Skip to content
PRSINDIA

RBI · UPI/NPCI · eKYC · PCI-DSS

Fintech Software Development

In fintech a bug is a reconciliation break. We build double-entry ledgers that tie out to the bank daily, UPI integrations that survive the rail's real failure modes, and KYC modelled as a state machine from sprint one.

  • Double-entry ledger, append-only
  • Daily automated bank reconciliation
  • Idempotent UPI with status sweeps
  • PCI scope kept at zero
The real problem

A balance is not a column. It is a consequence.

The most common thing we are called in to fix in fintech is a product where the user's balance is a number on a table. It gets updated inside a transaction. Somebody writes a migration to correct a discrepancy. Within a year the sum of the balances does not match the money in the bank, and because a stored balance has no history, nobody can say why. A balance is the sum of an immutable, append-only, double-entry ledger. A correction is a reversing entry, never an edit. Any account's balance at any moment in history is derivable, and it ties out against the bank statement every day, automatically, with an alarm on any break. We build that first — before the app, before the onboarding flow, before anything a founder wants to demo. Everything else in a fintech product is downstream of the money being provably correct.

Talk about your product
0
Unexplained breaks

Daily automated reconciliation against the bank statement. A break raises an alarm; it does not wait for a month-end discovery.

0%
Idempotent writes

Every payment request carries an idempotency key. A retry cannot debit twice, which is the bug you cannot apologise your way out of.

T+0
Reconciliation cycle

Against the NPCI settlement file. Payment success and money arriving are two different events — we track both.

0
PCI scope

No card number ever touches your servers. Tokenised, hosted fields. PCI becomes a questionnaire rather than a programme.

What fintech engineering actually demands

Fintech is the one domain where a bug is not a bug. It is a reconciliation break, a regulatory breach, or somebody's salary that did not arrive. The engineering discipline is different, and it starts before the first line of code with a question most teams answer too late: what licence are you operating under, and whose?

Every rupee is double-entry. There is no shortcut.

The most common architectural failure we are called in to fix is a fintech product where the balance is a column on the users table. It gets updated in a transaction, somebody writes a migration to fix a discrepancy, and within a year nobody can explain why the sum of the balances does not match the money in the bank.

A balance is not a number you store. It is the sum of an immutable ledger. Every movement of value is a double-sided entry, entries are append-only, and a correction is a reversing entry that leaves the original intact and visible. The system must be able to produce, for any account at any moment in history, a balance derived from its entries — and that derived balance must tie out against the bank statement, every single day, automatically, with an alarm on any break. Building this is not optional and it is not something you add in year two.

UPI is not a payment gateway

UPI is an interbank rail, and its failure modes are its own. A collect request can be approved by the user thirty seconds after your system timed it out. A callback can arrive twice, or never. A transaction can sit in a genuinely indeterminate state where neither success nor failure is a safe assumption — and the only correct action is to query status, with backoff, until the rail tells you.

So: idempotency keys on every request, so a retry cannot debit twice. A status reconciliation job that sweeps pending transactions rather than trusting callbacks to arrive. Never mark a payment successful on a callback alone; verify against the rail. And a settlement reconciliation against the NPCI file, because the payment succeeding and the money arriving are two different events separated by a day and, occasionally, by a dispute.

KYC has tiers, and the tier decides the product

eKYC through Aadhaar has constraints on who may use it and how. Video KYC has an RBI-prescribed process with recording, geotagging and a real human. Minimum KYC caps what a wallet may hold and what it may do. CKYC lets you fetch an existing record rather than collecting it again.

These are product decisions wearing compliance clothing, and they must be made before design, not during it. A wallet whose limits change when a user completes full KYC needs that modelled as a state machine from the first sprint. Bolting it on afterwards means touching every transaction path in the codebase, and you will miss one.

The unglamorous rest

Data localisation: payment data stays in India, full stop. PCI-DSS scope, minimised by never touching a card number — tokenise, use the gateway's hosted fields, and keep your servers out of scope entirely. Audit logs that are append-only and that an engineer with production access cannot edit. Segregated environments with sandbox rails. And a runbook for the day the rail is down, because it will be, and "we will figure it out then" is not a plan when money is in flight.

Modules

What we build into a fintech platform.

Double-entry ledger

Immutable, append-only, every movement double-sided. Balances derived, never stored. Corrections are reversing entries.

Reconciliation engine

Daily automated matching against bank statements and NPCI settlement files, with an alarm on every unexplained break.

UPI and payment rails

Idempotency keys, status sweep jobs for indeterminate transactions, and never trusting a callback as proof of success.

KYC state machine

Minimum, full eKYC, video KYC and CKYC fetch — as a modelled state machine where limits and permissions follow the tier.

Risk and fraud rules

Velocity checks, device fingerprinting, a rules engine an analyst can edit without a deploy, and a case queue for review.

Onboarding and consent

Aadhaar eKYC, PAN and bank penny-drop verification, with drop-off measured at every step because that is where CAC is decided.

Regulatory reporting

The reports the regulator asks for, produced from the ledger rather than assembled by hand in a spreadsheet the night before.

Operations console

Maker-checker on every manual adjustment, full audit trail, dispute handling and a refund flow that cannot be run twice.

Customer app

Biometric unlock, certificate pinning, no sensitive data at rest on the handset, and a security posture built to survive review.

India, specifically

The regulatory surface, stated plainly.

None of this is advice from a compliance consultant. It is the engineering consequence of rules we have already built against.

  • RBI data localisation

    Payment system data stays in India. That includes the offshore error tracker logging full request payloads, which is where teams quietly fail an audit.

  • PCI-DSS, scoped to zero

    Tokenisation and hosted fields keep card numbers off your infrastructure entirely, which turns PCI from a programme into a questionnaire.

  • KYC tiers and limits

    Minimum KYC, full eKYC, RBI-prescribed video KYC with recording and geotag, CKYC fetch. The tier determines what the product may do.

  • UPI / NPCI rails

    Idempotency, status reconciliation, settlement file matching. The payment succeeding and the money arriving are separate events.

  • Audit trails that hold

    Append-only, and not editable by an engineer with production access. If your audit log is a table someone can UPDATE, it is not an audit log.

  • Secrets and key management

    A managed vault, rotation, and no credentials in environment files or CI logs. Assume the repository will leak one day and design accordingly.

The metrics that matter

What a fintech board asks about.

Uptime is table stakes and nobody will thank you for it. These are the numbers that decide whether the business works, and every one of them should be derivable from the ledger without anyone opening a spreadsheet.

Talk to us
0%
Payment success rate

By rail, by bank, by hour. A drop on one issuing bank is a signal, not noise, and it should page somebody.

0%
KYC drop-off

Per step, not overall. The step that leaks is where your customer acquisition cost is actually being set.

<0.01
Reconciliation breaks

And every one of them is investigated. A tolerated break is a break that becomes a habit.

0min
Dispute first response

Median. Because a customer whose money is missing is not measuring your uptime.

Does your balance tie out to the bank today?

Not at month end — today, automatically, with an alarm if it does not. If that question makes you uncomfortable, it is the right time to talk, and it is a great deal cheaper to fix now than after you are carrying live customer balances.

The stack

Built on tools that will still be here in five years.

  • Laravel
  • Node.js
  • PostgreSQL
  • Redis
  • Kafka
  • UPI / NPCI
  • Razorpay
  • Cashfree
  • Aadhaar eKYC
  • CKYC
  • Karza / Signzy
  • AWS (India region)
  • HashiCorp Vault

FAQ

The questions you were going to ask on the call.

You can, and it will work for about a year. Then the sum of your balances will not match the money in your bank account, and because a stored balance has no history, nobody will be able to explain why. A balance is the sum of an immutable double-entry ledger. Entries are append-only and a correction is a reversing entry that leaves the original visible. That is what lets you derive any account's balance at any point in history and tie it out against the bank statement daily, automatically, with an alarm on any break.

Teams treat it like a card gateway and it is not — it is an interbank rail with its own failure modes. A collect request gets approved thirty seconds after you timed it out. A callback arrives twice, or never. A transaction sits genuinely indeterminate, where assuming success or failure are both unsafe. The fixes are unglamorous: idempotency keys so a retry cannot double-debit, a status reconciliation job that sweeps pending transactions instead of trusting callbacks, never marking success on a callback alone, and settlement reconciliation against the NPCI file.

That is a product question before it is a compliance one, and it has to be answered before design rather than during it. Minimum KYC caps what a wallet may hold and do. Full KYC via Aadhaar eKYC has constraints on who may use it. Video KYC follows an RBI-prescribed process with recording, geotagging and a live human. CKYC lets you fetch an existing record rather than collecting it afresh. If your product's limits change as a user upgrades tier, that must be a state machine from sprint one — retrofitting it means touching every transaction path, and you will miss one.

By never letting a card number touch your servers. Tokenisation, the gateway's hosted fields or iframe, and card-on-file tokens held by the gateway rather than by you. That keeps your infrastructure out of scope, which turns PCI from a programme costing lakhs and consuming quarters into a self-assessment questionnaire. Where scope is genuinely unavoidable we will tell you plainly what it costs, but for most products it simply is not necessary.

Payment system data stays in India. We deploy to Indian regions, keep backups in-country, and are careful about which third-party services ever see transaction data — an offshore analytics SDK or an error tracker with full request payloads is a quiet breach that surfaces during an audit, not before. We also keep secrets in a managed vault rather than environment files, and we keep audit logs append-only so that an engineer with production access cannot alter them.

A focused product — ledger, KYC, one payment rail, an admin and reconciliation — is typically 20 to 30 weeks and starts around ₹30,00,000. We build the ledger and reconciliation first, before any user-facing feature, because everything else is downstream of the money being provably correct. It is not the sequence founders want, and it is the one that means you are not rebuilding the core in year two while carrying live customer balances.

Proof

Shipped, measured, still running.

All case studies

NM Company

A portfolio and enquiry site for events firm NM Company

A visual portfolio and enquiry website for an event management and supplies firm — presenting a full...

Read it

Swasthya Sarathi

A healthcare-companion platform for Swasthya Sarathi

A multi-service healthcare platform that helps people find hospitals, doctors, labs, medical stores,...

Read it

MV Tech Education

A course and admissions platform for MV Tech Education

A course-catalogue and admissions website for a Bihar vocational institute — leading with industrial...

Read it

Let's talk fintech software development

Bring us the hard version of the problem.

A senior engineer reads every enquiry. You'll get a real answer — scope, risk and a number — within one business day.