Merchant payments (and potentially avoid issues seen with major payment apps) #38

Open
reeteshranjan opened this issue Jul 9, 2021 · 63 comments
Labels
discussion enhancement New feature or request help wanted Extra attention is needed

Comments

@reeteshranjan
Collaborator

Is your feature request related to a problem? Please describe.

  1. Merchant payments: UPI deep linking specification, implemented by this package, is for merchant payments by design though individual to individual payments are supported by several apps on an ad-hoc basis. Work on this feature will add merchant payment support.
  2. Security warning/errors on major apps: Discussion with Bank of Baroda UPI team reveals that several major payment apps are looking to avoid fraud on UPI by doing a strict check on authenticity of payments. This makes these issues appear more related to the lack of merchant signature in current version of the package. This is further seen in the following snippet from the UPI deep linking specification which is about how a UPI payment app should verify a UPI deep linking request (the ones made through this package)

[Image: Screenshot 2021-07-09 at 5 14 47 PM]

Describe the solution you'd like

  1. Mechanism in which users can create merchant signature themselves:
    1. Provide an API that would generate the UPI transaction request in the format specified in point 3 in section 1.3 of UPI deep linking specification towards signing by a package user app using their merchant private key.
    2. Provide an API that would accept the UPI transaction data and the signature created and will perform the UPI transaction
  2. Provide an API that implements signing using the algorithm described in point 3 in section 1.3 (RSA512 and SHA256) for users that are OK with providing their private key and then performs the UPI transaction.

The API changes/additions should retain backward compatibility for non-merchant payments.

Describe alternatives you've considered

This aspect of the UPI deep linking specification has no alternatives.

Any example solutions

This feature is research based and is an attempt to implement part of the UPI deep linking specification not yet implemented. There is no example solution known.

Additional context

None
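
Added example (not part of the original issue, nor code from the package): the two-step flow proposed above, written in Go, with the merchant signing a request string and a payment app verifying the resulting link. The `upi://pay` scheme, the rule that `sign` is the last parameter and covers every byte before `&sign=`, PKCS#1 v1.5 padding, the 2048-bit throwaway key, standard base64 and all function names are assumptions, since the specification snippet the issue refers to is not reproduced on this page; the parameter values are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Param is one query parameter; order is kept because the exact bytes are signed.
type Param struct{ Key, Value string }

// BuildRequest is step 1: the string the merchant app signs with its own key.
func BuildRequest(params []Param) string {
	parts := make([]string, 0, len(params))
	for _, p := range params {
		parts = append(parts, p.Key+"="+url.QueryEscape(p.Value))
	}
	return "upi://pay?" + strings.Join(parts, "&") // scheme is an assumption
}

// Sign is the merchant side: SHA-256 digest, RSA PKCS#1 v1.5 (padding assumed).
func Sign(request string, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256([]byte(request))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// AttachSignature is step 2: append the signature as the final parameter.
func AttachSignature(request string, sig []byte) string {
	return request + "&sign=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig))
}

// Verify is the payment-app side: refuse links that are unsigned, that carry
// parameters outside the signed span, or whose signed bytes were altered.
func Verify(link string, pub *rsa.PublicKey) error {
	i := strings.LastIndex(link, "&sign=")
	if i < 0 {
		return fmt.Errorf("link carries no sign parameter")
	}
	request, enc := link[:i], link[i+len("&sign="):]
	if strings.Contains(enc, "&") {
		return fmt.Errorf("parameters after sign are not covered by the signature")
	}
	raw, err := url.QueryUnescape(enc)
	if err != nil {
		return fmt.Errorf("sign is not URL-encoded correctly: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return fmt.Errorf("sign is not valid base64: %w", err)
	}
	digest := sha256.Sum256([]byte(request))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo signs a constructed request with a throwaway key and checks three links.
func Demo() (genuine, tampered, unsigned error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption
	if err != nil {
		return err, err, err
	}
	req := BuildRequest([]Param{{"pa", "test@upi"}, {"am", "100.00"}, {"cu", "INR"}, {"mode", "02"}})
	sig, err := Sign(req, key)
	if err != nil {
		return err, err, err
	}
	link := AttachSignature(req, sig)
	altered := strings.Replace(link, "am=100.00", "am=900.00", 1)
	return Verify(link, &key.PublicKey), Verify(altered, &key.PublicKey),
		Verify(req, &key.PublicKey)
}

func main() {
	fmt.Println(Demo())
}
```

In the flow this thread describes, the verifying app would take the merchant public key from what the bank installed in the NPCI network, not from anything carried in the link.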

@reeteshranjan
Collaborator Author

Expecting to close the work on this in September. Merchant bank account setup, required for the work, has been delayed for various reasons.

@vshanthamoorthi

Hi @reeteshranjan, looking for this feature, as currently the transfer is flagged as a possible fraud transaction. So please let me know if some help is needed.

@reeteshranjan
Collaborator Author

> Hi @reeteshranjan, looking for this feature, as currently the transfer is flagged as a possible fraud transaction. So please let me know if some help is needed.

Thanks for the offer to help!

As of now my work on getting a merchant bank account setup is delayed. If you have one (a commercial current account with UPI keys setup), and you wish to provide details for me to be able to develop and test the functionality, please do so.

I am expecting my own merchant bank account setup to move this week; but nothing is sure as of now.

@vshanthamoorthi

vshanthamoorthi commented Sep 13, 2021 via email

@Chanelle25meyer

I have commercial bank accounts and UPI is set up for the same through gpay. Does this work? If yes, let me know at vshanthamoorthi at gmail.com


@reeteshranjan
Collaborator Author

> I have commercial bank accounts and UPI is set up for the same through gpay. Does this work? If yes, let me know at vshanthamoorthi at gmail.com


Sorry, that does not help. It's not about linking your account to UPI. It's about creating merchant public and private keys, and installing the public key in the NPCI network through your bank.

@vshanthamoorthi

@reeteshranjan,

How is this feature support going?

I am trying to understand the key generation and installation in the NPCI network. PNB bank people are not aware of key installation, and I also could not find any way to generate keys.

So you should guide us as well on which bank supports this, so that it will be easy to use this. Thanks in advance for your help.

@reeteshranjan
Collaborator Author

> @reeteshranjan,
>
> How is this feature support going?
>
> I am trying to understand the key generation and installation in the NPCI network. PNB bank people are not aware of key installation, and I also could not find any way to generate keys.
>
> So you should guide us as well on which bank supports this, so that it will be easy to use this. Thanks in advance for your help.

Did not get the chance to move the work on this. Looking to get the work on the bank part going in the next 2-3 weeks as of now.

As you figured out, it's not straightforward; but all we need is the right setup with one bank account. So far I have managed to talk with BOB and ICICI. The ICICI team was very well informed and they were aggressive, and I was hoping I could get that going and complete the work on this feature with a merchant account with them. However, for business-specific reasons, the account with ICICI was not opened. In the next 2-3 weeks, I'll be looking to work with a few other banks I have scouted. With the huge number of banks having their UPI presence, I am trying to pick a few based on how good their UPI payment apps are.

@vshanthamoorthi

@reeteshranjan - any update? Waiting for this support eagerly.

@reeteshranjan
Collaborator Author

> @reeteshranjan - any update? Waiting for this support eagerly.

I got the time to follow up with SBI today. They are resolving my queries on email. I hope to provide some concrete information in a week's time.

@reeteshranjan
Collaborator Author

SBI is too slow to respond. For a product I am working with, an HDFC bank account has been opened. They are good, aggressive and informed, like the case with the ICICI bank team. A discussion with them is underway.

@reeteshranjan
Collaborator Author

This is moving too slow.

I ended up setting up a current account with HDFC bank. They promised that doing this should be easy, including for the iOS case where there is no response returned to the app. However, first they are trying to sell their own solutions that conveniently work for Android only, or the UPI collect payment method that can be implemented by PSPs/banks only, unlike what this package or the deep proximity linking method does, which basically allows anyone to add UPI payments into their apps.

I am following up with them to close it asap.

@drenther
Owner

mode=02 works on gpay but not on any other app. I really think they must stop this public key/private key nonsense and actually make these developer friendly. This way we can develop great software.

Should we make a proposal that UPI DPLI must work with any VPA, that way I can even send DL to my friend to get my money back. I don't see what kind of fraud they are trying to avoid.

Do not agree with removing layers of security. The effort should be to make the public key work easy e.g. just upload on some NPCI/UPI government portal and it automatically gets uploaded to the system without having to break one's head with opportunist banks' sales teams.

Agree with @reeteshranjan on the point here

@reeteshranjan
Collaborator Author

The benefit of 0 transaction fee with this standard and no implication of future/current charges when using payment gateways or bank solutions is, in my mind, lucrative for frameworks like ONDC. ONDC has buyer and seller apps. I was exploring building a buyer app and what I can see is that all layers of ONDC (buyer app, seller app, ONDC gateway) are IT systems/tools and they need to factor their operations cost in per transaction margins. Reducing these margins is key to ONDC's success, and hence this UPI standard can become a way to reduce margin overheads like payment transaction charge.

I have connected with many folks listed on LinkedIn as working for ONDC and have pitched this along with the UPI standard spec doc that is implemented and what this package is already capable of. There was interest and quick response. Discussions ongoing. Hopefully, this can move as a cog in the wheel for ONDC.

Twitter reach outs did not go anywhere so far. Both UPI and NPCI handles are good for simple PR only, not for deep tech discussions. At least it seems so with my experience.

@reeteshranjan
Collaborator Author

reeteshranjan commented Nov 25, 2022

Responses from ONDC fizzled out. ONDC folks seem to have a framework-only mindset, at least those who responded. They did not see how the above practical issue can use this standard.

Connected with NPCI employees listed on LinkedIn. This reach out seems to be going better. I guess they relate to this more. Connected with folks in product/innovation. Two positive responses so far about taking the discussion forward.

@reeteshranjan
Collaborator Author

> Responses from ONDC fizzled out. ONDC folks seem to have a framework-only mindset, at least those who responded. They did not see how the above practical issue can use this standard.
>
> Connected with NPCI employees listed on LinkedIn. This reach out seems to be going better. I guess they relate to this more. Connected with folks in product/innovation. Two positive responses so far about taking the discussion forward.

Update: I have got very quick and interested NPCI phone call connect. Call tomorrow. Does anyone want to join the call? Reach out to [email protected] with your number. I'll join those interested on conf call.

If you have understood the core issues of the standard we are trying to deal with in this ticket, then joining the call makes sense. The call won't be about anything outside the spec and its issues.

@reeteshranjan
Collaborator Author

Had a very good initial call with someone in NPCI. He will connect me to the folks working on deep linking and proximity integration.

@reeteshranjan
Collaborator Author

Got a notification from the person I talked to inside NPCI. He says that the team is looking into it and will take time.

@itss-sid

> Got a notification from the person I talked to inside NPCI. He says that the team is looking into it and will take time.

Any update?

@itsmesubham

Now that the payment gateways are not onboarding new customers, do we have any path on this? @reeteshranjan, I have everything but the signatures.

@reeteshranjan
Collaborator Author

For various reasons, none of the different channels are moving anywhere so far.

One of my friends who handles legal work has advised to use https://en.wikipedia.org/wiki/Mandamus to get a high court order to make the bank comply with installing the public keys. The basis is that once there is a government specification that says that the bank has to install public keys (we have the public draft that mentions that), the bank cannot refuse as per this high court process.

I am tempted to take it up; however, my earlier relationship with HDFC in the form of a current account will be over shortly, and I would be opening a current account with another bank within a month. I would be working with them from the beginning about this and see if the above process is even required, or just its mention will be enough.

@itsmesubham

Sad. Let's do it. This would be a blessing and encourage a lot of people to start up. I hate the fact that I can bypass these payment gateways but still can't.

@efficientaman

I was really looking forward to using the upi_pay package to bypass all these payment gateways but going by this thread, is there any possibility of doing that by July 2023?

@drenther
Owner

> I was really looking forward to using the upi_pay package to bypass all these payment gateways but going by this thread, is there any possibility of doing that by July 2023?

Not likely

@itsmesubham

itsmesubham commented Jun 13, 2023 via email

@drenther
Owner

None of the banks or the payment apps are incentivised to make it open for OSS implementations like us to work with it. Even though NPCI's original spec is fairly open. None of that is enforced strictly. That's the gist of it basically.

@reeteshranjan
Collaborator Author

Yesterday I attended an event at IITACB. Got a chance to raise the question to Nandan Nilekani who was one of the speakers on digital public infrastructure. He said: "I understand your frustration", and "it's early days".

Got one connect with Bharat Fund who dropped his card to me and said he will get me some connects in NPCI. Have reached out to him on email about the same.

An Infosys strategic products team representative, another speaker, pointed me to go through cdpi.dev. They themselves have worked out various things for DPI government projects.

There were various panels who were exploring how IITs can work with others: government, businesses etc. Most businesses do vertical-based (arising from their needs) academic work with IIT profs. I asked them if they can do more horizontal work by funding/supporting (with connects) work like what this project is for - giving back to open source. I asked them to give back to open source. One of the businesses did realise how they use Linux for everything, and asked me to come through a reputed forum like IITACB.

Touched back with the NPCI connect I had got. He responded quickly saying team was busy with something. He will check with them.

@reeteshranjan
Collaborator Author

Talked today to Infosys SPT rep, who has been very helpful. He mentioned about implementing UPI outside country, and my point was "how would we do that?" if we are using this spec. Also mentioned the functional, security and on-ground issues blocking us. He concurred that we come to know where this spec is once we implement it, and now more has to be done.

He pointed me to get to Nandan through ekstep.org channel and also talk to iSPIRT as they have helped draft many DPI specs. A very genuinely helpful fellow he is.

Will be exploring further.

@reeteshranjan
Collaborator Author

I connected with iSPIRT. They have reached back, and I have a call set up with them next week Friday. This is the group that has worked on various standards including the UPI payment protocol, as mentioned on their website. Let's see how this goes.

@reeteshranjan
Collaborator Author

Discussion on call and email with iSPIRT is moving well. They have connected me to their volunteers to do further discussion on how to complete the spec definition. Fingers crossed.

@tata-pay

Any progress mate?

@kspoojary

Is there any update on this? We created current accounts with multiple banks and checked with them about the public and private key. But bank people do not know anything about this.

Was anyone able to use deep linking in an Android app? Please comment here with detailed steps 🙏

@reeteshranjan
Collaborator Author

It was a circle back. iSPIRT pointed me to Sanjay Jain, whom I met at IITACB event, and he gave me his card to get any help. I have reached out to him, and he said he'll see what he can do. I have pinged back every few weeks to him; but have not heard back anything.

@pratikjadhav12

any updates bro

@sureshramanujam
@reeteshranjan : If this was the case then when using upi_india plugin I wonder how the payments happened about 3-4 months back in 2024? I believe these mandates are introduced by NPCI from the year 2017.

@reeteshranjan
Collaborator Author

reeteshranjan commented Sep 9, 2024

Could anyone post a screen capture of what happens when Phone Pe opens and what error it displays? A screenshot of the error displayed by PhonePe should work, too.

I have got some more connects and currently I am working with one of my juniors in Phone Pe to understand/proceed further. Payment apps like Phone Pe get some SDK from NPCI that implements their part of the UPI transaction with banks. So error that PhonePe shows will help understanding the overall flow better.

My junior in PhonePe knows several folks in NPCI, so this investigation would help him narrow down whom in NPCI to connect for our specific issue.

@sureshramanujam @marutichintan @drenther @itsmesubham @pratikjadhav12 @kspoojary @tata-pay @efficientaman @nillastudios @Chanelle25meyer @vshanthamoorthi @bvivek77 @chetanjrao @pepsighan @itss-sid @venky9885 @Thathwagnu @rvharjinderbains @dhirajkadam27 @sravan1432 @ajesh123 @suyogbargule @vinayvishnu725 @bashadev21 @adityasreebysani @jatinyadav25 @mangeshsvk @manojsinghal2003 @yashwp @lzzy12 @AnandMG02 @prince-vishal @viveknimkarde @ngaurav @senthil88

@sureshramanujam

sureshramanujam commented Sep 9, 2024 via email

@reeteshranjan
Collaborator Author

reeteshranjan commented Sep 9, 2024

> Hi Reetesh, I can explain why things are not happening. After a few months of search, asking etc., I finally found that this won't happen, just because all UPI payments done to merchants by any UPI app are only treated as C2M payments (Customer to Merchant). For any C2M payments the Merchant must be registered to accept ONLINE payments. No UPI app is authorised to make any merchant as ONLINE. For example, if a merchant is registered as verified merchant on Google Pay Business, then GPay Business will issue a Merchant ID. Even in this case, GPay can only mark such registered merchants as OFFLINE. Meaning, customers can pay to these merchants only either by scanning their QR Code or pay to their phone number or pay to their VPA issued by GPay Business. The only solution to overcome this problem is to use a payment gateway. Payment Gateways are PSPs (Payment Service Providers) registered as Developers with NPCI. Only PSPs have the authorisation to mark merchants as ONLINE. Thus, INTENT payments can now be done to such merchants who are specifically marked as ONLINE (accepts OFFLINE also). Thanks, Suresh Ramanujam.


Hi Suresh, could you please list your source of info here? So we all can benefit?

I asked that because I see some sort of going off from the spec we are implementing, which handles merchant payments and gives us a way to behave as merchants etc. while invoking a UPI transaction; but without being a PSP, Payment app or a bank.

@SilurianYang

> Hi Reetesh, I can explain why things are not happening. After a few months of search, asking etc., I finally found that this won't happen, just because all UPI payments done to merchants by any UPI app are only treated as C2M payments (Customer to Merchant). For any C2M payments the Merchant must be registered to accept ONLINE payments. No UPI app is authorised to make any merchant as ONLINE. For example, if a merchant is registered as verified merchant on Google Pay Business, then GPay Business will issue a Merchant ID. Even in this case, GPay can only mark such registered merchants as OFFLINE. Meaning, customers can pay to these merchants only either by scanning their QR Code or pay to their phone number or pay to their VPA issued by GPay Business. The only solution to overcome this problem is to use a payment gateway. Payment Gateways are PSPs (Payment Service Providers) registered as Developers with NPCI. Only PSPs have the authorisation to mark merchants as ONLINE. Thus, INTENT payments can now be done to such merchants who are specifically marked as ONLINE (accepts OFFLINE also). Thanks, Suresh Ramanujam.


@reeteshranjan There is no way, neither MQR nor personal VPA can bypass the URL protocol wake-up method. This is a restriction order issued by NPCI, and PhonePE, GPay, and PayTM have all responded. But not long ago, I found that another protocol of PayTM supports wake-up support. I will analyze it here for you

paytmmp://cash_wallet?pa=test@upi&pn=&tn=353FW2M4NG5K1&am=100.00&cu=INR&mc=4468&url=&mode=02&purpose=00&orgid=159002&sign=dD1OyTQs4NIUQBVN==&featuretype=money_transfer

@amriteshfrommac

Hey @reeteshranjan, I am working on a project that requires UPI deep-linking in app and I am getting the same issue with all the UPI apps but able to pay successfully through bank UPI id to a non-merchant user. I don't know the reason for this, perhaps this signing of intent is required only for third party UPI apps like (Gpay, Paytm, etc.). Would this be of any help in researching about this issue?
