Unified Payment Interface
![Page 1: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/1.jpg)
Unified Payment Interface
National Payment Corporation of India
- Akash Chandra
![Page 2: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/2.jpg)
What is NPCI ?
![Page 3: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/3.jpg)
NPCI
NPCI (National Payment Corporation of India) is the umbrella organization for all retail payments in India. It was set up by RBI and IBA in April 2009.
- NPCI launched IMPS.
- NPCI launched the RuPay card.
- NPCI's current initiative is the launch of UPI.
![Page 4: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/4.jpg)
UPI
Unified Payment Interface is a system that provides an architecture and a standard set of APIs to facilitate immediate online payments.
Core features of UPI:
- Open Source
- Mobile First
- Interoperable
- Instantaneous
- Secure
- Cheap
- Simple
- Innovative
- Easily Adaptable
![Page 5: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/5.jpg)
How UPI Functions with NPCI ?
![Page 6: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/6.jpg)
First, understanding AEPB and DBT with NPCI
AEPB: Aadhaar Enabled Payment Bridge
DBT: Direct Benefit Transfer
![Page 7: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/7.jpg)
Understanding AEPB and DBT with NPCI
Diagram: Government Institution, Sponsor Bank, Destination Bank, Beneficiary, NPCI Centrally Mapped Repository
![Page 8: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/8.jpg)
NPCI Central Repository
NPCI maintains an association between a customer's Aadhaar number, mobile number and bank accounts. This central repository can be used to route payment instructions based on Aadhaar number or mobile number.
![Page 9: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/9.jpg)
UPI with NPCI
The Payer/Payee information is sent, via the PSP, to NPCI.
To identify the details of the second party involved, NPCI either uses its repository or contacts the second party's PSP.
Diagram: Point of Sale (Payer), UPI, NPCI Centrally Mapped Repository, PSP to resolve Virtual Address
![Page 10: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/10.jpg)
UPI with NPCI
Once both PSPs' information is available, NPCI proceeds with the debit and credit processes.
On successful completion the payer and payee PSPs are notified, which then notify their customers.
Diagram: Point of Sale (Payer), Payer's Bank, Payee's Bank, Point of Sale (Payee)
![Page 11: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/11.jpg)
Technical Architecture of UPI Gateway
![Page 12: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/12.jpg)
The payment can also be processed using a USSD code via NUUP (National Unified USSD Platform).
![Page 13: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/13.jpg)
Core Elements in Payment
- Payer and Payee account and institution details for routing the transaction.
- Authentication credentials (password, PIN, biometrics, CVV, etc. as required for debit; can be bank provided or 3rd party provided such as UIDAI).
- Transaction amount.
- Transaction reference.
- Timestamp.
- Other metadata attributes such as location, product code, mobile number, device details, etc. as required.
![Page 14: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/14.jpg)
Virtual Payment Address
![Page 15: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/15.jpg)
Virtual Payment Address features
- Unique mapping to an identifier (person / entity).
- Global identifier (Aadhaar number and mobile number).
- PSPs can offer multiple virtual addresses to customers.
- Pay and collect money.
- Pre-authorization of multiple payments using ECS one time secure authentication and rule based access.
- Standard set of APIs.
- 1-click 2-factor authentication.
![Page 16: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/16.jpg)
Virtual Address Architecture
Normalized architecture for a payment address: "account@provider".
The address must be made up of: 'a-z', 'A-Z', '0-9', '. (dot)', '- (hyphen)'.
The payment address can be issued by:
- Bank: shyam.444@icici
- PSP: abdul2014.irctc@mypsp
- PPI: 000012346789@myppi
NPCI (using global identifiers):
- IFSC code and account number as [email protected] e.g. [email protected]
- Aadhaar number as [email protected] e.g. [email protected]
- Mobile number as [email protected] e.g. [email protected]
![Page 17: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/17.jpg)
Virtual Address Architecture
- RuPay card number as [email protected] e.g. [email protected]
- One-time or time/amount-limited tokens issued by a PSP, resolved directly by that PSP, are represented as token@psp-code e.g. ot123456@mypsp
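The address format above can be enforced with a strict parser before an address is routed or shown to a customer. The following is an added example, not part of the original slides; the function names, the verified list entry and the case-insensitive comparison are assumptions.

```python
import re

# Allowed characters from the slide: a-z, A-Z, 0-9, dot and hyphen (ASCII only).
PART = re.compile(r"[A-Za-z0-9.-]+")

# Constructed stand-in for a cached "verified address" list (hypothetical entry).
VERIFIED_ADDRESSES = {"irctc@mypsp"}


class InvalidAddress(ValueError):
    """Raised when a string is not a well-formed account@provider address."""


def parse_vpa(raw):
    """Split 'account@provider' and enforce the slide's character set."""
    if raw.count("@") != 1:
        raise InvalidAddress("expected exactly one '@'")
    account, provider = raw.split("@")
    for label, part in (("account", account), ("provider", provider)):
        if not PART.fullmatch(part):
            raise InvalidAddress(f"{label} part is empty or has disallowed characters")
    return account, provider


def is_verified(raw):
    """True only for a well-formed address that is on the verified list.

    Comparing case-insensitively is an assumption of this example.
    """
    try:
        account, provider = parse_vpa(raw)
    except InvalidAddress:
        return False
    return f"{account}@{provider}".lower() in VERIFIED_ADDRESSES


if __name__ == "__main__":
    samples = ["shyam.444@icici", "ot123456@mypsp", "irctc@mypsp",
               "ir\u0441tc@mypsp",       # constructed: Cyrillic look-alike letter
               "irctc@mypsp@other", " irctc@mypsp"]
    for s in samples:
        try:
            print(repr(s), "->", parse_vpa(s), "verified:", is_verified(s))
        except InvalidAddress as exc:
            print(repr(s), "-> rejected:", exc)
```

Because the pattern lists ASCII ranges explicitly, a look-alike Unicode letter fails the format check before any comparison against the verified list happens.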
![Page 18: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/18.jpg)
Virtual Address Architecture
If the virtual ID is not created using identifiers that NPCI understands (Aadhaar number, mobile number, IFSC code, RuPay card number etc.), then NPCI requests the PSP to decrypt the address using the Translate APIs.
![Page 19: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/19.jpg)
Payments Structure
![Page 20: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/20.jpg)
Types of Payment Request
- Direct Pay
  - Sender/Payer Initiated
  - System Initiated
- Collect Pay
  - Remote Collect
  - Local Collect
![Page 21: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/21.jpg)
Direct Pay
Sender Initiated: The sender provides his credentials and the receiver's virtual address using his payment application. E.g. sending money to a friend.
System Initiated: Digitally signed request with the receiver's virtual address. E.g. system-generated daily payment to agents.
![Page 22: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/22.jpg)
Direct Pay
Direct Pay Transaction Flow
![Page 23: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/23.jpg)
Collect Pay
Remote Collect: The payee sends the request to the payer's phone (through USSD or smartphone), so the payee doesn't have to enter any credential.
Note: Local exchange of encrypted credentials is not currently supported in UPI.
The sender's phone, on arrival of the request, becomes the point of entry of secure credentials.
Local Collect: Here the payer's address is captured to send the payment request.
![Page 24: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/24.jpg)
Collect Pay
Collect Pay Transaction Flow
![Page 25: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/25.jpg)
API Handling
![Page 26: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/26.jpg)
Important features of API
- APIs behind the existing systems at NPCI are done over ISO 8583 messages (0200/0210).
- Asynchronous: The request and response are sent via separate APIs, allowing the APIs to work in a non-blocked mode.
- Unique Transaction ID for every response.
- APIs are exposed via HTTPS using XML input and output.
![Page 27: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/27.jpg)
Important features of API
- API input data is to be sent to the URL in XML format with Content-Type "application/xml" or "text/xml".
- URL: https://<host>/upi/<api>/<ver>/urn:txnid:<txnId>
  - host: API server address.
  - upi: Static value to denote a UPI transaction.
  - api: Name of the API URL endpoint.
  - ver: Version of the APIs being used.
  - txnId: Transaction ID, which will be used for load balancing purposes at the UPI end.
![Page 28: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/28.jpg)
Acknowledgement API
All APIs have the same ack response, as given below:
<upi:Ack xmlns:upi="" api="" reqMsgId="" err="" ts=""/>
- Ack: root element name of the acknowledgement message.
- api: name of the API for which the acknowledgement is given out.
- reqMsgId: message ID of the input for which the acknowledgement is given out.
- err: this denotes any error in receiving the original request message.
- ts: the timestamp at which the receiver sends the acknowledgement.
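A sender that receives an Ack should tie it back to the request it actually sent before treating that request as delivered. The following is an added example, not part of the original slides; the namespace URI, the path-component character set, the host name and all sample values are placeholders, since the slide leaves them empty.

```python
import re
import xml.etree.ElementTree as ET

UPI_NS = "urn:example:upi"  # placeholder: the slide shows xmlns:upi="" (empty)
SAFE = re.compile(r"[A-Za-z0-9._-]+")  # assumed character set for path parts


def api_url(host, api, ver, txn_id):
    """Build https://<host>/upi/<api>/<ver>/urn:txnid:<txnId> from vetted parts."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:[0-9]+)?", host):
        raise ValueError("unsafe host")
    for value in (api, ver, txn_id):
        if not SAFE.fullmatch(value):
            raise ValueError(f"unsafe path component: {value!r}")
    return f"https://{host}/upi/{api}/{ver}/urn:txnid:{txn_id}"


def check_ack(xml_text, api, msg_id):
    """Return (ok, reason) for an Ack received in reply to request msg_id."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return False, "DTD or entity declarations are not accepted"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f"{{{UPI_NS}}}Ack":
        return False, "root element is not upi:Ack"
    if root.get("api") != api or root.get("reqMsgId") != msg_id:
        return False, "Ack does not match the outstanding request"
    if root.get("err"):
        return False, f"receiver reported error {root.get('err')}"
    return True, "accepted"


# Constructed sample acknowledgement (all attribute values are made up).
SAMPLE_ACK = ('<upi:Ack xmlns:upi="urn:example:upi" api="ReqPay" '
              'reqMsgId="MSG-0001" err="" ts="2016-01-01T10:00:00+05:30"/>')

if __name__ == "__main__":
    print(api_url("psp.example", "ReqPay", "1.0", "TXN-0001"))
    print(check_ack(SAMPLE_ACK, "ReqPay", "MSG-0001"))
    print(check_ack(SAMPLE_ACK, "ReqPay", "MSG-0002"))
```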
![Page 29: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/29.jpg)
19 APIs provided by UPI
![Page 30: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/30.jpg)
API : ReqPay
Single API will be used for both Direct Pay and Collect Pay.
In Direct Pay, Sender will provide his/her complete credentials and only the virtual address of the Receiver.
In Collect Pay, the Receiver will provide his complete credentials and only the virtual address of the Sender.
![Page 31: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/31.jpg)
API : RespPay
To send back the response of the ReqPay API after the transaction.
![Page 32: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/32.jpg)
API : ReqAuthDetails
Used to authorize payment and also translate the PSP's virtual address to global identifiers (like mobile number, Aadhaar number, account + ID).
![Page 33: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/33.jpg)
API : RespAuthDetails
This API is used by PSPs to authorize payment and send the required details to NPCI
![Page 34: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/34.jpg)
API : List PSP
This API allows the PSPs to request for all the registered PSPs with NPCI. This data is used for validating the PSP during the process of transaction.
![Page 35: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/35.jpg)
API : List Account Providers
This API allows the PSPs to request for all the registered PSPs with NPCI. This data is used for validating the PSP during the process of transaction.
![Page 36: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/36.jpg)
API : List Keys
This API allows the PSPs to request for and cache the list of public keys of account providers and other entities in the UPI eco system
![Page 37: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/37.jpg)
API : List Account
API allows PSPs to find the list of accounts linked to the mobile by an account provider.
![Page 38: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/38.jpg)
API : List Verified Address Entries
API allows PSPs to request and cache the List of Verified Address Entries to protect customers from attempts to spoof well known merchants such as LIC, Indian Railways, ecommerce players, telecom players, bill payment entities, etc.
![Page 39: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/39.jpg)
API : Validate Address
This API will be used by the PSPs when their customer wants to add a beneficiary within the PSP application (for sending & collecting money).
![Page 40: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/40.jpg)
API : Set Credentials
This API is required for providing a unified channel for setting and changing MPIN across various account providers.
![Page 41: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/41.jpg)
API : Check Txn Status
This API allows the PSPs to request the status of the transaction.
The PSPs must request the status only after the specified timeout period.
![Page 42: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/42.jpg)
API : OTP-Request
This API allows the PSPs to request for an OTP for a particular customer from an issuer.
![Page 43: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/43.jpg)
API : Balance-Enquiry
This API allows the PSP to request a balance enquiry for a user.
![Page 44: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/44.jpg)
API : HeartBeat Messages
This API is a mechanism for UPI system monitoring (monitoring connection with PSPs and sending EOD to PSPs).
![Page 45: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/45.jpg)
API : Request Pending Messages
This API allows the PSP to request pending messages against a given mobile number or Aadhaar number.
![Page 46: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/46.jpg)
API : Request Txn Confirmation
This API provides transaction status confirmation from UPI to PSP. At the end of every transaction, this API will be initiated to the second PSP for status confirmation.
![Page 47: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/47.jpg)
Time Bound Request
The part of code below shows the time bound aspect of the transactions.
<Rules>
  <Rule name="EXPIREAFTER" value="1 minute to max 64800 minutes"/>
  <Rule name="MINAMOUNT" value=""/>
</Rules>
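The EXPIREAFTER rule in the `<Rules>` fragment only protects the payer if the receiving side rejects out-of-range values and refuses to act on a request once its window has passed. The following is an added example, not part of the original slides; it assumes the value is carried as a plain integer number of minutes and that timestamps are timezone-aware, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MIN_EXPIRE, MAX_EXPIRE = 1, 64800  # minutes, the range stated on the slide


def expire_after_minutes(rules_xml):
    """Read EXPIREAFTER from a <Rules> block and enforce the allowed range."""
    root = ET.fromstring(rules_xml)
    values = [rule.get("value") or "" for rule in root.iter("Rule")
              if rule.get("name") == "EXPIREAFTER"]
    if len(values) != 1:
        raise ValueError("exactly one EXPIREAFTER rule is expected")
    value = values[0]
    # Accept ASCII digits only: no signs, spaces, decimals or Unicode digits.
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"EXPIREAFTER is not a whole number: {value!r}")
    minutes = int(value)
    if not MIN_EXPIRE <= minutes <= MAX_EXPIRE:
        raise ValueError(f"EXPIREAFTER out of range: {minutes}")
    return minutes


def is_expired(created, rules_xml, now):
    """True once 'now' has reached created + EXPIREAFTER minutes."""
    return now >= created + timedelta(minutes=expire_after_minutes(rules_xml))


if __name__ == "__main__":
    # Constructed sample: a request created at 10:00 UTC that expires after 30 minutes.
    rules = ('<Rules><Rule name="EXPIREAFTER" value="30"/>'
             '<Rule name="MINAMOUNT" value=""/></Rules>')
    created = datetime(2016, 1, 1, 10, 0, tzinfo=timezone.utc)
    for offset in (29, 30, 31):
        now = created + timedelta(minutes=offset)
        print(offset, "minutes later, expired:", is_expired(created, rules, now))
```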
![Page 48: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/48.jpg)
Security Considerations
![Page 49: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/49.jpg)
Class of Information
Non-Sensitive Data
- Name, transaction history (amount, timestamp, response code, location, etc.)
- Can be stored in unencrypted form.
Sensitive Data
- PIN, passwords, biometrics, etc.
- Not to be stored and should only be transported in encrypted form.
Private Data
- Account number, etc.
- May be stored by the PSP, but only in encrypted form.
![Page 50: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/50.jpg)
Class of Information
- The PSP is mandated to use a secure protocol when transmitting sensitive data such as account details from the device to the PSP server.
- With Collect Pay request PSP needs to show the KYC information central system (using NPCI's API).
- PSPs are mandated to safeguard account information within the PSP system as per regulatory and payment card industry (PCI DSS) compliance standards.
![Page 51: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/51.jpg)
Protecting Authentication Credentials
- All APIs must be done over a secure channel (HTTPS).
- A trusted common library for credentials (MPIN, password, PIN, biometric) is provided by NPCI.
- The Payment Service Provider can't store issuer specific authentication credentials outside the common library.
- Credentials are encoded with Base64 encoding and are provided only during the transaction by UPI.
- The PSP can't store the encrypted credentials in any permanent storage.
- Every message within the unified system must be digitally signed.
- Every message has a unique transaction ID (that spans across the organizations for the same transaction) and a unique message ID for every request-response pair.
![Page 52: Unified Payment Interface](https://reader036.fdocuments.us/reader036/viewer/2022081502/586fb8741a28abe57d8b815d/html5/thumbnails/52.jpg)
Thanks!
Thank You !!