Introduction
The digital payments ecosystem built on the Unified Payments Interface (UPI) has emerged as the most popular payment system for in-house digital payments in India. Digital payments have been on a steady rise, especially after the demonetisation act in late 2016. The recent pandemic has further accelerated the need to shift from cash-based payment instruments to contactless, digital payments. This post dives deep into the heart of India’s real-time payment landscape: exploring the hurdles we face while uncovering practical solutions to ensure a truly secure, scalable, and user-friendly real-time payment system.
How we got here
Recent advances in technology have drastically reduced the cost of owning a smartphone and helped increase cellular coverage and internet connectivity over the years, enabling deeper penetration of smartphone-based banking solutions. This can also be seen in African countries with the adoption of SMS and other cellular-based payment systems.
One of the reasons for the quick adoption of UPI by merchants in India was the use of QR codes (paper-based stickers) instead of point-of-sale machines and other hardware-based onboarding alternatives. However, QR-based payments aren’t new. In China, QR codes played a crucial role in the growth of mobile payment services. They enabled businesses to accept digital payments without investing in hardware such as a point of sale (PoS) terminal. Since 2011, WeChat and AliPay have popularised QR code based payments in China.
Additionally, India is home to the cheapest mobile data plans in the world, with one gigabyte (1GB) of data costing an average of just USD 0.09. A young population and increased smartphone penetration, along with high-speed internet connectivity, have fuelled the adoption of QR code (both static and dynamic) based digital payments.
Since its inception, UPI has powered India’s RTP (Real-time Payments) ecosystem, fuelled by government support and regulatory push. However, it depends on existing payment systems such as IMPS and RTGS for its complete operation, and fund transfer between the remitter and the beneficiary bank is deferred and settled at regular intervals. Ideally, for any given RTP transaction, processes such as netting, reconciliation, and attainment of settlement should occur within the transaction’s life cycle in near real-time for all involved participants (at least from a client’s perspective).
Privacy concerns
Abusing transaction notes field
From UPI 2.0 onwards, server-side signed UPI requests are allowed. While this improves security and protects against tampering with QR code data, it also means fields like Transaction notes are non-editable along with the Amount field. This leaves the end-user at a disadvantage due to the lack of choice concerning the kind of data (in the form of transaction notes) that is sent to the intermediaries involved in the transaction. The data often includes details like vendor name, reference number, etc., which opens up possibilities for abuse through detailed profiling of a given individual’s bulk transaction data, which the banks and other intermediaries are mandated to store.
Here’s an example of a payment I made on a food delivery app.
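As an added illustration (not the author's own payment and not code from the original post), the sketch below audits what a signed UPI payment link discloses through its note field and whether the payer can still edit it. The `upi://pay` layout and the parameter names (`pa`, `pn`, `tr`, `tn`, `am`, `cu`, `sign`) are assumed from the public UPI linking specification, and the sample link is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: merchant, order id and signature are made up.
SAMPLE_LINK = (
    "upi://pay?pa=fooddelivery@examplebank&pn=Example%20Foods&tr=ORD20240117"
    "&tn=Order%20ORD20240117%20Example%20Foods%20Indiranagar"
    "&am=349.00&cu=INR&sign=Q09OU1RSVUNURUQ="
)

# Per the post, a signed request locks the amount and the transaction note.
# The parameter names themselves (am, tn, pn, tr, sign) are assumptions.
LOCKED_WHEN_SIGNED = ("am", "tn")
# Tokens of 6+ characters that contain a digit look like order/reference ids.
ID_LIKE = re.compile(r"\b(?=\w*\d)[A-Za-z0-9-]{6,}\b")


def audit_upi_link(link):
    """Report what a upi://pay link discloses and what the payer can still edit."""
    parts = urlsplit(link)
    if parts.scheme != "upi" or parts.netloc != "pay":
        raise ValueError("not a upi://pay link")
    # parse_qs percent-decodes values; keep the first value of each parameter.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    signed = bool(params.get("sign"))
    note = params.get("tn", "")

    discloses = []
    if params.get("pn") and params["pn"].lower() in note.lower():
        discloses.append("vendor name")
    if (params.get("tr") and params["tr"] in note) or ID_LIKE.search(note):
        discloses.append("reference number")

    return {
        "signed": signed,
        "locked_fields": [f for f in LOCKED_WHEN_SIGNED if signed and f in params],
        "note": note,
        "note_discloses": discloses,
        "payer_can_redact_note": not signed,
    }


if __name__ == "__main__":
    for key, value in audit_upi_link(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```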
Device Hard-Binding
India’s banking systems are excessively dependent on users’ phone numbers linked to bank accounts, especially for SMS-based second-factor authentication. In addition, UPI has a device hard-binding requirement that restricts its usage to a single device linked to the SIM of the user’s phone number.
Have a device without Google Play Services? Good luck figuring out how to get it working. You’re now a second-class citizen, a minority so small compared to the vast majority of UPI users that none of the existing apps will make an effort to support degoogled devices.
I believe users should be offered alternatives like TOTP, passkeys and hardware-based authentication tokens that can help prove identity without relying on any external or third-party providers and allow for the usage of digital payments beyond a single device or even a smartphone.
I personally find it annoying that I can’t use UPI from a web portal! While there are alternatives like Netbanking, the UX is just not the same. While I’m not a fan, I think UPI apps can learn from how neo-banks like N26 or Revolut allow for adding or removing additional devices (including web access) based on an existing verified primary device (which is a requirement for PSD2).
Excessive reliance on a SIM card, and thus a smartphone, is not good from either a usability or a practical standpoint, in my opinion. This is particularly important in countries like India, which has one of the highest gender gaps in access to technology in the world, with 67% of men owning mobile phones compared to only 33% of women 1