How UPI Actually Works
Tracing a single ₹20 payment through India's digital infrastructure, from your phone to NPCI to the recipient's bank and back.
You open PhonePe. You scan a QR code at a chai stall. You enter ₹20 and tap pay. Two seconds later, the transaction is complete. The chai-wallah’s phone buzzes with a confirmation.
In those two seconds, your ₹20 travelled through at least six systems, was validated by three separate entities, and generated a data trail that multiple parties can access.
Most people never think about what happened in those two seconds. By the end of this chapter, you’ll be able to trace the entire journey, and you’ll understand why it matters that you can.
Before UPI: How Payments Used to Work
To understand why UPI is remarkable, you need to understand what came before.
Cash is the simplest payment: you hand over a physical object, the transaction is complete, and no third party is involved. Cash is private by default, nobody records that you bought chai. But cash requires physical presence, exact change, and trust that the notes are genuine.
Cheques introduced the idea of a promise: you write a paper instruction to your bank saying “pay this person this amount.” The recipient deposits it at their bank. The two banks then settle the difference between them. This takes days and involves manual processing at every step.
Card payments (debit/credit) digitised the process. When you swipe a card at a POS machine, the machine contacts a payment network (Visa, Mastercard, RuPay), which contacts your bank, which authorises the debit. But cards require physical hardware (POS terminals), merchants pay processing fees, and the system is built around international card networks.
NEFT and RTGS allowed bank-to-bank transfers, but required the recipient’s bank account number, IFSC code, and typically took 30 minutes to several hours.
UPI changed all of this. Launched in 2016 by NPCI (National Payments Corporation of India), UPI made it possible to send money between any two bank accounts in India, instantly, using just a phone number or a simple address, no account numbers, no waiting, no card terminals.
In 2023, UPI processed over 100 billion transactions worth more than ₹180 lakh crore. It’s the largest real-time payment system in the world. But how does it actually work?
The Cast of Characters
Before we trace the payment, let’s meet everyone involved. Think of it like a play, understanding who’s on stage makes the story clearer.
Your PSP (Payment Service Provider)
PhonePe, Google Pay, Paytm, CRED, the app on your phone. This is the interface, the front door. Your PSP doesn’t hold your money. It doesn’t process your payment. It’s a translator, it takes your tap and converts it into a standard message that the payment network understands.
Think of the PSP like a post office counter. You tell the clerk what you want to send and where. The clerk packages it correctly, stamps it, and hands it to the postal system. The clerk doesn’t deliver the letter.
Your Bank (Remitter Bank)
SBI, HDFC, ICICI, whichever bank account you linked to your UPI app. This is where your money actually lives. The bank is the one who actually moves the money, debiting your account and confirming the debit to the network.
NPCI (National Payments Corporation of India)
The central switch. Every single UPI transaction in India passes through NPCI’s infrastructure. NPCI doesn’t hold anyone’s money, but it routes every payment, receiving requests, resolving addresses, connecting banks, confirming transactions.
NPCI is to UPI what a telephone exchange is to phone calls, it doesn’t talk, but without it, nobody can reach anyone.
The Recipient’s Bank (Beneficiary Bank)
The chai-wallah’s bank, where the ₹20 will land. It receives a credit instruction from NPCI and adds the money to the recipient’s account.
The Recipient’s PSP
The app the chai-wallah uses (might be PhonePe, Google Pay, or any other UPI app). It receives the success notification and shows the confirmation.
The Journey of ₹20
Now let’s trace exactly what happens when you tap “Pay.” Each step is a cluster of packets flying through the network.
Step 1: You Authenticate
You scan the QR code. The app reads the QR data, it contains the recipient’s VPA (Virtual Payment Address), something like chaiking@ybl. You enter ₹20 and authenticate, fingerprint, face, or UPI PIN.
At this point, nothing has left your phone yet. The authentication happens locally on your device. Your app has confirmed that you are who you claim to be.
Step 2: Your App Talks to Its Server
Your PhonePe app sends an encrypted request to PhonePe’s backend servers: “User X wants to send ₹20 to VPA chaiking@ybl.”
PhonePe doesn’t process the payment itself. It packages your request into a standard UPI message format, a specific XML structure that all participants in the UPI ecosystem understand, and forwards it to NPCI.
This is where the dabbawala metaphor from Chapter 1 applies: PhonePe is the first dabbawala. It picks up your “lunchbox” (payment request), labels it correctly, and hands it to the next person in the chain.
Step 3: NPCI Receives and Routes
This is the most interesting step. NPCI’s Unified Payments Interface system is essentially a massive routing switch, think of it like a sorting facility in the dabbawala network, the place where lunchboxes are read, sorted, and sent on their way.
NPCI does several things:
Resolves the VPA, The address chaiking@ybl needs to be converted into an actual bank account. The @ybl suffix tells NPCI this VPA is registered with Yes Bank (PhonePe’s banking partner). NPCI looks up which bank account is linked to this VPA.
This is similar to how DNS works on the web (a topic we’ll return to). The VPA is a human-readable address. The actual bank account is the underlying identity. NPCI translates between them.
Validates the transaction, NPCI checks the message format, transaction limits, and basic fraud signals. Is this a valid VPA? Is the amount within limits? Does anything look suspicious?
Routes to your bank, NPCI sends a debit request to your bank (the remitter bank): “Please debit ₹20 from the account linked to User X’s UPI.”
Step 4: Your Bank Debits
Your bank receives the debit request from NPCI. It:
- Verifies your balance, Do you have ₹20 available? (Not just ₹20 in total, ₹20 that isn’t already held for other pending transactions.)
- Checks your limits, Have you exceeded your daily UPI transaction limit?
- Places a hold, ₹20 is set aside. It hasn’t left your account yet, but it’s reserved.
- Sends confirmation to NPCI, “Debit authorised.”
All of this happens in milliseconds. Your bank’s systems process thousands of these requests every second.
Step 5: NPCI Routes the Credit
NPCI receives the debit confirmation. Now it flips to the other side and sends a credit request to the recipient’s bank: “Credit ₹20 to the account behind chaiking@ybl.”
Notice the pattern: NPCI sits at the center, talking to both banks but never holding the money itself. It’s a messenger and a coordinator, a very powerful one.
Step 6: The Recipient’s Bank Credits
The recipient’s bank receives the credit instruction, adds ₹20 to the chai-wallah’s account, and confirms back to NPCI: “Credit completed.”
Step 7: The Confirmation Cascade
NPCI now sends confirmations back down the chain:
- To PhonePe: “Transaction successful.”
- To the recipient’s PSP: “Credit completed.”
- Both apps display success screens.
- Both phones may receive push notifications.
Total time: approximately 2 seconds. Six hops. Three validations. One NPCI switch at the center of everything.
Try It Yourself
The UPI Flow Tracer in the lab lets you trigger a simulated UPI payment and watch it move through each entity in real time. At each step, you can see what data that entity receives and records.
The Data Trail
Now let’s look at what happened from a data perspective. Forget the money for a moment, trace the information.
| Entity | What They Now Know |
|---|---|
| PhonePe (your PSP) | Your identity, device model, OS version, location (GPS), time, amount, recipient VPA, transaction ID. Over time: your complete spending patterns, favourite merchants, time-of-day habits, geographic movement. |
| Your bank | Account balance before and after, debit amount, NPCI reference number, timestamp. Over time: your income, outflow, balance trends. |
| NPCI | Both parties’ identities, amount, timestamp, both banks, both PSPs, VPA resolution, success/failure status. NPCI sees every UPI transaction in India. |
| Recipient’s bank | Credit amount, source reference number, timestamp. |
| Recipient’s PSP | Sender VPA, amount, time, transaction status. |
Five entities now have a record of your ₹20 chai. NPCI, sitting at the center, has the most complete picture, it sees both sides of every transaction.
In 2023, that means NPCI had records of over 100 billion transactions. Each one is a line connecting two people, two banks, an amount, and a moment in time. That’s a graph of India’s economic activity at a resolution no entity has ever had access to before.
The Packet Layer
Remember from Chapter 1: all of this is happening over packets. Each step, the API call from PhonePe to NPCI, the debit request to your bank, the credit confirmation, is a cluster of encrypted packets traversing the internet.
The encryption (TLS/HTTPS) means that intermediate networks can’t read the payment details inside the packets. But they can see the metadata: your device connected to PhonePe’s servers, which connected to NPCI’s servers, which connected to your bank’s servers. The pattern of connections reveals the transaction, even without reading the content.
Your ISP knows you used PhonePe at 8:47 AM. They don’t know you paid ₹20 for chai, but they know you used a payment app, and if they see the same pattern every morning, they can infer your habits.
Why This Architecture Matters
UPI’s design has several properties worth understanding:
Centralisation Through NPCI
Every UPI transaction flows through NPCI. This is a deliberate design choice, it means any two banks can transact without having bilateral agreements with each other. NPCI is the universal connector.
But centralisation has trade-offs:
- Single point of visibility: NPCI can see all of India’s digital payment activity.
- Single point of failure: If NPCI goes down, all UPI transactions stop. (This has happened, UPI outages affect the entire country.)
- Single point of control: NPCI can set rules, impose limits, and decide who gets to participate in the ecosystem.
Financial Inclusion
UPI is genuinely democratic infrastructure. The same system, the same protocol, the same NPCI switch is used whether you’re paying ₹20 for chai or ₹20 lakh for a car. A street vendor and a multinational corporation use the same rails. This is unusual globally, most countries’ payment systems have different tiers for different transaction sizes.
Data Concentration
The flip side of convenience is concentration. Before UPI, your financial life was fragmented across cash transactions (invisible), different bank accounts, and different payment methods. Now, a significant portion of Indians’ daily spending is captured in a single, searchable, queryable digital trail, distributed across PSPs, banks, and NPCI.
This data has enormous value. For financial services (credit scoring, insurance), for government (tax compliance, subsidy delivery), for law enforcement (tracking illicit transactions), and for surveillance.
The question of who controls this data, where it’s stored, and who can access it is the subject of the next chapter.
The Settlement Layer (What Happens After)
One detail most people don’t know: the “instant” UPI payment you experienced is actually settled in batches later.
When NPCI tells you the transaction succeeded, the money hasn’t actually moved between banks yet. What’s happened is a promise: your bank has committed to pay, and the recipient’s bank has committed to credit. The actual money movement between banks happens in batches throughout the day through the settlement process, where NPCI calculates the net amounts owed between banks and instructs the Reserve Bank of India to move the funds.
So the ₹20 you paid for chai was promised in 2 seconds but settled hours later. For you, it doesn’t matter, the money appeared in the chai-wallah’s account instantly. But at the banking infrastructure level, the actual movement of funds is batched and netted for efficiency.
This is why very occasionally, if a bank’s systems have issues, you might see a “transaction pending” state, the promise was made but the settlement infrastructure hasn’t caught up yet.
What You Now Know
After reading this chapter, you can trace a UPI payment from tap to confirmation. You understand:
- The six hops a payment takes
- Why NPCI sits at the center of everything
- What data each entity collects about your transaction
- Why “instant” payments are actually settled in batches
- How the packet layer underneath carries all of this
Every time you tap “Pay” now, you’ll know what’s happening in those two seconds. The next question is: where does all this data end up? That’s explored in Data Localisation in India.
Related: What Is a Packet? covers the foundation, how data actually moves across networks. Data Localisation in India explores why your payment data must stay within India’s borders.