Everything You Should Know About Facebook’s Libra


With so much buzz about Facebook’s Libra all over the internet, we wanted to make things easier for you. We did a ton of research on the newest innovation, so you don’t have to!

Let’s jump right in.

A couple of years ago, Mark Zuckerberg hinted at his interest in cryptocurrencies in an interview, in the subtlest manner. It seems he was earnest about exploring opportunities in the financial services industry.

Facebook has now revealed Libra, a cryptocurrency, along with a consortium of 27 partner companies and associations. Libra was conceptualised around a mission: to enable a simple global currency and financial infrastructure that empowers billions of people.

Let’s slow down and understand what the deal is all about.

What is Libra, exactly?

Facebook’s Libra is not just a cryptocurrency. It is pitched as a “reliable digital currency” that delivers “the internet of money” on an efficient infrastructure, one that can be sent to any part of the world for a minimal fee.

How is Libra any different from all the other cryptocurrencies out there? 

We thought you’d wonder. 

Since we’re all familiar with Bitcoin, let’s understand the whats and hows of Libra by contrasting the two.

Although built on a blockchain like Bitcoin, Libra aims to have a stable value: it is backed by a reserve of several fiat currencies.

And unlike Bitcoin, which is open and permissionless, Libra will not be. No bank issues or manages Bitcoin; you can pretty much download a crypto wallet and get going. Libra, by contrast, is digital money with the traits of fiat money, issued against a reserve of real-world assets.

Libra is also not as decentralised as other cryptocurrencies. Bitcoin’s software is open source, and anyone can download it and run a node. Libra’s validator nodes, on the other hand, are to be run by a fixed set of association members rather than by anyone who cares to join: multiple central nodes controlled by a limited group of stakeholders, rather than a single one.

Bitcoin’s security comes from its decentralised nature: with mining spread across thousands of independent operators, rewriting its transaction history would require controlling a majority of the network’s computing power, which is why it is often described as one of the most secure computer networks ever built. Libra’s smaller, permissioned set of validators changes the trust model. Fewer operators need to be compromised, coerced or colluding to affect the network, and that is the security trade-off to keep an eye on.

So, what’s the idea behind Libra anyway?

Libra is all about making financial services accessible to everyone, irrespective of geography or financial background. The Libra white paper points out that people with less money end up paying proportionally more for financial services, and that this should not go unaddressed.

With the belief that low-cost money movement creates better economic opportunities, Libra is to charge only a very small fee per transaction.

Libra is also conceptualised to advance financial inclusion, ethical conduct, and the integrity of the ecosystem.

How does Libra work?

Let’s talk a little about the flow of events. 

Imagine you buy Libra. What happens next?

The money you pay in goes into the Libra Reserve, which holds bank deposits and short-term government securities in several currencies. Every Libra in circulation is backed by an equivalent value in the reserve, which is what keeps its value stable against currencies like the dollar or the euro.

Why so?

Because the reserve earns interest on those holdings, and that interest is used to cover the system’s operating costs and to pay returns to the initial investors in the cryptocurrency.

Again, comparing with Bitcoin: there is no cap on the number of Libra, since coins are created whenever money enters the reserve and destroyed when it leaves, whereas Bitcoin has a hard upper limit of 21 million. Creating Libra is also not laborious. Bitcoin is “mined” through proof-of-work computation that consumes a lot of electricity, while Libra is not mined at all.

If Libra works the way it’s told to work, we should all be able to send it to any business on a global scale. 

The best part is, you can also convert Libra back to your preferred currency. Calibra, Facebook’s wallet, converts Libra at the current exchange rate and lets you transfer the money to a bank account.

What can you use Libra for?

Libra is built so that any organisation can accept the coin and build a wallet on top of it. So, Libra is not limited to Facebook. The cryptocurrency is intended for all of Facebook’s users (about 2.7 billion across its apps, including Messenger).

Libra can be used for multiple purposes. Since the partnership branches out to Uber, Spotify and more, it’s expected that you will be able to buy services from partner businesses with Libra. You will also be able to pay for Facebook ads using Libra.

Facebook also went about setting up Calibra, a subsidiary. This is going to make Libra accessible to all users. The idea is to expand and build more financial services as a layer on Libra. 

You can set up a Libra wallet from anywhere in the world by providing proof of identity. The only setback will be in regions that restrict the use of social networks.

Libra is slated to go live worldwide in 2020.

How do things look for Libra in India?

We all know about the crypto ban in the country, and about the draft law that proposes a 10-year jail term for holding, selling or dealing in cryptocurrency. This could mean that Libra never makes an entry into the Indian financial services landscape.

Considering that India is also moving towards a fintech revolution, Libra setting up shop in the country could do more good than bad. This is particularly attractive for Facebook, since Indians are heavy users of Facebook and WhatsApp.

Facebook’s reputation is a concern, though. The company has a track record of failing to safeguard its users’ information as well as it could have, and when it’s money we’re dealing with, security concerns simply cannot be sidelined.

Speaking of security, Libra is not as decentralised as a cryptocurrency usually is. That can be read as a weakness, or it can help Libra present itself as “not a cryptocurrency, but like one” and find a way into the Indian market.

Let’s say Libra does enter Indian fintech. What could possibly happen? If you think about it, Libra can compete with our favourite, UPI. Since UPI, digital payments have become easier than ever, mobile payments have had a breakthrough, and the country has moved a step ahead in its fintech journey. Libra could give UPI a run for its money.

Libra could also become one of the prominent methods of online transactions since payment solution companies will also come forth to support the same.

We’ve talked about UPI contributions from various cities and states of the country. Now, let’s talk about rural areas. From our previous report, we know where tier-3 cities stand with UPI. But can we all agree upon the fact that tier-3 cities have WhatsApp and Facebook users? Of course.

If people in these areas aren’t really catching on to UPI, could it be that, since they already have WhatsApp or Facebook, they’re a step closer to financial inclusion?

Maybe.


Online Payment Fraud: What Is It and How Razorpay Prevents It


This is the second blog in our series on online security and fraud prevention. To understand more about online safety (how to distinguish between a secure and non-secure website, how to ensure you are making a secure payment) read the first part here. To understand how online payment fraud occurs and the steps to prevent it, read on!


There is a reason why banks put up disclaimers announcing that their employees do not ask you for sensitive data, or that you should never reveal details like your OTP to an unknown person.

Online payment fraud is a reality of the internet age we live in, and the numbers are only set to increase with growing digital adoption in India. According to a study by the credit information company Experian and the International Data Corp (IDC), the fraud risk in India is currently pegged at 8.1 points, second only to Indonesia (8.7 points) and significantly higher than the Asia Pacific average of 5.5 points.

A 2016 consumer study conducted by ACI Worldwide places India fifth in total card fraud rates, behind Mexico, Brazil, the United States and Australia.

As they say, the best weapon against any problem is education; so let’s begin by understanding the different types of payment frauds that occur in India and how online sites and payment gateways like Razorpay prevent it.

Online Payment Fraud: The Different Types

The most common types of online fraud occur via phishing or spoofing, data theft, and chargeback or friendly fraud. We have explained these in detail below.

Online Phishing or Spoofing

Phishing is the practice of stealing personal information, such as usernames, passwords, card numbers or bank account numbers, through fraudulent emails or websites that impersonate legitimate ones.

The most common form is a link (in an email or SMS) that takes you to an “official-looking” website where you are asked to update or confirm your personal details. You end up handing over information you would never reveal to a stranger.

Phishing also arrives over SMS (“smishing”), instant messaging and phone calls (“vishing”). You can be redirected to make a payment on a site that looks legitimate but was built only to capture your card details for later use.

According to reports, India is the third-most targeted country for phishing attacks, after the US and Russia.
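As an added example (not Razorpay’s code, and not part of the original post), here is the check a practitioner would run on a payment link before trusting it: it extracts the real host, ignores anything before an “@”, rejects punycode hosts, and compares the registrable domain against an allowlist of genuine brand domains. The brand list, the tiny public-suffix table and the homoglyph map are assumptions made for the example; real code should use the full Public Suffix List.

```python
"""Lookalike-URL check for payment links (added example, not Razorpay code)."""
from urllib.parse import urlsplit

# Assumption: the brands we expect to see, each with its genuine registrable domain(s).
ALLOWED_DOMAINS = {
    "razorpay": {"razorpay.com", "razorpay.in"},
    "hdfcbank": {"hdfcbank.com"},
}
# Assumption: a tiny public-suffix table; production code should use the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "in", "co.in", "net", "org"}
# Digits fraudsters swap for look-alike letters inside a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "4": "a", "7": "t"})


def registrable_domain(host):
    """Return 'example.co.in' for 'pay.example.co.in' using the suffix table above."""
    labels = host.split(".")
    for n in (2, 1):  # try the longest suffix first ('co.in' before 'in')
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host


def check_url(url):
    """Classify a link a customer was sent. Returns (verdict, reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "reject", "no host"
    if parts.scheme != "https":
        return "reject", "not https"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "punycode (IDN homograph) host"
    if parts.username is not None:
        return "reject", "credentials before @ hide the real host"
    domain = registrable_domain(host)
    # Normalise digit-for-letter swaps and drop hyphens so 'raz0r-pay' reads 'razorpay'.
    flat = host.translate(HOMOGLYPHS).replace("-", "")
    for brand, genuine in ALLOWED_DOMAINS.items():
        if domain in genuine:
            return "allow", f"registrable domain {domain} is genuine {brand}"
        if brand in flat:
            return "reject", f"'{brand}' appears in host but registrable domain is {domain}"
    return "unknown", f"{domain} is not a known brand"


if __name__ == "__main__":
    for link in ("https://api.razorpay.com/v1/checkout",
                 "https://razorpay.com.secure-login.example.in/pay",
                 "https://razorpay.com@evil.example/",
                 "https://raz0r-pay.in/"):
        print(link, "->", check_url(link))
```

Note that “https” is checked first but is not sufficient on its own: the lookalike hosts in the sample all pass that test, and it is the registrable-domain comparison that catches them.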

Data Theft

Sometimes, dishonest employees or partners can steal credit card data from businesses and use this for committing fraud. Most online sites take stringent measures to ensure that such privacy breaches do not occur.

Instead of storing credit card details as is, for instance, websites and payment gateways use methods like tokenization and encryption to keep the data secure.

Razorpay takes data security very seriously. We are ISO 27001 certified, which means our information security management processes undergo regular independent audits.

Chargeback Fraud or Friendly Fraud

Let’s say a customer makes an online purchase. Later, they claim the purchase was fraudulent and ask for a chargeback, even though they made it themselves! (A chargeback, in the simplest terms, is an instruction from the cardholder’s bank to reverse a payment the cardholder has disputed, taking the amount back from the business.)

This is known as chargeback fraud or friendly fraud: the business processes a transaction that looks perfectly legitimate, only to be hit with a chargeback later on.

Chargeback frauds cause GMV losses and are a hassle for any business. We have a Razorpay Chargeback Guide that will help you understand why chargebacks happen and take steps against fraudulent charges.

The Effect of Payment Fraud on Businesses

Under the current rules, a credit card issuer (the cardholder’s bank) does not hold the cardholder liable for fraudulent activity, whether the fraud is card-present or card-not-present.

Therefore, payment fraud involving credit cards has a significant effect on the business community and on a merchant’s bottom line. Every chargeback means losing both the inventory shipped and the GMV. This hits retail especially hard, where profit margins are usually small.

Among industries, subscriptions continue to have the highest rate of fraud, for two main reasons:

  • Subscriptions are essentially a card-on-file service; the USP is that the customer never has to make a manual payment. In such a scenario it is easy to claim that one’s card was used without one’s knowledge.
  • Fraudsters use subscription services to ‘test’ stolen cards. Online subscription services usually offer a one-month free trial, but a card is needed to start it. Since the amount is negligible (or zero), such authorisations usually go unnoticed by the card owner. Worse, if the card details are wrong, the business often returns a detailed authorisation error, telling the fraudster exactly what to fix before moving on to the next card. Returning a generic decline to the customer and rate-limiting repeated attempts takes that feedback away.

Razorpay: How We Help Businesses Reduce Fraud and Mitigate Risk

Apart from the mandatory protocols, Razorpay has its processes (developed in-house by our tech whizkids) to detect and prevent fraud and mitigate risk. As a payment gateway and a converged payments solution company, we take data security very seriously.

By delving into our data and analyzing patterns, we have been able to institute processes that ably discern between a ‘normal’ and a ‘suspicious’ transaction with credible accuracy. These systems are divided into two types:

a) Systems for detecting ‘Merchant Fraud’

Merchant fraud occurs when someone creates a fake or bogus company with no intention of selling any product to the customer. The business appears legitimate; but since it offers no actual goods or services, all users who make an online purchase only end up losing their money.

As a payment gateway, Razorpay has strict processes in place to vet every company that uses our gateway for processing payments. Some of the ways we check for merchant fraud include:

KYC checks: Adhering to strict KYC norms even before we onboard a business is an integral part of fraud mitigation. We have an in-house ‘Risk and Activation’ team that runs background checks on new businesses and vets them before they are ‘live’ on our payment gateway.

At Razorpay, we take this check one level higher by monitoring all suspicious and potentially fraudulent businesses, and the transactions that originate from them.

Transaction monitoring: Razorpay Payment Gateway has an inbuilt ‘Risk’ logic that can sniff out a possible fraud faster than a K9 squad. Let’s say a merchant who gets 3-4 online orders a day suddenly starts getting 300.

A sudden spike in transaction velocity (number of transactions per minute, hour or day), volume (amount transacted), or pattern (international orders for a local brand) is a strong indicator of fraud, and our systems immediately flag such transactions for investigation.

Our ‘Risk’ logic has some 72 rules for monitoring the thousands of daily transactions on our payment gateway. The rules are tuned per merchant, so the system can tell a merchant’s standard day-to-day transactions from those that carry a high probability of risk.

b) Systems for detecting ‘Customer Fraud’

Customer fraud occurs when a stolen or lost card is used for suspicious activities. It can also occur for other payment modes. Not only does this affect the user, but it is also detrimental to e-commerce websites as it increases cases of refunds and chargebacks, and leads to loss of GMV.

At Razorpay, we strive to protect both our merchants and their customers, which is why we conduct extensive transaction monitoring on the customer side as well. How do we do it? Here’s a peek:

Checking for hotlisted cards: Every time a card is used for payment, our gateway checks with the card issuer whether the card has been hotlisted (blocked for use, temporarily or permanently). This happens in real time, so a clean transaction still completes within seconds while suspicious ones get flagged.

Pattern-based transaction monitoring: We also use geographical and pattern-based monitoring (as for detecting merchant fraud) to identify suspect transactions. This helps us pre-empt chargeback fraud and other types of customer fraud. We identify about 85% of fraudulent cases in advance this way.
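To make the three signals concrete, here is an added example (not Razorpay’s risk engine) that runs them as plain rules over a constructed transaction log: a velocity spike against a merchant’s daily baseline (the 3-4 orders to 300 case above), card testing from a single source (the subscription trial pattern described earlier: many different cards, mostly declined, tiny amounts), and foreign-issued cards at a merchant that only sells domestically. The log rows, merchant profiles and thresholds are all made up for the example.

```python
"""Rule-based transaction monitoring over sample logs (added example, not Razorpay's risk engine)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one row per payment attempt. Only the last four card digits appear.
SAMPLE_LOG = """ts,merchant,amount,currency,card_last4,card_country,ip,status
2019-07-01T10:00:05,M1,499,INR,1234,IN,10.0.0.1,ok
2019-07-01T10:01:10,M1,499,INR,5678,IN,10.0.0.2,ok
2019-07-01T10:02:00,M1,499,INR,9012,IN,10.0.0.3,ok
2019-07-01T10:03:00,M1,499,INR,3456,US,10.0.0.4,ok
2019-07-01T11:00:00,M2,1,INR,1111,IN,203.0.113.9,declined
2019-07-01T11:00:02,M2,1,INR,2222,IN,203.0.113.9,declined
2019-07-01T11:00:04,M2,1,INR,3333,IN,203.0.113.9,ok
2019-07-01T11:00:06,M2,1,INR,4444,IN,203.0.113.9,declined
2019-07-01T11:00:08,M2,1,INR,5555,IN,203.0.113.9,declined
2019-07-01T11:00:10,M2,1,INR,6666,IN,203.0.113.9,declined
2019-07-01T12:00:00,M3,2500,INR,7777,IN,198.51.100.7,ok
"""

# Assumption: per-merchant profile built from history (average attempts per day, home market).
# M1 normally sees a couple of orders a week, so four in one morning is a spike.
MERCHANT_PROFILE = {
    "M1": {"daily_baseline": 0.3, "country": "IN"},
    "M2": {"daily_baseline": 20.0, "country": "IN"},
    "M3": {"daily_baseline": 1.0, "country": "IN"},
}
# Rule thresholds (assumed; a production engine tunes these per merchant).
VELOCITY_MULTIPLIER = 10      # day's attempts vs. daily baseline
CARD_TEST_MIN_CARDS = 5       # distinct cards seen from one IP
CARD_TEST_DECLINE_RATE = 0.5  # share of that IP's attempts that were declined


def parse_log(text):
    return list(csv.DictReader(StringIO(text)))


def velocity_alerts(rows, profile):
    """Flag merchants whose attempts today exceed their baseline many times over."""
    per_merchant = defaultdict(int)
    for r in rows:
        per_merchant[r["merchant"]] += 1
    return sorted(m for m, n in per_merchant.items()
                  if n >= VELOCITY_MULTIPLIER * profile[m]["daily_baseline"])


def card_testing_alerts(rows):
    """Flag source IPs cycling through many cards with a high decline rate (card testing)."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    alerts = []
    for ip, attempts in by_ip.items():
        cards = {r["card_last4"] for r in attempts}
        declined = sum(r["status"] == "declined" for r in attempts)
        if len(cards) >= CARD_TEST_MIN_CARDS and declined / len(attempts) >= CARD_TEST_DECLINE_RATE:
            alerts.append(ip)
    return sorted(alerts)


def geo_mismatch_alerts(rows, profile):
    """Flag foreign-issued cards used at a merchant that only sells domestically."""
    return sorted(r["card_last4"] for r in rows
                  if r["card_country"] != profile[r["merchant"]]["country"])


def run_rules(text, profile=MERCHANT_PROFILE):
    """Run every rule over the log and return the alerts per rule."""
    rows = parse_log(text)
    return {
        "velocity_spike": velocity_alerts(rows, profile),
        "card_testing": card_testing_alerts(rows),
        "geo_mismatch": geo_mismatch_alerts(rows, profile),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

The card-testing rule is the one to pair with the advice in the subscriptions section: once the same IP is flagged, further attempts from it should get a generic decline so the fraudster learns nothing from the response.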

Online Fraud Prevention: The Future

Online fraud will remain a persistent problem in the days to come. The more we connect and transact online, the bigger the threat. Since it cannot be eliminated, the answer is to stay on guard at all times; vigilance and regulation are the only way to keep online fraud down.

A good example is the 3-D Secure (3DS) protocol that Visa developed to keep its cardholders safe, since adopted by other card networks such as American Express, Mastercard and JCB International.

A similar measure is the additional factor of authentication (commonly called 2FA) that the RBI mandates in India for card-not-present transactions, which every cardholder and card-issuing bank must follow. The RBI also mandates online alerts for all card transactions, including those where the cardholder physically swipes the card at a PoS terminal.

For all transactions considered suspicious, cardholders have the option to issue a ‘de-activation request’ immediately and hotlist their cards.

The Indian government’s decision to appoint a nodal agency for dealing with phone frauds – called the FCORD initiative – is another praiseworthy step. We at Razorpay are also in touch with the MHA, which has designated the FCORD as the Nodal Agency for reporting and preventing Cyber Crime frauds in India, regarding the same.

While a zero-fraud system is still some way off, we are constantly building new processes to minimise fraud risk for all consumers.

The bottom line though remains this: If you are building an e-commerce website, remember to follow all the protocols mentioned above and minimize the risk of fraud. Alternatively, find a payment gateway (hello there!) that has stringent security protocols already in place. We’re just a click of a button away!

How Secure Are Your Online Payments?


At Razorpay we strive to make every transaction done via our payment gateway a secure payment. We’re a technology-first online payments company and online payment security is in our DNA. We employ a ‘no stones unturned’ approach to safeguarding the interest of both the online businesses who use our products, as well as their consumers.

We also understand the assurance of secure payments is one of the primary drivers behind the choice of a payment gateway.

With the growing number of e-commerce users and transactions in India, it is important that we are all aware of the mandatory security protocols for e-commerce websites, so that we can avoid fraudulent situations. As the saying goes, prevention is better than cure.

In this article, let me walk you through the security protocols and processes followed at Razorpay, and which you should look for, too, every time you transact online.

[Figure: online payment security architecture and information flow]

1. TLS Encryption

Data security on an e-commerce website or online payment system begins the moment a user lands on the site. The site’s TLS certificate lets the browser verify that it is talking to the genuine server for that domain, and TLS then encrypts everything sent between the browser and the web server.

As a payment provider, Razorpay uses an Extended Validation (EV) certificate, the highest-assurance type of TLS certificate, on its website.

Without TLS, data sent over the internet travels in the clear and is visible to anyone with the means and intent to intercept it. An easy way to check whether an e-commerce site you frequent uses TLS is to look at the URL and see whether it starts with ‘http://’ or ‘https://’.

The extra ‘s’ signifies an encrypted connection, and you can also look for the padlock icon at the start of the address bar. Modern browsers, in their race to make the web secure by default, now follow the opposite paradigm and mark plain HTTP sites as “Not secure”. One caveat: the padlock only tells you that the connection to that domain is encrypted and that whoever controls the domain holds its certificate, not that the site is trustworthy. Phishing sites use HTTPS too, so check that the domain itself is the one you expect.

2. PCI-DSS Compliance

The PCI Security Standards Council is a global organization that maintains and promotes compliance rules for managing cardholder data for all e-commerce websites and online payment systems.

The Payment Card Industry Data Security Standards (PCI-DSS) is in effect a set of policies that govern how sensitive cardholder information should be handled.

Fact: PCI DSS version 1.0 was released in 2004, and the PCI Security Standards Council was formed in 2006 by the five major card brands: American Express, Discover, JCB, MasterCard and Visa. Over the years, PCI DSS has become the guiding standard for cardholder data security across the globe.

For an e-commerce website or an online payment system to be PCI-DSS compliant they have to follow certain directives:

Maintain a secure network to process payments: This involves firewalls that protect the systems handling cardholder data from malicious traffic. Further, the website or payment gateway must never run with vendor-supplied defaults such as factory passwords, PINs or default accounts; these must be changed before a system goes live.

Ensure all data is encrypted during transmission: When cardholder data is transmitted online, it is imperative that it be encrypted. Razorpay encrypts all information you share using checkout via TLS (Transport Layer Security). This prevents data interception during transmission from your system to Razorpay.

Fact: On the Razorpay Payment Gateway, all the details entered by a user like their name, address, and credit/debit card information are used only to process and complete the order. Razorpay never stores sensitive information like CVV numbers, PINs etc.

Keep infrastructure secure: This involves keeping abreast of new PCI DSS mandates, keeping software patched and anti-malware up to date to protect against known vulnerabilities, and running regular system and vulnerability scans to ensure maximum data protection.

Restrict information access: An important part of securing online payments on e-commerce websites is restricting access to confidential information so that only authorized personnel will have access to cardholder data. Cardholder data must be protected at all times – both electronically and physically.
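One place where the “never store sensitive data” and “restrict access” directives are most often broken in practice is application logs: a request body or an exception message that contains a full card number ends up in a log store that far more people can read than the payment database. As an added example (not Razorpay’s code), here is a log filter that finds candidate card numbers, keeps only those that pass the Luhn check so that order IDs and phone numbers are left alone, and masks them to the first six and last four digits that PCI DSS allows to be displayed. The sample log lines and the test card numbers are constructed for the example.

```python
"""Redact card numbers from log lines before they are written (added example, not Razorpay code)."""
import re

# Candidate PANs: 13 to 19 digits, possibly separated by single spaces or hyphens,
# not glued to other digits on either side.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS display rule: at most the first six and last four digits may be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line):
    """Replace every Luhn-valid 13-19 digit sequence in a line with its masked form."""
    def _sub(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return raw   # not a card number (order id, phone, timestamp): leave it alone
    return _PAN_RE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed log lines; 4111 1111 1111 1111 and 378282246310005 are well-known test PANs.
    for entry in ("pay_123 card=4111 1111 1111 1111 order=1234567890123456 ok",
                  "amex 378282246310005 declined: insufficient funds"):
        print(redact(entry))
```

Hook `redact` into the logging pipeline as a filter on every record rather than relying on developers to remember it at each call site; the Luhn check is what keeps the false-positive rate low enough for that to be acceptable.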

3. Tokenization

Tokenization is a process by which a card number (the PAN, typically 16 digits) is replaced by a substitute identifier known as a ‘token’. The token stands in for the card in the merchant’s systems, while only the tokenization service can map it back to the real card to initiate a payment.

Fact: Even if a website is breached and its stored tokens are stolen, the tokens are useless on their own. A properly generated token is a random value with no mathematical relationship to the card number, and the mapping between the two lives only in a separately secured token vault. Its safety does not depend on keeping the tokenization logic secret, only on keeping the vault and its keys out of reach.

Card tokenization helps e-commerce websites improve security, as it removes the need to store card data and shrinks the impact of a breach. For more on how tokenization works and affects online payments, read our in-depth blog.
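The following is an added example of a random-token vault (not Razorpay’s tokenization service): tokens are drawn from a CSPRNG, the PAN-to-token index is keyed by an HMAC so the vault never has to store a lookup table of plain PANs, and the PAN can only be recovered by the payment-processing role. The `index_key`, the role names and the in-memory dictionaries are assumptions for the example; a real vault encrypts its storage at rest with keys held in an HSM.

```python
"""Random-token card vault (added example; not Razorpay's tokenization service)."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps PANs to unguessable tokens. Only the vault holds the mapping; every other
    system stores and passes around the token, never the PAN."""

    def __init__(self, index_key):
        # Assumption: index_key is a secret known only to the vault. It keys the HMAC
        # used to find an existing token for a PAN without storing PANs in an index.
        self._index_key = index_key
        self._by_fingerprint = {}   # HMAC(PAN) -> token
        self._by_token = {}         # token -> (PAN, last4); encrypted at rest in real life

    def _fingerprint(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return the token for a PAN, issuing a fresh random one on first sight."""
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("not a PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_urlsafe(18)   # random; no relation to the PAN
        self._by_fingerprint[fp] = token
        self._by_token[token] = (pan, pan[-4:])
        return token

    def last4(self, token):
        """Safe to show on receipts and dashboards."""
        return self._by_token[token][1]

    def detokenize(self, token, caller):
        """Only the payment-processing role may recover the PAN (least privilege)."""
        if caller != "payment-processor":
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token][0]


if __name__ == "__main__":
    vault = TokenVault(b"vault-index-secret")          # constructed key for the demo
    tok = vault.tokenize("4111 1111 1111 1111")          # well-known test PAN
    print("merchant stores:", tok, "ending", vault.last4(tok))
    print("processor sees:", vault.detokenize(tok, "payment-processor"))
```

A merchant database that holds only `tok_…` values and the last four digits is exactly what a breach would expose, and none of it can be turned back into a card number without also breaking into the vault.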

4. Two-Factor Authentication

Two Factor Authentication, aka 2FA, or two-step verification is an extra layer of security added by e-commerce websites to ensure a secure payment for a customer.

This is a customer-facing authentication step, mandated by regulators like the RBI, in which the transaction is processed only after the user supplies something only they know, or something only they have (such as the phone that receives an OTP, a physical token or a security key). Many banks and other payment gateways also use 2FA for their own payment modes.

Fact: 2FA is not newly minted technology, but it has recently become the de facto method of authentication in the digital age. In 2011, Google announced 2FA to strengthen security for its services; MSN and Yahoo followed suit.

When you use Net Banking for a transaction, you first enter your username and password. As final confirmation, the bank sends an OTP to your registered mobile number. This process, mandated by the RBI, is divided into two levels of authentication:

What the user knows: Users enter their card details or Net Banking credentials. The card number tells the payment gateway which bank issued the card, and the password (or the card’s PIN) is the first factor: something only the user knows.

What the user (and only the user) has: The issuing bank sends an OTP to the registered mobile number, and the payment is authorised only when that OTP is entered, proving the user has the phone in hand. (The CVV is sometimes grouped with this step, but it only shows that the card’s printed details are at hand, and a PIN is really a second ‘something you know’; the OTP is what makes this a true second factor.) The bank, and through it the payment gateway, can then confirm that the payment was initiated by the rightful user.

5. Fraud Prevention

Apart from these mandatory protocols, most e-commerce websites and payment gateways have their own fraud and risk prevention systems. Big data analytics and machine learning play a huge role in devising these risk prevention and mitigation systems.

By delving into our customers’ data and analysing patterns, we at Razorpay can discern between a ‘normal’ and a ‘suspicious’ transaction with credible accuracy. Apart from this, there is a lot that you as a customer can do to reduce the risk of fraud.

Always remember that:  

– No bank or financial service provider will ask for your card number, password, PIN or OTP over phone, email or chat. Their staff do not need these details to service your account, so anyone asking for them is a fraudster.

– Use a strong, unique password for every financial account (a password manager makes this practical), never reuse a banking password elsewhere, and change it immediately if you suspect it has been exposed.

– You have the right to dispute suspicious charges on your card or accounts. Report any transaction you don’t recognise to your bank immediately and raise a chargeback request; under the RBI’s rules on unauthorised electronic transactions, your liability is limited or nil if you report promptly, so speed matters.

If you are building an e-commerce website, remember that fraud prevention requires that you follow all the above-mentioned protocols. Or find a payment gateway (hello there!) that has stringent security protocols already in place. We’re just a click of a button away!

How ATM PIN (Instead of OTP) Boosted Our Payment Success Rates

If there is one thing the payment ecosystem obsesses about, it is ‘Success Rates’. This is because success rate has a direct impact on customer experience and revenue.

What is success rate for payments?

Success rate for payments is the share of attempted transactions that succeed: successful transactions divided by total attempts. It is a critical metric for every business; even a small dip means a poorer customer experience and lost revenue.

As a payments company, our singular focus has been to enhance customer experience by improving success rates. In this ongoing effort, our latest experiment was the implementation of ATM PIN instead of OTP/3-D secure PIN as 2FA (two-factor authentication) for debit card transactions.

The basic idea is that validating a payment via ATM PIN takes fewer hops than 3-D Secure (where the PIN is validated through an OTP), and is therefore more efficient.


[Figure: Flow 1]

Essentially, this makes ATM PIN-based transactions closed-loop, much like ‘on-us’ transactions, where the acquirer and the card issuer are the same entity. Removing two entities from the transaction flow makes the process more streamlined and time-efficient, leading to higher success rates.

How ATM PIN Reduces Friction

Apart from enabling higher success rates, ATM PIN-based transactions are also more convenient for the end customer. In terms of context, using an ATM PIN for an online transaction is very similar to using the card at a physical store.

All that an end customer needs is their card number, CVV and ATM PIN. Also, bad network coverage and glitches in the bank’s SMS gateway are no longer pain points. One caveat is worth keeping in mind: unlike an OTP, which is single-use and expires within minutes, the ATM PIN is a static secret that also authorises cash withdrawals, so a PIN captured by a phishing page or a compromised checkout is reusable. The PIN must therefore be entered only into a field controlled by the bank or card network, travel encrypted end to end, and never be logged or stored by the merchant.

Rollout Plan

As much as we believed in the sheer potential of ATM PIN as a feature, we wanted to validate it through data. Part of our roll-out plan was to first test the feature across a sample set and measure success before we go the whole hog.

We also wanted to ensure that the transition to this new feature was seamless. Businesses who were part of the sample set got the feature update without having to make any change to their existing integration. The checkout directly went from the standard OTP option to include both the OTP as well as the ATM PIN option with zero intervention from businesses.

Week One

We kicked off Week One by rolling out the feature to a sample of 50 randomly selected businesses. The ground rules to minimise bias were:

  • Business size – an equal mix of small, mid-size and large businesses.
  • Average Ticket size – segmented as bucket one (Rs 1.00 – Rs 100), bucket two (Rs 100 – Rs 1000) and bucket three (Rs 1000 to Rs 5000).
  • Outliers and exceptions (like very low transaction volumes) were removed from the list to avoid skewing the average.

The key metrics we planned to analyse through this experiment were – success rates and customer preference for the ATM PIN option on checkout.

And, here’s what we saw at the end of Week One

  • Success rates increased by 3% for the ATM PIN feature when compared to the OTP feature.
  • The customer preference for the ATM PIN option over the OTP option was around 9.2%.

While the success rate needle didn’t move too much, the customer preference for selecting the ATM PIN option validated that we were on the right path.

Week Two

Given the outcome of Week One, we continued the experiment through Week Two, and the results only reinforced our belief. We also expanded the sample by 50 new businesses, taking the total to 100.

The insights at the end of Week Two were:

  • The success-rate uplift grew from 2.5% to 3.1%.
  • Customer preference moved from 9.2% to 12.4%.

Given the consistent uptick in both success rates and customer preference, we decided to keep the experiment running for a couple more weeks to understand the impact of the ATM PIN feature better.

Week Ten

At the end of Week Ten, we saw a staggering increase in success rates. The average increase in success rates was around 10%, with few businesses observing as much as a 16% increase in success rates. As far as customer preference goes, we noticed that nearly 28% of customers consciously chose the ATM PIN option over the OTP option on checkout.

[Figure: ATM PIN graph]

With the increase in success rates, our chargebacks and refunds also dipped, improving overall efficiency.

Given the significant impact of the ATM PIN feature, we have now enabled the feature to 8,000 businesses.

What Next?

ATM PIN as a feature has been nothing short of stellar in its performance and ease of use. We plan to extend it to all our customers and make ATM PIN the default option once a majority of end customers prefer it.

If you are a Razorpay customer and do not have the ATM PIN option on your checkout, sit tight, it’s coming to you real soon! And for all the other businesses out there, here’s another reason to sign up with Razorpay 🙂


UPI 2.0 – New Features, Missing Links, and the Effect on Indian Businesses


When UPI was first launched in 2016, it was rightly heralded as a game changer. We couldn’t agree more: the inherent structure of NPCI’s flagship offering is designed to become the single platform for seamless interoperability between PSPs (Payment Service Providers) in the country.

But for it to become a truly universal payment option, UPI needs to be more than a peer-to-peer platform. UPI 2.0 is just that: a much better, revamped version that will go a long way in increasing digital adoption among businesses and for peer-to-merchant transactions.

UPI 2.0 – The New ‘For Merchant’ Features

We are all aware that the upgraded UPI will have many new features, such as an increased transaction limit of INR 2 lakh. However, it is the ‘for merchant’ features, the ones that will directly impact P2M transactions, that matter most.

Use of overdraft accounts

Until now, UPI payments could be made only from savings accounts. With overdraft accounts coming into play, merchants will be able to pay out even when there is a temporary cash deficit in their account. Business, therefore, does not have to stop because of a short-term cash crunch.

Capture and hold facility

The facility to block a certain amount on a user’s card already existed, as pre-authorisation (‘pre-auth’). Now, merchants accepting payments via UPI will be able to do the same: block a certain amount in the user’s account and debit or release it at a later date.

With this feature, UPI will become useful for a variety of business verticals (where it may not have been as popular before). Hotels, e-commerce companies and cab-booking services can block amounts on their guests’ credit cards as an advance, or as a security deposit.

Businesses can then refund the same once the booking is completed. This will also be of use when buying stocks or IPOs and other such transactions.

Support for invoicing

Invoices, bills, or any other supporting documentation are not a necessity when making a peer-to-peer payment. A confirmation of receipt via mail or SMS is what most businesses look for.

However, in the P2M payment space, invoices are mandatory. So far, a merchant could only add a description of the payment asked. The support for invoices in UPI 2.0 means that businesses can use a single platform for sending invoices and receiving payments, instead of using separate mediums for the same.  

Easy resolution of refunds

Another reason why UPI had not permeated deeply into the business sector was that refunds were not a part of the initial core spec. So, if a merchant needed to refund money to their customer, they would need to issue a fresh transaction. Now, UPI refunds will be mapped to the original payment, so that users and merchants can have clarity on the refunds made.

How Will the Upgrade Affect the Industry?

The increased popularity of UPI will also reduce the market for Wallets. Recent data shows that transactions on prepaid instruments like cards and Wallets have reduced by 14% between March 2017 and March 2018.

With UPI, this number will reduce further. Customers will want to use a platform that will allow direct bank transfer of money rather than uploading money into their Wallets.


There is no doubt that the added features will open more use cases in the business sector, and allow for greater permeation. The capture and hold feature, by itself, can create hundreds of new use cases in the e-commerce industry.

Support for invoices will convert UPI from just a transactional medium to an informational medium as well. Refund mapping will solve a crucial industry pain point which will also translate into better user experience and more transparency.

What’s Missing From UPI 2.0?

As a comprehensive payment firm, Razorpay has been ready for UPI 2.0 for a while. We follow mandatory KYC procedures for all businesses, making acceptance of bank payments a breeze. We also have the industry knowledge and tech required to build on the new use cases offered by UPI.

However, there is one feature missing from the new launch, which is ‘mandates’. Mandates or standing instructions mean that UPI can become the go-to payment option for all recurring payments like SIPs, Mutual Fund payments, monthly subscriptions etc.

Also, the withdrawal of the Aadhaar-based biometric payment feature will leave UPI unusable for those who do not own a smartphone. The smartphone penetration rate in India will reach 28% by the end of 2018. This means leaving roughly 72% of the population deprived of the choice to use UPI, or any other digital payment solution.

Looking Ahead: What the Payments Industry Needs UPI to Be

Customers always prefer simpler, ubiquitous payment solutions that reduce friction during online transactions. UPI transactions are direct and easier, as compared to loading money into, and withdrawing from, a prepaid instrument.

UPI can easily replace PoS solutions and make accounting and reconciliation easier for merchants.

For it to become the leader in digital transactions, it has to offer ubiquity. And it must drive large-scale adoption of digital payments. NPCI also needs to build a large merchant-acceptance network, both online and offline, because that is where the real push for ‘Digital India’ will come from.

Originally published in Inc42.

Aadhaar Virtual ID (VID) – Get Your VID in 3 Simple Steps

Guess what’s common in getting a mobile phone connection, investing in mutual funds and opening a bank account? Submitting Aadhaar details! Yes, Aadhaar has become the de facto authentication/verification tool for a gamut of services today.

Using a single universal ID is great, but it brings along data security challenges. UIDAI decided to overcome this through the creation of simple, easy to use Virtual IDs (VIDs) in place of original Aadhaar numbers.

Why Aadhaar VID you ask? Simply put – to eliminate data misuse. With Aadhaar details required at several places today, people have become wary of sharing Aadhaar numbers in the fear that personal information might get stolen or misused. Aadhaar VIDs address this exact problem by masking the original Aadhaar number.

You can create a new Aadhaar VID for every instance you need. There is no way of tracing original Aadhaar numbers from Aadhaar VIDs, giving no space for any data or security breach.

However, Aadhaar VIDs still fulfill all personal verification requirements. Every Aadhaar VID can confirm your Aadhaar details like name, address, biometrics etc., thus seamlessly completing any eKYC process.

Getting an Aadhaar VID is super easy, and you can generate one, on your own in just a few minutes. Here’s how:

[CAUTION: The privacy of your Aadhaar information is vital. So please ensure you are on the official Aadhaar website (uidai.gov.in) before typing in your Aadhaar details]

1. Open UIDAI’s VID Generation page

2. Enter Aadhaar number, security code and click the ‘Send OTP’ button

3. Enter OTP from mobile phone, select ‘generate VID’ and hit submit

Just that! And your Aadhaar VID is sent to your registered mobile phone. Here’s a sample: [image of a sample Aadhaar VID SMS]

There’s more to Aadhaar VIDs than just a simple ID generation process. We’ve got all that covered in our FAQ section below –

FAQs

Q. Are Aadhaar VIDs permanent?

A. Aadhaar VIDs are temporary 16-digit numbers that can be generated by Aadhaar number holders. The current minimum validity of an Aadhaar VID is 1 day. So, you can create a new Aadhaar VID every day after 00:00 hrs.

Q. Do Aadhaar VIDs expire?

A. Currently, there is no expiry or validity defined for Aadhaar VIDs. An existing Aadhaar VID is valid until a new one is generated.

Q. Is there a limit on the number of Aadhaar VIDs that can be created?

A. There is no limit on the number of Aadhaar VIDs that can be created. You can generate a new Aadhaar VID after the minimum validity period of 1 day.

Q. Can Aadhaar VIDs be created by anyone, on my behalf?

A. Only Aadhaar number holders can create Aadhaar VIDs.

Q. Can the same Aadhaar VID be used at multiple places?

A. Absolutely. A single Aadhaar VID can be used at multiple places, or a new one can be generated for each use case. The choice purely lies with the Aadhaar number holder.

Q. What happens if I forget my Aadhaar VID?

A. An existing Aadhaar VID can be retrieved by following the same steps used to generate a new one.

Q. Can an Aadhaar VID be mapped back to an Aadhaar number?

A. It’s impossible to trace an Aadhaar number from an Aadhaar VID.

Q. I have not linked my phone number to my Aadhaar number, can I still get an Aadhaar VID?

A. No, currently Aadhaar VIDs can only be generated from the UIDAI portal through an OTP key. Hence, it’s mandatory to link your phone number to your Aadhaar number at the moment.

Q. Who is authorized to store Aadhaar VIDs?

A. No agency or service provider is allowed to store Aadhaar VIDs. Only UIDAI has access to all the Aadhaar VIDs generated.

Q. Where can Aadhaar VIDs be used?

A. Aadhaar VIDs can be used at all instances that require eKYC details.

At Razorpay, we support Aadhaar eSign (which uses Aadhaar VID) for creating e-Mandates as part of Razorpay Subscriptions. Our strength lies in delivering smooth, seamless customer experiences and even this time around, our team worked proactively to bake in the Aadhaar VID generation process as part of the Aadhaar e-Sign workflow.

So, if your customers need to set up e-Mandates using Aadhaar e-Sign, they can effortlessly do so, directly through the checkout page for Razorpay Subscriptions. Curious about e-Mandates? We’ve put together some FAQs, take a look.


How We Do Secret Management at Razorpay

As a payment processor, we deal with many secrets – Encryption Keys, database configurations, application secrets, signing certificates etc. Most of these secrets are required by a specific service (say the Razorpay dashboard) to do routine tasks (such as connecting to the database).

Secret Management is how you make sure that the specific service (and only that specific service) gets access to the correct (and latest) secrets.

This is mostly a non-problem when you are a small startup, but as we’ve grown from a small startup managing just a couple of servers, to managing large Kubernetes clusters, the way we store/use secrets has changed considerably.

Over time we’ve switched through various approaches in how we store and ship these secrets to our services.

Secret Management is a common orchestration problem and has multiple different solutions. This blog post walks you through Razorpay’s Secret Journey: how we’ve tried out various solutions over various timelines and what benefits they brought us.

Stage 1: Ansible Vault

We started out with all of the secrets being stored in a common Ansible Vault file. Ansible is part of our DevOps tooling and used to configure servers. This vault file was used on automated Ansible runs, which would run on the live servers using Ansible-ssh.

However, this resulted in our CI pipeline having access to our production servers, which we weren’t comfortable with. Ansible-vault also did not permit any granularity on the secret access – everyone with access to the vault key had access to all the secrets.

To mitigate the CI-access issue, we moved to Hashicorp Packer, imitating the Netflix model of infrastructure deployments:

  1. Spin up a new base VM in EC2.
  2. Run ansible-ssh on the instance against the correct role.
  3. Push the final image to Amazon as an AMI (Amazon Machine Image).

This is a very common infrastructure setup (Ansible+Packer) and works reasonably well.

Stage 2: Credstash

In order to get more granular control over our bakes, we switched to Credstash. Credstash is a well-established project (written in Python) for storing secrets safely in AWS. It does the following:

  1. Uses Amazon KMS to encrypt/decrypt secrets.
  2. Uses AWS DynamoDB to store the encrypted secrets.
  3. Supports a few nifty extras such as secret versioning.

While we continued to use Ansible, Ansible’s Credstash lookup plugin was an easy replacement for Ansible Vault. It allows us to use:

{{ lookup('credstash', 'super_secret') }}

inside the Ansible Jinja templates. We managed access using AWS IAM roles granted only to the Packer instance (we called these “baker instances”).

Stage 3: Alohomora

While Credstash served us well, we faced challenges with development velocity because of the bake process being slow. Each layer on our Ansible build system took anywhere between 10-45 minutes to run and led us to look for faster alternatives.

Since we were pretty happy with Credstash as our vetted secure storage method, we decided to take a leaf out of Etsy’s book and try out “configuration deployments”. The basic idea is to allow configuration updates on the same footing as your regular deployments – fast, easy, and accessible.

We’d already been using AWS CodeDeploy for deployments to our codebase and decided to merge the two approaches.

Instead of splitting deployments into two categories (which is what Etsy does), we decided to make some changes to our Code Deploy infrastructure. Because of our current usage of Ansible Vault and switch to Credstash, most of our applications relied on secrets being readable from specific files.

We worked around this problem by writing a small wrapper on Credstash called Alohomora. It does the following:

  1. Fetch secrets from a specific DynamoDB table using Credstash.
  2. Write them to disk using a Jinja template.

The Jinja template is shipped alongside our codebase, and lets developers know exactly what secrets are exposed to the application. We run Alohomora as part of our deployment:

alohomora cast --env $CODEDEPLOY_GROUP --app $CODEDEPLOY_APP secrets.j2 license.j2

The extra variables ($CODEDEPLOY_*) are exposed by AWS CodeDeploy and let Alohomora decide which table to read the secrets from (it standardizes on a table naming scheme of credstash-$env-$app).

In case a secret is missing in the DynamoDB table, the deployment fails with an error message since we prefer to fail a deployment than allow it to go through with a missing secret.
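The following is an added example, not Alohomora’s own code or Razorpay’s, of the deploy step the two paragraphs above describe: derive the table name from $CODEDEPLOY_GROUP/$CODEDEPLOY_APP, render the shipped template from the secrets in that table, and abort the whole deployment if any placeholder cannot be resolved. It assumes an in-memory dict standing in for the Credstash/DynamoDB table and a tiny `{{ name }}` substitution standing in for Jinja, so it runs offline; the table contents, template and file names are constructed samples.

```python
"""Added example: a fail-closed stand-in for `alohomora cast` (not the project's code).
A dict simulates the Credstash table and a regex simulates Jinja's {{ name }} syntax."""
import os
import re
import stat
from typing import Dict, List

# Constructed sample of what two credstash-$env-$app tables might hold.
SAMPLE_TABLES: Dict[str, Dict[str, str]] = {
    "credstash-prod-dashboard": {
        "db_password": "hunter2-example",
        "session_key": "0123456789abcdef",
    },
    "credstash-staging-dashboard": {
        "db_password": "staging-example",
        # session_key deliberately absent to exercise the fail-closed path
    },
}

# Constructed stand-in for secrets.j2, which Alohomora ships alongside the codebase.
SECRETS_TEMPLATE = (
    "DB_PASSWORD={{ db_password }}\n"
    "SESSION_KEY={{ session_key }}\n"
)

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


class MissingSecretError(Exception):
    """Raised so the deployment fails instead of shipping a blank secret."""


def table_name(env: str, app: str) -> str:
    """Naming scheme from the post: credstash-$env-$app."""
    return f"credstash-{env}-{app}"


def render(template: str, secrets: Dict[str, str]) -> str:
    """Substitute every placeholder; any unresolved name aborts the render."""
    wanted = {m.group(1) for m in PLACEHOLDER.finditer(template)}
    missing: List[str] = sorted(wanted - set(secrets))
    if missing:
        raise MissingSecretError(f"missing secrets: {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], template)


def fetch_and_render(env: str, app: str, template: str,
                     tables: Dict[str, Dict[str, str]] = SAMPLE_TABLES) -> str:
    """Look up the env/app table (simulated) and render the template from it."""
    secrets = tables.get(table_name(env, app))
    if secrets is None:
        raise MissingSecretError(f"no table {table_name(env, app)}")
    return render(template, secrets)


def cast(env: str, app: str, template: str, out_path: str,
         tables: Dict[str, Dict[str, str]] = SAMPLE_TABLES) -> str:
    """Render and write the secrets file owner-readable only; returns the rendered text."""
    rendered = fetch_and_render(env, app, template, tables)
    # Create the file closed to group/other from the start rather than chmod-ing after writing.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        fh.write(rendered)
    return rendered


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(cast("prod", "dashboard", SECRETS_TEMPLATE, os.path.join(d, "secrets")))
        try:
            cast("staging", "dashboard", SECRETS_TEMPLATE, os.path.join(d, "secrets"))
        except MissingSecretError as err:
            print("deploy aborted:", err)
```

The staging run aborts before anything is written, which is the behaviour the post wants: a missing key fails the deployment rather than producing a config with an empty value. The owner-only file mode is an addition to the described behaviour, not something the post states Alohomora does.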

We’re open sourcing Alohomora alongside this blog post; go check it out at https://github.com/razorpay/alohomora. It has been a great enabler of faster configuration deploys at Razorpay, and we hope it can be of help to other companies pushing secret updates regularly to their applications.

Stage 4: Kubestash

Our DevOps team bet on Kubernetes early on. We were running production code on our in-house Kubernetes cluster by Q3 2017. The Alohomora deployment script was moved to the entry point for our Docker images, and the IAM roles were maintained using kube2iam (we’ve since switched to Kiam).

Alohomora, while working decently in a Kubernetes infra, wasn’t Kubernetes-native. As such, it gave us issues with:

Resource Quotas: We saw CPU spikes in the application during the deployment when Alohomora ran. As a result, we had to accommodate for higher resource quotas on the applications compared to what the service was using.

Python: Alohomora was written with Ubuntu 16.04 based deployments in mind and supported Python 2.7. We started facing issues with Python dependencies in services that use Python themselves. We’d have faced this issue with our Ubuntu setup as well, but running on Docker exacerbated it.

Not Kubernetes First: Kubernetes already provides a secret management solution in Kubernetes Secrets. It allows for both file and environment variable based secrets. Running Alohomora and fetching secrets from Credstash felt like an alien solution in the Kubernetes world.

We found a solution in another small Credstash wrapper called Kubestash – a small command line application to sync your Credstash secrets to Kubernetes. We’ve since contributed patches to Kubestash that work with our specific workflow and allow for cluster level syncs.

This allows us to store our secrets using Credstash and know that they will get pushed automatically to our Kubernetes cluster using Kubestash. The primary command that we use is kubestash daemonall, which syncs a complete DynamoDB table against a Kubernetes cluster. We run this as a single-pod deployment in our cluster.

One caveat to keep in mind if using Kubernetes Secrets is to make sure that your etcd store is encrypted; otherwise etcd will store all your secrets on disk, unencrypted.
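As an added illustration of that caveat (not code from the post or from the Kubestash project), here is a small audit check over a kube-apiserver EncryptionConfiguration. Kubernetes encrypts a resource with the first provider listed for it and uses the rest only for decryption, so a rule whose first provider is `identity`, or no rule for `secrets` at all, means new Secrets reach etcd in plaintext. Both configs below are constructed samples written as JSON (a YAML subset) so the check runs with the standard library only; the key material is a placeholder. An apiserver started without `--encryption-provider-config` at all is the unencrypted case too, and this check only covers the literal `secrets` entry, not wildcard resource rules.

```python
"""Added example: audit whether an EncryptionConfiguration actually encrypts Secrets
before they hit etcd. Constructed sample configs; not Razorpay's or Kubestash's code."""
import json
from typing import Dict, List

# Constructed weak config: `identity` comes first, so every new Secret is stored in plaintext.
WEAK_CONFIG = json.dumps({
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": "PLACEHOLDER_BASE64_KEY"}]}},
        ],
    }],
})

# Constructed corrected config: an encrypting provider first; `identity` is kept last only
# so Secrets written before the change can still be read until they are rewritten.
FIXED_CONFIG = json.dumps({
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "PLACEHOLDER_BASE64_KEY"}]}},
            {"identity": {}},
        ],
    }],
})

# Provider names that actually encrypt; everything else (i.e. `identity`) writes plaintext.
ENCRYPTING_PROVIDERS = {"aescbc", "aesgcm", "secretbox", "kms"}


def first_provider(rule: Dict) -> str:
    """Name of the provider the apiserver would use to write this rule's resources."""
    providers = rule.get("providers") or []
    if not providers:
        return "identity"  # an empty provider list behaves like no encryption
    return next(iter(providers[0]))


def secrets_at_rest_findings(config_text: str) -> List[str]:
    """Return a list of problems; an empty list means Secrets are encrypted at rest."""
    cfg = json.loads(config_text)
    if cfg.get("kind") != "EncryptionConfiguration":
        return ["not an EncryptionConfiguration document"]
    findings: List[str] = []
    covered = False
    for rule in cfg.get("resources", []):
        if "secrets" not in rule.get("resources", []):
            continue
        covered = True
        provider = first_provider(rule)
        if provider not in ENCRYPTING_PROVIDERS:
            findings.append(
                f"secrets: first provider is '{provider}', so new Secrets are written to etcd in plaintext"
            )
    if not covered:
        findings.append("secrets: no rule covers Secrets, so etcd stores them in plaintext")
    return findings


def secrets_encrypted_at_rest(config_text: str) -> bool:
    """Convenience boolean for gating a cluster rollout on this check."""
    return not secrets_at_rest_findings(config_text)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, secrets_encrypted_at_rest(cfg), secrets_at_rest_findings(cfg))
```

Running the check before pointing Kubestash at a cluster turns the caveat into a gate: if the config is missing or lists `identity` first, the sync should not proceed, because every secret Kubestash writes would otherwise land on etcd’s disk in the clear.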

You can find more details in the Kubestash documentation at https://github.com/af-inet/kubestash.

Alternatives

If you’re reading this, there are several other alternatives now available to you that you might want to consider before picking a solution:

Confidant by Lyft: We didn’t try this out since it was released after we’d switched over to Credstash, but it is fairly similar in scope (KMS for encryption + DynamoDB for storage). It also features a Web UI where users can update secrets.

Just Kubernetes Secrets: If you’re running on a managed Kubernetes cluster, this is a very good solution that you should consider. In our case, we wanted something other than etcd to be our primary secret store, which is why we went with Kubestash (it lets us keep DynamoDB as the primary store).

AWS Parameter Store: The AWS Parameter store allows you to store arbitrary key/value pairs and grant access using IAM roles. There are some wrappers (similar to Credstash) that use Parameter Store instead of DynamoDB.

AWS Secrets Manager: Recently announced at this year’s AWS re:Invent, this is a slightly costlier solution that allows for secret versioning and automated secret rotation using Lambda jobs. We might consider this if it supports a native Kubernetes integration (which might show up with AWS EKS, perhaps?).


Interested in automating things and helping us scale the most robust payments platform in India? We’re looking for Infrastructure Engineers at Razorpay! Check out the job postings at https://razorpay.com/jobs

India’s search for a ‘cashless’ economy

(This article first appeared in ET Tech on November 11th, 2016.)

Ever since the National Payments Corporation of India (NPCI) announced the UPI (Unified Payments Interface), there’s been a lot of conversation about how mobile wallets are staring down the barrel of a loaded gun.

How is India going cashless ?

There are about a dozen recognised wallets in India, and ‘digital payments’ is one of the fastest growing industries. These ominous announcements tell us that wallets will have to pivot, or else become redundant. What I found particularly interesting was how, for the first time in history, an entire industry is being disrupted by the incumbents – the Indian government no less.

With UPI taking the stage from the 11th of April this year, there are about 29 banks that are likely to adopt it, and other banks are in the course of joining the fray. UPI uses the existing infrastructure of the Immediate Payment Service (IMPS), which enables money transfer from a bank or wallet to any other bank or wallet permitted by the RBI.

The grand adoption of UPI is expected to turn the tide from the use of paper money to digital money. This will act as a strong ‘digital framework’ by giving a unique identity to all financial instruments on UPI that will help ease online payments.

Introduction of UPI will offer huge opportunities in expanding the Indian e-payments ecosystem. We’re finally embracing our mobile-first ethos, by building a generation of products that are suitable to mobile. India was completely oblivious to the PC revolution and this comes as a blessing in many ways. By eliminating layers of complicated procedures and providing one common interface on a single app, the idea is to make the physical wallet an urban legend.

The Hurdles

But let’s pause and process this whole hoopla. Under the veneer of ‘good times ahead’, lies a whole load of unanswered questions and ambiguity.

For example, UPI still needs a two-factor authentication; that dreaded security feature (or hassle, as some view it) is exactly why customers love wallets and yearn for simplicity in online payments. It’s a prerequisite to have enabled mobile banking on your account before you can start using UPI. When was the last time you saw someone use SMS banking? Chances are that you’ve never.

Above all, there’s a mountain of paperwork you need to fulfil in the digital age. And if that’s not enough, every seller has to support UPI before you can pay them using it. Essentially, it becomes another payment method of transacting apart from the existing ones, instead of being a simpler one.

Digital wallets companies will have to request NPCI to gain access to UPI and that is not happening anytime soon. Meanwhile, wallets that might be affected right now are the plain old vanilla wallets that allow you to carry digital money. If there are indeed such companies, their business models were flawed in the first place.

A digital wallet that merely ‘holds’ money is absurd; it must offer more services if it is to survive. Take Paytm for example. It has a whole host of services, from booking bus tickets and mobile recharges to connecting online sellers. However, a limiting feature for transactions done through digital wallets is that they need a card payment or netbanking transfer to recharge the wallet. RBI already puts a cap on the amount of money that can be stored and transacted per month in a digital wallet.

UPI’s ubiquity also hinges on the adoption of smartphones in India. While smartphone penetration is on the rise, it’s still not close to being the de facto mode of transacting. We’ll also have to re-educate users with respect to how UPI handles security, and how it is vastly different – something that has to start from scratch.

Verdict

These are still early days for UPI, and its success depends on easing the norms. If it has a successful launch, no other country in the world will be able to boast of a payment system as robust as UPI.

It’s expected to unlock a new channel for growth in digital payments by adding to the plethora of options available. UPI will not compete directly with any mobile wallet to take on the top spot, but will join Indian businesses coming online in making India a ‘Cashless Economy’. And these are the earliest signs of that elusive search taking shape.