UPI

UPI (Unified Payments Interface) is India's instant-payment rail, operated by the National Payments Corporation of India (NPCI). Two QR formats coexist: the plain upi://pay URI scheme (simple, works in every UPI app) and the NPCI BR Code — an EMVCo MPM subset with Merchant Account Information (tag 26) carrying the VPA. UPI processed 11+ billion transactions per month by 2024; every Indian banking and payment app supports it.

Canonical spec: NPCI UPI Product Overview and NPCI OC 97 — Standardization of UPI QR Code Format.
URI scheme: upi://pay?pa=VPA&pn=NAME&am=AMT&cu=INR — the simplest UPI QR format. Works in every UPI-enabled app.
Parent spec: EMVCo MPM v1.1. UPI reserves merchant-account tag 26 in BR Code format.
Regulator: Reserve Bank of India (RBI) — issues UPI circulars; NPCI is the operator.

Two QR formats

upi:// URI scheme. Simple URL-encoded payment intent. Used by every consumer-facing UPI QR (Paytm/Google Pay/PhonePe stickers at small merchants). Readable by every UPI app.
NPCI BR Code (EMVCo MPM). TLV-encoded format with tag 26 for UPI Merchant Account Information. Used for unified/interoperable QRs (Bharat QR) and larger enterprise deployments where the QR may simultaneously carry UPI + RuPay + cards.

upi:// URI scheme — parameters

Param	Name	Required	Notes
`pa`	Payee address (VPA)	Yes	Format: `user@handle`. Example: `alice@oksbi`, `merchant@paytm`.
`pn`	Payee name	Yes	URL-encoded. Shown to payer for confirmation.
`am`	Amount	No	Decimal string: `10.00`. Omit for static "enter amount" QRs.
`cu`	Currency	No	Always `INR`. UPI is INR-only by regulation.
`tn`	Transaction note	No	Free-text memo shown to payer, max 50 chars.
`tr`	Transaction reference	No	Merchant-provided ID for reconciliation.
`mc`	Merchant Category Code	No	4-digit ISO 18245 MCC. Required for merchant accounts, optional for P2P.
`tid`	Terminal ID	No	POS terminal identifier.
`url`	Invoice/product URL	No	Deep-link the payer can open after payment to fetch receipt.

NPCI BR Code — tag 26 structure

When a unified QR uses BR Code format instead of plain upi://, the UPI-specific payload lives in tag 26 as a nested TLV:

Sub-tag	Name	Length	Notes
`00`	GUI — Global Unique Identifier	variable	Fixed value `upi.npci.org`. Identifies the scheme as UPI.
`01`	VPA	variable	The virtual payment address. Example: `merchant@oksbi`.
`02`	Merchant code	variable	NPCI-assigned merchant identifier for acquirer reconciliation.

VPA format rules

Format: user@handle — a username followed by @ and a PSP handle identifying the payment service provider.
Username part. 3–63 chars, alphanumeric plus ., -, _. Case-insensitive per spec — but some apps treat it as case-sensitive (see pitfalls).
Handle part. PSP-assigned. Common handles: @oksbi (SBI), @okicici (ICICI), @okhdfcbank (HDFC), @paytm (Paytm), @ybl (PhonePe → Yes Bank), @ibl (PhonePe → IDFC FIRST), @apl (Amazon Pay via Axis).
Total length. Max ~50 chars including the @.
Resolution. On scan, the payer's app resolves VPA → bank account via NPCI. The resolution returns the registered account holder's name, which the payer's app displays for confirmation.

Canonical test vector — `upi://` URI scheme

VPA merchant@oksbi, name TEST MERCHANT, fixed amount ₹10.00, with reference INV-2026-0001:

upi://pay?pa=merchant@oksbi&pn=TEST%20MERCHANT&am=10.00&cu=INR&tn=Invoice%20INV-2026-0001&tr=INV-2026-0001

Minimal "enter amount" static sticker:

upi://pay?pa=merchant@oksbi&pn=TEST%20MERCHANT&cu=INR

Common pitfalls

VPA case-sensitivity in practice. NPCI spec says VPA is case-insensitive. In practice some apps (older PhonePe, Paytm) fail on mixed-case VPAs. Always emit lowercase: alice@oksbi not Alice@OKSBI.
URL encoding of payee name. The pn parameter takes spaces and accented chars, which must be percent-encoded. TEST MERCHANT → TEST%20MERCHANT. Apps that don't decode correctly show garbled names on the confirmation screen.
Currency must be INR. UPI is INR-only by RBI regulation. Any other cu value is silently dropped or rejected. International receivers require RBI Liberalised Remittance Scheme compliance and don't use UPI.
Amount must be positive. am=0 or am=-5 is rejected. For "enter amount" QRs, omit the am parameter entirely.
₹ symbol in the amount. Never include the rupee symbol or "Rs." in the am value. am=10.00, not am=₹10.00.
Overlay fraud at POS. Physical UPI stickers are a well-documented fraud vector in India. An attacker pastes a sticker with their own VPA over the merchant's. The RBI's anti-fraud circulars require merchants to display the expected VPA as printed text next to the QR so payers can verify.
GST + 1099-K analog. UPI commercial receipts count for GST filing. Merchants with aggregate receipts exceeding ₹20 lakh/year must register for GST; those exceeding ₹10 crore must generate e-invoices on the GST Invoice Registration Portal. UPI transaction data is shared with the GST Network (GSTN) for reconciliation.
Investment solicitation restricted. SEBI prohibits UPI for unregistered securities solicitation. UPI QRs promoting "guaranteed returns", token presales, or MLM schemes trigger SEBI enforcement.
Consumer Protection (E-Commerce) Rules. A printed UPI QR that accepts payment is a commercial offer under the 2020 E-Commerce Rules. Merchant must display refund policy alongside the QR. UPI payments are instantly final; refunds must be initiated as a separate UPI push from merchant back to payer.

UPI-app compatibility

App	`upi://` URI	NPCI BR Code	Notes
Google Pay (Tez)	Yes	Yes	Largest UPI app by volume.
PhonePe	Yes	Yes	Full UPI + BR Code support.
Paytm	Yes	Yes	Full UPI + their own Paytm wallet fallback.
Amazon Pay	Yes	Yes	Via Axis Bank (`@apl` handle).
BHIM	Yes	Yes	NPCI's reference implementation. Safe baseline for testing.
Every major bank app (SBI YONO, ICICI iMobile, HDFC PayZapp, Axis Mobile)	Yes	Yes	All UPI-enrolled banks ship UPI support in their consumer app.
Generic iOS/Android camera	Partial	No	Native cameras parse the `upi://` scheme and offer "Open in UPI app" on newer devices, but don't render BR Code TLV directly.

UPI