How UPI Actually Moves Your Money

Harshit SharmaApril 6, 2026

6 min read

You scan a QR code at a chai stall. Tap your phone. Enter your PIN. Done. The chai guy's phone buzzes. Money moved.

The whole thing took 3 seconds.

But how does money go from your bank to his bank, instantly, without either of you knowing each other's account numbers?

Let's break it down.

First, the players

To send money through UPI, you don't need anyone's bank account number. You just need their UPI ID.

A UPI ID looks like an email address: harshit@okicici or shopkeeper@ybl. It's called a VPA — Virtual Payment Address.

The part after the @ tells the system which app (and which bank behind it) to talk to. The part before is just you. One person can have multiple UPI IDs across different apps, all pointing to different or even the same bank account.

But the real thing running the show behind every transaction is NPCI, the National Payments Corporation of India. Every single UPI payment in the country passes through them. They're the central switch. They route messages between banks and make sure everyone gets their money.

Now let's trace the actual transaction

Say you're paying ₹200 to a shopkeeper. You scan his QR code. The QR just contains his UPI ID and maybe the amount. It's a text string encoded as squares:

upi://pay?pa=shopkeeper@ybl&pn=ChaiShop&am=200&cu=INR

That's literally it. A URL with some parameters. Any UPI app can read it.

Inside a UPI QR Code

Tap any parameter to see what it does.

upi://pay?&&

paPayee Address

The shopkeeper’s UPI ID. This is where the money goes.

Valueshopkeeper@ybl

Here's what happens next, in about 3 seconds:

You enter your PIN. Your phone encrypts it immediately. The app you're using (Google Pay, PhonePe, whatever) never sees your actual PIN. It's sealed in an encrypted box that only your bank can open.

Your app talks to NPCI. The app sends a message: "This person (you@okicici) wants to pay ₹200 to shopkeeper@ybl. Here's the encrypted PIN."

NPCI reads the address. It sees @okicici on your side and @ybl on the shopkeeper's side. Now it knows which banks to talk to.

NPCI asks your bank: "Hey, this person wants to send ₹200. Here's their encrypted PIN. Verify it, check their balance, and debit the money."

Your bank opens the encrypted box, checks the PIN, checks the balance, pulls ₹200 out. Sends back: "Done."

NPCI tells the shopkeeper's bank: "Credit ₹200 to this account."

Shopkeeper's bank adds the money. Sends back: "Done."

NPCI tells your app: "Transaction successful."

Your phone shows the green checkmark. The shopkeeper's phone buzzes. Done.

Transaction Flow

Watch a ₹200 payment move through the system.

Your Phone

NPCI

Your Bank

Shopkeeper’s Bank

Press Play to start the transaction.

Your Phone → NPCI

NPCI → Your Bank

Your Bank → NPCI

NPCI → Shopkeeper’s Bank

Shopkeeper’s Bank → NPCI

NPCI → Your Phone

But the money doesn't actually move instantly

Your money doesn't physically teleport from one bank to another in those 3 seconds.

Your bank debits you instantly. The shopkeeper's bank credits him instantly. But the actual money between the banks? That settles later.

NPCI runs multiple settlement batches every day. It adds up all the transactions between every pair of banks and says: "Okay, HDFC owes ICICI a net of ₹4.7 crore today. SBI owes YES Bank ₹2.1 crore." Then the Reserve Bank of India moves those net amounts between the banks' accounts.

Individual transactions are instant for you. Bank-to-bank settlement is batched and netted. The banks trust the system, so it works.

Settlement

6 transactions between 3 banks. See what actually settles.

HDFCICICI₹500

ICICIHDFC₹200

HDFCSBI₹300

SBIHDFC₹100

ICICISBI₹400

SBIICICI₹150

6 individual transactions throughout the day

The security is actually clever

Your UPI PIN is a 4 or 6-digit number (depends on your bank). Sounds weak, right? But it's protected by layers.

When you first set up UPI, your app sends a silent SMS from your phone. This binds your specific device, SIM card, and app to your bank account. Even if someone knows your PIN, they can't use it from a different phone.

Your PIN is encrypted on your phone using a key from NPCI's common library. It travels through the app, through NPCI, all the way to your bank, and nobody in between can read it. Not the app. Not NPCI. Only your bank.

On top of that, it's three-factor auth. Something you have (your phone + SIM), something you know (your PIN), and your registered mobile number. All three have to match.

The QR code at every chai stall

The QR code at a small shop is called a static QR. It's just a printed piece of paper with the shopkeeper's UPI ID encoded in it. The customer scans, enters the amount, pays.

It costs literally nothing to deploy. Print a QR code. Tape it to the wall. You're now accepting digital payments.

Dynamic QR codes exist too — generated per transaction with the amount pre-filled. That's what you see at Swiggy checkout or POS machines.

But the static QR at the paan shop is what made UPI explode. No card machine, no monthly fees. Just a piece of paper and a phone.

Why any app can scan any QR code

NPCI mandated interoperability. A PhonePe QR code works with Google Pay. A Paytm QR works with CRED. This is enforced by regulation.

This is different from how most payment systems work globally. Apple Pay doesn't work with Samsung Pay's merchant terminals. Venmo doesn't send money to CashApp.

UPI said: nope, everyone talks to everyone. The @handle in the UPI ID is how the system routes things, but the sender can use any app they want.

The apps are just interfaces. The protocol underneath is shared.

UPI Lite — the speed hack

For small payments under ₹500, there's UPI Lite. Instead of hitting the bank server for every ₹10 chai, you pre-load a small wallet (up to ₹2,000) on your phone.

Payments from this wallet don't need to contact your bank at all. The money is already on your device. It's faster and works even when bank servers are slow.

The scale is absurd

UPI processes over 14 billion transactions a month. That's not a typo. Billions. Every month.

The entire system runs through NPCI's infrastructure. Multi-datacenter, active-active architecture. If one data center goes down, the other picks up.

A single transaction times out after 30 seconds. If your bank debited you but the shopkeeper's bank didn't credit, the system automatically reverses the debit. That's why you sometimes see "refund initiated" — it's the system cleaning up after a partial failure.

Why this matters beyond India

UPI is being connected to payment systems in other countries. Singapore's PayNow, UAE, France, Sri Lanka. An Indian tourist can scan a QR code in Singapore and pay using their Indian bank account, in real time.

Other countries are studying the protocol because nobody else has pulled off instant, interoperable, free bank-to-bank payments at this scale.

The actual insight

UPI is not an app. It's not Google Pay or PhonePe.

It's a protocol. A set of rules for how banks talk to each other through a central switch.

The apps are just interfaces. The QR codes are just addresses.

Underneath, it's a messaging system. Your phone sends a message. NPCI routes it. Banks process it. Money moves.

3 seconds.

Written by Harshit Sharma. If you want to know when new posts are out, follow me on Twitter.