Payments made via UPI are straightforward and convenient; UPI completed Rs 80 trillion transactions in 2022, but how secure are they?
A UPI transaction takes only a few seconds and is India’s most popular payment method. Here’s how security keeps up with the pace.
The National Payments Corporation of India (NPCI) released the Unified Payment Interface (UPI) in 2016, and it has since revolutionized the Indian payment environment.
UPI completed Rs 80 trillion in transactions in the fiscal year 2022, and NPCI has just allowed an additional 60 million WhatsApp UPI users. What, then, makes a UPI transaction safe?
UPI Provides Convenience
Whether for peer-to-peer (P2P) transactions, online purchasing, or in-store shopping, UPI has offered customers an easy and rapid payment system. UPI may be used for free everywhere in India. UPI payments are supported by over 150 applications in the Play Store and App Store, and big e-commerce companies have also introduced UPI solutions.
Because of QR code-based UPI payments and similar features, even users with little technical knowledge can use UPI to make payments. “A major part of UPI’s acceptance is its form factor. It’s straightforward to use,” says Amit Das, co-founder and CEO of Think360.ai, a full-stack data science firm. “Simple to remember UPI addresses (phonenumber@upi), shareable UPI QR codes, native chat window experience (WhatsApp pay), and other features make it easy to use.”
Traditionally, two-factor authentication was used to safeguard transactions such as debit card, credit card and net banking payments, but those security measures were inconvenient for customers.
“In the payments ecosystem, payment security and convenience were inversely related. When the security component was active, the convenience component was inactive, and vice versa. Debit and credit card payments, for example, use two-factor authentication. This makes them safe, but it also makes them sluggish for the end-user.
“However, with UPI, a user just has to remember their phone number and have the UPI software loaded on their phone,” says Saket Modi, co-founder and CEO of Safe Security, a cybersecurity and digital business risk quantification firm. The difficulty for NPCI was to provide a system that was both safe and convenient, given that many users wanted speedier transactions.
The UPI network’s security is divided into two parts. One is the consumer-facing security, which is visible to the public, and the other is the backend enterprise-facing security.
On the consumer side, three authentication factors secure a transaction on the UPI network. “The first authentication factor is device binding. The second factor is KYC verification, which is accomplished by sending an SMS to the server. This confirms that the mobile number on your device has been KYC confirmed against the bank account in the UPI network. The UPI PIN is the third,” Modi added.
1) Consumer Side
When a user installs a UPI app from the Play Store or App Store, several precautions and rules are in place to keep the user experience as safe as possible without sacrificing convenience.
• SIM Card: A UPI app will not allow the user to register unless a valid SIM card is present. UPI hard-binds a device to its server using the unique cryptographic keys stored in the user’s SIM card. As a result, the SIM card associated with the phone number registered with the user’s bank must be present while using the UPI app. This also means that if you change phones, you must move the same SIM card to the new one; otherwise the UPI server will not be able to authenticate your details.
• Location Binding: This is an optional, supplementary security mechanism in which the UPI app asks the user for permission to link the app to the device’s location. When you enable this option, the UPI payment app records the transaction’s origin location and the device ID for future reference. “We developed SALT, a UPI app, with the help of NPCI’s SDK and API tools.
We’ve also included a transaction recording function based on geographical binding. As a result, we can track where a client conducts most of his transactions and if another area far from his original location suddenly becomes active on that account. We’ll then call the client to advise him of the situation, and if he’s transacting legitimately, we’ll remove the flag; otherwise, we’ll take appropriate action. This functionality helps us secure the user because someone else may be transacting on his account without his knowledge,” said Mahesh Shukla, founder and CEO of PayMe India, an RBI-registered NBFC.
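The geographic-binding check Shukla describes (learn where an account usually transacts, flag activity from a distant area or an unseen device, and hold it for a callback) can be sketched as a small piece of detection logic. This is an added illustration, not SALT’s or PayMe India’s code; it assumes each recorded transaction carries a device ID and an approximate latitude/longitude, and the history and incoming records below are constructed sample data.

```python
import math

# Constructed history for one account: transactions the app has already
# recorded, each with the device ID and approximate coordinates (illustrative values).
HISTORY = [
    {"id": "T1", "device": "dev-A", "lat": 19.076, "lon": 72.877},  # Mumbai
    {"id": "T2", "device": "dev-A", "lat": 19.080, "lon": 72.880},  # Mumbai
    {"id": "T3", "device": "dev-A", "lat": 18.520, "lon": 73.856},  # Pune, one-off trip
    {"id": "T4", "device": "dev-A", "lat": 19.070, "lon": 72.870},  # Mumbai
]

# Constructed batch of new transactions to assess against that history.
INCOMING = [
    {"id": "T5", "device": "dev-A", "lat": 19.078, "lon": 72.879},   # Mumbai, same phone
    {"id": "T6", "device": "dev-A", "lat": 28.614, "lon": 77.209},   # Delhi, same phone
    {"id": "T7", "device": "dev-B", "lat": 19.078, "lon": 72.879},   # Mumbai, unseen device
    {"id": "T8", "device": "dev-A", "lat": 19.218, "lon": 72.978},   # Thane, close to home
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def usual_location(history, cluster_km=50.0):
    """Return the (lat, lon) of the recorded transaction that has the most other
    history points within cluster_km. That point stands in for 'where the client
    conducts most of his transactions'. Returns None for an empty history."""
    best, best_count = None, -1
    for t in history:
        count = sum(
            1 for u in history
            if haversine_km(t["lat"], t["lon"], u["lat"], u["lon"]) <= cluster_km
        )
        if count > best_count:
            best, best_count = (t["lat"], t["lon"]), count
    return best


def assess(history, txn, far_km=500.0, cluster_km=50.0):
    """Return the list of reasons to hold txn for a confirmation call; [] means clear.
    Thresholds are assumptions for the example, not published UPI parameters."""
    reasons = []
    known_devices = {t["device"] for t in history}
    if txn["device"] not in known_devices:
        reasons.append("new-device")
    home = usual_location(history, cluster_km)
    if home is not None:
        dist = haversine_km(home[0], home[1], txn["lat"], txn["lon"])
        if dist > far_km:
            reasons.append(f"far-from-usual:{dist:.0f}km")
    return reasons


def review_queue(history, incoming):
    """Assess a batch and return {txn_id: reasons} for the flagged transactions only."""
    queue = {}
    for t in incoming:
        reasons = assess(history, t)
        if reasons:
            queue[t["id"]] = reasons
    return queue


if __name__ == "__main__":
    for txn_id, reasons in review_queue(HISTORY, INCOMING).items():
        print(f"{txn_id}: hold for callback ({', '.join(reasons)})")
```

A flag here is a prompt to contact the customer, as the quote describes, not an automatic block: a legitimate trip (T3 to Pune in the history) stays well under the distance threshold, while a first transaction from a far city or from a device never seen on the account is what gets queued.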
• Passcode for UPI App: This is an optional feature. When enabled, the UPI app will prompt you for a passcode every time you log in. This passcode is not the same as the PIN for a UPI transaction.
• UPI PIN Registration: When registering for a UPI PIN, the app asks for the last six digits of the user’s debit card and the card’s expiry date. This is then verified with an OTP; Aadhaar can also be used for authentication.
2) Backend Enterprise Side Security
There are over a hundred backend security protocols at various stages of a UPI transaction. UPI was built as a Software Development Kit (SDK) whose components communicate with one another via an Application Programming Interface (API). NPCI built and offers both the SDK and the API tools. As a result, the network’s security measures are not affected by whatever security the user’s own application implements.
As a result, every payment provider can build its own app on top of UPI’s SDK and use its security procedures. They must, however, exchange information across SDKs using the supplied API tools. “When the UPI network was created, we were one of the first security providers hired by NPCI to manage security. UPI is an SDK-based API toolset that NPCI makes available to interested businesses.
This SDK-based API toolkit may be integrated into any project. As a result, network security is not dependent on the program in question. All backend security on the larger UPI network would be handled by NPCI and payment processing institutions,” Modi stated.