
How Secure Is UPI?

Neelanjit Das - 27 May 2022

Almost six years after the National Payments Corporation of India (NPCI) launched the Unified Payments Interface (UPI), transactions worth Rs 80 trillion were processed on it in financial year 2022. At launch, NPCI’s challenge was to build a product that was secure yet more convenient than the payment tools that relied on conventional two-factor authentication. Here is a look at what makes UPI fast and secure.

Consumer Side Layers

The consumer side uses three authentication factors, two of which are completed only once, at registration. “The first factor is device binding. The second is KYC verification by sending an SMS to the server (which verifies the mobile number as the one attached to your bank account). The third is the UPI PIN,” says Saket Modi, co-founder and CEO of Safe Security, a digital business risk quantification company. The user is ‘bound’ to the SIM card rather than to the handset: after changing devices, the user re-registers with the same SIM card (mobile number), and the UPI transaction PIN set earlier carries over with that mobile number.

When a consumer downloads a UPI app, the following safeguards and protocols secure registration and everyday use.

SIM Card: A valid SIM card is required to register with a UPI app. The mobile network authenticates the SIM with the unique keys it holds, and registration sends an SMS from that SIM, so the server can hard-bind the device to the mobile number the bank has on record. If you switch phones, you can move the same SIM card to the new device and re-register.

UPI App Passcode: This is optional. When enabled, the app asks for a passcode at every login. This passcode is separate from the UPI transaction PIN, which authorises individual payments.

UPI PIN Registration: When setting a UPI PIN, the app asks for the last six digits of the user’s debit card and its expiry date. The request is then authenticated with an OTP or Aadhaar.

Location Binding: This is optional. The app asks for location access so that, if needed, a transaction’s origin location can be matched against the device ID.

In-Built Security

There are more than a hundred backend security protocols deployed at different levels of a UPI transaction. Here are some of the prominent ones.

Software Development Kit: UPI is delivered to app makers as a Software Development Kit (SDK) exposed through an Application Programming Interface (API), so its security measures are independent of the app’s own security controls, and any payment application can build a custom app on top of the kit. “NPCI and the payment processing banks handle all the backend security on the broader UPI network,” says Modi.

Server Handshake: When a user first installs a UPI app, the device ID is sent to the UPI server. The server returns a unique token, which the app sends back to the server in an SMS from the user’s SIM. Because the SMS arrives from the registered mobile number and carries the expected token, this one step verifies both the user’s KYC (the mobile number attached to the bank account) and the token. “The device’s unique ID gets hard-bound with the UPI server. The user can go ahead and link his bank account,” says Modi.
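The handshake above, modelled as an added example (this is not NPCI’s or any UPI app’s code): a server that issues a one-time token per device ID and binds the device only when that token comes back in an SMS from a mobile number the bank has on file. The 300-second token lifetime, the in-memory tables, the scenario names and the sample mobile numbers are assumptions made for the demo; in a real deployment the sender number is the one the carrier stamps on the SMS, which the app cannot choose.

```python
import secrets
from dataclasses import dataclass, field

# Toy model of the device-binding handshake (added example; not NPCI's or any
# UPI app's code). Token lifetime, in-memory tables and sample numbers are
# assumptions made for the demo.

TOKEN_TTL_SECONDS = 300


@dataclass
class BindingServer:
    # Mobile numbers the bank has on file for its account holders (constructed sample).
    registered_numbers: set
    # token -> (device_id, issued_at): requests still waiting for their SMS reply.
    pending: dict = field(default_factory=dict)
    # device_id -> mobile number: devices that completed the handshake.
    bound: dict = field(default_factory=dict)

    def issue_token(self, device_id, now):
        """Step 1: the freshly installed app reports its device ID; the server answers
        with a one-time random token that the app must echo back over SMS."""
        token = secrets.token_hex(16)
        self.pending[token] = (device_id, now)
        return token

    def receive_sms(self, sender_number, body, now):
        """Step 2: an SMS arrives from the SIM. Bind the device only if the token is
        known, fresh and unused, and the sending number is linked to an account."""
        entry = self.pending.get(body)
        if entry is None:
            return "unknown or already used token"
        device_id, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            del self.pending[body]
            return "token expired"
        if sender_number not in self.registered_numbers:
            return "mobile number not linked to any account"
        del self.pending[body]  # one-time use: a replay of the same SMS is rejected
        self.bound[device_id] = sender_number
        return "bound"


def run_handshake_scenarios():
    """Four client-side scenarios; returns the server's verdict for each."""
    server = BindingServer(registered_numbers={"+919876543210"})
    # Genuine device with the SIM the bank knows.
    good = server.issue_token("dev-1", now=0.0)
    verdicts = {"good": server.receive_sms("+919876543210", good, now=10.0)}
    # The same SMS delivered a second time (replay).
    verdicts["replay"] = server.receive_sms("+919876543210", good, now=11.0)
    # A valid token sent from a phone whose SIM is not linked to any account.
    wrong = server.issue_token("dev-2", now=0.0)
    verdicts["wrong_sim"] = server.receive_sms("+910000000000", wrong, now=10.0)
    # A token echoed back long after it was issued.
    stale = server.issue_token("dev-3", now=0.0)
    verdicts["stale"] = server.receive_sms("+919876543210", stale, now=600.0)
    verdicts["bound_devices"] = dict(server.bound)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_handshake_scenarios().items():
        print(f"{name}: {verdict}")
```

Only the first scenario ends with a bound device; the replay, the unlinked SIM and the stale token are all refused, which is the property that makes the SMS step a second factor rather than a formality.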

SSL Certificate: NPCI’s UPI guidelines specify HTTPS with Transport Layer Security (TLS) version 1.2 for data transmission, with the server’s certificate validated by the client. This encrypts the traffic between the app and the UPI backend, so a user is protected from eavesdropping on public WiFi or an untrusted mobile network. Note that this is transport encryption between the app and the server, not end-to-end encryption from payer to payee.
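As an added example (not from NPCI’s guidelines or any UPI app’s code), here is what enforcing that TLS 1.2 floor looks like on the client side in Python’s standard `ssl` module, with the sloppy configuration it replaces shown alongside. The `open_tls` helper and its host and port arguments are assumptions for illustration.

```python
import socket
import ssl

# Added example (not NPCI's or any UPI app's code): a hardened client TLS
# context next to the weak one it replaces. open_tls and its arguments are
# assumptions for illustration.


def weak_context():
    """Anti-pattern: skips certificate and hostname validation and accepts whatever
    protocol version the library will still negotiate. Anyone on the same Wi-Fi
    can present their own certificate and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Validates the server certificate against the system trust store, checks that
    it matches the hostname, and refuses any handshake below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the three properties a reviewer would check on a client context."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_newer_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def open_tls(host, port=443, ctx=None, timeout=5.0):
    """Connect with the hardened context and return the negotiated TLS version.
    Raises ssl.SSLError if the certificate fails validation or the server can
    only speak a version older than TLS 1.2."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("weak:    ", describe(weak_context()))
    print("hardened:", describe(hardened_context()))
```

The difference is visible without any network: the weak context reports no certificate or hostname checking, while the hardened one reports all three properties as satisfied, and `open_tls` will refuse to complete a handshake that breaks any of them.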

ID Mapper: This lets a user create a UPI ID (a virtual payment address) tied to a phone number and share that instead of an account number and other bank codes.


Read more on: www.outlookmoney.com

neelanjit@outlookindia.com
