Pay attention to QR code payment security: how to protect your wallet when you scan to pay?

  Nowadays, QR code payment is widely used in offline micropayment scenarios such as restaurants, supermarkets and convenience stores. However, hidden risks remain in how bar codes are generated and transmitted, which has led to payment security incidents, and unfair competition exists in how market institutions promote the business (see the report "Sweep, why is the wallet" on May 11 of this edition). What measures should the relevant departments and payment institutions take to ensure that users pay safely? How can the user experience of QR code payment be further improved?

  Competent department:

  Formulate technical standards and standardize business development

  The 2017 China Third-Party Mobile Payment Industry Research Report pointed out that the offline code-scanning payment industry has entered a period of accelerated development. On the one hand, offline code-scanning payment is simple and fast, giving users a convenient consumption experience; on the other hand, merchants who adopt it also enjoy the revenue increase brought by digital marketing and operations.

  In promoting industry norms, the People's Bank of China positioned QR code payment as a small-value, convenient and effective supplement to bank card payment, and adopted a series of measures to standardize the development of the QR code payment business. These include establishing the regulatory principle that, whether a commercial bank or a payment institution carries out QR code payment using bank accounts or payment accounts, it should verify each transaction according to its security level, and carry out risk control and security management through transaction quotas.

  In recent years, with the wide application of payment tokenization and other technologies in mobile payment, the security standard of QR code payment has objectively improved. The People's Bank of China guides the relevant market players to actively improve their technical level, formulate relevant technical standards, and standardize the development of QR code payment services.

  The barcode payment business specification previously issued by the central bank has been in force since April 1, 2018. In view of the technical risks of barcode payment, this specification sets out a series of targeted requirements: for example, strengthening the security protection of bar codes, adopting measures such as payment tokenization, validity-period control and bar code anti-counterfeiting identification, improving the protection of bar codes at the stages of generation, storage, display, reading, parsing and use, and effectively guaranteeing that bar codes are reliable and valid.

  Because static bar codes are easy to tamper with or replace, and can easily carry Trojans or viruses, the central bank stipulates that when static bar codes are used for payment, regardless of the transaction verification method, the cumulative daily transaction amount of the same customer at a single bank or payment institution must not exceed 500 yuan. The new payment regulations also require that the payment institution hold a license: "To carry out bar code payment business, the payment institution should obtain the corresponding business license according to the regulations and conduct business according to the corresponding management measures."

  Jing Linbo, director of the China Social Science Evaluation Center of the Chinese Academy of Social Sciences, believes that QR code payment still faces some problems if it is to develop healthily. For example, the QR code, a common kind of two-dimensional code, became a national standard in 2000. A few years ago the state issued relevant policies on QR codes, but a comprehensive QR code standard has not yet been issued. "In addition to formulating business norms for QR code payment, the state should strengthen the top-level design of QR code payment, formulate comprehensive industry standards, and widely promote and use our national standards nationwide," Jing Linbo said.

  Payment institution:

  Strengthen security and improve payment experience.

  As the first commercial bank to launch QR code payment products, ICBC, according to the relevant person in charge, offers QR code payment with all the functions of the mainstream code-scanning products currently on the market, and uses internationally leading token technology to replace the card number with a token so that the real card number is never exposed, ensuring the security of account funds. At the same time, through a series of security controls such as 7×24-hour uninterrupted real-time risk monitoring, transaction limit control, verification of large transactions, and mandatory refresh of the QR code every 60 seconds, it provides bank-level protection for customer funds and information security, and effectively improves the user's payment experience. At present, ICBC QR code payment supports comprehensive aggregated acceptance, combining security, compatibility and convenience, and has brought more than 1 billion potential individual users to 5.6 million ICBC e-payment merchants, making it the largest aggregated payment platform in China.

  China UnionPay and more than 40 commercial banks launched the UnionPay QuickPass QR code products. Industry insiders believe this is an active exploration and innovation by large state-owned commercial banks in QR code payment, and a useful attempt to provide users with efficient, convenient and safe mobile payment transactions.

  As a third-party payment platform, Alipay has also adopted a number of technical means to reduce transaction risk in "scan-to-pay" payments. Shang Shanhu, a security expert at Alipay, said that to prevent information security risks and avoid user account or transaction order information being parsed out of a QR code that has spread, Alipay first encrypts the information to be transmitted through the QR code into a character string with an encryption algorithm, and then encodes that string into the QR code. Therefore, even if the QR code is acquired and scanned by others, they can only recover the encrypted string and cannot further extract any information about the user. Barcodes generated by merchants' cash registers and by the Alipay app are time-limited: after expiry a new barcode is generated and the previously generated barcode becomes invalid, preventing the information and financial risks caused by barcode copying and dissemination.
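The two mechanisms described in the ICBC and Alipay paragraphs above, a token standing in for the card number and a payment code that is only valid for a short window (60 seconds in the ICBC description), as an added illustrative example; this is not Alipay's, ICBC's or the central bank's code. The server key, the `token.timestamp` payload layout and the truncated HMAC-SHA256 integrity tag are assumptions standing in for the unspecified encryption scheme.

```python
import base64
import hashlib
import hmac
import secrets

# Validity window: the article describes a mandatory QR code refresh every 60 seconds.
CODE_TTL_SECONDS = 60
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to the payload (assumption)


def decode_payload(code: str) -> bytes:
    """Return the raw bytes a scanner would recover from the displayed code."""
    return base64.urlsafe_b64decode(code.encode())


class PaymentCodeService:
    """Illustrative issuer/verifier. The card number never leaves the server:
    the code carries only an opaque token, an issue timestamp and a MAC."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key      # hypothetical server-side key
        self._token_to_card = {}     # token -> real card number, server side only

    def tokenize(self, card_number: str) -> str:
        """Tokenization: map a random token to the card; the card stays here."""
        token = secrets.token_hex(8)
        self._token_to_card[token] = card_number
        return token

    def issue_code(self, token: str, now: float) -> str:
        """Build the short-lived string that would be rendered as the QR code."""
        body = f"{token}.{int(now)}".encode()
        tag = hmac.new(self._mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        return base64.urlsafe_b64encode(body + tag).decode()

    def verify_code(self, code: str, now: float) -> tuple:
        """Check integrity, then the validity window, then resolve the token."""
        try:
            raw = decode_payload(code)
            body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            token, issued_str = body.decode().split(".")
            issued = int(issued_str)
        except (ValueError, UnicodeDecodeError):
            return None, "malformed"
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "tampered"
        if not 0 <= now - issued <= CODE_TTL_SECONDS:
            return None, "expired"   # an old (or future-dated) code is rejected
        card = self._token_to_card.get(token)
        if card is None:
            return None, "unknown token"
        return card, "ok"
```

A copied code is therefore useless once the window has passed, and the bytes a scanner recovers reveal neither the card number nor anything that can be altered without failing the tag check.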

  Alipay also launched the "You dare to accept, I dare to pay" protection plan: if a merchant's payment collection code is maliciously replaced or switched, the lost funds will be compensated through an insurance company.

  Users and the public:

  Raise awareness of prevention, don’t just scan the code.

  Making "scan-to-pay" safer depends on the efforts of regulators and market institutions, but it also requires users to raise their awareness of prevention and strengthen their self-protection.

  Industry experts reminded that users should stay alert and not readily believe brand promotion activities such as "scan the code for a free gift" in the marketplace. Huge security risks may hide behind the act of scanning, such as the disclosure of personal information, and there may also be illegal acts involved. In particular, do not readily provide your name, ID card, bank card, telephone number, mailing address or other information. Even a trusted QR code application may be maliciously exploited by hackers and criminals to produce malicious QR codes, so stay vigilant at all times.

  Shang Shanhu suggested that with the popularity of QR codes, users should learn some relevant knowledge and common cases about QR codes to raise their awareness of safety precautions. At the same time, users should develop good mobile phone habits, including downloading tools and software only from official websites, not scanning codes at random, and installing anti-virus software on their phones.