🌿 budding planted April 15, 2026

How UPI Actually Works

Tracing a single payment through India's digital infrastructure — from your phone to NPCI to the recipient's bank and back.

Tags: datafolks, infrastructure, india, payments, upi

You open PhonePe. You scan a QR code at a chai stall. You enter the amount — ₹20 — and tap pay. Two seconds later, the transaction is complete. The chai-wallah’s phone buzzes with a confirmation.

In those two seconds, your ₹20 travelled through at least six systems, was validated by three separate entities, and generated a data trail that multiple parties can access. Let’s trace the entire journey.

The Cast

Before we follow the money, meet the players:

  • PSP (Payment Service Provider): PhonePe, Google Pay, Paytm — the app on your phone. They don’t hold your money. They’re the interface.
  • Your bank (Remitter bank): Where your money actually lives. SBI, HDFC, ICICI — whichever bank account you linked to the UPI app.
  • NPCI (National Payments Corporation of India): The switch at the center. Every UPI transaction passes through NPCI’s infrastructure. They are the post office of Indian digital payments.
  • Recipient’s bank (Beneficiary bank): The chai-wallah’s bank, where the ₹20 will land.
  • UPI system: The protocol itself — a set of rules and APIs that all parties agree to follow.

The Journey of ₹20

Step 1: Authentication on your device

You authenticate — fingerprint, PIN, face. Your PSP app (PhonePe) confirms your identity locally and prepares a payment request. At this stage, nothing has left your phone yet.

Step 2: The request hits PhonePe’s servers

Your app sends an encrypted request to PhonePe’s backend: “User X wants to send ₹20 to VPA (Virtual Payment Address) chaiking@ybl.”

PhonePe doesn’t process the payment. They package it into a standard UPI message format and forward it to NPCI.

Step 3: NPCI receives and routes

This is where it gets interesting. NPCI’s Unified Payments Interface is essentially a massive routing switch. It receives PhonePe’s request and does several things:

  1. Resolves the VPA: Looks up chaiking@ybl to find which bank holds this account. The @ybl suffix tells NPCI this is a Yes Bank handle (PhonePe’s banking partner for UPI).
  2. Validates the transaction: Checks format, limits, and basic fraud signals.
  3. Routes to your bank: Sends a debit request to your bank (the remitter).

Step 4: Your bank debits

Your bank receives the debit request from NPCI. It:

  1. Verifies your account has sufficient balance
  2. Checks your daily transaction limits
  3. Puts a hold on ₹20
  4. Sends a confirmation back to NPCI: “Debit authorized.”

Step 5: NPCI routes the credit

NPCI receives the debit confirmation and now sends a credit request to the recipient’s bank: “Credit ₹20 to the account behind chaiking@ybl.”

Step 6: The recipient’s bank credits

The recipient’s bank receives the credit instruction, adds ₹20 to the chai-wallah’s account, and confirms back to NPCI.

Step 7: Confirmation cascade

NPCI now sends confirmations back down the chain:

  • To PhonePe: “Transaction successful”
  • To the recipient’s PSP: “Credit completed”
  • Both apps display success screens

Total time: ~2 seconds. Six hops. Three validations. One NPCI switch at the center of everything.

The Data Trail

Now let’s look at what was recorded and by whom:

Entity | What they know
PhonePe | Your identity, device, location, time, amount, recipient VPA, transaction frequency, spending patterns
Your bank | Account balance, debit amount, NPCI reference number
NPCI | Both parties, amount, timestamp, both banks, success/failure, VPA resolution
Recipient’s bank | Credit amount, source reference, timestamp
Recipient’s PSP | Sender VPA, amount, time

Five entities now have a record of your ₹20 chai. NPCI, sitting at the center, has the most complete view — they see every UPI transaction in India.

In 2023, UPI processed over 100 billion transactions. That’s 100 billion records in NPCI’s systems, each one a line connecting two people, two banks, an amount, and a moment in time.
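
The hops in Steps 2 to 7 and the records in the table above, as an added example that is not part of the original article: a simplified Python model that routes one payment and returns which entity recorded what. The field names, the payer VPA userx@examplepsp, the bank labels, the reference number and the daily limit are assumptions for illustration, not NPCI's message format.

```python
# Simplified model of the flow described above. Field names, the reference
# number and daily_limit are hypothetical; this is not the real UPI format.
def pay(directory, balances, payer, payee, amount, daily_limit=100_000):
    """Route one payment; return (status, trail). trail maps each entity to
    the fields it recorded; entities that never saw the request are absent."""
    ref = "REF-0001"  # constructed NPCI reference number
    # Step 2: the payer's PSP packages the request and forwards it to NPCI.
    trail = {"payer_psp": {"payer": payer, "payee": payee, "amount": amount}}
    npci = trail["npci"] = {"payer": payer, "payee": payee,
                            "amount": amount, "ref": ref}

    # Step 3: NPCI resolves both VPAs to banks and validates the request.
    payer_bank, payee_bank = directory.get(payer), directory.get(payee)
    if payer_bank is None or payee_bank is None or amount <= 0:
        npci["status"] = "REJECTED"  # no bank is ever contacted
        return "REJECTED", trail
    npci["banks"] = (payer_bank, payee_bank)

    # Step 4: the remitter bank checks balance and limit, then debits.
    trail["remitter_bank"] = {"debit": amount, "ref": ref}
    if balances.get(payer, 0) < amount or amount > daily_limit:
        npci["status"] = "DECLINED"  # the beneficiary side sees nothing
        return "DECLINED", trail
    balances[payer] -= amount

    # Steps 5-6: NPCI routes the credit; the beneficiary bank applies it.
    balances[payee] = balances.get(payee, 0) + amount
    trail["beneficiary_bank"] = {"credit": amount, "ref": ref}

    # Step 7: confirmations flow back to both PSPs.
    npci["status"] = "SUCCESS"
    trail["payee_psp"] = {"payer": payer, "amount": amount}
    return "SUCCESS", trail

def demo():
    # Constructed sample data: payer VPA, bank labels and balances are made up.
    payer, payee = "userx@examplepsp", "chaiking@ybl"
    directory = {payer: "REMITTER_BANK", payee: "BENEFICIARY_BANK"}
    balances = {payer: 30, payee: 0}
    results = []
    for amount in (20, 20):  # the second attempt overdraws the account
        status, trail = pay(directory, balances, payer, payee, amount)
        results.append((status, sorted(trail)))
    return results, balances

if __name__ == "__main__":
    for status, seen_by in demo()[0]:
        print(status, "recorded by:", ", ".join(seen_by))
```

In this model a declined payment still leaves records at the PSP, NPCI and the remitter bank; only the beneficiary side stays empty.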

The Packet Layer

Remember from Chapter 1: all of this is happening over packets. Each step — the API call from PhonePe to NPCI, the debit request to your bank, the credit confirmation — is a cluster of encrypted packets traversing the internet.

The encryption means intermediary networks can’t read the payment details. But they can see the metadata: your device connected to PhonePe’s servers, which connected to NPCI, which connected to your bank. The pattern of connections reveals the transaction, even without reading the content.

Why This Matters

UPI is a remarkable piece of infrastructure. It democratized digital payments in India in a way no other country has matched. A chai-wallah and a tech CEO use the same system, the same protocol, the same NPCI switch.

But understanding the system also means understanding its implications:

  • Centralization: NPCI is a single point of visibility (and failure). Every transaction flows through one entity.
  • Data concentration: Your complete financial behavior — every chai, every rent payment, every late-night purchase — is legible to multiple parties.
  • Data localization: RBI mandates that all payment data must be stored in India. This is a policy decision with deep implications, which we’ll explore in the next chapter.

The system is not good or bad. It’s a system. And systems become visible when you trace what they actually do, packet by packet, hop by hop.


This is Chapter 2 of DataFolks. Previously: What Is a Packet? Next: Data Localisation in India (coming soon).
