well. i don't know how safe it is but it sure is convenient. you generate an id like sushubh@ybl. you give this id to the retailer, in this case Paytm. they would generate a request. the request would appear in your app (PhonePe for @ybl). you can then approve or reject the payment from the app itself. it seems to be better as no secure number (credit card number for example) is shared with retailer or payment gateway. no password is typed in the computer. everything happens in your hands on your phone. and your upi id is just like an email id. nothing private about it. and you can change it anytime you want.