WhatsApp's New Payment Service Leverages NPCI's UPIBeta Test Offers Two-Factor Authentication
WhatsApp, the global messaging app that has more than 200 million monthly active users in India, has leveraged National Payment Corporation of India's Unified Payment Interface platform to launch its beta payment service that will allow users to send money to other WhatsApp users, excluding merchant accounts.
The WhatsApp payment service uses two-factor authentication. In addition to using UPI, which enables account holders of any bank to send and receive money from their smartphones with a single identifier, it offers options for a second factor. Those include the Aadhaar number - a 12-digit individual identification number issued by the Unique Identification Authority of India, serving as proof of identity and address anywhere in India; a mobile number; or a virtual payments address.
The initiative is supported by major Indian banks, including State Bank of India, ICICI Bank, HDFC Bank and Axis Bank and the beta version is made available to the users in India only for now.
Dr. N Rajendran, chief technology officer at NPCI, says the authentication mechanism for the new WhatsApp service is similar to the verification required on Google Tez, which allows users to send money to anyone with a bank account even if they don't have their app on their smartphone.
At the back end, Rajendran says, banks must connect to NPCI's UPI using their payment service provider system, which will interface with banks' core banking systems, banks' customers, authentication systems and fraud and risk management systems. Banks can integrate UPI with their mobile banking system, if they have one.
For banks, the biggest benefit of the WhatsApp system are single-click two-factor authentication for subsequent transactions along with a universal application for transactions that leverages existing infrastructure, Rajendran says.
Because the new WhatsApp offering is a UPI-based payment system, a chat window transfer can be made. For this, the user must connect a bank account with the UPI interface, says Bengaluru-based Ratan Jyoti, CISO of Ujjivan Bank. This is possible only if sender and receiver both have WhatsApp installed on their device, he explains.
WhatsApp Integration with UPI
WhatsApp payment can be accessed via the payments option in the settings page, Rajendran explains. Tapping on it opens the verification page, where users must furnish the mobile number linked to their bank account.
Using an application that customers download on their mobile phones, the UPI service is designed to handle WhatsApp transactions - third-party payments, sending and receiving money below Rs 1 lakh - with minimum clicks.
Those who have used UPI before don't have to link the bank account to the number again. However, they must verify with a one-time password and create a four-digit UPI PIN, which will be required for every transaction. Bank accounts linked to WhatsApp payment service will show on the payments page. Users can send money to a friend by opening a chat window, tapping on the paper clip icon followed by the payment button. This will take users to the payment page, where they must enter the amount they want to pay.
Users must then configure the feature by first verifying their phone number via SMS and choosing a bank. The option to send a payment is then available from the main WhatsApp interface, in the same area where users can share a photo, video, file, contact information or location in the chat session.
"This is indeed a hugely disruptive launch as WhatsApp is riding on the UPI railroad and hence, should be as secure as any other UPI transaction which follows industry security and compliance standards including PCI DSS 3.2, ISO 27001 and EMV," says Gurgoan-based Sriram Natarajan, COO and former chief risk officer at Quattro, a business process outsourcing company catering to the banking sector.
Securing Payment Transactions
Rajendran suggests security practitioners focus on the security of mobile apps and APIs and says they can leverage NPCI's library (which captures and stores the customer data) to securely capture user credentials, says Rajendran.
To leverage the new WhatsApp service, banks must implement changes in their core banking systems, reconciliation systems and authentication system, plus develop interfaces with risk management systems, customer grievance and mobile application functions, he adds.
"Since the mobile number is the key identity token for several applications, it will help banks expand their delivery channels beyond their own infrastructure," he says. "While banks also may develop the interface for large merchants for on-boarding them, the communication between NPCI and the messenger are through secured NPCINET [NPCI's intranet]. Banks can handle the security while communicating with their customers and storing customer information at their end."
The transaction model is based on the Open API architecture; the credentials are always captured on the consumer's device.
The authentication is established through multiple layers on the back end, including banks and/or third parties; multiple "addresses" from various mobile devices and other forms of biometric data that the user users on the mobile.
"The security requirement would be similar to UPI as banks need to establish a good monitoring systems to authenticate users, along with the end point security and user (customer) awareness will be key," Jyoti says.
As consumers start to use the new payment service, CISOs must be on the lookout for social engineering attacks, Natarajan warns.