The Unified Payments Interface (UPI) provides a single interface for online payments across all NPCI systems using standard APIs. It aims to simplify payments and improve customer experience through interoperability. UPI allows for instant payments through a single click using two-factor authentication on mobile. It also enables use of virtual payment addresses instead of sharing sensitive bank details. UPI transactions use a central repository to route payments between participating banks in real-time, with strong security features like encryption and digital signatures.

1. Unified Payments Interface (UPI)

2.  The Unified Payments Interface (UPI) offers an architecture and a set of standard
Application Programming Interface (API) specifications to facilitate online payments. It aims
to simplify and provide a single interface across all NPCI systems besides creating
interoperability and superior customer experience.
Instant “Pay” (push) and “Collect” (pull) using single click two factor authentication where
mobile is first factor (what you have) and MPIN/Biometrics (what you know/are) as second
factor.
Ability to use Virtual Payment Addresses(VPA), thus eliminating the need to provide
sensitive account information to merchants or other individuals.
What is UPI

3. UPI Architecture
Scalable Architecture
Banks Banks
IMPS AEPS RuPay Ecom
Unified Payments Interface
NPCI
Standard Interface Standard Interface Standard Interface
Internet
Banking
3rd Party Apps
(Collect only)
Banks
*99#
APBS
NACH
NFS
*99#
Central Repository
UID-BIN
3rd Party Apps
(Collect only)
Mobile
application
Payment System Players (PSP)
Mobile
application
Mobile
application

4.  “Payment Address" is an abstract form to represent a handle that uniquely identify an
account details in a “normalized" notation
 Virtual Payment Addresses are denoted as “account@provider“
 PSPs can allow their customers to create any number of virtual payment addresses and
allow attaching various authorization rules to them.
 PSPs may offer “one time use” addresses or “amount/time limited” addresses or "limit to
specific payees" addresses to customers
What is Virtual Payment Address

5. A user id provided by PSP, resolved directly by that PSP, is represented as user-id@psp-
code (e.g. joeuser@mypsp)
IFSC code and account number combination, resolved directly by NPCI, is represented
as
account-no@ifsc-code.ifsc.npci (e.g. 1234500000000001@HDFC0000001.ifsc.npci)
Aadhaar number, resolved directly by NPCI using existing Aadhaar to bank mapper, is
represented as
aadhaar-no@aadhaar.npci (e.g. 234567890123@aadhaar.npci)
Examples of Virtual Payment Address

6. UPI – Message Flow
PSP 1
PSP 2
Account
Provider 2
Account
Provider 1
A/C
providers
live in UPI
UPI
RespPay
ReqPay(PAY/COLLECT)
RespAuthDetail
ReqAuthDetail
RespPay
ReqPay(Debit)
RespPay
ReqPay(Credit)

7. Pay Transaction
Payee PSPUnified
Payments
Interface
Payer PSP
Acquiring Channel
(Mobile App/E-Com)
Beneficiary
Bank
Remitter Bank
54ReqPay debit RespPaydebit
1
8
ReqPay
RespPay
2
3
6 7ReqPay credit RespPay credit
RespAuthDetails
ReqAuthDetails
A
B
9
10
RespTxnConfirmation
ReqTxnConfirmation
Financial
Non-Financial

8. Collect Transaction
Payee PSPUnified
Payments
Interface
Payer PSP
Acquiring Channel
(Mobile App/E-Com)
Beneficiary
Bank
Remitter Bank
54
ReqPay debit RespPay debit
1
8
ReqPay
RespPay
2
3
6 7ReqPay credit RespPay credit
RespAuthDetails
ReqAuthDetails
A
B
9
10
RespTxnConfirmation
ReqTxnConfirmation
Financial
Non-Financial
C D

9. List of Core APIs

10. List of Meta APIs

11. List of Meta APIs

12.  UPI Solution provides strong end-to-end security and data protection. The key Security
features of the Unified Payments Interface are:
 Device Fingerprinting during the registration process
 Credential Capture through NPCI Common Library
 Credentials encrypted by using RSA 2048 Asymmetric Encryption
 The decryption/encryption at NPCI will be performed through HSM
 Message communication between PSPs and UPI over HTTPS
 All messages are digital signed using SHA2 with RSA.
Security features

13.  NPCI common library will be distributed to PSP’s for all the three major mobile operating
systems viz. Android, iOS & Windows.
 Common library has the following security features:
Capture the credentials securely
Embedding Device and Transaction related data as salt into the Credential block for each
Transaction to
 Prevent the Acquiring PSP to replay the Credential block
 Ensure actual device finger print is sent to NPCI for every transaction
 Ensure NPCI Common Library is used to Secure Credential capture
To encrypt the sensitive data (credentials like OTP, MPIN, and biometric data) using RSA 2048
public key encryption.
Digital Signature verification of xml payload of public keys before performing the credential
capture.
NPCI Common Library

14.  Applications that integrate with PSP Apps to collect Payment
 Web App, Desktop App, Mobile App etc
 Re-imagine various use cases that can move to cashless through UPI
 Sample PSP App/PSP Server provided by NPCI may be used
 When developing mobile app, deep link to sample PSP app
 Common Library will be part of Sample PSP and should not be directly used
 PSP application itself which is provided to consumers/Merchants
 PSP server including optional interface/sdk for merchants
 PSP mobile app for consumers by embedding Common Library
Types of Applications

15. Sample Mobile App Flow – In app Payment
If UPIenabledAPPis not
availableuser will be
routed to
playstore/website to
merchant preferred PSP
APP

16. Sample Mobile App Flow – Collect Pay
UPI
Over
Inter
net

17. Thank You