drenther / upi_pay

Flutter plugin for UPI (Only in India)
MIT License

Merchant payments (and potentially avoid issues seen with major payment apps) #38

Open reeteshranjan opened 3 years ago

reeteshranjan commented 3 years ago

Is your feature request related to a problem? Please describe.

  1. Merchant payments: The UPI deep linking specification, implemented by this package, is for merchant payments by design, though individual-to-individual payments are supported by several apps on an ad-hoc basis. Work on this feature will add merchant payment support.
  2. Security warnings/errors on major apps: Discussion with the Bank of Baroda UPI team reveals that several major payment apps are looking to avoid fraud on UPI by doing a strict check on the authenticity of payments. This makes these issues appear more related to the lack of a merchant signature in the current version of the package. This is further seen in the following snippet from the UPI deep linking specification, which is about how a UPI payment app should verify a UPI deep linking request (the ones made through this package):

[Screenshot taken 2021-07-09 at 5:14:47 PM: excerpt from the UPI deep linking specification on verifying a deep linking request]

Describe the solution you'd like

  1. Mechanism in which users can create the merchant signature themselves:
    1. Provide an API that would generate the UPI transaction request in the format specified in point 3 in section 1.3 of the UPI deep linking specification, for signing by the package user's app using their merchant private key.
    2. Provide an API that would accept the UPI transaction data and the signature created, and will perform the UPI transaction.
  2. Provide an API that implements signing using the algorithm described in point 3 in section 1.3 (RSA512 and SHA256) for users that are OK with providing their private key, and then performs the UPI transaction.

The API changes/additions should retain backward compatibility for non-merchant payments.

Describe alternatives you've considered

This aspect of the UPI deep linking specification has no alternatives.

Any example solutions

This feature is research based and is an attempt to implement part of the UPI deep linking specification not yet implemented. There is no example solution known.

Additional context

None
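
As an added illustration of the two-step design proposed above (build the request, sign it outside the package, then hand the signed request back), here is a Python sketch that is not part of upi_pay and not taken from the specification. The canonical string to be signed (parameters joined as key=value pairs, `sign` excluded), the key size, and the sample parameter values are assumptions for the demo; the real canonical form is the one in section 1.3 of the spec, and a real merchant key stays in the merchant's keystore.

```python
from base64 import b64decode, b64encode
from urllib.parse import urlencode

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# ASSUMPTION: the data to sign is the request's query parameters, minus "sign",
# joined as key=value pairs in the order supplied. The real canonical form is
# the one given in section 1.3 of the UPI deep linking specification; this
# example does not reproduce it, it only shows where it plugs in.
def build_request(params: dict) -> str:
    """Step 1 API: return the exact string the merchant must sign."""
    if "sign" in params:
        raise ValueError("'sign' is the output of signing, not part of the signed data")
    return "&".join(f"{k}={v}" for k, v in params.items())

def generate_merchant_key(bits: int = 2048):
    """Constructed demo key; a real merchant key lives in the merchant's keystore/HSM."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)

def sign_request(to_sign: str, private_key) -> str:
    """Optional step: SHA-256 with RSA (PKCS#1 v1.5) signature, base64 encoded."""
    sig = private_key.sign(to_sign.encode(), padding.PKCS1v15(), hashes.SHA256())
    return b64encode(sig).decode()

def verify_request(to_sign: str, sign_b64: str, public_key) -> bool:
    """What a payer app does with the merchant's registered public key."""
    try:
        public_key.verify(b64decode(sign_b64), to_sign.encode(),
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def build_upi_url(params: dict, sign_b64: str) -> str:
    """Step 2 API: attach the externally produced signature and form the intent URL."""
    return "upi://pay?" + urlencode({**params, "sign": sign_b64})

def demo() -> dict:
    # Constructed sample: payee VPA, payee name, merchant reference, amount, currency, MCC.
    params = {"pa": "merchant@bank", "pn": "Example Store", "tr": "ORDER123",
              "am": "10.00", "cu": "INR", "mc": "5411"}
    key = generate_merchant_key()
    to_sign = build_request(params)
    sig = sign_request(to_sign, key)
    # A verifying payer app must reject a request whose amount was altered after signing.
    tampered = build_request({**params, "am": "1000.00"})
    return {"url": build_upi_url(params, sig),
            "valid": verify_request(to_sign, sig, key.public_key()),
            "tampered_valid": verify_request(tampered, sig, key.public_key())}
```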

reeteshranjan commented 1 year ago

Talked today to the Infosys SPT rep, who has been very helpful. He mentioned implementing UPI outside the country, and my point was "how would we do that?" if we are using this spec. I also mentioned the functional, security and on-ground issues blocking us. He concurred that we come to know where this spec is once we implement it, and now more has to be done.

He pointed me to get to Nandan through ekstep.org channel and also talk to iSPIRT as they have helped draft many DPI specs. A very genuinely helpful fellow he is.

Will be exploring further.

reeteshranjan commented 12 months ago

I connected with iSPIRT. They have reached back and have a call set up with them next week Friday. This is the group that has worked on various standards including the UPI payment protocol, as mentioned on their website. Let's see how this goes.

reeteshranjan commented 11 months ago

Discussion on call and email with iSPIRT is moving well. They have connected me to their volunteers to do further discussion on how to complete the spec definition. Fingers crossed.

tata-pay commented 8 months ago

Any progress mate?

kspoojary commented 7 months ago

Is there any update on this? We created current accounts with multiple banks and checked with them about the public and private key. But the bank people do not know anything about this.

Was anyone able to use deep linking in an Android app? Please comment here with detailed steps 🙏

reeteshranjan commented 5 months ago

It was a circle back. iSPIRT pointed me to Sanjay Jain, whom I met at an IITACB event, and he gave me his card to get any help. I have reached out to him, and he said he'll see what he can do. I have pinged him every few weeks, but have not heard anything back.

pratikjadhav12 commented 4 months ago

Any updates, bro?

sureshramanujam commented 2 months ago

@reeteshranjan: If this was the case, then I wonder how the payments happened when using the upi_india plugin about 3-4 months back in 2024? I believe these mandates were introduced by NPCI from the year 2017.

reeteshranjan commented 1 week ago

Could anyone post a screen capture of what happens when Phone Pe opens and what error it displays? A screenshot of the error displayed by PhonePe should work, too.

I have got some more connects and currently I am working with one of my juniors in PhonePe to understand/proceed further. Payment apps like PhonePe get some SDK from NPCI that implements their part of the UPI transaction with banks. So the error that PhonePe shows will help in understanding the overall flow better.

My junior in PhonePe knows several folks in NPCI, so this investigation would help him narrow down whom in NPCI to connect for our specific issue.

@sureshramanujam @marutichintan @drenther @itsmesubham @pratikjadhav12 @kspoojary @tata-pay @efficientaman @nillastudios @Chanelle25meyer @vshanthamoorthi @bvivek77 @chetanjrao @pepsighan @itss-sid @venky9885 @Thathwagnu @rvharjinderbains @dhirajkadam27 @sravan1432 @ajesh123 @suyogbargule @vinayvishnu725 @bashadev21 @adityasreebysani @jatinyadav25 @mangeshsvk @manojsinghal2003 @yashwp @lzzy12 @AnandMG02 @prince-vishal @viveknimkarde @ngaurav @senthil88

sureshramanujam commented 1 week ago

Hi Reetesh, I can explain why things are not happening.

After a few months of search, asking etc., I finally found that this won't happen, just because all UPI payments done to merchants by any UPI app are only treated as C2M payments (Customer to Merchant). For any C2M payment the merchant must be registered to accept ONLINE payments. No UPI app is authorised to mark any merchant as ONLINE.

For example, if a merchant is registered as verified merchant on Google Pay Business, then GPay Business will issue a Merchant ID. Even in this case, GPay can only mark such registered merchants as OFFLINE. Meaning, customers can pay to these merchants only either by scanning their QR Code or pay to their phone number or pay to their VPA issued by GPay Business.

The only solution to overcome this problem is to use a payment gateway. Payment gateways are PSPs (Payment Service Providers) registered as developers with NPCI. Only PSPs have the authorisation to mark merchants as ONLINE. Thus, INTENT payments can now be done to such merchants who are specifically marked as ONLINE (they accept OFFLINE also).

Thanks, Suresh Ramanujam.

On Mon, Sep 9, 2024, 12:11 Reetesh Ranjan wrote:

Could anyone post a screen capture of what happens when Phone Pe opens and what error it displays?

I have got some more connects and currently I am working with one of my juniors in Phone Pe to understand/proceed further. Payment apps like Phone Pe get some SDK from NPCI that implements their part of the UPI transaction with banks. So error that PhonePe shows will help understanding the overall flow better.


reeteshranjan commented 1 week ago

Hi Suresh, could you please list your source of info here, so we all can benefit?

I ask that because this seems to go somewhat off from the spec we are implementing, which handles merchant payments and gives us a way to behave as merchants etc. while invoking a UPI transaction, but without being a PSP, payment app or bank.