Reputation: 1796
This is pertaining to the UPI Payment system in India.
I am using the sample code at https://developers.google.com/pay/india/api/android/in-app-payments to initiate Google Pay App to make UPI Payment. And everything is working fine.
My concern is:
In the provided example, there is a query parameter "url", does Google's server call this URL to update the payment status?
I tried, but nothing happened (I created a page which saves the page URL (Request.RawUrl) in a text file, but on payment the page was not called).
Maybe Google does call this URL (and I missed something), maybe it does NOT; can anyone confirm?
Repeat: My actual problem is how to prevent a hacker from fooling the server into believing that the payment was made successfully.
Note: This is to be my first app, so banks are not ready to provide API/UPI integration.
Paytm provides an API to check transaction status, so that is not a problem.
If not a direct solution, any way around will also work as long as it prevents me from manually checking bank statements.
TIA.
Upvotes: 4
Views: 2340
Reputation: 11
We were implementing UPI payment for one of our clients and realized the same issue.
We haven't tried Secure Intent to solve the issue. As per the NPCI document, signed content can be passed through the URI, but we do not know whether the response also contains the signed info to verify it's been done. If it works, we have a way to make it secure.
Upvotes: 1