Merchant payments (and potentially avoid issues seen with major payment apps)

[reeteshranjan]

Is your feature request related to a problem? Please describe.

1. Merchant payments: UPI deep linking specification, implemented by this package, is for merchant payments by design though individual to individual payments are supported by several apps on an ad-hoc basis. Work on this feature will add merchant payment support.
2. Security warning/errors on major apps: Discussion with Bank of Baroda UPI team reveals that several major payment apps are looking to avoid fraud on UPI by doing a strict check on authenticity of payments. This makes these issues appear more related to the lack of merchant signature in current version of the package. This is further seen in the following snippet from the UPI deep linking specification which is about how a UPI payment app should verify a UPI deep linking request (the ones made through this package)

Describe the solution you'd like

1. Mechanism in which users can create merchant signature themselves:
   1. Provide an API that would generate the UPI transaction request in the format specified in point 3 in section 1.3 of UPI deep linking specification towards signing by a package user app using their merchant private key.
   2. Provide an API that would accept the UPI transaction data and the signature created and will perform the UPI transaction
2. Provide an API that implements signing using the algorithm described in point 3 in section 1.3 (RSA512 and SHA256) for users that are OK with providing their private key and then performs the UPI transaction.

The API changes/additions should retain backward compatibility for non-merchant payments.

Describe alternatives you've considered

This aspect of the UPI deep linking specification has no alternatives.

Any example solutions

This feature is research based and is an attempt to implement part of the UPI deep linking specification not yet implemented. There is no example solution known.

Additional context

None

[reeteshranjan]

Expecting to close the work on this in September. Merchant bank account setup, required for the work, has been delayed for various reasons.

[vshanthamoorthi]

hi @reeteshranjan, looking for this feature as currently transfer is flagged as possible fraud transaction. so please let me know if some help needed.

[reeteshranjan]

hi @reeteshranjan, looking for this feature as currently transfer is flagged as possible fraud transaction. so please let me know if some help needed.

Thanks for the offer to help!

As of now my work on getting a merchant bank account setup is delayed. If you have one (a commercial current account with UPI keys setup), and you wish to provide details for me to be able to develop and test the functionality, please do so.

I am expecting to move my own merchant bank account setup to move this week; but nothing sure as of now.

[vshanthamoorthi]

I have commercial bank accounts and UPI is setup for the same through gpay. does this work? if yes, let me know at vshanthamoorthi at gmail.com

On Mon, Sep 13, 2021 at 2:31 PM Reetesh Ranjan @.***> wrote:

hi @reeteshranjan https://github.com/reeteshranjan, looking for this feature as currently transfer is flagged as possible fraud transaction. so please let me know if some help needed.

Thanks for the offer to help!

As of now my work on getting a merchant bank account setup is delayed. If you have one (a commercial current account with UPI keys setup), and you wish to provide details for me to be able to develop and test the functionality, please do so.

I am expecting to move my own merchant bank account setup to move this week; but nothing sure as of now.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/drenther/upi_pay/issues/38#issuecomment-917984791, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJPYSRZNF5AII37KFHARMJLUBW4XPANCNFSM5ACUAYOA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[Chanelle25meyer]

I have commercial bank accounts and UPI is setup for the same through gpay. does this work? if yes, let me know at vshanthamoorthi at gmail.com … On Mon, Sep 13, 2021 at 2:31 PM Reetesh Ranjan @.***> wrote: hi @reeteshranjan https://github.com/reeteshranjan, looking for this feature as currently transfer is flagged as possible fraud transaction. so please let me know if some help needed. Thanks for the offer to help! As of now my work on getting a merchant bank account setup is delayed. If you have one (a commercial current account with UPI keys setup), and you wish to provide details for me to be able to develop and test the functionality, please do so. I am expecting to move my own merchant bank account setup to move this week; but nothing sure as of now. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#38 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJPYSRZNF5AII37KFHARMJLUBW4XPANCNFSM5ACUAYOA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[reeteshranjan]

I have commercial bank accounts and UPI is setup for the same through gpay. does this work? if yes, let me know at vshanthamoorthi at gmail.com … On Mon, Sep 13, 2021 at 2:31 PM Reetesh Ranjan @.***> wrote: hi @reeteshranjan https://github.com/reeteshranjan, looking for this feature as currently transfer is flagged as possible fraud transaction. so please let me know if some help needed. Thanks for the offer to help! As of now my work on getting a merchant bank account setup is delayed. If you have one (a commercial current account with UPI keys setup), and you wish to provide details for me to be able to develop and test the functionality, please do so. I am expecting to move my own merchant bank account setup to move this week; but nothing sure as of now. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#38 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJPYSRZNF5AII37KFHARMJLUBW4XPANCNFSM5ACUAYOA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

Sorry, that does not help. It's not about linking your account to UPI. It's about creating merchant public and private keys, and installing the public key in the NPCI network through your bank.

[vshanthamoorthi]

@reeteshranjan ,

how is this feature support going?

I try to understand the key generation and installation NPCI network. PNB bank people does not aware of key installation and i also could not find any ways to generation of Keys.

So You should guide us as well with which bank support this so that it will be easy to use this. thanks in advance for your help.

[reeteshranjan]

@reeteshranjan ,

how is this feature support going?

I try to understand the key generation and installation NPCI network. PNB bank people does not aware of key installation and i also could not find any ways to generation of Keys.

So You should guide us as well with which bank support this so that it will be easy to use this. thanks in advance for your help.

Did not get the chance to move the work on this. Looking to get the work on the bank part going in next 2-3 weeks as of now.

As you figured out, it's not straightforward; but all we need is the right setup with one bank account. So far I have managed to talk with BOB and ICICI. ICICI team was very well informed and they were aggressive, and I was hoping I could get that going and complete the work on this feature with a merchant account with them. However; for business-specific reasons, the account with ICICI was not opened. In next 2-3 weeks, I'll be looking to work with few other banks I have scouted. With the huge number of banks having their UPI presence, I am trying to pick few based on how good their UPI payment apps are.

[vshanthamoorthi]

@reeteshranjan - any update? waiting for this support eagerly.

[reeteshranjan]

@reeteshranjan - any update? waiting for this support eagerly.

I got the time to follow up with SBI today. They are resolving my queries on email. I hope to provide some concrete information in a week's time.

[reeteshranjan]

SBI is too slow to respond. For a product I am working with, an HDFC bank account has been opened. They are good, aggressive and informed, like the case with the ICICI bank team. A discussion with them is underway.

[reeteshranjan]

This is moving too slow.

I ended up setting up a current account with HDFC bank. They promised that doing this should be easy including for iOS case where there is no response returned to the app. However; first they are trying to sell their own solutions that conveniently work for Android only, or the UPI collect payment method that can be implemented by PSPs/banks only, unlike what this package or the deep proximity linking method does, which basically allows anyone to add UPI payments into their apps.

I am following up with them to close it asap.

[bvivek77]

Is your feature request related to a problem? Please describe.

1. Merchant payments: UPI deep linking specification, implemented by this package, is for merchant payments by design though individual to individual payments are supported by several apps on an ad-hoc basis. Work on this feature will add merchant payment support.
2. Security warning/errors on major apps: Discussion with Bank of Baroda UPI team reveals that several major payment apps are looking to avoid fraud on UPI by doing a strict check on authenticity of payments. This makes these issues appear more related to the lack of merchant signature in current version of the package. This is further seen in the following snippet from the UPI deep linking specification which is about how a UPI payment app should verify a UPI deep linking request (the ones made through this package)

Describe the solution you'd like

1. Mechanism in which users can create merchant signature themselves:

   1. Provide an API that would generate the UPI transaction request in the format specified in point 3 in section 1.3 of UPI deep linking specification towards signing by a package user app using their merchant private key.
   2. Provide an API that would accept the UPI transaction data and the signature created and will perform the UPI transaction
2. Provide an API that implements signing using the algorithm described in point 3 in section 1.3 (RSA512 and SHA256) for users that are OK with providing their private key and then performs the UPI transaction.

The API changes/additions should retain backward compatibility for non-merchant payments.

Describe alternatives you've considered

This aspect of the UPI deep linking specification has no alternatives.

Any example solutions

This feature is research based and is an attempt to implement part of the UPI deep linking specification not yet implemented. There is no example solution known.

Additional context

None

This is moving too slow.

I ended up setting up a current account with HDFC bank. They promised that doing this should be easy including for iOS case where there is no response returned to the app. However; first they are trying to sell their own solutions that conveniently work for Android only, or the UPI collect payment method that can be implemented by PSPs/banks only, unlike what this package or the deep proximity linking method does, which basically allows anyone to add UPI payments into their apps.

I am following up with them to close it asap.

---

Today, I tried using BHIM QR code decoded to URL (as is supplied with signing key). Selected googlepay to pay and it passed through. Although, it started giving U16 error next time onwards...too buggy APIs

`

[reeteshranjan]

With no good progress with ICICI, HDFC, SBI and Bank of Baroda, I have initiated this thread with official NPCI handles on Twitter https://twitter.com/reeteshr08/status/1488746633068089345

[reeteshranjan]

I have received a response from UPI NPCI handle on twitter to explain concerns. Have initiated discussion with them.

[vshanthamoorthi]

Thanks for your effort to get this addressed. This is really required for Apps to support UPI transfers directly from Apps without a third party payment gateway. your help is really appreciated.

On Wed, Feb 2, 2022 at 9:03 PM Reetesh Ranjan @.***> wrote:

I have received a response from UPI NPCI handle on twitter to explain concerns. Have initiated discussion with them.

— Reply to this email directly, view it on GitHub https://github.com/drenther/upi_pay/issues/38#issuecomment-1028062343, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJPYSR3IFN4KVIQRGHFVAITUZFFEBANCNFSM5ACUAYOA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you are subscribed to this thread.Message ID: @.***>

[reeteshranjan]

Responses from UPI handle were underwhelming and indifferent so far.

[reeteshranjan]

Appeal to everyone: could you please respond to my twitter thread with UPI and NPCI handles included in your response asking how this issue must be solved and how it helps you? https://twitter.com/reeteshr08/status/1488746633068089345

@drenther @bvivek77 @vshanthamoorthi @Chanelle25meyer

[reeteshranjan]

I am getting further response from the UPI twitter handle and looking to work out a mechanism to get banks to comply through the UPI system, so developers like us do not have to waste their time convincing banks to support. For example, I should have a UPI portal page to submit my bank account and public key and then it's the corresponding bank's business to include that by compliance, say within 1 week.

Also, for the iOS part being incomplete, the response being hackable etc. I am looking to provide changes in the specification directly to UPI team, rather than finding workarounds like we are forced to do so far.

For all this, trying to get connect with their team. Need all the luck so wish me!

[drenther]

@reeteshranjan absolute legend of a man. 👍👍

[vshanthamoorthi]

You are absolutely correct bro. It's UPI teams responsibility, it should be in a central place so that it's easy for anyone to submit the request.

All the very best for taking up this.

thanks, Shan

On Sat, Feb 5, 2022 at 3:01 PM Reetesh Ranjan @.***> wrote:

I am getting further response from the UPI twitter handle and looking to work out a mechanism to get banks to comply through the UPI system, so developers like us do not have to waste their time convincing banks to support. For example, I should have a UPI portal page to submit my bank account and public key and the it's the corresponding bank's business to include that by compliance, say within 1 week.

Also, for the iOS part being incomplete, the response being hackable etc. I am looking to provide changes in the specification to them directly to UPI team, rather than finding workarounds.

For all this, trying to get connect with their team. Need all the luck so wish me!

— Reply to this email directly, view it on GitHub https://github.com/drenther/upi_pay/issues/38#issuecomment-1030588609, or unsubscribe https://github.com/notifications/unsubscribe-auth/AJPYSRYKQHBHSBTOA4NU7VTUZTU6PANCNFSM5ACUAYOA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you were mentioned.Message ID: @.***>

[reeteshranjan]

Thanks! Please review this draft that I am looking to propose to NPCI: https://docs.google.com/document/d/1XRtD63Dyv1g1UpaYlfTzPLi5DUWYarVDPTw1HpRvqb0/edit?usp=sharing. Please help me complete a review by next weekend.

[reeteshranjan]

Also do share a gmail or google business ID if you want to propose edits to this draft. Share it here or send to reeteshranjan@piaxis.tech

[venky9885]

Same Issue Transactions failing Reason shown : Limits exceeded

UPI_INDIA_FINAL_RESPONSE: txnId=YBLa8a6c8e566b24da4a4ea87f286012e78&txnRef=1603435405&Status=Failed&responseCode=01 I/flutter (30426): Transaction Failed

[chetanjrao]

Hi @reeteshranjan. Any updates on this?

[reeteshranjan]

Hi @reeteshranjan. Any updates on this?

I did not get proper closure from the UPI twitter handle. It's run for limited support/PR, and the responses eventually ended up being unhelpful. The work on the draft mentioned above could not be closed due to limited time. In case you want to contribute completing the draft, please let me know your gmail or google suite based email.

[reeteshranjan]

I saw an email notification for a comment from @chetanjrao that is probably now deleted. Putting it here for sake of information and discussion:

"Not sure if this would be of any help, all payments work on GPay by passing &mode=02 while starting the intent. All other apps fail only just for Merchant QR Codes (The ones that are kept in the local stores). Would like to connect to discuss more on this."

As per the UPI standard, mode=02 is for merchant QR codes, so using that for default payment transactions will be a hacky kind of approach. My personal opinion is to not take that path. Would like to hear from across repo owners and users more on this.

[reeteshranjan]

I would also like to explore more on the mode, which I have personally not done so far. Has anyone tried mode 04 and 05? I saw the examples on merchant signature (for merchant initiated payments) in the UPI standard and they are for mode 05 (Secure Intent). So does this mean mode 04 (Intent), will work without the signature, and is a potentially better alternative to mode 00 (Default Transaction)?

[chetanjrao]

I would also like to explore more on the mode, which I have personally not done so far. Has anyone tried mode 04 and 05? I saw the examples on merchant signature (for merchant initiated payments) in the UPI standard and they are for mode 05 (Secure Intent). So does this mean mode 04 (Intent), will work without the signature, and is a potentially better alternative to mode 00 (Default Transaction)?

No, I have tried all modes and combinations. It keeps failing. All SDKs consider the API initiator as a merchant, followed up by the assigned merchant id, and generate a signed URL for that specific payment. I don't see any documentation where we can create a signed URL for other merchants and create signed intents on their behalf

[chetanjrao]

There is no such parameter called Merchant VPA or UPI, in any of these SDKs. Any tampering of URI will obviously fail the transaction due to signature mismatch

[marutichintan]

I have tested all the merchant for pay using intent, but almost all failed with Security Error or Other Error, Only 1 Merchant is working for me is phonepe business. you can try upigateway.com it uses your phonepe business staff account to verify the payment.

[nillastudios]

mode=02 works on gpay but not on any other app. I really think they must stop this public key/private key nonsense and actually make these developer friendly. This way we can develop great softwares.

Should we make a proposal that UPI DPLI must work with any VPA, that way I can even send DL to my friend to get my money back. I don't see what kind of fraud they are trying to avoid

[nillastudios]

Thanks! Please review this draft that I am looking to propose to NPCI: https://docs.google.com/document/d/1XRtD63Dyv1g1UpaYlfTzPLi5DUWYarVDPTw1HpRvqb0/edit?usp=sharing. Please help me complete a review by next weekend.

BTW any updates?

[reeteshranjan]

Thanks! Please review this draft that I am looking to propose to NPCI: https://docs.google.com/document/d/1XRtD63Dyv1g1UpaYlfTzPLi5DUWYarVDPTw1HpRvqb0/edit?usp=sharing. Please help me complete a review by next weekend.

BTW any updates?

I have been trying to connect on twitter on posts that are UPI updates from authorities/leaders in the NPCI domain. Today I have tried to get attention on a post from Nandan Nilekani. If you wish to, please add your comments on this: https://twitter.com/reeteshr08/status/1572705381645950977 @drenther @marutichintan @bvivek77 @chetanjrao @nillastudios @vshanthamoorthi @venky9885 @Chanelle25meyer @chetanjrao @pepsighan @masterashu

[reeteshranjan]

mode=02 works on gpay but not on any other app. I really think they must stop this public key/private key nonsense and actually make these developer friendly. This way we can develop great softwares.

Should we make a proposal that UPI DPLI must work with any VPA, that way I can even send DL to my friend to get my money back. I don't see what kind of fraud they are trying to avoid

Do not agree with removing layers of security. The effort should be to make the public key work easy e.g. just upload on a some NPCI/UPI government portal and it automatically gets uploaded to the system without having to break one's head with opportunist banks' sales teams.

[drenther]

mode=02 works on gpay but not on any other app. I really think they must stop this public key/private key nonsense and actually make these developer friendly. This way we can develop great softwares.

Should we make a proposal that UPI DPLI must work with any VPA, that way I can even send DL to my friend to get my money back. I don't see what kind of fraud they are trying to avoid

Do not agree with removing layers of security. The effort should be to make the public key work easy e.g. just upload on a some NPCI/UPI government portal and it automatically gets uploaded to the system without having to break one's head with opportunist banks' sales teams.

Agree with @reeteshranjan on the point here

[reeteshranjan]

The benefit of 0 transaction fee with this standard and no implication of future/current charges when using payment gateways or bank solutions is, in my mind, lucrative for frameworks like ONDC. ONDC has buyer and seller apps. I was exploring building a buyer app and what I can see is that all layers of ONDC (buyer app, seller app, ONDC gateway) are IT systems/tools and they need to factor their operations cost in per transaction margins. Reducing these margins are key to ONDC' success, and hence this UPI standard can become a way to reduce margin overheads like payment transaction charge.

I have connected with many folks listed on LinkedIn as working for ONDC and have pitched this along with the UPI standard spec doc that is implemented and what this package is already capable of. There was interest and quick response. Discussions ongoing. Hopefully, this can move as a cog in the wheel for ONDC.

Twitter reach outs did not go anywhere so far. Both UPI and NPCI handles are good for simple PR only, not for deep tech discussions. At least it seems so with my experience.

[reeteshranjan]

Responses from ONDC fizzled out. ONDC folks seem to have a framework-only mindset, at least those who responded. They did not see how the above practical issue can use this standard.

Connected with NPCI employees listed on LinkedIn. This reach out seems to be going better. I guess they relate to this more. Connected with folks in product/innovation. Two positive responses so far about taking the discussion forward.

[reeteshranjan]

Responses from ONDC fizzled out. ONDC folks seem to have a framework-only mindset, at least those who responded. They did not see how the above practical issue can use this standard.

Connected with NPCI employees listed on LinkedIn. This reach out seems to be going better. I guess they relate to this more. Connected with folks in product/innovation. Two positive responses so far about taking the discussion forward.

Update: I have got very quick and interested NPCI phone call connect. Call tomorrow. Does anyone want to join the call? Reach out to reeteshranjan@piaxis.tech with your number. I'll join those interested on conf call.

If you have understood the core issues of the standard we are trying to deal with in this ticket, then joining the call makes sense. The call won't be about anything outside the spec and its issues.

[reeteshranjan]

Had a very good initial call with someone in NPCI. He will connect me to the folks working on deep linking and proximity integration.

[reeteshranjan]

Got a notification from the person I talked to inside NPCI. He says that the team is looking into it and will take time.

[itss-sid]

Got a notification from the person I talked to inside NPCI. He says that the team is looking into it and will take time.

Any update?

[itsmesubham]

Now that the payment gateways are not onboarding new customers, do we have any path on this? @reeteshranjan, I have everything but the signatures.

[reeteshranjan]

For various reasons, none of the different channels are moving anywhere so far.

One of my friends who handles legal work has advised to use https://en.wikipedia.org/wiki/Mandamus to get a high court order to make the bank comply with installing the public keys. The basis is that once there is a government specification that says that the bank has to install public keys (we have the public draft that mentions that), the bank cannot refuse as per this high court process.

I am tempted to take it up; however, my earlier relationship with HDFC in form of a current account will be over shortly and would be opening a current account with another bank within a month. I would be working with them from the beginning about this and see if the above process is even required, or just its mention will be enough.

[itsmesubham]

Sad lets do it, This would be a blessing and encourage a lot of people to start up, I hate the fact that I can bypass this payment gateways but still cant.

[efficientaman]

I was really looking forward to using the upi_pay package to bypass all these payment gateways but going by this thread, is there any possibility of doing that by July 2023?

[drenther]

I was really looking forward to using the upi_pay package to bypass all these payment gateways but going by this thread, is there any possibility of doing that by July 2023?

Not likely

[itsmesubham]

On Tue, 13 Jun 2023 at 1:12 PM, Soumyajit Pathak @.***> wrote:

I was really looking forward to using the upi_pay package to bypass all these payment gateways but going by this thread, is there any possibility of doing that by July 2023?

Not likely

— Reply to this email directly, view it on GitHub https://github.com/drenther/upi_pay/issues/38#issuecomment-1588728260, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADUZZ3OYNKPJ2BR7NHKTNLLXLAKYFANCNFSM5ACUAYOA . You are receiving this because you commented.Message ID: @.***>

I am using phonepe payment gateway just to create a upi intent have to pay them 1.8%

[drenther]

None of the banks or the payment apps are incentivised to make it open for OSS implementations like us to work with it. Even though NPCI's original spec is fairly open. None of that is enforced strictly. That's the gist of it basically.

[reeteshranjan]

Yesterday I attended an event at IITACB. Got a chance to raise the question to Nandan Nilekani who was one of the speakers on digital public infrastructure. He said: "I understand your frustration", and "it's early days".

Got one connect with Bharat Fund who dropped his card to me and said he will get me some connects in NPCI. Have reached out to him on email about the same.

An Infosys strategic products team representative, another speaker, pointed me to go through cdpi.dev. They themselves have worked out various things for DPI government projects.

There were various panels who were exploring how IITs can work with others: government, businesses etc. Most businesses do vertical-based (arising from their needs) academic work with IIT profs. I asked them if they can do more horizontal work by funding/supporting (with connects) work like what this project is for - giving back to open source. I asked them to give back to open source. One of the businesses did realise how they use Linux for everything, and asked me to come through a reputed forum like IITACB.

Touched back with the NPCI connect I had got. He responded quickly saying team was busy with something. He will check with them.