Auth n Capture, Aditya Kulkarni, 2021 - One book to understand the Indian digital payments ecosystem, from UPI, CC/DC, BNPL, e-NACH, BBPS, Aggregators, Wrappers, International Payments to how payments work for different sectors. This is an excellent book that gives a bird’s eye view of the ecosystem from the perspective of merchants, bankers, consumers, the regulator and a fintech product manager. If our digital payments have evolved so fast into something so incredible, it is due to the nimbleness of everyone in the ecosystem and I can’t be more proud of what the payments ecosystem has done in the last 10 odd years. This book is a bible to understand the basics. I happened to read it for building a payments system ground-up. However, it is definitely not for everyone (it can get pretty technical for people with no interest in tech).
My notes -
• NPCI’s payment products evolution - 1. IMPS - 24/7 inter-bank transfer 2. RuPay - India’s answer to Mastercard and Visa 3. UPI - built on IMPS rails 4. *99# - A somewhat failed USSD-based payments system for feature phones 5. BBPS - billing platform for bill payments 6. NACH - National Automated Clearing House, where NPCI acts as the clearing house 7. AePS - Aadhaar-enabled payments 8. Bharat QR - Unified QR for payments from both UPI and cards
• Card Schemes or card networks facilitate card issuance, security (3DS), processing, settlement and card acceptance - Eg. Visa, MasterCard, Amex etc. They make money through BIN fees, certification fees and interchange fee (% of transaction value)
• Card schemes influence the ecosystem through capabilities (NFC), features (tokenisation), commercials (interchange fee for different merchant categories) and acceptance (which sectors are allowed)
• Payments have a lot of exceptions coming from different stakeholders. Eg. regulators - SEBI doesn’t allow wallet or credit products for investing; banks - SBI doesn’t allow wallet loading and HDFC doesn’t allow skill-based gaming, etc.
• Banks and payment players share a unique relationship - they compete and collaborate at the same time
• Wallets (Paytm), BNPL (Simpl, LazyPay), EMI products (ZestMoney) are some of the new payment fintech innovations
• Payment instruments currently available in India - CC/DC, Netbanking, UPI, Wallet, EMI & BNPL, Cheque/DD, Cash, Crypto
• Acquiring banks are the banks that process payments (CC/DC/UPI) on behalf of merchants: they accept the transaction from the merchant and route it through the card network (or NPCI) to the issuing bank, which holds the customer’s account
• Merchants would integrate with an acquiring bank like HDFC that can process Visa/Mastercard through payment gateways like FSS, ISG, MIGS or CyberSource
• Payment Aggregators were born to reduce integration hassles for merchants for building payment integrations with multiple parties to handle various settlements. PAs (BillDesk, PayU, CC Avenue, RazorPay) offer single settlement for all types of transactions
• Payment Containers (PayPal, AmazonPay, PhonePe) are lite-payment aggregators. Here user has to create an account (unlike PAs) and login to it to access payment instrument (they save UPI, cards or have wallet linked to that account)
• TSP Wrapper - Technical Service Providers integrate with multiple PAs, PCs, Wallets and other payment processors and help route payments (They do not do settlements). Eg. JusPay, DreamPay
• All payment instruments are linked to a source - either a bank account, a credit source or a wallet
• Credit cards are differentiated based on credit limit, spending rules, credit period and variants (consumer vs corp, co-branded etc)
• Card network (Visa) gives the BIN (Bank-identification number), sets up networks to accept cards across channels and defines and enforces dispute management and arbitration
• Card numbers are 13-19 digits long (Visa is usually 16, Amex is 15). The first digit is the MII (Major Industry Identifier): Amex is 3, Visa is 4 and Mastercard is 5. Digits 1-6 are the BIN/IIN (Bank/Issuer Identification Number), which identifies the issuing bank (the standard is moving to 8-digit BINs). Digits 7 to the second-last are the individual account number. The last digit is a check digit, verified with the Luhn (Mod 10) algorithm
• The EMV chip (more secure) and the magnetic stripe carry the encoded card details along with CVV1/CVC1. CVV2/CVC2 (Card Verification Value / Card Validation Code) is the code printed on the card and entered manually by the user in card-not-present (online) transactions. For card-present transactions the second factor used to be signature verification by the merchant; it is now mandatorily PIN-based
• Card Switch - the software that connects the issuing bank to the card network
• Prepaid cards and wallets need a PPI (Prepaid Payment Instrument) licence from RBI. Balance limit is up to ₹10k with minimum KYC and ₹2 lakh with full KYC. PPIs can be reloadable (Paytm wallet, forex cards) or non-reloadable (gift cards)
• Closed-loop cards are accepted by a single merchant (Shoppers Stop card), semi-closed-loop by a large network of merchants (Sodexo) and open-loop wherever the card network is accepted (HDFC Bank gift card)
• Card-use restrictions - e.g. ATM withdrawal, reloadability, or which merchants are allowed based on MCC (merchant category code), as with Sodexo meal cards
• NBFC/LendingTech companies issue PPIs and load them with credit just-in-time (This is restricted as of July '22 if I am not mistaken, but the book came out in '21)
• Netbanking is unique to Indian payments - it was popular because of the lower penetration of cards (I still use it!)
• Netbanking is one of the biggest value propositions of PAs - as there are 45+ banks, it is impossible for merchants to integrate with them individually. PAs have direct integration with a few large banks (HDFC, SBI, ICICI etc.) and for the rest they go through other PAs (like Russian nesting dolls). UPI has reduced netbanking to a large extent. (Without Netbanking, will PAs be relevant?) For investments, NBFCs and the education sector, Netbanking is still the preferred option
• BNPL - card-less credit (credit period 15 days). Card and netbanking transactions go through multiple hops and need 2FA; BNPL is seamless. This is small-ticket credit (utility bills, food, grocery) unlike big-ticket credit used for big expenses (bike, car), aspirations (iPhone) or emergencies. When the user doesn’t pay, the user is blocked (it doesn’t affect the credit score)
• NTC - New to Credit. When there’s no credit history, credit scoring is done based on education, job history etc. A small credit limit is given and extended later
• BNPL makes money through penalty fees for late payment and also charges MDR to merchants. Pricing is done to cover credit risk, cost of funds, infra and customer acquisition cost
• NPCI’s IMPS brought real-time 24/7 settlement alongside NEFT and RTGS (which were batch/window-bound). You still have to enter an account number and IFSC code - UPI, built on top of IMPS, solves this by being mobile-friendly and user-friendly
• UPI works through VPAs (virtual payment addresses), which map to a bank account/debit card. One VPA can be linked to multiple bank accounts, or multiple VPAs to a single account. The issuer PSP (the bank/PSP that creates the VPA) and the acquirer PSP (the one processing the transaction) interact through the UPI switch (managed by NPCI)
• UPI is protected by device binding - the app is bound to the handset/SIM (device fingerprint, app PIN) as one factor and the UPI PIN is the second factor (2FA as prescribed by RBI)
• Only banks can create VPAs on the NPCI switch, so fintechs tie up with sponsor banks: GPay (ICICI, HDFC, Axis, SBI), PhonePe (Yes Bank)
• UPI payments can be made via QR code (static, or dynamic with the amount embedded, e.g. to replace CoD). Virtual VPAs are useful to segregate branches of a retailer. UPI also supports one-time mandates (IPO subscription), recurring mandates (Autopay) and payouts (disbursement of game winnings)
• Cash is the king and digital is divine (RBI). Even for online orders, more than half are still paid as cash on delivery. Cash handling is hard, so companies try various things to avoid it - mobile POS to swipe on the move, ePOS (SDK) that generates a dynamic QR, and payment links
• Cryptocurrencies are everything that you don’t understand about money combined with everything that you don’t understand about computers - John Oliver
• If enough people believe in the value of something, it can become currency
• Card vaults are the only place cards can be stored. Merchants and PAs cannot store card numbers; only the card issuer (and the card network) may hold the actual card data. Tokenisation exists to avoid vaulting: the PAN is replaced by a token that the merchant/PA stores instead, and only card networks can issue these tokens
• SI on cards - standing instructions on cards are how recurring payments are processed on cards. The first transaction must have 2FA. Max ₹5,000 per debit without additional authentication. A pre-debit notification must be sent at least 24 hours before the debit and a post-debit notification after it.
• BillDesk is the official pioneer of payment aggregation in India and is still the market leader
• MDR - Merchant Discount Rate is the barometer of risk in the payments ecosystem. It varies by sector: e-commerce might be 1.80% and education 1% (it’s like the premium on a term insurance policy). CP vs CNP (card-present vs card-not-present) also affects transaction charges. MDR may be absorbed by the merchant or passed on to the customer
• Financial risk in digital transactions is controlled by velocity checks (transaction-count limits, amount limits), risk engines (IP tracking, device fingerprints), tokenisation, encryption, PCI DSS, 2FA and by onboarding “good merchants” (unlike, say, a gambling website)
• PAs underwrite merchants by understanding their business model, touchpoints, processes, policies etc. Banks are the ones that issue MIDs (Merchant IDs), but PAs take the financial risk of letting the merchant use the banking system
• A risky merchant can damage overall financials terribly, since a PA’s take is very low and one bad transaction can wipe out all the profit
• Sometimes PAs might use a master MID for the industry if the merchant is small and doesn’t have its own MID. Rates might be higher. The PA’s name will appear on the statement in this case.
• While MIDs are used to collect payments, Live IDs are used by PAs for settlements to merchants. One Live ID might be mapped to multiple acquiring banks (for performance-based routing). The card vault is linked to the Live ID.
• MDR is zero (exempted) for UPI and RuPay debit cards from 1st Jan '20. Issuer PSPs like Google Pay make nothing from UPI
• How PAs collect what’s owed to them - upfront deduction (deducted before settlement), surcharge (borne by the user) and invoicing (monthly). PAs avoid the invoicing model as much as possible
• A PA’s unit economics depend on what it charges its merchants vs what it pays its banks and other payment issuers.
• PAs try to profit at the merchant level rather than on each payment instrument (it may lose on UPI but make money on cards and netbanking, for example)
• On-us vs off-us rates and processing - PAs get different rates depending on whether the issuing bank and acquiring bank are the same (on-us) or different (off-us). They optimise routing a lot here to lower rates and maximise margins
• PAs that process a lot of transactions give free float to the bank (in the PA’s nodal account with the bank), so the bank may give the PA some benefit on charges
• Chargebacks for which PAs couldn’t recover money from merchants can wipe out their entire, almost non-existent, profit
• Best results will come from everyone in the group doing what’s best for himself and the group (John Nash). Price wars are thus harmful
• PA integrations are done via the non-seamless/redirection flow (simplest), via iFrame (cannot add multiple PAs), or via a seamless merchant-hosted page (better control over look-and-feel and routing, supports multiple PAs, but most effort). Only a PCI DSS compliant merchant can capture card details on its own page; otherwise card details must never touch the merchant’s servers
• Decision to save a card is made based on frequency of purchase (say Swiggy), dominant channel (say mobile app) and lock-in with one PA (card vaults have to be migrated. But this goes away with tokenisation, I think). A saved card is the merchant’s property and not the PA’s, if vaulted with the PA (with tokenisation this will be a relic. That’s how fast our payments ecosystem is evolving: a book written a year back is already outdated)
• It is possible to have multiple Live IDs for different lines of business but a combined card vault (Ola does this)
• Behind a card transaction - once the user enters the card number, CVV and expiry and initiates payment, the Visa/Mastercard directory server looks up the issuing bank and its ACS (Access Control Server), which performs the 2FA (OTP verification). Once 2FA completes, authorisation follows: the issuing bank checks available credit/balance and runs other risk checks, then informs the acquiring bank, which passes the result on to the PA, merchant and customer, and the transaction is ‘captured’. (For pre-auth, all of the above happens except that the transaction is not captured; the amount is only held)
• UPI has a collect flow and an intent flow. In collect flow you enter your VPA in the merchant app and your UPI app gets a collect request to pay. Intent flow is seamless app-to-app, works only from Android and iOS apps, and has a better success rate. GPay links the mobile number to the VPA to make it seamless
• Transactions are routed in real time based on routing logic that considers backup/failover, conversion or success rate, cost and volume commitments (fine-tuned over long periods)
• Payment success rate = successful transactions / transactions initiated by the merchant (or received by the PA; the denominator varies). It is also measured by channel (web, mobile), payment mode, card type (CC/DC), card network, issuing bank etc. Sometimes a low success rate is just an inconvenience and other times it’s real loss of business (depends on the user’s intent - say food vs travel - environment, demographic etc.)
• Settlement - the issuing bank moves money to the acquiring bank, which moves it to the PA, after which settlement to the merchant is made. Some PAs borrow from NBFCs to settle early (otherwise it can be T+2). Risk is very low in this lending. PAs add their margin on top of the NBFC’s and make good money on early settlement.
• Recurring payments can be 1. fixed amount & fixed cycle (monthly SIP) 2. fixed amount & variable cycle (top-ups) 3. variable amount & fixed cycle (utility bills) 4. variable amount & variable cycle (cab rides). Common recurring payment solutions - SI on cards (SI Hub by BillDesk), e-NACH, UPI Autopay, BillDesk
• Payout solutions - periodicity, number of payouts, value, criticality and cost determine the mode. Common use cases - refunds, vendor payouts, winnings in gaming, loan disbursements, agent incentives etc. RTGS, NEFT, IMPS and UPI are commonly used.
• International payments - Nostro account: a bank’s foreign-currency account held with a bank in a foreign country. Vostro account: a foreign bank’s account, in the home currency, held with a bank in one’s own country. Payments are usually made over the SWIFT network, and a FIRC (Foreign Inward Remittance Certificate) is issued to the merchant (used to claim export incentives). Acquiring banks consider international PGs a big risk
• BillDesk’s EBPP platform brought billers (utilities, insurers, card companies etc.) and agents (third-party apps, banks) together so that agents could extend bill payments to their customers (e.g. HDFC Bank’s Bill Pay)
• BillDesk’s EBPP works well, but it has become a monopoly, so NPCI launched BBPS (Bharat Bill Payment System). Anybody can add billers, and those become accessible to agents across the system.
• TSP - Technical Service Providers - specialise in payment aggregation (JusPay, DreamPay), BBPS (Setu.co), banking APIs (Decentro) and credit card issuance (Hyperface.co). GPay is a TSP for UPI
• TSPs can become single points of failure, but they can also implement routing logic across PAs (RazorPay or PayU routed through JusPay is common) and PGs based on the optimisation required (success rates, performance, commercials). TSPs are like Russian nesting dolls.
• Offline payments are done via POS (issued by banks, Pine Labs, Paytm etc.), soft POS (which can send a payment link or generate a dynamic QR) or through UPI QR codes. Bharat QR is accepted for Visa and Mastercard cards as well as UPI
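The card-number note above (MII, BIN, account number, Luhn check digit) is easy to get wrong in code, so here is an added example that is not from the book: it splits a PAN into its fields, validates and generates the Luhn check digit, and masks the number the way PCI DSS allows it to be displayed. The MII table is an assumption covering only the three networks the note names; the sample PANs are the networks' public test numbers, not real cards.

```python
"""Card-number structure checks: MII, BIN/IIN, account number, Luhn check digit, PCI-style masking.
Added example for the card-number note; not code from the book. The sample PANs are the networks'
publicly known test numbers, not real cards."""
from dataclasses import dataclass

# Major Industry Identifier (first digit) for the networks the notes mention. Assumption: anything
# else is reported as "unknown" (real BIN tables are far richer: RuPay, Mastercard 2-series, etc.).
MII_NETWORK = {"3": "Amex", "4": "Visa", "5": "Mastercard"}


def luhn_valid(pan: str) -> bool:
    """Luhn / Mod 10: from the right, double every second digit (subtract 9 if > 9); sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # the check digit is i == 0 and is never doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (how an issuer completes a new PAN)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # once a check digit is appended, these become the doubled positions
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


@dataclass(frozen=True)
class CardNumber:
    network: str
    bin: str          # first 6 digits (IIN); the standard is moving to 8
    account: str      # digits 7 .. second-last
    check_digit: str
    luhn_ok: bool


def parse_pan(raw: str) -> CardNumber:
    """Split a PAN into MII-derived network, BIN, account number and check digit."""
    pan = raw.replace(" ", "").replace("-", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return CardNumber(
        network=MII_NETWORK.get(pan[0], "unknown"),
        bin=pan[:6],
        account=pan[6:-1],
        check_digit=pan[-1],
        luhn_ok=luhn_valid(pan),
    )


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first 6 and last 4 digits may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for test_pan in ("4111 1111 1111 1111", "378282246310005", "5555555555554444", "4111111111111112"):
        c = parse_pan(test_pan)
        print(mask_pan(test_pan.replace(" ", "")), c.network, "BIN", c.bin, "luhn_ok", c.luhn_ok)
```

A Luhn-valid number only proves the digits were not mistyped; it says nothing about whether the card exists or is open, which is what the issuer's authorisation step (not the merchant) decides.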
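The card-vault / tokenisation note above says the merchant and PA never hold the card number. This added example (mine, not the book's, and not any network's real token service) shows what that means in practice: a toy token vault standing in for the card network issues a merchant-bound token, the merchant stores only the token plus last-4 and expiry, and a token leaked from one merchant cannot be redeemed by another. The token BIN, the index key and the in-memory store are assumptions for the demo.

```python
"""Toy card-on-file tokenisation. Added example for the card-vault/tokenisation note; it is not the
book's code and not a real network token service. Assumptions: in-memory vault, a hypothetical token BIN,
a hard-coded index key (a real service would use an HSM-backed key and an encrypted persistent store)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_BIN = "999999"            # hypothetical token BIN; real token BINs are allocated by the card network
_INDEX_KEY = b"demo-index-key"  # hypothetical; keys the lookup fingerprint so the vault never indexes by raw PAN


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    expiry: str
    merchant_id: str   # the token is bound to the merchant that requested it


class NetworkTokenVault:
    """Stands in for the card network's token vault: the only place the real PAN lives."""

    def __init__(self) -> None:
        self._by_token: dict[str, TokenRecord] = {}
        self._by_fingerprint: dict[str, str] = {}

    @staticmethod
    def _fingerprint(merchant_id: str, pan: str) -> str:
        return hmac.new(_INDEX_KEY, f"{merchant_id}:{pan}".encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str, expiry: str, merchant_id: str) -> str:
        """Return the merchant-bound token for this PAN, creating one if needed (idempotent per merchant)."""
        fp = self._fingerprint(merchant_id, pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:
            # random digits: the token carries no information about the PAN beyond its length
            token = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(10))
            if token not in self._by_token:
                break
        self._by_token[token] = TokenRecord(pan, expiry, merchant_id)
        self._by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Swap the token back to the PAN for authorisation; refuse a token presented by another merchant."""
        rec = self._by_token.get(token)
        if rec is None or not hmac.compare_digest(rec.merchant_id, merchant_id):
            raise PermissionError("token unknown or not bound to this merchant")
        return rec.pan


@dataclass(frozen=True)
class SavedCard:
    """What the merchant/PA stores: no PAN, no CVV, just a token and display data."""
    token: str
    last4: str
    expiry: str


def merchant_save_card(vault: NetworkTokenVault, merchant_id: str, pan: str, expiry: str) -> SavedCard:
    token = vault.tokenise(pan, expiry, merchant_id)
    return SavedCard(token=token, last4=pan[-4:], expiry=expiry)


def token_usable_by(vault: NetworkTokenVault, token: str, merchant_id: str) -> bool:
    """True if the network would resolve this token for this merchant (a stolen token fails elsewhere)."""
    try:
        vault.detokenise(token, merchant_id)
        return True
    except PermissionError:
        return False


def run_scenario() -> dict:
    """Constructed walkthrough: merchant A saves a card; A can charge it, B cannot; re-saving reuses the token."""
    vault = NetworkTokenVault()
    saved = merchant_save_card(vault, "MID_A", "4111111111111111", "12/27")  # Visa test PAN, hypothetical MIDs
    again = merchant_save_card(vault, "MID_A", "4111111111111111", "12/27")
    return {
        "token": saved.token,
        "last4": saved.last4,
        "usable_by_a": token_usable_by(vault, saved.token, "MID_A"),
        "usable_by_b": token_usable_by(vault, saved.token, "MID_B"),
        "idempotent": again.token == saved.token,
        "pan_for_a": vault.detokenise(saved.token, "MID_A"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The merchant-binding check is the part worth copying: it is what makes a database dump of saved cards at one merchant worthless at every other merchant, which is the security gain over a PA-side vault of raw PANs.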
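The financial-risk note above lists velocity checks (transaction and amount limits) and device fingerprinting as the first line of defence. As an added example, not from the book and not any PA's actual risk engine, here is a small sliding-window engine run over a constructed stream of attempts: it limits attempts per card in a window, caps the per-transaction amount, and flags a device that cycles through too many distinct cards. The thresholds and the sample events are assumptions for the demo.

```python
"""Velocity checks over a stream of transaction attempts. Added example for the financial-risk note;
not the book's code nor any PA's real risk engine. Thresholds and the sample events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds on a constructed clock
    card_token: str    # tokenised card reference; never the PAN
    device_id: str
    amount_inr: int


class VelocityEngine:
    """Sliding-window limits: per-card attempt rate, per-transaction amount, distinct cards per device."""

    def __init__(self, max_attempts_per_card: int = 3, card_window_s: int = 600,
                 max_amount_inr: int = 50_000, max_cards_per_device: int = 2, device_window_s: int = 3600):
        self.max_attempts_per_card = max_attempts_per_card
        self.card_window_s = card_window_s
        self.max_amount_inr = max_amount_inr
        self.max_cards_per_device = max_cards_per_device
        self.device_window_s = device_window_s
        self._card_hits: dict[str, deque] = defaultdict(deque)              # card -> timestamps in window
        self._device_cards: dict[str, dict[str, int]] = defaultdict(dict)  # device -> {card: last ts}

    def check(self, a: Attempt) -> list[str]:
        """Return the rules this attempt trips (empty list = allow). Attempts are recorded whether or not
        they are allowed, so a burst of declines still counts against the card and the device."""
        reasons = []
        if a.amount_inr > self.max_amount_inr:
            reasons.append("amount_limit")

        hits = self._card_hits[a.card_token]
        while hits and a.ts - hits[0] >= self.card_window_s:   # expire old attempts
            hits.popleft()
        if len(hits) >= self.max_attempts_per_card:
            reasons.append("card_velocity")

        cards = self._device_cards[a.device_id]
        for card, last in list(cards.items()):                  # expire cards not seen within the window
            if a.ts - last >= self.device_window_s:
                del cards[card]
        if a.card_token not in cards and len(cards) >= self.max_cards_per_device:
            reasons.append("device_card_count")

        hits.append(a.ts)
        cards[a.card_token] = a.ts
        return reasons


SAMPLE_ATTEMPTS = [  # constructed stream
    Attempt(0,   "tok_A", "dev_1", 1_000),
    Attempt(60,  "tok_A", "dev_1", 1_000),
    Attempt(120, "tok_A", "dev_1", 1_000),
    Attempt(180, "tok_A", "dev_1", 1_000),    # 4th attempt on tok_A inside 10 minutes
    Attempt(200, "tok_B", "dev_1", 80_000),   # over the per-transaction amount
    Attempt(210, "tok_C", "dev_1", 500),      # 3rd distinct card on dev_1 within an hour
    Attempt(900, "tok_A", "dev_2", 500),      # tok_A's window has expired; fresh device
]


def screen(attempts) -> list[list[str]]:
    """Run the engine over a stream in order and return the tripped rules per attempt."""
    engine = VelocityEngine()
    return [engine.check(a) for a in attempts]


if __name__ == "__main__":
    for a, reasons in zip(SAMPLE_ATTEMPTS, screen(SAMPLE_ATTEMPTS)):
        verdict = "ALLOW" if not reasons else "DECLINE " + ",".join(reasons)
        print(a.ts, a.card_token, a.device_id, a.amount_inr, verdict)
```

Counting declined attempts, not just approved ones, is the detail that catches card testing: a fraudster validating a stolen batch produces mostly declines, and an engine that only tallies successes never sees the burst.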
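The routing and payment-success-rate notes above describe the same loop from two sides: measure success rate per dimension (route, issuer, mode, channel), then route new transactions on that evidence with failover and cost as tie-breakers. This added example (mine, not the book's and not any PA's production router) computes the rates from constructed records and picks a route for a new issuer+mode, falling back to the route's overall rate when the slice has too few samples. Route names, costs and the sample history are assumptions.

```python
"""Success-rate measurement and success-rate-based routing over sample transaction records. Added example
for the routing and payment-success-rate notes; not the book's code nor any PA's real router.
Route names, costs and the sample records are constructed."""
from collections import defaultdict
from collections.abc import Callable, Hashable, Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    route: str     # acquiring bank / PG the attempt went through
    channel: str   # web / app
    mode: str      # CC / DC / UPI / NB
    issuer: str    # issuing bank
    success: bool


def success_rate(txns: Iterable[Txn], key: Callable[[Txn], Hashable]) -> dict:
    """Success rate per group, returned as (rate, sample_count) so callers can judge significance."""
    tally = defaultdict(lambda: [0, 0])
    for t in txns:
        tally[key(t)][0] += int(t.success)
        tally[key(t)][1] += 1
    return {k: (ok / n, n) for k, (ok, n) in tally.items()}


# Hypothetical per-route cost in basis points of transaction value (stands in for bank/PG commercials).
ROUTE_COST_BPS = {"HDFC_PG": 90, "AXIS_PG": 80}


def choose_route(history, issuer, mode, down_routes=frozenset(), min_samples=5) -> str:
    """Pick the route for a new (issuer, mode) transaction: highest observed success rate for that
    issuer+mode, falling back to the route's overall rate when the slice is too thin, cheaper route on
    ties; routes marked down (failover) are skipped."""
    overall = success_rate(history, key=lambda t: t.route)
    by_slice = success_rate((t for t in history if t.issuer == issuer and t.mode == mode),
                            key=lambda t: t.route)
    candidates = [r for r in ROUTE_COST_BPS if r not in down_routes]
    if not candidates:
        raise RuntimeError("no route available")

    def score(route):
        rate, n = by_slice.get(route, (0.0, 0))
        if n < min_samples:                       # too little evidence for this slice; use the route's overall rate
            rate, _ = overall.get(route, (0.0, 0))
        return (-rate, ROUTE_COST_BPS[route])     # best rate first, then cheapest

    return min(candidates, key=score)


def _mk(route, mode, issuer, ok, fail, channel="app"):
    return [Txn(route, channel, mode, issuer, True)] * ok + [Txn(route, channel, mode, issuer, False)] * fail


SAMPLE_HISTORY = (  # constructed: 20 attempts across two routes
    _mk("HDFC_PG", "CC", "SBI", ok=4, fail=1)
    + _mk("AXIS_PG", "CC", "SBI", ok=3, fail=2)
    + _mk("HDFC_PG", "DC", "ICICI", ok=3, fail=2)
    + _mk("AXIS_PG", "DC", "ICICI", ok=4, fail=1)
)

if __name__ == "__main__":
    print("by route:", success_rate(SAMPLE_HISTORY, key=lambda t: t.route))
    print("by issuer+mode+route:", success_rate(SAMPLE_HISTORY, key=lambda t: (t.issuer, t.mode, t.route)))
    print("SBI CC ->", choose_route(SAMPLE_HISTORY, "SBI", "CC"))
    print("ICICI DC ->", choose_route(SAMPLE_HISTORY, "ICICI", "DC"))
    print("ICICI DC, AXIS_PG down ->", choose_route(SAMPLE_HISTORY, "ICICI", "DC", down_routes={"AXIS_PG"}))
    print("KOTAK CC (no history) ->", choose_route(SAMPLE_HISTORY, "KOTAK", "CC"))
```

Returning the sample count alongside the rate matters: a route that is 100% on two transactions should not beat one that is 85% on two thousand, which is why the router falls back to the aggregate when a slice is thin.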
This is a book you must read if you have any interest in the Indian payments/fintech space. Nothing else I have come across is as comprehensive in its coverage. I have no doubt that this book will be outdated, though, in another 5 years’ time, given the fabulous pace at which our payments ecosystem is evolving to become the best in the world. 10/10