I read two articles that imply that WhatsApp's T's and C's indicate that it is sharing your UPI PIN with Facebook and others; you can find them here and here. Both are based on an excerpt from WhatsApp's T's and C's that states:
When you register to use Payments, you provide your bank’s name, partial debit card number, and debit card expiration date. You will also be asked to provide your ATM PIN or UPI PIN, or to set up an UPI PIN for payment transactions if you do not already have one. We receive your debit card details and ATM PIN or UPI PIN securely, and we do not retain this information.
AND
To send payment instructions to PSPs, maintain your transaction history, provide customer support, and keep our services safe and secure, including to detect, prevent, or otherwise address fraud, safety, security, abuse, or other misconduct, we share information we collect under this Payments Privacy Policy with third-party service providers including Facebook. To provide Payments to you, we share information with third-party services including PSPs, such as your mobile phone number, registration information, device identifiers, VPAs, the sender’s UPI PIN, and payment amount.
While these could theoretically be combined to imagine the worst, I wanted to point out a few key features of the UPI platform that make this impossible by design and should put to rest any concern one may have after reading the above-mentioned articles.
I'm posting a few points that should clarify to the user that neither WhatsApp nor ANY OTHER UPI payment app sees your UPI PIN. As such, there is NO question of their sharing your UPI PIN with anybody.
I posted this clarification on one of the articles and am glad they have published it.
Regardless of what is worded in the T's and C's, the following points hold true:
1) The UPI architecture has a common library that is issued by NPCI to all application developers through a sponsor bank.
2) All sensitive data (last 6 digits of ATM card, PIN, UPI PIN) are ONLY entered inside this library.
3) All UPI apps have to go through extensive testing and certification - not to mention legal contracts - before they can go live.
4) NO payments application - WhatsApp, Paytm, iMOBILE, BHIM, Hike or anything in future - has access to any of the data in item 2.
5) Privacy-wise, UPI’s architecture eliminates the need to provide the sender with your bank account details - the Virtual Payment Address (VPA) (abc@xyz) essentially hides the beneficiary’s bank account details from the sender or anyone in-between until it hits the banking system.
6) Transaction data (who paid whom how much and when) is visible in this case to WhatsApp's servers and they may be using "other third-parties including Facebook" for providing some services (for example velocity checks etc.) - but users should be reassured that none of this allows them or any 3rd party to send money without the sender's consent.
The unique thing about the UPI platform is that transaction security is taken out of the domain of the application, which helps make UPI-based payments ubiquitous, and moved into the UPI common library that is issued by NPCI.
Hope this clarifies and comforts you that all UPI apps are safe! Use the one that you are most comfortable with!
Disclaimer: I am a VC and an investor in payments industry startups - Ezetap, happay, NiYO, Moneytap, KredX, AffordPlan - I have no affiliation with WhatsApp or Facebook except as a consumer. I'm also a volunteer at iSpirt and an evangelist of IndiaStack.
About the Author -
Sanjay Swamy is an Entrepreneur & Early-Stage Fintech Investor! #DigitalPayments & #Financial Services Fanatic! #IndiaStack_Evangelist!
This article was originally published on LinkedIn