WhatsApp Payments are ‘Not Secure’
WhatsApp payments rollout started in India earlier this month and, though the feature hasn’t even become available to all users yet, it has sparked a debate in the country’s digital payments community. WhatsApp payments are built on top of UPI, a layer that greatly simplifies interoperability between various banks, and questions are now being asked whether the Facebook-owned messaging app is living up to the spirit of interoperability behind the UPI. Paytm, which operates the largest digital wallet in India and is one of WhatsApp’s competitors in payments, recently introduced its own UPI payments feature. Paytm CEO Vijay Shekhar Sharma said that with WhatsApp payments, Facebook is “killing beautiful open UPI system with its custom close garden implementation.”
Sharma tweeted this on Wednesday and from there, the narrative online quickly shifted to Paytm being against “foreign” companies, though Sharma later clarified that his tweets were not about a foreign company, but rather about NPCI letting WhatsApp integrate UPI payments without needing to incorporate safeguards other payments apps had to integrate. NPCI is a private entity run by a consortium of banks, which operates UPI and a number of other financial products, and acts as a quasi-regulator for the payments industry. In a televised interview, Sharma further went on to say that Facebook and WhatsApp are evil, although a Paytm representative later stressed that he was not talking in the context of the UPI, and that the statement was being blown out of proportion.
To understand more, Gadgets 360 reached out to Sharma and Paytm – while he wasn’t available, the company connected us to Deepak Abbot, Senior Vice President at Paytm, to give a detailed account of the company’s objections to WhatsApp’s payments implementation.
“I want to stress that this is not Paytm versus WhatsApp, this is not India versus foreign,” were the first words from Abbot, who explained that as far as Paytm was concerned, the issue was that the NPCI had allowed WhatsApp to add UPI features without requiring it to conform to the same rules as other apps, including Paytm. Gadgets 360 has also reached out to the NPCI to get its views on this question, and will update this piece once it replies.
“All apps so far had to adhere to a process by the NPCI, to create a smooth, interoperable experience that is not being required of WhatsApp,” Abbot said. “NPCI requires an app password, so unless you log in no one can check your account, and you should be able to log out. Now you still have the MPIN to complete the transaction, but with just one factor now someone can make payments. You can’t even log out. So that is not secure, and that is why all apps were supposed to have passwords.”
“Every app has a four to six week NPCI audit process, they certify the app. In the garb of UX and UI, it’s being packaged as WhatsApp to WhatsApp payments,” he continued. “A Paytm user can’t send money to a WhatsApp user. The NPCI needs to look at this, they are locking the consumer.”
This isn’t exactly correct though. In our testing, we were able to send money from Paytm to the VPA (virtual payment address) a WhatsApp user finds under Settings. Although WhatsApp is geared to make it easier to send and receive money between its own users, it is possible to use it to send money to, or receive it from, people who are not on the app. Further, the interoperability between banks is maintained – as long as your bank is on the UPI, it’ll work with WhatsApp. However, WhatsApp on iPhone currently doesn’t let you send money to any VPA of your choice, something other UPI-based apps support.
Abbot agreed with this, but said that it goes against the spirit of interoperability. “I should be able to send money to anyone, regardless of the app they’re using,” he said, “and the way they’ve designed it is highly hidden and you know users don’t discover features that are buried behind menus.”
He also rejected the argument that WhatsApp’s UPI rollout was still a beta. “Beta should be invite only, the company controls who gets access, but if I’m on WhatsApp I can enrol everyone I know,” he said. “Such a long period for beta also gives them an undue advantage.”
“Why when we had to conform to all the different rules does WhatsApp get to pick and choose? Everyone should be on the same level,” said Abbot. He added that WhatsApp must immediately bring all the UPI features that other UPI apps have been required to support. When asked whether it would be better if all apps could use the features they needed, he said that until all players are offering the same features, it would not be right to change the requirements.
At the same time, Abbot isn’t in favour of increased regulatory oversight. “We all believe the NPCI has built a great product, and take them as a regulator, and of course the RBI is there as the final regulator,” he said.
To that end, Paytm plans to take its issues to the NPCI to try and ensure change. Once again, Abbot stressed that this is not a case of Paytm versus WhatsApp. “We will encourage NPCI to get WhatsApp to adhere to the requirements,” he said. However, on being asked whether Paytm is working with other UPI companies, such as PhonePe, or Google Tez, he said, “no, we will go to NPCI directly.”
Update: Gadgets 360 has received a statement from the NPCI where it has clarified its position on this matter. The NPCI has stressed that this is a trial run, and that WhatsApp will have to follow all the different UPI norms. You can read the statement below.
National Payments Corporation of India (NPCI) has been working to facilitate digital payments in the country with globally recognised products like Bharat Interface for Money BHIM - Unified Payments Interface (BHIM UPI). We follow well-defined guidelines for BHIM UPI services with the objective of making our platforms interoperable and based on open standards, convenient and secure, offering multiple choices to consumers for rapid adoption of digital payments through banks and payment ecosystem players.
Currently, NPCI has given its consent to roll out WhatsApp BHIM UPI beta launch with a limited user base of 1 million and a low per transaction limit. Four banks will join the multi-bank BHIM UPI model in phases (in the coming weeks) and the full feature product shall be released after the beta test is successful. The multi-bank model offers advantages such as transaction load distribution between banks and helps to integrate popular apps easily with BHIM UPI.
Broad principles for interoperability are: a) ability to send and receive money through any BHIM UPI ID, b) intent and collect call, and c) read and generate BHIM/Bharat QR code, which are required in the final BHIM UPI app. Only a BHIM UPI enabled app which fulfils such principles will be permissible for full scale public launch.
We work towards providing a seamless experience to users of the BHIM UPI platform and recognise the contribution of member banks and non-bank entities in reaching this level.
Update 2: Paytm has also sent out a response to the NPCI statement, which you can read below.
We welcome this statement by NPCI. It addresses the concerns of interoperability violation that we had raised. It also clarifies that the trial has been restricted to 1 million users, though we feel that a product with the stated violations could have been tried out amongst a much smaller base. We are still concerned that this statement is silent on the critical issue of safety/security of a financial transaction through UPI, where consumers need to mandatorily sign-in with username and password. This violation is fundamental and very serious. WhatsApp must implement login & password like all other BHIM UPI apps. This statement is also silent on other issues such as the requirement to send SMS notifications for every UPI transaction. We hope that future rollout will be fully compliant with all the guidelines. We wait to hear NPCI views on some of these missing aspects.