UPI: India's Unified Payments Interface

I tell about UPI to my friends in Western countries, When they tell how easy and seamless Apple Pay has made their payments, they&#x27;re often surprised that such system exists here. One can download GPay or plethora of other apps to setup UPI to sync with the bank accounts within minutes and conduct transactions.<p>With vernacular support&#x2F;affordable cellular data, these apps have found its users even among those who have never used a computer in their life to login to their banking portal or used debit card before to conduct any online transactions earlier.<p><i>Now, what &#x27;I&#x27; don&#x27;t like about it</i>,<p>Extraordinary dependence on &#x27;Mobile Number&#x27; for security, RBI(India&#x27;s central bank) requires personal phone number to be synced with the bank account, so these &#x27;UPI&#x27; apps send SMS from the phone at random to &#x27;verify&#x27; that it&#x27;s actually you i.e. if the phone number matches its you. If you are like me, who has the phone in aeroplane mode 24*7 or use cellular on-demand be prepared for transaction failures at best to getting locked out of the UPI apps at worst.<p>Then there is the question of SMS OTP as the backbone of Indian banking infrastructure&#x27;s 2FA security, we know SIM-Jacking attacks are getting prevalent every passing day, coercing an employee of a Telecom who earns minimum wage is not that difficult and especially since there is zero &#x27;cyber-security&#x27; awareness among much of the population; attackers just dupe many of them into giving them the OTP[1].<p>It&#x27;s high time banking infrastructure here start supporting hardware tokens or at least TOTP apps and UPI has to hedge its unique id dependence to email id as well.<p>[1]<a href="https:&#x2F;&#x2F;economictimes.indiatimes.com&#x2F;wealth&#x2F;save&#x2F;beware-of-these-6-frauds-while-making-payments-via-upi-amid-lockdown&#x2F;articleshow&#x2F;75671798.cms" rel="nofollow">https:&#x2F;&#x2F;economictimes.indiatimes.com&#x2F;wealth&#x2F;save&#x2F;beware-of-t...</a>

As a UPI user who is using this from literally day 1 and who is hard core advertiser of this, here are few important points:<p>1. Security: Signup requires phone number validation via SMS and phone number must be registered with bank. It also requires additional details like debit card validation. This makes is hard to spoof. After signup your device finger print is stored with NPCI and this works as 1st factor. An additional PIN is also required during signup. You can send money only from registered device and requires fingerprint and pin validation.<p>2. Every digital transaction in India triggers SMS, so that provides additional transparency to user.<p>3. All payments are from bank account to bank account and they happen in real time! Also no transaction fee!<p>4. Merchants require no special equipments and they advertise their VPA usually via QR code in shops so it’s easy for users to pay.<p>4. Online payments can be either user triggered or can be requested via pushing payment request to user app. However user needs to approve the request with pin.<p>Point 3 &amp; 4 were the biggest reasons why India adopted it pretty quickly. Also ofcourse due to Jio boom &amp; cheap chinese smartphones!

It amazes me how seemingly behind US banking is tech-wise. My home country for instance has the Nigerian Inter-Bank Settlement System for decades; it&#x27;s quite similar to the UPI but primarily led by the central bank (plus participation is mandatory for all banks&#x2F;bank-like institutions).<p>For anyone that&#x27;s curious, the platform&#x27;s home page at <a href="https:&#x2F;&#x2F;nibss-plc.com.ng&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nibss-plc.com.ng&#x2F;</a> has a nice little statistics summary of both POS and account-to-account transactions (you might have to scroll past the fold). There&#x27;s five-minute and whole day numbers for total transactions and error rate broken down into types of errors - it&#x27;s a nice bit of transparency.

I&#x27;d love for the US to adopt a standard that is bank agnostic, like ACH, but allows for near real-time payments from P2P but also person to business payments.<p>It&#x27;s a big problem when Visa, Mastercard, and PayPal control a large part of money transactions.

It is a super exciting time to be doing fintech in India. Here are the open APIs.<p>UPI = Venmo + Paypal<p>UPI Autopay = open credit card subscriptions pull<p>PCR = Open FICO+Equifax<p>NBFC-AA = Open Plaid<p>Digilocker = Open docusign+dropbox<p>OCEN = Open Lendingclub<p>Together, they are called IndiaStack (along with our upcoming health and drone apis).

UPI is a fascinating battle field of tech companies. I had a front seat to some of the negotiations happening to build platforms on UPI. There was a fear in India that foreign tech companies would monopolize that platform.<p>Concurrent with negotiations to build on UPI, there were also leaks and stories by both sides in the press to bolster or communicate positions. For example, there was one story where an official said that a tech CEO made a commitment. The tech CEO did not make that commitment. That company&#x27;s team had their own set of meeting notes confirming their position. Other companies were livid with the tech company for supposedly taking that position. With the story now published, the tech company could not publicly deny the story or else they would anger the other side. So they quietly rolled with it.<p>It is also a credit to PayTM&#x27;s CEO. Their CEO saw that succeeding with UPI was a matter of survival. Backed up against a wall, he fought back against his competitors with everything he had and is winning so far.<p>Someone needs to write a book on the behind the scenes happenings.

Brazil is doing a similar bank-agnostic system called PIX. Kinda interesting how in the previous thread where I mentioned it a lot of people were against it because it was &quot;not competitive&quot; while here I&#x27;m seeing (mostly) praise for UPI.<p>IMHO, this is how it should be, a bank-agnostic standard set by the central bank that other services use to connect to the central and with each other. Competition is good? Yes, but not when it&#x27;s a complete <i>mess</i>.

I love UPI and it has proved to be a boon in this time when I am scared of touching cash. It&#x27;s very fast, easy and quite reliable in my case. In Bangalore, it works literally everywhere. From the smallest shops to big supermarkets. Many small shopkeepers even discourage me from paying in cash.<p>But people need to realize one aspect of UPI that it is exactly as unsafe as cash. Would you send cash to someone over the phone for accepting delivery of a product later? No. So don&#x27;t do that with UPI.<p>Use UPI when it would be appropriate to use cash, when you&#x27;re standing face to face with the seller. Just think of it as more convenient cash. Otherwise, it is ripe for exploitation by thieves.

RBI recently issued a circular inviting companies to build a retail payments network, in parallel to UPI [1], under New Umbrella Entity (NUE).<p>Two key aspects of NUE are, it could be a for-profit, and it&#x27;ll be governed by India&#x27;s FDI rules, meaning foreign investments are allowed and could even be encouraged as FDI rules get relaxed.<p>Both these are in direct contrast to NPCI&#x27;s charter which is a not-for-profit and entirely owned by Indian entities. In fact NPCI is a quasi government organisation, owned by a combination of RBI and Indian banking association.<p>Google (through its India subsidiary) has already applied for building&#x2F;operating an NUE, and I won&#x27;t be surprised if Facebook has done it too.<p>I just hope that 20 years down the line we won&#x27;t end up with a fragmented quagmire with half a dozen payment networks each of which don&#x27;t talk to anyone else. UPI solved a huge problem of interoperability and it&#x27;ll be a shame if its seamlessness is squandered away.<p>[1] <a href="https:&#x2F;&#x2F;www.rbi.org.in&#x2F;scripts&#x2F;bs_viewcontent.aspx?Id=3832" rel="nofollow">https:&#x2F;&#x2F;www.rbi.org.in&#x2F;scripts&#x2F;bs_viewcontent.aspx?Id=3832</a>

It takes like 3 days to pay my Chase credit-card from my Citibank account. Lots of waste happening in the financial system.

Engineering wise, it&#x27;s a miracle that UPI works. All of the banks have very little in the way of consistency checks and proper abstractions. Everything is superglued together and very brittle. There was clearly little direct communication between NPCI, the issuing banks, and the users of the apis in development.<p>I agree with India&#x27;s protectionist attitudes that&#x27;s kept Western companies from monopolizing the ecosystem though. It works well enough, much to chagrin of SV tech companies lol.

Great idea; let&#x27;s have USPS administer it, like they used to do for money orders and wire transactions. No sense in replacing Mastercard with Google.

As an Indian citizen living in Germany right now, I sorely miss UPI. My workflow to order food in India - 1) open app and add things to cart 2) Google Pay (linked to UPI) prompts for my fingerprint and that&#x27;s it. In Germany, I mostly end up using SOFORT which involves remembering my account number, pin, and then using a mobile OTP. There&#x27;s no &quot;easy&quot; way to transfer money to friends - everyone either uses paypal or Transferwise, which requires an additional step to withdraw funds to your bank account. When shopping at brick and mortar shops, the payment options are either cash or a card. For a country that enjoys such a high standard of living, Germany has surprisingly underwhelming digital banking infrastructure.

The big concern I have here is that the address resolution seems similar to DNS... Which is very bad, IMHO. Are they taking necessary steps to mitigate ddos and Man in the middle attacks? If they&#x27;re not, they&#x27;re seeing themselves up for major disaster.

UPI is growing at an incredible rate.<p>One important reason for the growth is the explosive increase in 4G connectivity in the last 4 years, which has data usage on mobile see a compound average growth of 93% to become the highest in the world at 11.2 GB per user &#x2F; month. The rates are almost laughably cheap, at around 0.20 USD&#x2F;GB.<p>COVID has also driven more recent growth because people don&#x27;t want to handle cash.

The best feature of UPI for me is that it provides USSD code (*99#) to interact with the UPI. Since I only use FLOSS apps (via f-droid.org) on my LineageOS I use UPI without installing any UPI app (which all are proprietary e.g. PayTm, Gpay etc.).

There are just so many things that make me fearful of either losing my phone or having it irreparably damaged. The account recovery process can be a. too hard or impossible (Hi Gitlab!) or b. too easy (too simple security questions).

I&#x27;ve made five trips to India for business, the most recent was in 2017. The system that was instituted just before my last trip caused me major problems, as suddenly two things happened: foreign credit cards were no good for payments online (I had to get a colleague to buy my Taj Mahal ticket online and pay him back with cash), and it was suddenly much more difficult for some people I was trying to pay to accept payments in cash; restaurants and hotels could still get it done, but for others it was a major problem. I hope they have these issues straightened out by now.

The article looked great until the introduction of the NPCI system. It&#x27;s essentially a single point of failure, and the best place to observe all the transaction of the whole country. It&#x27;s controlled by the Government so it will be really tempting to peek into it.<p>&gt; Imagine the pain that everyone has to go through in reaching a consensus when configurations or infrastructures change. It would be chaos.<p>Welcome to the Internet.

Slightly OT, but what&#x27;s the simplest way to offer more payment options online in India? Is there a way to set up UPI as a foreign company?<p>For context: we&#x27;re a small B2C bootstrapped company offering online anatomy learning. We use Stripe and Paypal (via Fastspring), but it seems like it&#x27;s far from enough for the local market in India...

This looks like a Bancontact&#x2F;SEPA combination.

Remembering Bank A&#x2F;c number + IFSC is safe&#x2F;better

As if what we need is even more surveillance capitalism...

UPI is not nice.<p>1) UPI is unreliable. Based on my experience, it doesn&#x27;t work many times per day. I once needed to beg my friend to pay for me after realizing that it didn&#x27;t work when i purchased something in shop but had no money(only upi account)<p>2) It is closed source. UPI forces every App that uses UPI to use it&#x27;s closed source code.<p>3) I find Bank transfer like IMPS&#x2F;NEFT more reliable than UPI.<p>4) One advantage of UPI is it&#x27;s id which led to discovery of account (through qr code) . This is also the reason it got adopted by people.