Unified Payments Interface (UPI)

UPI Technology


Page 1: UPI Technology

Unified Payments Interface (UPI)

Page 2: UPI Technology

What is UPI

The Unified Payments Interface (UPI) offers an architecture and a set of standard Application Programming Interface (API) specifications to facilitate online payments. It aims to simplify and provide a single interface across all NPCI systems besides creating interoperability and superior customer experience.

Instant “Pay” (push) and “Collect” (pull) using single click two factor authentication where mobile is first factor (what you have) and MPIN/Biometrics (what you know/are) as second factor.

Ability to use Virtual Payment Addresses (VPA), thus eliminating the need to provide sensitive account information to merchants or other individuals.

Page 3: UPI Technology

UPI Architecture

[Diagram: Scalable Architecture. Labels shown: Banks; Payment System Players (PSP); Mobile application; 3rd Party Apps (Collect only); Internet Banking; *99#; Standard Interface; Unified Payments Interface; NPCI; IMPS; AEPS; RuPay; Ecom; APBS; NACH; NFS; Central Repository UID-BIN.]

Page 4: UPI Technology

What is Virtual Payment Address

A “payment address” is an abstract form representing a handle that uniquely identifies account details in a “normalized” notation.

Virtual Payment Addresses are denoted as “account@provider”.

PSPs can allow their customers to create any number of virtual payment addresses and attach various authorization rules to them.

PSPs may offer “one time use” addresses, “amount/time limited” addresses or “limit to specific payees” addresses to customers.
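The authorization rules named on this slide can be read as a per-address policy check. The following is an added example, not code from NPCI or any PSP: the `VpaRules` fields, the reason strings and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

def parse_vpa(vpa):
    """Split 'account@provider'; require exactly one '@' and two non-empty parts."""
    account, sep, provider = vpa.partition("@")
    if not sep or not account or not provider or "@" in provider:
        raise ValueError(f"not an account@provider address: {vpa!r}")
    return account, provider

@dataclass
class VpaRules:
    """Hypothetical rule set a PSP attaches to one payer address."""
    one_time: bool = False                            # "one time use"
    max_amount: Optional[int] = None                  # amount limit, in paise
    expires_at: Optional[datetime] = None             # time limit
    allowed_payees: Optional[FrozenSet[str]] = None   # "limit to specific payees"
    used: bool = False

def authorize(rules, payee_vpa, amount, now):
    """Check one request against the payer address's rules.
    Returns (allowed, reason); a one-time address is consumed on success."""
    try:
        parse_vpa(payee_vpa)
    except ValueError:
        return False, "malformed payee address"
    if amount <= 0:
        return False, "invalid amount"
    if rules.one_time and rules.used:
        return False, "one-time address already used"
    if rules.expires_at is not None and now >= rules.expires_at:
        return False, "address expired"
    if rules.max_amount is not None and amount > rules.max_amount:
        return False, "amount over limit"
    if rules.allowed_payees is not None and payee_vpa not in rules.allowed_payees:
        return False, "payee not allowed"
    rules.used = True
    return True, "ok"

# Constructed sample values, not real addresses.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

def sample_rules():
    return VpaRules(one_time=True, max_amount=50000,
                    expires_at=datetime(2024, 1, 11, tzinfo=timezone.utc),
                    allowed_payees=frozenset({"shop@mypsp"}))
```

Every denial happens before the address is marked as used, so a rejected request does not burn a one-time address.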

Page 5: UPI Technology

Examples of Virtual Payment Address

A user id provided by PSP, resolved directly by that PSP, is represented as user-id@psp-code (e.g. joeuser@mypsp)

IFSC code and account number combination, resolved directly by NPCI, is represented as [email protected] (e.g. [email protected])

Aadhaar number, resolved directly by NPCI using existing Aadhaar to bank mapper, is represented as [email protected] (e.g. [email protected])

Page 6: UPI Technology

UPI – Message Flow

[Diagram: participants PSP 1, PSP 2, Account Provider 1, Account Provider 2 (A/C providers live in UPI) and UPI. Message pairs shown: ReqPay (PAY/COLLECT) / RespPay; ReqAuthDetail / RespAuthDetail; ReqPay (Debit) / RespPay; ReqPay (Credit) / RespPay.]

Page 7: UPI Technology

Pay Transaction

[Diagram: participants Acquiring Channel (Mobile App/E-Com), Payer PSP, Unified Payments Interface, Payee PSP, Remitter Bank and Beneficiary Bank. Steps are numbered 1 to 10, plus A and B. Message pairs shown: ReqPay / RespPay; ReqAuthDetails / RespAuthDetails; ReqPay debit / RespPay debit; ReqPay credit / RespPay credit; ReqTxnConfirmation / RespTxnConfirmation. Legend: Financial, Non-Financial.]

Page 8: UPI Technology

Collect Transaction

[Diagram: participants Acquiring Channel (Mobile App/E-Com), Payer PSP, Unified Payments Interface, Payee PSP, Remitter Bank and Beneficiary Bank. Steps are numbered 1 to 10, plus A, B, C and D. Message pairs shown: ReqPay / RespPay; ReqAuthDetails / RespAuthDetails; ReqPay debit / RespPay debit; ReqPay credit / RespPay credit; ReqTxnConfirmation / RespTxnConfirmation. Legend: Financial, Non-Financial.]

Page 9: UPI Technology

List of Core APIs

Page 10: UPI Technology

List of Meta APIs

Page 11: UPI Technology

List of Meta APIs

Page 12: UPI Technology

Security features

The UPI solution provides strong end-to-end security and data protection. The key security features of the Unified Payments Interface are:

Device fingerprinting during the registration process

Credential capture through the NPCI Common Library

Credentials encrypted using RSA 2048 asymmetric encryption

The decryption/encryption at NPCI will be performed through an HSM

Message communication between PSPs and UPI over HTTPS

All messages are digitally signed using SHA2 with RSA

Page 13: UPI Technology

NPCI Common Library

The NPCI Common Library will be distributed to PSPs for all three major mobile operating systems, viz. Android, iOS and Windows.

The Common Library has the following security features:

Captures the credentials securely.

Embeds device and transaction related data as salt into the credential block for each transaction, in order to:
  - Prevent the acquiring PSP from replaying the credential block
  - Ensure the actual device fingerprint is sent to NPCI for every transaction
  - Ensure the NPCI Common Library is used for secure credential capture

Encrypts the sensitive data (credentials like OTP, MPIN and biometric data) using RSA 2048 public key encryption.

Verifies the digital signature of the XML payload of public keys before performing the credential capture.
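Why salting the credential block with device and transaction data stops an acquiring PSP from reusing it, as an added example that is not NPCI's code or the Common Library's actual block format. The field names, the SHA-256 salt construction and the JSON layout are assumptions, and the RSA 2048 encryption layer is left out, so the verifier sees the block as it would look after decryption.

```python
import hashlib
import hmac
import json

def make_salt(txn_id, device_fp, amount, payee):
    """Digest over device + transaction data (hypothetical construction).
    A JSON list is hashed so field boundaries cannot be shifted."""
    material = json.dumps([txn_id, device_fp, amount, payee]).encode()
    return hashlib.sha256(material).hexdigest()

def build_credential_block(mpin, txn_id, device_fp, amount, payee):
    """Plaintext the capture library would then encrypt to the public key."""
    salt = make_salt(txn_id, device_fp, amount, payee)
    return json.dumps({"cred": mpin, "salt": salt}).encode()

class CredentialVerifier:
    """Decrypting side: accepts a block only for the request it was built for."""
    def __init__(self):
        self.seen_txn_ids = set()

    def check(self, block, request):
        inner = json.loads(block)
        expected = make_salt(request["txn_id"], request["device_fp"],
                             request["amount"], request["payee"])
        if not hmac.compare_digest(str(inner.get("salt", "")), expected):
            return "reject: block not bound to this request"
        if request["txn_id"] in self.seen_txn_ids:
            return "reject: transaction id already processed"
        self.seen_txn_ids.add(request["txn_id"])
        return "accept"

# Constructed sample request, not real identifiers.
GENUINE = {"txn_id": "TXN-0001", "device_fp": "dev-a1b2",
           "amount": 25000, "payee": "shop@mypsp"}

def demo():
    block = build_credential_block("4321", **GENUINE)
    verifier = CredentialVerifier()
    results = [verifier.check(block, GENUINE)]        # genuine request
    results.append(verifier.check(block, GENUINE))    # same request resent
    for change in ({"txn_id": "TXN-0002"}, {"amount": 900000},
                   {"payee": "other@mypsp"}, {"device_fp": "dev-zzzz"}):
        # the captured block attached to a different request
        results.append(verifier.check(block, {**GENUINE, **change}))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the intermediary cannot decrypt the block, it cannot rebuild the salt for a new transaction; the only block it holds fails the comparison for any request other than the original one.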

Page 14: UPI Technology

Types of Applications

Applications that integrate with PSP Apps to collect Payment
  - Web App, Desktop App, Mobile App etc
  - Re-imagine various use cases that can move to cashless through UPI
  - Sample PSP App/PSP Server provided by NPCI may be used
  - When developing mobile app, deep link to sample PSP app
  - Common Library will be part of Sample PSP and should not be directly used

PSP application itself which is provided to consumers/Merchants
  - PSP server including optional interface/sdk for merchants
  - PSP mobile app for consumers by embedding Common Library

Page 15: UPI Technology

Sample Mobile App Flow – In app Payment

If a UPI-enabled app is not available, the user will be routed to the Play Store/website for the merchant's preferred PSP app.

Page 16: UPI Technology

Sample Mobile App Flow – Collect Pay

UPI Over Internet
