How Do UPI Payments Work?

Getting Under the Hood of the World’s Fastest Growing Payments System

Abhav Kedia
Aug 5, 2020

In July 2020, there were a record 1.49 billion UPI transactions, a 12% MoM increase from June’s 1.33 billion.

Ah UPI, the golden child of digital payments in India. Last week, I claimed that UPI was one of the most advanced payment systems in the world right now. By the end of this post, I hope to give you a reason to believe that.

On November 8, 2016, the Hon’ble PM of India Narendra Modi demonetized 86% of the physical currency in circulation in the country. This was a drastic attempt to reduce the use of cash in the country and merge the parallel and formal economies. In a country that relied heavily on cash for transacting, this sudden shift towards digital payments was not an easy transition. But it was possible.

Possible, because of another event that took place earlier that year. On April 11, 2016, the Unified Payments Interface (UPI) was launched by NPCI, along with BHIM — the reference application for UPI.

What Is UPI?

Very simply put, the Unified Payments Interface is a set of common APIs (i.e., a software middleman) that provides two services — pay (push), and collect (pull). It enables these two operations using something called the Virtual Payment Address (explained below) of each transacting party.

Every customer making or receiving a UPI payment interacts with three key entities — the UPI application on their phones, the Payment Service Provider (PSP) and their Bank. The PSP and the Bank themselves interact with the UPI APIs which are hosted and maintained by the National Payment Corporation of India (NPCI).

UPI applications are the mobile apps that you are most familiar with — like BHIM UPI, PhonePe and Google Pay. They are usually deeply linked with the PSP and embed the PSP functions within themselves.

PSPs handle authentication for the user and connectivity with the bank and NPCI. They also serve as the back-end infrastructure for the UPI applications (aka 3rd Party Application Provider or TPAP). Note that only banks are directly allowed to interact with the UPI switch hosted at NPCI and for this reason, currently only banking entities can play the role of PSP.

Banks that hold the customer’s accounts are responsible for actually debiting the payer and crediting the beneficiary.

OK. Confused?

That’s okay, since there is a lot of jargon that we’ve had to cover. But bear with me and I promise it will be clearer soon, when we look at the transaction flow!

UPI transactions can be done using global identifiers like mobile number and account details or using Virtual Payment Addresses (VPAs). VPAs look something like — username@psp-handle (e.g. zomato@hdfcbank), where the psp-handle is an NPCI specified handle for the PSP. This “email like” address acts as a substitute for your underlying bank account information, while being convenient to remember and easy to share.

Now that we’ve talked about all the individual pieces, let’s see how they fit together in a typical UPI transaction.

Friday Night Pizza

Imagine it’s Friday and you’re gearing up to watch the big game at home. You have all your friends over. What’s missing? Pizza!

So you open up Zomato and decide to order from your favorite Pizza place in town. You pass your phone around and everyone picks out their pizzas and toppings. You are the coolest so you get the classic cheese-and-tomato, bare.

Once everyone’s made their selections, you have to decide how you want to pay. You select UPI from among several payment options since you know that this allows you to complete the entire payment using just your phone! You are now presented with a list of UPI apps to choose from.

  • You select one of these apps, say PhonePe.
  • You are automatically & securely redirected to the PhonePe application from your Zomato app.
  • Here, the virtual payment address (VPA) of the merchant (e.g. zomato@hdfcbank) along with payment information like amount and description are pre-entered from the redirect.
Example UPI Checkout Flow of PhonePe [source]
  • You need to confirm the amount and enter your authentication details.
  • This involves two sets of authentication (also known as Two Factor Authentication) — the first is enabled by your PSP and might be something like screen lock passcode or application PIN. The other is your UPI PIN, a standardized security measure mandated by NPCI.
  • Once you have entered your password and PIN, the payment information is handed over to PhonePe’s Payment Service Provider — the Payer PSP.
UPI Transaction Flow [cred: Sheeba Sheikh]
  1. The VPA of the Payee (Zomato), the payer’s account information and transaction details are securely sent from your phone to your PSP’s server.
  2. They are forwarded to the UPI interface (at NPCI).
  3. [a] UPI forwards this to the Payee PSP. [b] The PSP responds with the account details of the Payee (merchant), using its in-house mapping of VPA to account number.
  4. [a] UPI forwards the account details of the payer (you), obtained in step 2, to your bank and asks them to debit your account. [b] The bank responds to UPI after debiting your account.
  5. [a] UPI then instructs the merchant’s bank, aka beneficiary bank, to credit the payee’s account (obtained in step 4). [b] The beneficiary bank responds with a success to UPI after having credited the payee’s account.
  6. UPI responds to the payer’s PSP with a success confirmation.
  7. You get a notification on your phone saying the payment is successful!

At this point you are redirected back to Zomato, which confirms that your payment has been received and lets you know that your order is on its way!

If you’ve used UPI before, you will know that all of these steps happen in a matter of seconds. That’s very good, because you can’t really wait too long when it comes to pizza.

Note that no money has actually flowed through the PSPs. Indeed, PSPs only act as the authentication and identity brokers in the transaction flow, and the money is transferred directly between the accounts at the underlying banking institutions. The keen observer might have also noticed that not everyone has received the money that is due to them in the transaction flow above. The payer has been debited and the payee has been credited, but the payer’s bank still owes the beneficiary bank.

With 1.49 billion transactions in July, there were on average, about 556 transactions every second on the UPI network. But the banks don’t settle their balances (move money) every time a transaction takes place — that would not be feasible!

Instead, when UPI has received confirmations from both banks about their respective debit and credit transactions (after step 5 above), the NPCI makes a note by calculating and adjusting the net position between both banks, a process called Clearing. That is, the payer bank has to pay the beneficiary bank the amount of this new transaction. This net position changes every time a UPI transaction is made from one bank to another. Similar to credit card processing, these net positions are settled periodically (four times a day in UPI) by actually transferring the money between the banks in a process called Settlement.
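The transaction flow and the clearing step described above can be modelled in a few lines. This is an added sketch, not NPCI's code or part of the original post: the `Switch` class, the handles `pspa` and `pspb`, and the account ids and balances are all constructed, and the PSP, bank and switch roles are collapsed into one in-memory object.

```python
from collections import defaultdict

# Constructed sample data: handles "pspa"/"pspb", account ids and balances are made up.
ACCOUNTS = {("SBI", "A1"): 1000, ("AXIS", "A2"): 500, ("HDFC", "M1"): 0}
# Each PSP's in-house mapping: psp-handle -> username -> (bank, account id).
DIRECTORY = {"pspa": {"you": ("SBI", "A1")},
             "pspb": {"friend": ("AXIS", "A2")},
             "hdfcbank": {"zomato": ("HDFC", "M1")}}

class Switch:
    """Toy stand-in for the UPI switch: routes a pay request, tracks net positions."""

    def __init__(self, accounts, directory):
        self.accounts = dict(accounts)
        self.directory = directory
        self.net = defaultdict(int)  # (bank_a, bank_b), a < b: >0 means a owes b

    def resolve(self, vpa):
        # Step 3: only the PSP that owns the handle can map a VPA to an account.
        user, _, handle = vpa.partition("@")
        try:
            return self.directory[handle][user]
        except KeyError:
            raise LookupError(f"unknown VPA: {vpa}") from None

    def pay(self, payer_vpa, payee_vpa, amount):
        payer, payee = self.resolve(payer_vpa), self.resolve(payee_vpa)
        if amount <= 0 or self.accounts[payer] < amount:
            return "DECLINED"            # debit refused, so no credit and no clearing
        self.accounts[payer] -= amount   # step 4: payer's bank debits
        self.accounts[payee] += amount   # step 5: beneficiary bank credits
        if payer[0] != payee[0]:         # clearing: payer's bank now owes the other
            a, b = sorted((payer[0], payee[0]))
            self.net[(a, b)] += amount if payer[0] == a else -amount
        return "SUCCESS"                 # steps 6-7: confirmation back to the payer

    def settle(self):
        """Settlement: one (from_bank, to_bank, amount) transfer per bank pair."""
        out = [(a, b, n) if n > 0 else (b, a, -n)
               for (a, b), n in sorted(self.net.items()) if n]
        self.net.clear()
        return out

if __name__ == "__main__":
    s = Switch(ACCOUNTS, DIRECTORY)
    print(s.pay("you@pspa", "zomato@hdfcbank", 600))     # pizza order
    print(s.pay("zomato@hdfcbank", "you@pspa", 100))     # partial refund
    print(s.pay("friend@pspb", "zomato@hdfcbank", 700))  # exceeds balance
    print(s.settle())
```

Customer balances change at payment time, while the banks' obligations to each other only accumulate in `net` until `settle()` runs, so the payment and its refund collapse into a single inter-bank transfer.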

The Cake — What Makes UPI So Great?

Several innovations over existing systems make UPI stand out. I will talk about these from two perspectives — interoperability and open innovation.

UPI was designed for radical interoperability between money custodians, payment rails and front-end customer experiences. This is enabled through a common interface and common standards for identifiers and security. These allow UPI to switch seamlessly between different PSPs (and UPI apps) on the front-end and different payment systems on the backend, all enabled through a common security implementation to make life simpler for the payer and the payee.

The simplest example of this interoperability is the inter-bank access of the PSP (Payment Service Provider). This enables it to access the funds in any underlying bank account of the customer. This is a simple but useful feature. Say you have an SBI account and an Axis Bank account, with funds in the SBI account but bill payments due in the Axis account. Before the advent of UPI, you would log into SBI, make a NEFT transfer to your Axis Bank, wait for the payment to complete, then log into your Axis Bank account and pay the bill. With UPI, you can manage your money in both accounts using the same PSP and move your money between them with fewer than 10 clicks/touches!

Another example is the *99# service — a USSD based user experience (the same one that is used to check prepaid balances) for UPI payments. Using this service, the functionality of the payer PSP is performed by a mobile-native interface that allows even feature phone users to initiate payments. Incredibly, this service does not even need an internet connection to transact. Services like these are crucial to bringing the benefits and convenience of UPI payments to everyone in Bharat, a country that has about 500 million feature phone (mobiles other than smartphones) users.

A final example of interoperability is the introduction of mandates in the UPI ecosystem through UPI AutoPay, launched by NPCI just last week. With AutoPay, you can now set up recurring payments for services like bills and insurance premiums.

You can imagine a world where there is seamless interoperability between all your money custodians (banks and pre-paid instruments like wallets), all payment rails (like card networks, RTGS, IMPS & ECS), and enabled through all PSP applications providing accessible and delightful user experiences. In such a future, you will have a common checkout experience whether you’re shopping for clothes in-store, buying books online, paying your bills, buying a car or setting up a mandate for monthly SIP transactions.

Remarkably, despite providing the standardization necessary to enable interoperability as described above, UPI is functionally a minimal, layerable infrastructure that allows innovations on the payer’s end and the acquiring (merchant) end.

By standardizing the second factor of authentication with the UPI PIN, NPCI enables varied customer experiences for the first factor. For example, apps like Google Pay and PhonePe use screen lock and application passcodes, while another application might use biometric information like iris scan and fingerprints. Yet another may use a debit card CVV to authenticate users or solve for visually impaired citizens using voice authentication.

We have talked about how de-linking PSPs and banks provides interoperability. But it also opens the gates to innovation. Today you can use any UPI app for payment initiation, whereas previously you were stuck with your bank’s proprietary netbanking application. Instead, UPI allows innovative technology companies that really understand the user’s needs, preferences and usage of their smartphones to provide accessible and intuitive experiences. This means customized banking applications for different age-groups, different languages and different levels of smartphone use.

Finally, if you’ve shopped online before 2015, you might remember paying through Netbanking. Well, it seemed to work just fine so what was the problem with that? So many things, as described in this excellent piece comparing UPI and Netbanking. These include frustrating, inconsistent integrations for merchants and poor UX and stuck payments for users. But my favorite is the stat that NetBanking checkout took a whopping 50 user clicks/touches on average. With current UPI apps this has come down to fewer than 10!

UPI is transformative public infrastructure designed for robust private innovation.

Wrapping Up — What It All Means

To put this in a larger context, since its launch in 2016, UPI has become an integral first component of India’s move towards Open Banking. This is a paradigm shift that enables the opening up of financial lives of customers by providing access to banking infrastructure and data (with appropriate user consent) for startups and FinTech companies. This leads to better outcomes for all industry participants, but mainly for customers themselves.

UPI marked the first step by opening up payment initiation, and India is steadily progressing towards a fully open financial infrastructure. This progress is bolstered by the recent addition of key new pieces to the fold — the Data Empowerment and Protection Architecture (DEPA) and the Open Credit Enablement Network (OCEN). These are ushering in “UPI moments” in the wealth/finance management and lending spaces respectively.

About DICE

DICE (Digital India Collective for Empowerment) is an industry body focused on the Indian Digital Payments ecosystem. DICE takes an India first approach to creating collaborative industry-regulator relationships in the thriving ecosystem. Follow us at @indiadice on Twitter.
