PAYO – An Offline Customer Initiated One-Time-QR code based Payment System

Motivation

Have you ever tried to pay with your phone, only to find there’s no internet or the connection is too slow? Many digital payment systems need both the sender and receiver to be online, which isn’t always possible, especially in places with spotty coverage. PAYO was created to make payments easier and more secure, even when you’re offline. The goal is to let anyone pay quickly and safely, no matter where they are.

Introduction

PAYO is a secure, lightweight digital payment solution designed around the concept of offline-generated, one-time QR codes. Built with React Native (Expo) on the client side and an Express.js backend written in TypeScript, PAYO facilitates real-time payments with minimal infrastructure. The backend uses MongoDB (NoSQL) for storage and is currently hosted on Render’s free tier.

Flow Diagram

How This Works

PAYO uses special QR codes that can be created on your phone without an internet connection. When you want to pay, your app makes a QR code with all the payment details safely locked inside. The person you’re paying (like a shop owner) scans your code with their app, which checks that everything is correct and hasn’t been tampered with. The system uses strong security methods to keep your information safe and to make sure each payment can only be used once. Once the shop’s app is online, it sends the payment details to the server to finish the transaction.

Objectives

  1. Minimize customer-side connectivity requirements.
  2. Enhance security by limiting tampering possibilities in the transaction payload.
  3. Allow seamless integration in low-bandwidth or offline-first environments.

System Architecture

  1. Customer App (React Native with Expo)
  • QR Code Generation:
    • Encodes transaction metadata including uid, txn_id, and timestamp.
    • A SHA-256 hash of the payload is generated for integrity verification.
    • The payload is encrypted using AES for confidentiality.
  • Offline Operation:
    • QR codes are generated without needing an active internet connection.
    • On the user’s side, the transaction can be completed and verified while offline.
    (Figure: OTQR Generation)
  2. Merchant App
  • Scan and Submit:
    • Scans QR and sends payload to the server for validation.
  • Validation Flow:
    • Server decrypts the payload and verifies:
      • SHA-256 hash for integrity
      • Timestamp for expiry
      • Account balance
  3. Backend API (Express.js + TypeScript)
  • API Endpoints:
    • POST /validate-qr: Validates the payload using AES decryption and SHA-256 hash checks.
    • POST /process-payment: Executes and logs the transaction if all checks pass.
  4. Security Features:
  • AES encryption for QR confidentiality.
  • SHA-256 hashing to prevent tampering.
  • Timestamp-based expiry to avoid replay attacks.
  • One-time-use validation of txn_id to prevent double spending.
  5. Database (MongoDB)
  • Stores:
    • User balances
    • Merchant details
    • Transaction records (with unique txn_id)
  • Schema Flexibility:
    • NoSQL model allows scalable data evolution and dynamic fields.
  6. Hosting (Render)
  • Currently deployed on Render’s free tier, suitable for initial development and demos.
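
The validation flow listed above, sketched as an added example (this is not PAYO's own code): the customer side builds the encrypted payload, and the server side decrypts it, then checks the SHA-256 hash, the timestamp, and one-time use of txn_id. It assumes AES-256-GCM with a per-user shared key, a 120-second expiry window, and an in-memory set in place of the MongoDB txn_id lookup; `makeOtqr`, `validateOtqr` and the sample values are hypothetical, and the balance check is left out.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Field names come from the article; everything else here is an assumption.
interface QrBody { uid: string; txn_id: string; timestamp: number }
type Verdict = "ok" | "decrypt_failed" | "hash_mismatch" | "expired" | "replayed";

const MAX_AGE_MS = 120_000;            // assumed expiry window
const usedTxnIds = new Set<string>();  // stands in for a unique index on txn_id in MongoDB

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Customer side (offline): hash the body, then AES-encrypt body + hash.
function makeOtqr(body: QrBody, key: Buffer): string {
  const json = JSON.stringify(body);
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify({ json, hash: sha256(json) }), "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

// Server side: decrypt, then hash, expiry and one-time-use checks.
function validateOtqr(qr: string, key: Buffer, now: number): Verdict {
  let inner: { json: string; hash: string };
  try {
    const raw = Buffer.from(qr, "base64");
    const d = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    inner = JSON.parse(Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8"));
  } catch {
    return "decrypt_failed";           // wrong key or modified ciphertext
  }
  if (sha256(inner.json) !== inner.hash) return "hash_mismatch";
  const body: QrBody = JSON.parse(inner.json);
  // Reject stale codes and codes stamped implausibly far in the future.
  if (now - body.timestamp > MAX_AGE_MS || body.timestamp > now + MAX_AGE_MS) return "expired";
  if (usedTxnIds.has(body.txn_id)) return "replayed";
  usedTxnIds.add(body.txn_id);         // burn the txn_id only after every other check passes
  return "ok";
}

// Constructed sample values, not taken from the project.
const demoKey = Buffer.alloc(32, 7);
const T0 = 1_700_000_000_000;
const demoQr = makeOtqr({ uid: "user-123", txn_id: "txn-0001", timestamp: T0 }, demoKey);
```

Because the timestamp is set by an offline phone, the expiry check depends on the phone's clock being roughly in step with the server's; the txn_id set is what stops a second use inside the window.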

Future Ideas

PAYO has significant potential for further development. Planned features include support for additional payment types, enhanced tools for managing spending, and improved functionality for use in areas with no internet connectivity for extended periods. Making it easier for small businesses to participate and enabling usage across different countries are also key goals. The journey for PAYO is just beginning, with many exciting possibilities ahead.
