How does UPI Work?

The unified payments interface or the UPI Payments is an interface via which you can transfer money between bank accounts across a single window.

This is a real-time payment system where funds are credited instantly on a real-time basis.

Why UPI?

• UPI offers merchants a low–cost and efficient way to receive payments.
• UPI payments are credited to the merchant‘s bank account in real-time, which allows them to keep track of their finances more easily.
• UPI also allows merchants to accept payments from customers without having to share their bank account details or other personal information.
• It allows merchants to create and manage invoices easily.
• It allows enabling autopay/setup mandates.
• 2Factor security by default

Every customer making or receiving a UPI payment interacts with three key entities — the UPI application on their phones, the Payment Service Provider (PSP), and their Bank. The PSP and the Bank themselves interact with the UPI APIs which are hosted and maintained by the National Payment Corporation of India (NPCI).

UPI applications are the mobile apps that you are most familiar with — like BHIM UPI, PhonePe, and Google Pay. They are usually deeply linked with the PSP and embed the PSP functions within themselves.

PSPs handle authentication for the user and connectivity with the bank and NPCI. They also serve as the back-end infrastructure for the UPI applications (aka 3rd Party Application Provider or TPAP). Note that only banks are directly allowed to interact with the UPI switch hosted at NPCI and for this reason, currently only banking entities can play the role of PSP.

Banks that hold the customer’s accounts are responsible for actually debiting the payer and crediting the beneficiary.

Is UPI Secure?

The encryption format used by UPI transactions is highly secure and not easy to hack.

Upon signing up for a UPI app, your phone will send a push SMS for verification. This keeps the OTP from being copied from another device. Push SMSes bind your device to your mobile number and must be configured whenever your device is changed.

By creating a PIN for your transactions, UPI adds an extra layer of security. Each time you make a transaction, your PIN is required. Just having physical access to your phone will not suffice. Thus even if your phone is stolen, you will still have to enter your PIN to make transactions, and your money stays safe.

UPI Architecture:

Flow of UPI transaction?

1. The VPA of the Payee (Swiggy), the payer’s account information and transaction details are securely sent from your phone to your PSP’s server.
2. They are forwarded to the UPI interface (at NPCI).
3. [a] UPI forwards this to the Payee PSP. [b] The PSP responds with the account details of the Payee (merchant), using its in-house mapping of VPA to account number.
4. [a] UPI forwards the account details of the payer (you), obtained in step 2, to the your bank and asks them to debit your account. [b] The bank responds to UPI after debiting your account.
5. [a] UPI then instructs the merchant’s bank, aka beneficiary bank, to credit the payee’s account (obtained in step 4). [b] The beneficiary bank responds with a success to UPI after having credited the payee’s account.
6. UPI responds to the payer’s PSP with a success confirmation.
7. You get a notification on your phone saying the payment is successful!
8. At this point you are redirected back to Swiggy, which confirms that your payment has been received and lets you know that your order is on its way!

Note that no money has actually flowed through the PSPs. Indeed PSPs only act as the authentication and identity brokers in the transaction flow, and the money is transferred directly between the accounts at the underlying banking institutions.

References: https://www.npci.org.in/what-we-do/upi/product-overview