Interbank Mobile Payment Service (IMPS) is an instant inter-bank fund transfer through mobile, enabled by the National Financial Switch (NFS) operated by NPCI. As of March 2011, there are 7 certified banks offering this mobile banking service, with four more in the pipeline. The seven banks have issued more than 6 million Mobile Money Identifiers (MMIDs). However, the transaction volumes are yet to pick up.
Given that there are 96 scheduled banks and the Indian Government is considering allowing large private companies to run their own banks, there could be more than 150 banks offering this mobile banking service. Presently, each bank asks its mobile banking customers to download a client onto their mobile. A smartphone user in a higher earning bracket is more likely to have multiple bank accounts, and hence multiple such clients, creating performance issues and inconveniencing the mobile subscriber.
Though a banking customer may have multiple bank accounts, a smartphone will have only one Telecom service provider (I am not counting dual SIM phones here). A Telecom provider has an opportunity to step into this chaos and provide a Universal Mobile Banking application. In addition to supporting multiple banks, this universal client can also double as a credit and debit card store as well as a mobile pre-paid payment instrument. In a nutshell, it would act as a personal payment gateway for a Telecom subscriber.
A Personal Payment Gateway is a secured server-based application residing inside the Telecom network; it is NOT exposed to the Internet. The Personal Payment Gateway can also be accessed through a secured mobile browser client or from a laptop connected to a 3G/4G network. The Internet is bypassed in all cases.
The following payment instruments can presently be supported by the Personal Payment Gateway, operated by the subscriber through the Universal Mobile Banking Client.
VAS (Value Added Service) providers and mobile phone manufacturers want to keep control over their mobile platform, so they would want a strategy that gives them independence from a Telco network and would prefer a standalone client that is not tied to a Telecom provider. In such an approach, the standalone client would directly interact with multiple mobile banking and payment gateways over the Internet, and the Telco is relegated to the role of a pipe provider. Thus a Standalone Universal Mobile Banking Client is a Java ME, iPhone or Android application residing inside a smartphone that can communicate securely with multiple mobile banking and credit card payment gateways.
The smartphone user downloads a digitally signed mobile application from a trusted mobile app store.
In order to activate the application, the user needs a Public-Private Key Pair. She can either generate it and then get it certified as per the procedures defined in the IT Act 2000 (updated in 2006), or import a Digital Certificate previously issued by a CA (Certifying Authority) recognized under the Indian IT Act 2000.
The banking and credit card gateway parameters can be pre-loaded, looked up in the app provider's Service Discovery Gateway, downloaded from the bank's web site, or entered manually.
Unlike with the Personal Payment Gateway, where the Telecom operator validates the transaction's integrity, with the standalone client the subscriber has to register individually with each new bank or card acceptor payment gateway.
If the digital certificate has been countersigned by a recognized Certifying Authority and the email and mobile phone number in the certificate are the same as those provided by the subscriber to her bank/card payment gateway in the KYC (Know Your Customer) process, then no additional authorization steps are required. Otherwise, the payment gateway can add a step to validate the mobile number and email id by sending a one-time random number that must be signed by the subscriber's Private Key and returned to the payment gateway from the mobile app. Once the digital certificate is tied to a bank account, the subscriber is ready to transact. In this scenario, a bank customer may have multiple smartphones, or a smartphone and a 3G laptop, and may wish to transact from several such devices. Thus it may be a good idea to tie one digital certificate to a specific device and keep a mapping of the mobile number, device fingerprint and digital certificate for additional security. If a phone is lost, then only the digital certificate corresponding to that specific device needs to be blocked/invalidated.
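The registration step and lost-device handling described above, as an added example that is not part of the original post: a Go sketch of the gateway side, which issues the one-time random number, verifies the subscriber's signature over it with the key enrolled for that exact device, consumes the number so it cannot be replayed, and blocks a single device without touching the subscriber's other devices. It assumes Ed25519 keys stand in for the certificate's key pair, that the gateway keeps an in-memory table keyed by mobile number and device fingerprint, and that the mobile numbers and fingerprints used by callers are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device: one row of the (mobile number, device fingerprint) -> certificate map.
type Device struct {
	PubKey  ed25519.PublicKey // public key of the certificate tied to this device
	Revoked bool
	Nonce   []byte // pending one-time challenge; nil when none is outstanding
}
// Gateway stands in for the bank/card payment gateway (key: mobile+"|"+fp).
type Gateway struct{ devices map[string]*Device }
func NewGateway() *Gateway { return &Gateway{devices: map[string]*Device{}} }
// Enroll ties one certificate to one specific device of the subscriber.
func (g *Gateway) Enroll(mobile, fp string, pub ed25519.PublicKey) {
	g.devices[mobile+"|"+fp] = &Device{PubKey: pub}
}
// Challenge issues a fresh random number that this device must sign.
func (g *Gateway) Challenge(mobile, fp string) ([]byte, error) {
	d, ok := g.devices[mobile+"|"+fp]
	if !ok || d.Revoked {
		return nil, errors.New("device unknown or its certificate blocked")
	}
	d.Nonce = make([]byte, 32)
	_, err := rand.Read(d.Nonce)
	return d.Nonce, err
}
// Verify checks sig over the pending nonce with the enrolled key, then
// discards the nonce so a captured response cannot be replayed.
func (g *Gateway) Verify(mobile, fp string, sig []byte) error {
	d, ok := g.devices[mobile+"|"+fp]
	if !ok || d.Nonce == nil || d.Revoked {
		return errors.New("no usable challenge for this device")
	}
	n := d.Nonce
	d.Nonce = nil // one-time use
	if !ed25519.Verify(d.PubKey, n, sig) {
		return errors.New("signature does not match the enrolled certificate")
	}
	return nil
}
// Block invalidates only the certificate bound to a lost device.
func (g *Gateway) Block(mobile, fp string) {
	if d, ok := g.devices[mobile+"|"+fp]; ok {
		d.Revoked = true
	}
}
```

The subscriber side is just `ed25519.Sign(priv, nonce)` over the number received from `Challenge`; a real deployment would also expire unanswered challenges and persist the mapping.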
The Private Key is secured by a pass phrase, and the bank account and card data stored on the device are encrypted using the Private Key. Thus, if the user forgets the pass phrase, all data is lost!
The app provider will give access to a UDDI service and a PKI (Public Key Infrastructure) service, among other services, in a secured manner, either over SSL/TLS or through message-level encryption.
From the user's perspective, both types of Universal Banking transactions will look the same. But from the server side, that is, from the Financial Transaction Switch's viewpoint, all Standalone client transactions will be ON-US and all Personal Payment Gateway transactions will be OFF-US; see the NPCI FAQ for the definitions of ON-US and OFF-US.
The following transaction services are provided:
Since cash withdrawal is not allowed from a semi-closed pre-paid payment instrument, money can only be pushed into the instrument and used to pay selected merchant accounts.
Open pre-paid instruments are at par with Debit Cards.
Merchants can request payment for goods and services through push gateways, that is, either through the Personal Payment Gateway or through gateways discovered from the app provider's Service Discovery Gateway.
On startup, the application is unlocked by a pass-phrase. This pass-phrase decrypts the transaction Private Key, which in turn unlocks the bank/card details. All data is encrypted: in local storage for the Standalone client and on the server side for the Personal Payment Gateway.
The Top level Menu Options are:
First the user selects the payment instrument from a list, then selects the beneficiary account. With a standalone client, a beneficiary needs to be registered for each payment instrument individually, whereas with the Personal Payment Gateway this registration is taken care of by the Telco.