UPI, NEFT, EMV: A Hall Of Mirrors?

Pratima H

INDIA: Juggling is fun. To watch, that is. Unless one has mastered the craft of deftly letting go of one item in the air and precisely catching the other one, it’s not as slick and effortless as it may seem.

Now for advancements in financial technology broadly, and payments space in particular, this trick of ‘letting go’ can be extremely difficult and complicated. The orange in the air is not the same size as the apple in one palm, and the apple, in turn, is a lot smoother than the pineapple in the other palm.

Convenience, speed and security, respectively; are what financial players have been juggling and it has not been a spectacular feat to watch so far.

They can’t be blamed for struggling even now. To make a transaction happen at a breakneck pace is almost a paradox when one has to ensure that no one else eavesdrops on this pipe. Which, again, is contradictory to the idea that one wants the pipe to stay as much underground as possible, leaving the user with a smooth view to enjoy.

Marrying speed, safety and UI in a seamless way has been the bête noire for all mechanisms so far, and some episode or fiasco (ranging from outages, POS frauds to clunky delays) has always confirmed that struggle. That’s where UPI (Unified Payments Interface) tries to wedge itself a little differently (we tried to cover this ‘little’ bit in the first part). But would this attempt at being the answer after a space created by cards, digital wallets etc. be adequate enough?

Safe or Safer?

Let’s talk about security first. Now that UPI promises the convenience of a VPA (Virtual Payment Address) as the only button for users to worry about pressing, should we be thinking of ease or a simpler surface area that is now open for hackers. More so, as this VPA may contain all banks’ info and all banking details of a user.

Despite the transition from magnetic strip to chip card, as many as $4 billion in 2016, and upto $10 billion by 2020 are at risk, as hackers try to squeeze the reduced window of opportunity: An Aite Group study

Do you mean ‘attack surface’? Forrester researcher Arnav Gupta asks back before venturing that hackers can try but VPAs in themselves are not going to be of much use. “They are just like any other address.” He explains. One still needs the phone, the MPIN and the registered app of the PSP (Payment Service Provider) to make the transaction happen.

Sounds a relief? But yes, UPI does get many security decisions right as Harshil Mathur, CEO and Co-Founder, Razorpay maintains confidently.

1. It builds Second Factor right into the payment process, rather than add it as an afterthought. (MPIN, that can only be entered in your Smartphone)

2. VPAs can be regenerated and deleted at will. This lets people give away their VPA without any worries, and even create them for one-time use.

3. At the end, since UPI is just an IMPS (Immediate Payment Service) transfer, bank accounts are still involved in the process. The only difference is in the visibility of those details to the other side.

Safety questions do get a new texture when one looks at them through the experience that some recent EMV challenges have brought forth.

UPI is designed with a 'security first' mindset, as Deepak Kinger, Vice President, Banking and Financial Services, VirtusaPolaris underlines here. “The masking of account details using the VPA is its salient feature and provides a good solution to deal with credit card fraud. Although techniques like 'tokenization' have controlled EMV fraud, the threat of it continuing is still there. UPI helps address that.

In Mathur’s assessment, when we think of the EMV Fraud, it has a slight impact, but these are mostly orthogonal issues, as we don’t see cards going away anytime soon.

If we turn to Forcepoint here, Ajay Dubey, senior Channel Manager would not dismiss the doubt altogether though. The UPI environment handles huge money transfers and is, therefore, prone to attack by outsiders and/or insiders, he affirms.

“In both the cases attackers will try to steal identities to access the accounts illegally. Thus, Data security will be critical and it needs to protect against malicious insiders, accidental data leaks and malware based advanced attacks. Technology plays a paramount role in providing data security, while people and process are equally important. Highly sanitized environments are increasingly dependent on analytics and data modeling to identify anomalies in user behavior to protect networks. UEBA (User and Entity Behavior Analytics) and DLP (Data Leakage Prevention) are being widely used in high security environments.”

Another quirk that Gupta here observes in UPI implementation is that an unknown party can raise as many collect requests for a VPA as they want, practically spamming the payee. This may lead to some fraudulent behavior.

Kinger also cautions that banks and other apps supporting UPI will need to make sure that they are having the required security controls at the ‘point of impact’ where the conversion from the VPA to the actual customer account details happens. “They need to do adequate vulnerability and penetration testing before going live.”

One more question falls in the lap of security here. What if a user does not want to link every bank account(s)/he has, to an UPI app?

Gupta conjectures that most of the PSP (Payment Service Provider) apps allow customers to create VPA for the bank account they want to use. For eg. When a customer creates a VPA on Axis Bank PSP app he/she will have to specify the bank for which they are creating this handle for. And VPA only gets activated once customer creates and enters MPIN. “We don’t believe privacy is an issue here – all your financial transactions are visible to banks anyhow. UPI doesn’t open up that any further than they already.”

The choice of whether and not to link an account to a UPI address / app is completely with the customers, Kinger seconds. “They can decide which bank account to use for what purpose and make the connection accordingly. Privacy and security aspects with the use of UPI can be managed effectively since actual account details are masked; all the counterparty making the payments needs to be aware of is an email address like VPA.

This also means that the user experience is enhanced since there is no need to remember long account numbers and IFSC codes while making a transfer.”

A Word About The Juggler/s

While kinks have existed and confronted banks, financial players and merchants all the time, and with almost every format out there, there has to be something beefy that UPI brings to the table for them.

Or so we wonder.

If we look at banks to start with, apart from lower transaction costs, UPI also helps drive greater adoption of their mobile banking apps by customers and hence provides the opportunity to cross-sell and up-sell other services through the app, Kinger points out. “UPI is a game changer for all the players in the banking ecosystem and is definitely a key driver to move India to a cashless economy. It reduces the overall cost of transactions which benefits the entire ecosystem.”

For that to happen, interoperability between banks, APIs, and ecosystem-readiness are things that will have to fall in place, and sooner rather than later.

For Aug 2016: Transactions via Debit Cards POS amounted to roughly 183704.93 mn in value. The Amount of transactions via credit cards on POS was 257485.55 mn (Source: RBI)

At the moment, we have not seen any issues around interoperability other than poor implementation of the UPI from most of the banks; Gupta dismisses the worry away for a bit. He applauds NPCI for doing a great job by being in the center and playing an effective traffic cop. Ecosystem is something that still hangs in the air though.

“The problem in our opinion is at end-points. RBI should further open up this to allow other industry participants to become PSPs and fueling the innovation. Current crop of apps are very primitive and mostly support P2P. Some new initiatives are emerging like ICICI’s UPI collect and Yes Bank’s collaboration with fin-techs.” He reasons.

For Sandy Shen, Research Director, Gartner; UPI is something that offers interoperability among payers and payees with security mechanism. “Each bank can still launch their own banking/payment app, and consumers don’t need to know whether it is UPI enabled as it really sits at the backend. The job of the bank is to offer a good customer experience to make the payment process frictionless and also to connect more merchants to its apps so it brings more value to its own customers.”

By standardizing UPI as the 'money-transfer-API', NPCI is forcing banks to improve their interoperability. Mathur contends that this is something will let customers manage their bank accounts on multiple banks over a single banking application (from any of the banks). “Banks also have a silver-lining: If they work hard enough on their mobile app experience, they can gain back the market they have lost to mobile wallets in the last few years.”

Then there are merchants in the fray too.

For merchants, both offline and ecommerce players, in Kinger’s view, UPI provides a very viable alternative to using debit and credit cards because of the low transaction cost. They can accept cards even for very low-value transactions thus eliminating dependency on cash.

No. of online POS for all banks: 1461672; No. of Offline POS: 300 (Source: RBI, For Aug 2016)

Merchants can now collect money from their customers easily. A small-time merchant benefits greatly from UPI and can send invoices to their customers from the mobile app. Mathur cites that even small-time kirana stores can start accepting large payments from their regular customers over UPI. All the merchant needs to have is a mobile number ideally (currently a VPA is needed) and he/she can send a ‘collect’ request, which will appear as an option in the mobile app.

“For ecommerce players this is an extra payment method that they need to integrate and test. It also helps banks because they can now compete with wallets in mobile payments.”

Catch 22

UPI could turn into one more repurposed, repackaged, recycled avatar of what ‘has-been’. It could, alternatively, be the radical breakthrough that recent challenges with EMV etc. have ripened users and industry stakeholders for.

As to the ‘convenience’ orange, UPI implementation is still in its early stages and banks are still trying to understand how they can improve on it, Gupta reckons. He recommends that banks must focus on the UX and app design to make it easy and smooth for customers to transact via UPI. Kinger notes that the strategy that many banks are adopting to get onto the UPI bandwagon is to integrate it into their core architectures e.g. ICICI bank has integrated UPI into both its iMobile and Pockets apps.

The next couple of months are certainly critical. During this time the banks will aim to resolve the technical glitches and strengthen their API for better user interface for UPI to be used widely, Mathur hopes.

Execution, inclusion, scope, depth, impact and outreach are some more words turning into adverbs that would actually matter a lot before everyone starts UPI-ing payments.

Once customers get comfortable using it, they will start using it for their high value transactions instead of NEFT or RTGS, Kinger swirls the crystal ball towards UPI. The question bigger than anyone’s skepticism on this hope is that of timing.

Shen brings some more of that pinch of salt which is always handy. “It is not clear how the user experience looks, and whether it makes it easier or harder to pay from consumer’s perspective.”

Because if it’s a scenario that tilts for the ‘harder’ side, then throwing and catching the must-have’s of payments would get much more klutz-y.

It’s still juggling. Not dribbling.