image

How Does UPI Work Technically? The Full Payment Journey Explained 101

Every time you scan a QR code at a chai stall or split a dinner bill on PhonePe, a sophisticated sequence of events fires across multiple banks, servers, and security layers — all in under 10 seconds.

UPI — the Unified Payments Interface — is one of the most technically elegant payment systems ever built. Launched on April 11, 2016 by the National Payments Corporation of India (NPCI), it has grown from 2 crore transactions in its first year to over 24,162 crore transactions in FY 2025-26 — nearly 49% of the world’s entire real-time payment volume. By 2025, UPI was processing a daily average of 60 crore transactions with a success rate of 99.2%.

image

But what actually happens behind the scenes when you tap “Pay”? This guide breaks down the full technical journey — layer by layer, step by step.


What Is UPI? (Technical Definition)

UPI (Unified Payments Interface) is a real-time interbank payment protocol built on top of IMPS (Immediate Payment Service) infrastructure, regulated by the Reserve Bank of India (RBI) and operated by NPCI. It enables instant fund transfers between any two bank accounts in India using a smartphone — 24 hours a day, 365 days a year.

What makes UPI technically distinct from older systems:

  • It abstracts bank account details — users transact through a Virtual Payment Address (VPA), not account numbers or IFSC codes
  • It is interoperable — any UPI app (PhonePe, Google Pay, BHIM, Paytm) can send money to any other UPI app, on any bank
  • It settles in real time — not batch processing like NEFT; funds move instantly like IMPS but with far simpler UX
  • It is built on open APIs — NPCI publishes UPI APIs that banks and payment service providers integrate to participate in the network

The Four-Pillar Architecture of UPI

Before tracing the payment journey, you need to understand UPI’s four core participants. Every single transaction touches all four.

1. The User (Payer & Payee)

The person sending or receiving money. They interact with UPI through a mobile app — either a bank’s own UPI app or a Third-Party Application Provider (TPAP) like Google Pay or PhonePe.

2. Payment Service Provider (PSP)

The PSP is the bank or fintech entity that provides the UPI-enabled app. Every UPI app is backed by a PSP bank. For example:

  • Google Pay → Federal Bank / Axis Bank as PSP
  • PhonePe → Yes Bank as PSP
  • Paytm → Paytm Payments Bank as PSP

The PSP handles onboarding, VPA creation, and API communication with NPCI.

3. Banks (Remitter Bank + Beneficiary Bank)

There are two banks in every UPI transaction:

  • Remitter/Issuer Bank — the sender’s bank (where money is debited)
  • Beneficiary/Acquirer Bank — the receiver’s bank (where money is credited)

As of FY 2025-26, 703 banks are live on UPI — covering public sector, private, small finance, payment banks, and cooperative banks.

4. NPCI (The Central Switch)

NPCI is the nerve center of UPI. It acts as the central routing switch that:

  • Validates all transaction requests
  • Routes messages between the remitter bank and beneficiary bank
  • Maintains the VPA-to-account mapping registry
  • Enforces security, compliance, and settlement rules

Every single UPI transaction flows through the NPCI switch, regardless of which apps or banks are involved.


Step 0: UPI Onboarding — Before the First Payment

Before a user can make a UPI payment, a one-time onboarding process happens. Understanding this is essential to the full technical picture.

Step 0a — App Download & Mobile Number Verification The user downloads a UPI-enabled app and registers their mobile number. The app sends an SMS from the registered SIM to verify that the device + mobile number combination is authentic. This device binding is a critical security layer — it ties the UPI account to a specific physical device and number.

Step 0b — Bank Account Linking The app queries the user’s mobile number against NPCI’s mapper database to identify which bank(s) the number is registered with. The user selects their bank, and the app fetches the linked account(s) via a bank API call.

Step 0c — VPA Creation A Virtual Payment Address (VPA) — also called a UPI ID — is created. Format: username@bankname (e.g., anony@okaxis or merchant@ybl). This VPA is stored in NPCI’s central mapper. From this point on, no one needs to share their actual bank account number or IFSC to receive money.

Step 0d — UPI PIN Setup The user sets a 4-to-6 digit UPI PIN using their debit card’s last 6 digits + expiry date for authentication. This PIN is never stored by the app — it is encrypted end-to-end and used only to authorize transactions directly with the bank. The PSP never sees the PIN.


The Full UPI Payment Journey: Step by Step

Let’s trace a real payment: You pay ₹500 to a merchant at a local store using Google Pay.


Step 1: Initiating the Transaction (User Layer)

You open Google Pay, scan the merchant’s QR code (or enter their VPA manually). The app reads the QR code and extracts:

  • Merchant’s VPA
  • Merchant name
  • Amount (if preset) or you enter ₹500

You tap “Pay.” The Google Pay app (acting on behalf of its PSP bank) prepares a UPI payment request containing:

  • Payer VPA
  • Payee VPA
  • Transaction amount
  • Transaction reference number (TRN) — a unique ID generated by the app
  • Timestamp

Step 2: UPI PIN Authentication (Device + Bank Layer)

Before the request leaves your device, the app prompts for your UPI PIN. When you enter it:

  • The PIN is encrypted on-device using your bank’s public key (RSA encryption)
  • The encrypted PIN is bundled into the payment request
  • Your PIN never travels in plaintext — not to Google Pay’s servers, not to NPCI, only decryptable by your bank

This is one of UPI’s most important security design decisions: two-factor authentication built into every transaction (device possession + PIN knowledge).


Step 3: Request Reaches the PSP and NPCI Switch

The encrypted payment request travels from your app to Google Pay’s (PSP) servers, which forward it to the NPCI UPI switch via secure API.

NPCI performs the first layer of validation:

  • Is the payer VPA valid and active?
  • Is the payee VPA valid and active?
  • Is the transaction format correct?
  • Are daily/transaction limits within allowed thresholds?
  • Has this TRN been processed before? (duplicate detection)

If any check fails here, the transaction is rejected immediately without reaching either bank.


Step 4: NPCI Routes Request to the Remitter (Sender’s) Bank

Once NPCI validates the request, it routes it to your bank (the remitter bank) — in this case, whichever bank your linked account is in.

Your bank now performs:

  • PIN decryption — using its private key, it decrypts and verifies the UPI PIN
  • Account balance check — is ₹500 available?
  • Fraud check — is this transaction pattern suspicious?
  • Limit check — are you within your daily UPI transaction limit (default ₹1 lakh for P2P, higher limits for specific categories)?

If all checks pass, the bank:

  1. Debits ₹500 from your account (provisional hold)
  2. Sends an authorization confirmation back to NPCI

If the PIN is wrong, the transaction fails here. Multiple wrong PIN attempts can temporarily block UPI on your account (policy varies by bank).


Step 5: NPCI Routes to the Beneficiary (Receiver’s) Bank

With the debit authorized, NPCI routes the credit instruction to the merchant’s bank (the beneficiary/acquirer bank).

The merchant’s bank:

  • Receives the credit instruction from NPCI
  • Credits ₹500 to the merchant’s account
  • Sends a confirmation back to NPCI

Step 6: NPCI Confirms and Closes the Loop

NPCI receives confirmations from both banks — debit successful and credit successful. It:

  • Marks the transaction as complete
  • Generates a UPI Transaction Reference Number (UTR) — the unique identifier for this payment, useful for disputes
  • Sends success responses back to both the payer’s PSP (Google Pay) and the payee’s PSP (merchant’s UPI app)

Both apps receive the confirmation and display success screens. The entire journey — from you tapping Pay to seeing the green tick — takes under 10 seconds in standard conditions, and as fast as 2–3 seconds under optimal network conditions.

💡 Understanding payment infrastructure is critical for anyone building a digital business or marketing platform. Explore tools and guides for digital entrepreneurs at Finmaticx.


UPI Intent vs. UPI Collect: Two Payment Flows Explained

There are actually two distinct technical flows by which a UPI payment can be initiated. Understanding the difference matters for developers and merchants.

UPI Intent (Push Payment — App to App)

The most common flow in 2026. When you tap Pay on a merchant’s app, it deep-links directly into your UPI app with all payment details pre-filled. You authenticate with your PIN and the payment is complete.

  • Success rate: 92–95%
  • User experience: Frictionless — no typing, no switching apps
  • Mandatory on mobile under NPCI 2026 guidelines for Android apps and mobile web

UPI Collect (Pull Payment — Notification Based)

A legacy flow where the merchant sends a collect request to your VPA. You receive a notification in your UPI app, open it, review the request, and approve with your PIN.

  • Success rate: Lower — context switching leads to higher drop-off
  • Best for: Desktop web transactions where deep-linking to a phone app isn’t possible
  • Manual VPA entry restricted on mobile under NPCI guidelines effective February 2026

The data is clear: Intent flows deliver 10–15% higher success rates than Collect because they eliminate the notification latency and manual entry errors that kill conversions.


How QR Code Payments Work on UPI

QR codes are the dominant payment trigger for merchant payments (P2M) — P2M transactions now account for 63% of total UPI volume.

When a merchant generates a UPI QR code, it encodes:

  • The merchant’s VPA
  • Merchant name
  • Optional: pre-set amount
  • Optional: transaction note

When you scan it with any UPI app, the app decodes the QR, populates the payment form, and triggers a UPI Intent flow. The QR code itself contains no sensitive data — it’s simply a shortcut to initiate the payment address lookup.

As of 2025, 678 million QR codes have been deployed across India’s merchant ecosystem, making QR-based UPI the world’s most widely deployed contactless payment network.


UPI Settlement and Interbank Clearing

Real-time for users doesn’t mean real-time interbank settlement at the banking level. Here’s how the financial settlement actually works:

When you pay ₹500 and your bank debits you, the money doesn’t physically move to the merchant’s bank instantly at the banking layer. Instead:

  • NPCI maintains a multilateral net settlement — it aggregates all UPI transactions across the day
  • Banks exchange net positions with each other (how much each bank owes every other bank across all UPI transactions)
  • Settlement happens through RBI’s RTGS system — typically in multiple settlement cycles per day

From the user’s perspective, the credit is instant. From the banking back-end, it’s a netted, settled position across clearing cycles. This is how the system can handle 60+ crore transactions per day without the banking system collapsing under the weight of individual real-time wire transfers.


UPI Security Architecture: How Every Layer Is Protected

UPI’s security is multi-layered by design. Here’s each security mechanism and where it sits:

Device Binding (Registration Layer)
Your UPI account is bound to a specific device + SIM combination. Any attempt to use your VPA from a different device requires re-registration with OTP and PIN verification. This prevents remote account takeover.

End-to-End PIN Encryption (Authentication Layer)
Your UPI PIN is encrypted with your bank’s public key on-device before it leaves your phone. NPCI, the PSP, and any intermediate server cannot read it. Only your bank can decrypt it.

TLS 1.2+ Encryption (Transport Layer)
All API communication between the UPI app, PSP servers, NPCI, and banks runs over Transport Layer Security. Data in transit is encrypted.

Duplicate Transaction Detection (Transaction Layer)
Every transaction carries a unique reference number. NPCI’s switch checks this against a cache of recent transactions to prevent duplicate charges.

UPI PIN Never Stored (App Layer)
The PSP app (Google Pay, PhonePe, etc.) never stores your UPI PIN. It is entered, encrypted, and forwarded — nothing is retained at the app layer.

NPCI 2026 Updates (System Layer)
From August 2025, NPCI implemented: daily limits on balance enquiry and “list accounts” API calls, regulated processing windows for autopay mandates, and caps on certain API behaviors — all designed to reduce fraud surface area and improve system stability.

💡 Want to understand how digital payment systems like UPI connect to broader fintech and marketing intelligence? Read our guides on AI tools and digital strategy at Finmaticx.


UPI 2.0 Features: What Was Added

NPCI launched UPI 2.0 in August 2018, adding key capabilities that are now standard:

Signed Intent & Signed QR
Merchants can digitally sign their payment requests, allowing UPI apps to verify the merchant’s identity before the user sees the payment screen. This prevents QR code tampering attacks.

One-Time Mandate
Schedule a payment for a future date. The money is blocked (not debited) now and transferred at the specified time. Useful for IPO applications, advance bookings, and deferred payments.

Invoice in Inbox
Merchants can attach invoice details to a payment request, so users see exactly what they’re paying for before approving — reducing disputes.

Overdraft Account Linking
Users can link a pre-approved overdraft account to UPI, enabling credit-like functionality without a credit card.


UPI vs. IMPS vs. NEFT vs. RTGS: Technical Comparison

FeatureUPIIMPSNEFTRTGS
SettlementReal-timeReal-timeBatched (30 min)Real-time
Available24/724/724/724/7
Min Amount₹1₹1₹1₹2 lakh
Max Amount₹1–10 lakh (varies)₹5 lakhNo limitNo limit
IdentifierVPA / QRAccount + IFSCAccount + IFSCAccount + IFSC
Use CaseRetail, P2P, P2MP2P transfersBill payments, large transfersHigh-value corporate
Cost (P2P)FreeFree–₹5Free₹20–₹50

UPI’s key technical advantage over IMPS (which it’s built on) is the abstraction of bank details through VPA and the interoperability across all apps and banks through a single open standard.


UPI in 2026: Key Scale Numbers

These numbers matter because they validate UPI’s technical reliability at extraordinary scale:

  • 24,162 crore transactions processed in FY 2025-26
  • 703 banks live on UPI as of FY 2025-26
  • 99.2% transaction success rate
  • 60 crore daily average transactions in 2025
  • 49% of global real-time payment volume (IMF, June 2025)
  • 678 million QR codes deployed across India
  • 25 countries now using UPI technology
  • Transactions completing in under 15 seconds under 2026 backend optimization rules

💡 India’s UPI story is a masterclass in building scalable, interoperable digital infrastructure. For entrepreneurs and marketers building in this ecosystem, Finmaticx covers the tools, strategies, and intelligence you need to stay ahead.


Frequently Asked Questions: How UPI Works Technically

What is a VPA and how does UPI use it?
A VPA (Virtual Payment Address) is a unique payment identifier in the format username@bankname (e.g., john@okhdfcbank). UPI uses VPAs so users never need to share bank account numbers or IFSC codes. NPCI maintains a central registry that maps every VPA to its corresponding bank account, enabling real-time lookup and routing during transactions.

How does UPI authenticate a payment?
UPI uses two-factor authentication: device possession (your registered SIM and phone) and knowledge (your UPI PIN). The PIN is encrypted on-device with your bank’s public key before transmission, so it travels in encrypted form and is only decryptable by your bank. Neither the UPI app, PSP, nor NPCI can read your PIN.

What is the role of NPCI in a UPI transaction?
NPCI is the central switch and rule-enforcer for all UPI transactions. It validates payment requests, resolves VPAs to bank account identifiers, routes messages between the sender’s and receiver’s banks, detects duplicates, and manages the settlement instructions. Every UPI transaction passes through NPCI regardless of which apps or banks are involved.

How fast does a UPI payment settle?
From the user’s perspective, UPI payments settle in under 10 seconds — often 2–3 seconds under optimal conditions. Under NPCI’s 2026 backend optimization rules, most transactions complete within 15 seconds. At the interbank level, NPCI runs multilateral net settlement cycles through RBI’s RTGS system multiple times per day.

What is the difference between UPI Intent and UPI Collect?
UPI Intent is an app-to-app push payment where the merchant’s app deep-links directly into your UPI app with payment details pre-filled. UPI Collect is a pull payment where the merchant sends a request notification to your VPA that you approve manually. Intent has 92–95% success rates vs. lower rates for Collect, and is now mandatory for mobile app transactions under NPCI’s 2026 guidelines.

Is UPI safe? How is it secured?
Yes. UPI uses multiple security layers: device-SIM binding at registration, end-to-end PIN encryption, TLS transport encryption for all API calls, duplicate transaction detection, and the PSP never storing your PIN. From August 2025, NPCI added additional API rate limits and authentication framework upgrades to further reduce fraud risk.

What happens if a UPI payment fails?
If a payment fails after your account is debited, the amount is automatically reversed within a defined timeframe (typically within 24–48 hours per RBI guidelines, often faster). A failed transaction generates a UTR (UPI Transaction Reference) number that can be used to track the status and raise a dispute with your bank.

How does UPI work differently for merchants vs. individuals?
For individuals (P2P), UPI payments are completely free. For merchant transactions (P2M) above ₹2,000, a merchant discount rate (MDR) of 1.1% applies. Merchants access UPI through their acquiring bank, which provides a QR code or POS terminal. Merchant payouts from the beneficiary bank are processed per the bank’s own settlement cycles, though the UPI credit is instant.


Final Thoughts

UPI is not just a payment app — it is a national-scale financial protocol that has redefined what real-time money movement looks like. The elegance is in the layering: an open API standard (NPCI) + abstracted identity (VPA) + device-bound security (SIM + PIN) + real-time routing (IMPS rails) = a system that processes the equivalent of India’s entire GDP multiple times over every year.

For developers, understanding UPI’s architecture helps you build better integrations. For business owners, it clarifies why payment success rates vary and how to optimize checkout. For marketers and entrepreneurs, it is proof that well-designed digital infrastructure can transform an entire economy.

💡 Finmaticx covers fintech, AI tools, and digital marketing intelligence for entrepreneurs and marketers across India and the USA. Explore our full resource library here.

About the author

VAFX

View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *