This passcode is different from a UPI transaction PIN.
• UPI PIN Registration: At the time of registering for a UPI PIN, the application will ask for a user’s last six digits of debit card and its expiry date. This will then be authenticated using the OTP method. Authentication can also be done using Aadhaar.
Read more about Aadhaar-based UPI registration here•
2) Backend Enterprise Side Security
There are more than a hundred backend security protocols deployed at different levels of a UPI transaction.
UPI was built as a Software Development Kit (SDK) and used an Application Protocol Interface (API) to communicate between them. Both the SDK and API tools have been provided and developed by NPCI. So the security measures are independent of the user’s application’s own security protocols. Therefore, any payment application can use UPI’s SDK to build their own custom app on top of it and use their own security protocols too. However, they will have to use the provided API tools to communicate information between different SDKs.
“We were one of the first security vendors contracted by NPCI to handle security for the UPI network back when they were launched. UPI is actually an SDK-based API toolkit that NPCI gives for use to interested companies. This SDK-based API toolkit can be embedded into any app seamlessly. As a result, the network security is independent of the respective app. NPCI and the payment processing banks will handle all the backend security on the broader UPI network,” added Modi.