In May 2021, Mastercard published a whitepaper highlighting the ubiquitous nature of Internet of Things (“IoT”) and the impact it may have on how individuals and enterprises make payments. This whitepaper, an outcome of collaboration between Global Open Network Japan Inc. and Mastercard, highlighted that payments through IoT may increase financial inclusion with pay-as-you-go options and identified certain use cases for services such as fitness, travel insurance, the sharing economy, and digital content.
On January 6, 2026, the National Payments Corporation of India (“NPCI”) took a step towards translating this into a reality by extending the UPI Circle framework to include IoT devices and software profiles, enabling delegated UPI payments through such devices under a tightly controlled model. This payment mechanism is coined as “UPI on IoT”.
Before we move forward, it is worthwhile to discuss certain key terms here:
Let's start with the term “UPI Circle”, wherein the primary user (i.e., the bank account holder) may opt to authorise a secondary user to initiate UPI payments using the primary user’s UPI account. Such authorisation is subject to controls such as transaction limits, verification by the primary user of the secondary user’s UPI ID and contact number, selection of delegation type – partial or full, etc. Importantly, the underlying bank account remains solely in the name of the primary user, and liability continues to rest with the primary user. From the looks of it, UPI Circle was prepared for enabling payment delegation from one natural person to another natural person.
However, in a significant development, the NPCI vide its circular dated October 8, 2025 (“Circular”) extended the UPI Circle to IoT devices and software profiles. This expanded framework, termed “UPI on IoT,” enables a primary user to delegate payment initiation not merely to another individual, but to non-human endpoints such as IoT devices and embedded software profiles. As clarified by NPCI, such delegation may be extended to devices and profiles, including smart wearables, smart televisions, artificial intelligence-based software profiles, etc., capable of initiating payment instructions.
As per the Circular, participants in the UPI on the IoT framework are to comply with the following:
The members shall adhere to the Reserve Bank of India’s guidelines on the ‘Harmonization of Turn Around Time and customer compensation for failed transactions using authorized payment systems’ dated September 20, 2019 (“TAT Guidelines”). This requirement assumes particular importance in the context of UPI on IoT, where payment initiation may occur through delegated, automated, or device-led interfaces operating across multiple technical layers. In such an environment, transaction failures may originate at the device, software, or trigger layer. However, the above-named TAT Guidelines ensure that such failures do not alter the customer’s entitlement to timely reversal and compensation.
Members shall implement a user-friendly online dispute resolution mechanism providing a transparent, efficient, and standardised process for users to raise and resolve disputes arising from UPI on IoT transactions, including those involving delegated or device-initiated payment flows.
Reconciliation and settlement of UPI on IoT transactions shall be carried out in accordance with the existing UPI guidelines and settlement processes.
Participants may onboard only NPCI-approved secondary devices under the UPI on IoT framework.
Participants must ensure that the primary and secondary devices are in close physical proximity at the time of linking.
Only domestic person-to-merchant (“P2M”) transactions are permitted under the UPI on IoT framework.
Participants shall ensure that transactions initiated through delegated devices or software profiles under the UPI on IoT framework are subject to defined monetary controls, including a monthly delegation limit of INR 15,000 per device or software profile and a per-transaction cap of INR 5,000, in order to mitigate risks associated with automated and device-led payment initiation. Additionally, a 24-hour cooling-off period applies post-linking, during which cumulative transactions are capped at INR 5,000.
Delegation shall be automatically revoked where the IoT device or software profile remains inactive for a continuous period of six months, and may be withdrawn with immediate effect in the event of security concerns, including suspected or actual device tampering.
Primary UPI Applications - Primary UPI applications are required to ensure transparency and user control in relation to delegated and device-initiated payments. Primary apps must clearly display details of the linked secondary device or software profile, obtain explicit user consent through two-factor authentication, and provide lifecycle management features, including limit configuration and de-linking. Primary apps must also ensure visibility of transaction history for such payments and permit authorisation of up to five IoT devices or software profiles per user.
Secondary Applications and PSP Banks - Secondary applications and PSP banks are responsible for the secure onboarding and operation of IoT-enabled payment solutions. This includes conducting due diligence and security assessments prior to onboarding, registering devices through mobile number verification and OTP-based validation, and capturing and validating device IDs or user IDs at both the registration and transaction stages. Further, secondary PSPs must ensure that only paid software profiles are enabled, avoid exclusive arrangements (particularly in the case of screen-less IoT devices) and comply with NPCI-prescribed requirements relating to data localisation, security reporting, and user data protection.
Issuer Banks - Issuer banks continue to act as the final control point in the UPI on IoT payment flow. They are required to validate device or user identification details and verify authorisation credentials before permitting any debit from the customer’s account.
The introduction of UPI on IoT makes it significantly more convenient to transact on UPI by enabling payments to be initiated seamlessly through connected devices and software profiles, without real-time user intervention.
While this makes payments significantly easier for the users by shifting payment initiation away from explicit, user-driven actions towards delegated, automated, and context-based triggers, it may lead to the users raising disputes relating to whether a transaction was duly authorised, whether the scope of delegation was exceeded, or whether the payment accurately reflected the user’s intent at the time of initiation.
Not only this, the Circular provides that participants may onboard only NPCI-approved secondary devices under the UPI on IoT framework. However, as of now, there is no clarity on the type of devices that will be approved by NPCI. This creates uncertainty for participants, particularly device manufacturers, software providers, and payment service providers, who are not presently sure whether their devices or software profiles will qualify for onboarding under the framework, or what technical, security, and compliance benchmarks such approval will be assessed against.
About the author: Namrata Dubey is a Senior Associate at NovoJuris Legal.
Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.