UPI provides a transparent and convenient payment option, but how secure is it?
The Unified Payment Interface (UPI) was launched by the National Payments Corporation of India (NPCI) in 2016, and since then it has revolutionized the Indian payment ecosystem.
In FY 2022, UPI processed Rs 80 trillion worth of transactions, and recently NPCI also approved an additional 60 million users for UPI on WhatsApp. But what makes a UPI transaction secure?
UPI offers convenience
UPI has provided consumers with a convenient and fast payment mechanism, whether for peer-to-peer (P2P) transactions or online or in-store purchases. UPI can be used anywhere in India free of charge. There are more than 150 apps available on the Play Store and App Store that facilitate UPI payments, and major e-commerce operators have also launched their own UPI products.
Even people who are not tech-savvy can use UPI to make payments, mainly thanks to UPI’s QR code-based and other payment features. “The UPI form factor plays an important role in its wider adoption. Easy to remember UPI addresses (phone [email protected]), shareable UPI QR codes, native chat window experience (Whatsapp pay) and other features make it easier to use,” says Amit Das, co-founder and CEO of Think360.ai, a comprehensive data science company.
NPCI announced the approval on Twitter on April 13, 2022: “We are happy to share that we have given our approval to sixty (60) million additional users on UPI for WhatsApp. To learn more, visit: https://t.co/MVOPKPMV6g”
Traditionally, debit cards, credit cards, net banking and other payment methods have used two-factor authentication to secure a transaction, but those security measures have hampered customer convenience. “In the payments ecosystem, the security and convenience of a payment were in an inverse relationship. If the security component was in place, then the convenience was down, and vice versa. Debit and credit cards have two-factor authentication mechanisms. This makes them safe but sometimes slow for the end consumer. But in UPI, a user just needs to remember their mobile number and install the UPI app on his phone,” says Saket Modi, entrepreneur and co-founder and CEO of Safe Security, a cybersecurity and digital business risk quantification company.
With many consumers wanting faster transactions, NPCI’s challenge was to create a product that was both secure and convenient.
The security of the UPI network has two sides. One is the consumer side, which is publicly visible, and the other is the backend, business-side security.
The consumer side uses three authentication factors to secure a transaction on the UPI network.
“The first authentication factor is device binding. The second factor used is KYC verification by sending an SMS to the server. This verifies that the mobile number you have on the device is KYC verified with the account bank of the UPI network. The third is the UPI PIN,” Modi added.
He explains that each UPI app ties a user to their phone number. So, if you are using the BHIM UPI app on your mobile, you cannot use the same particular number to register for BHIM on another mobile phone without also porting the number to this new device. “This is because BHIM is linked to your profile with the number present on the mobile, and if you change your mobile, the number will also have to be taken.”
1) Consumer side
When a consumer downloads a UPI application from the Play Store or App Store, certain safeguards and protocols ensure that the user experience is as secure as possible without hampering convenience.
• SIM card: A UPI application will not allow a user to register if there is no valid SIM card. This is because UPI uses the unique cryptographic keys stored in a user’s SIM card to hard link the device to its server. Thus, the SIM card linked to the phone number registered with the user’s bank must be present at all times when using the respective UPI application. It also means that if you change your mobile, you must install the same SIM card in the new device. Otherwise, the UPI server will not be able to verify your details.
• UPI Application Access Code: This is optional. When enabled, this feature will prompt for a password each time you log into the UPI app. This password is different from a UPI transaction PIN.
• UPI PIN registration: When registering a UPI PIN, the application will ask for the last six digits of the user’s debit card and its expiration date. This will then be authenticated using the OTP method. Authentication can also be done using Aadhaar.
• Location Binding: This is an optional and additional security protocol in which the UPI application requests access to the user’s location in order to bind the device to it. When you enable this feature, the UPI payment app saves the transaction’s originating location and device ID for reference when needed.
“We have built our UPI SALT application using NPCI’s SDK and API tools provided by them. We have also implemented a transaction recording feature based on location binding. This allows us to record from which locality or area a customer transacts most of their transactions, and if suddenly the same customer account becomes active in another area far away from their original location, our system will flag this, and we will then contact the customer and they will let us know, and if they’re actually making the transaction, we’ll remove the flag; if not, we’ll take action. This feature helps us protect the customer because, without their knowledge, someone else might transact using his account elsewhere,” said Mahesh Shukla, Founder and CEO of PayMe India, an RBI-registered NBFC.
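The location-binding workflow Shukla describes (save each transaction’s originating location and device ID, flag activity that appears far from the customer’s usual area, contact the customer, then clear the flag or take action) can be sketched as a small monitoring component. The Python below is an added illustration written for this page, not PayMe India’s or NPCI’s code; the 50 km radius, the three-transaction minimum before a baseline exists, the centroid-of-history baseline, the hold-until-confirmed handling of flagged transactions and the sample coordinates near Mumbai and Delhi are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer_id: str
    device_id: str      # device identifier saved alongside the location, as the article describes
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


class LocationBindingMonitor:
    """Hypothetical location-binding check (assumed design, not any provider's real system)."""

    def __init__(self, radius_km: float = 50.0, min_history: int = 3) -> None:
        self.radius_km = radius_km        # assumed: beyond this distance a transaction is unusual
        self.min_history = min_history    # assumed: cleared transactions needed before a baseline exists
        self.history: Dict[str, List[Transaction]] = {}              # cleared transactions per customer
        self.pending: Dict[str, Tuple[Transaction, str]] = {}        # flagged, awaiting customer contact

    def usual_location(self, customer_id: str) -> Optional[Tuple[float, float]]:
        """Centroid of the customer's cleared transaction locations, or None if too few."""
        txns = self.history.get(customer_id, [])
        if len(txns) < self.min_history:
            return None
        return (sum(t.lat for t in txns) / len(txns), sum(t.lon for t in txns) / len(txns))

    def assess(self, txn: Transaction) -> Optional[str]:
        """Record the transaction, or hold it and return a reason if it is far from the usual area."""
        usual = self.usual_location(txn.customer_id)
        if usual is not None:
            distance = haversine_km(txn.lat, txn.lon, usual[0], usual[1])
            if distance > self.radius_km:
                reason = f"{distance:.0f} km from usual area (limit {self.radius_km:.0f} km)"
                self.pending[txn.txn_id] = (txn, reason)   # held until the customer is contacted
                return reason
        self.history.setdefault(txn.customer_id, []).append(txn)
        return None

    def confirm(self, txn_id: str, customer_made_it: bool) -> str:
        """Resolve a flag after contacting the customer: clear it or escalate."""
        txn, _ = self.pending.pop(txn_id)
        if customer_made_it:
            # Genuine transaction: remove the flag and let the new location join the baseline.
            self.history.setdefault(txn.customer_id, []).append(txn)
            return "cleared"
        return "escalated"   # placeholder for the provider's own action, e.g. blocking the account


def run_sample() -> dict:
    """Constructed sample: four transactions around Mumbai, then one from Delhi."""
    mumbai = (19.0760, 72.8777)   # approximate city-centre coordinates, constructed for the demo
    delhi = (28.6139, 77.2090)
    sample = [
        Transaction("T1", "C42", "dev-A", mumbai[0] + 0.01, mumbai[1]),
        Transaction("T2", "C42", "dev-A", mumbai[0], mumbai[1] + 0.02),
        Transaction("T3", "C42", "dev-A", mumbai[0] - 0.01, mumbai[1] - 0.01),
        Transaction("T4", "C42", "dev-A", mumbai[0] + 0.03, mumbai[1] + 0.01),
        Transaction("T5", "C42", "dev-A", delhi[0], delhi[1]),
    ]
    monitor = LocationBindingMonitor()
    reasons = {t.txn_id: monitor.assess(t) for t in sample}
    flagged = [tid for tid, reason in reasons.items() if reason]
    # The customer confirms T5 was genuine, so the flag is removed.
    outcome = monitor.confirm("T5", customer_made_it=True)
    return {
        "flagged": flagged,
        "pending_after_confirm": sorted(monitor.pending),
        "outcome": outcome,
        "history_len": len(monitor.history["C42"]),
    }


if __name__ == "__main__":
    print(run_sample())
```

Two design points matter here: a flagged transaction is held out of the baseline until the customer confirms it, so a fraudulent location cannot quietly shift the customer’s “usual area” toward itself, and no baseline is used until a few cleared transactions exist, so a brand-new customer is not flagged on their first purchase away from home. A real deployment would also weigh the recorded device ID and transaction timing, which this sketch deliberately leaves out.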
2) Backend business side security
There are over a hundred backend security protocols deployed at different levels of a UPI transaction.
UPI was designed as a Software Development Kit (SDK) that uses an Application Programming Interface (API) so that participating applications and the UPI backend can communicate with each other. The SDK and API tools were developed and provided by NPCI. Thus, the network’s security measures are independent of each payment app’s own application security protocols. Any payment application can use UPI’s SDK to create its own custom application and also apply its own security protocols on top. However, it will need to use the provided API tools to exchange information with other SDK-based applications.
“We were one of the first security vendors hired by NPCI to manage the security of the UPI network when it launched. UPI is actually an SDK-based API toolkit that NPCI offers to interested companies. This SDK-based API toolkit can be seamlessly integrated into any application. As a result, network security is independent of the respective application. NPCI and payment processing banks will manage all backend security on the wider UPI network,” Modi added.