đUPI Withdrawal Protocol Specification (UPIW)
Implementation of Withdrawal QR Protocol in UPI using UPI Lite Wallet
Last updated
Implementation of Withdrawal QR Protocol in UPI using UPI Lite Wallet
Last updated
Introduction
Unified Payments Interface (UPI) has revolutionized digital payments in India by providing a seamless and interoperable payment system. Integrating a withdrawal QR protocol, into the UPI framework can further enhance its capabilities. This document outlines the implementation process and benefits of this integration, utilizing the UPI Lite wallet and NFC cards for offline payments.
The withdrawal QR protocol enables users to scan a QR code and initiate a money pull request using UPI apps. This feature can streamline various use cases, such as ATM withdrawals, merchant refunds, peer-to-peer transfers, and offline payments via NFC cards.
UPI ID: The unique identifier of a UPI account. Optional unique identifier of the recipient's bank account. (Add it if you need to refund a specific customer)
UPI Lite Wallet: A lightweight wallet for UPI transactions with limited balance.
NFC Card: A Near Field Communication card containing encoded UPI withdrawal information.
QR Code: A Quick Response code containing UPI withdrawal information.
UPI Switch: The central routing mechanism for UPI transactions.
Transaction ID: A unique identifier for each transaction.
Digital Signature: A cryptographic signature ensuring the authenticity of the transaction.
Callback URL: The URL to which the withdrawal request is sent for processing.
k1: A unique secret identifier used to verify the withdrawal request.
The UPIW protocol uses a standardized format to encode and decode the withdrawal request data into a URI. This URI can then be embedded in a QR code or NFC card.
URI Structure:
callback: The URL to which the withdrawal request is sent.
k1: Secret key for authentication.
a: Maximum amount to withdraw.
id: Transaction ID.
sig: Digital signature for security.
Example URI:
The UPIW QR code or NFC card encodes the following JSON data structure:
Generate QR Code / Encode NFC Card
The system generates a QR code or encodes an NFC card with the withdrawal request details, including the UPI ID, amount, transaction ID, timestamp, callback URL, k1, and digital signature.
Scan QR Code / Tap NFC Card
The receiver scans the QR code using a UPI-enabled mobile app or taps the NFC card on an NFC-compatible phone or reader.
Display Withdrawal Details
The UPI app decodes the QR code or NFC data and displays the withdrawal details to the receiver for confirmation.
User Authentication (UPI PIN)
The receiver authenticates the transaction using their UPI PIN to confirm the withdrawal request.
Send Request to Callback URL
The authenticated request, along with k1 and other relevant data, is sent to the callback URL specified in the QR code or NFC card.
Check UPI Lite Wallet Balance
The UPI Lite wallet provider server checks the balance in the payerâs UPI Lite wallet to ensure sufficient funds are available for the transaction.
UPI Lite Wallet Processing
The UPI Lite wallet provider server at the callback URL processes the request, debiting the specified amount from the payer user's UPI Lite wallet.
Send Response to UPI Switch
The server sends a response back to the UPI switch indicating the success or failure of the debit operation.
UPI Switch Processes the Response
The UPI switch processes the response and forwards it to the recipient's bank if the debit was successful.
Recipient's Bank Network Processing
The recipient's bank credits the specified amount to the recipient's account.
Send Confirmation to UPI Switch
The recipient's bank sends a confirmation back to the UPI switch indicating the success of the credit operation.
UPI Switch Sends Confirmation to UPI App
The UPI switch sends a final confirmation to the user's UPI app, indicating the transaction's completion status.
Send Confirmation Notification
The user receives a confirmation notification on their UPI app, including transaction details such as transaction ID, amount, and timestamp.
Decoding the URI
The UPI-enabled mobile app or NFC reader decodes the encoded URI to extract the callback URL, k1, amount, transaction ID, and digital signature.
Request to Callback URL
The app sends a GET request to the callback URL with the parameters extracted from the URI.
Processing the Request
The server at the callback URL verifies the request using the k1 secret and checks the validity of the transaction ID and digital signature.
It ensures the user's UPI Lite wallet has sufficient balance.
If all checks pass, the server debits the amount from the user's UPI Lite wallet.
Response from Callback URL
The server sends a response back to the UPI switch indicating whether the debit operation was successful or not.
Further Processing by UPI Switch
The UPI switch forwards the response to the recipient's bank.
The recipient's bank credits the amount to the recipient's account and sends a confirmation back to the UPI switch.
Final Confirmation
The UPI switch sends a final confirmation to the user's UPI app, indicating the transaction's completion status.
Insufficient Funds: Notify the user if their UPI Lite wallet balance is insufficient to complete the transaction.
Transaction Failure: Provide clear error messages and guidance if any step of the transaction fails.
Network Issues: Implement retry mechanisms and offline support for NFC transactions to handle network connectivity issues.
NFC Card Encoding: The UPI URI data from the QR code can be encoded into an NFC card, purchasable from platforms like Amazon for around INR 200.
Offline Payments: Users can make offline payments by tapping their NFC card on a compatible reader or NFC supported Phone with UPI App opened. The reader decodes the NFC data and processes the payment similar to a QR code scan, with the added convenience of not requiring an active internet connection for the initial transaction request.
Partial Payments: If partial payments are allowed, users can pay part of the amount using their NFC encoded card which acts like a prepaid debit card.
Enhanced User Experience
The withdrawal QR protocol simplifies the process of pulling money by allowing users to scan a QR code or tap an NFC card and complete the transaction in a few steps, reducing the need for manual entry of details.
Increased Security
The use of digital signatures and UPI PIN authentication ensures that transactions are secure and protected against unauthorized access.
Versatile Use Cases
This protocol can be utilized in various scenarios:
ATM Withdrawals: Users can initiate cash withdrawals by scanning a QR code at an ATM, reducing the dependency on physical debit cards. Best part is they can choose any bank account while scanning. No need to keep looking for same bank ATMâs
Merchant Refunds: Merchants can issue refunds by generating a QR code that customers can scan to receive their money back.
Peer-to-Peer Transfers: Individuals can transfer money by sharing a QR code, simplifying the transfer process.
Offline Payments: Users can make offline payments by tapping an NFC card, making transactions possible without an active internet connection.
Interoperability
As UPI is an interoperable payment system, the withdrawal QR protocol can be used across different UPI apps and bank accounts, ensuring wide accessibility and convenience.
Integrating the UPI Withdrawal(UPIW) protocol with the UPI Lite wallet and NFC cards into the UPI framework offers a seamless, secure, and versatile solution for money pull transactions. By leveraging the existing infrastructure of UPI and enhancing it with QR code and NFC technology, this protocol can significantly improve the digital payment experience for users and businesses alike.
///////////////////////////////////////////////////////////////
Purpose:
Authentication: The k1 parameter serves as a unique secret key used for authenticating the withdrawal request. It ensures that the request originated from the legitimate user who scanned the QR code or tapped the NFC card.
Session Management: It helps in managing the session between the user's UPI app and the server handling the withdrawal request. Each k1 value is unique to a specific transaction, preventing replay attacks and unauthorized access.
Functionality:
Generation: When the QR code or NFC data is generated, a unique k1 value is created and embedded in the URI.
Verification: When the user's UPI app sends the withdrawal request to the callback URL, it includes the k1 value. The server verifies this k1 value to authenticate the request.
Uniqueness: Since k1 is unique for each transaction, it ensures that each withdrawal request is distinct, enhancing security.
Purpose:
Integrity: The digital signature ensures the integrity of the data embedded in the QR code or NFC card. It verifies that the data has not been altered or tampered with since it was signed.
Authentication: It provides a means to authenticate the source of the data. Only entities with the private key can generate a valid digital signature, ensuring that the data is legitimate.
Functionality:
Creation: The digital signature is created by signing the withdrawal request data (UPI ID, amount, transaction ID, timestamp, etc.) with a private key.
Verification: The user's UPI app and the server can use the corresponding public key to verify the digital signature. This process confirms that the data has not been modified and is from a trusted source.
Security: By using cryptographic methods, digital signatures provide a robust mechanism to secure the data against forgery and unauthorized modifications.
Purpose:
k1: Primarily used for authenticating the session and ensuring that the request is unique and valid for a specific transaction.
Digital Signature: Used to verify the integrity and authenticity of the data, ensuring that it has not been tampered with and is from a legitimate source.
Usage:
k1: Included in the URI and sent with the withdrawal request to the server for verification.
Digital Signature: Embedded in the QR code or NFC data and verified by the UPI app and the server to ensure data integrity.
Generation:
k1: Generated uniquely for each transaction and embedded in the URI.
Digital Signature: Created by signing the data with a private key and verified using a public key.
QR Code Data:
User scans the QR code and the UPI app decodes the URI.
App sends a GET request to the callback URL with the k1 and other details.
Server verifies the k1 to authenticate the session.
Server checks the digital signature to ensure data integrity and authenticity.
If all checks pass, the server processes the withdrawal and sends a confirmation.
đ¤ For more info, contact us: Nalanda Neeraj dev@ninjapay.me
