Central bank in China is drafting technology and security standards for mobile payments using QR codes that will help resolve two years of regulatory limbo
Third party payment providers facilitating mobile transactions through quick-response (QR) codes has been trapped in regulatory limbo for more than two years, after the central bank took the controversial decision to suspend such services.
But sources close to the matter told Caixin that the People’s Bank of China (PBOC) is working on technology and security standards for such payments, a step toward creating a clear system for regulating the market that could pave the way for the ban to be lifted.
The central bank has authorized China Payment & Clearing Association (CPCA), a non-profit industry organization, to draft standards for purchases made on mobile devices by scanning a QR code — a square grid made up of black and white dots that can be scanned using a smartphone camera to make payments.
The central bank has set out specific requirements on a range of issues including encryption and safeguarding personal information and customers’ money, the sources said.
In March 2014, the PBOC suspended QR code payments handled by third-party payment providers. While the central bank cited security concerns surrounding identification and potential theft of consumers’ personal information and money, critics said the move was aimed at protecting China UnionPay, the state-controlled bankcard association which runs the country’s interbank network and holds a monopoly on processing the country’s bankcard payments.
UnionPay is losing tens of billions of yuan in revenue because mobile payment transactions including those made using QR codes don’t go through its system and so it doesn’t get a fee. The market is dominated by Alipay, an affiliate of Alibaba Group, and Tenpay, owned by Tencent Holdings.
In spite of the temporary ban, QR codes are such a popular way of paying for goods and services that the market has continued to grow albeit in a regulatory gray zone.
Payment providers including Alipay and Tenpay, along with a number of commercial banks, have continued marketing their QR code payment services to reach more users, while many small vendors see it as a convenient and low-cost payment option.
The manager of a technology company that has partnered with Alipay and Tenpay to offer QR code payment services said his business hasn’t been affected since the 2014 suspension because the PBOC didn’t spell out clearly how the ban should be implemented.
A source close to the central bank said that the 2014 ban was put in place because there were no rules or standards for third party QR code payment services, a situation that presented risks and was „irresponsible to consumers.” Now, regulators have agreed to put QR codes under the supervision framework set up as part of guidelines issued in July 2015 on Internet finance.
One source close to the CPCA told Caixin that regulators have held several rounds of talks on QR code payment rules and have formulated a draft plan on technology standards. „Regulators believe it is better to properly guide (the business) than to block it, and to allow fair competition based on unified technology standards,” said the source who declined to be named.
„The final plan will be a compromise,” said Chen Zhongru, director of the Financial Information Research Center at Peking University. „It will be an outcome that reflects the regulatory authorities’ desire to maintain an overall balance” between different payment systems that have been developed as well as the competing interests of the parties involved.
Risk Control
The most widely used QR code payment services on the market, including those from Alipay and Tenpay, require customers to scan a bar code that contains information such as a webpage with a product or order information provided by the vendor. Customers are then redirected to a payment page tin their smartphone’s browser to complete the transaction.
But this process raises security concerns and can expose users to fraud because it takes place in an insecure environment on the Internet. Viruses embedded in the code can capture personal information and hackers may be able to break into mobile devices to steal account information, according to an expert in Internet financial security. Transactions made through QR code systems are also difficult to track because there’s inadequate verification of a user’s identity to guard against fraud.
In December, the central bank issued a guideline requiring third-party payment companies to start providing more than one method to verify a user’s identity. Sources in the payment industry say the QR payment service will subject to the same requirements.
Several sources with knowledge of the matter told Caixin that the CPCA draft of the new regulations will set limits on the value of each transaction and require QR payment service providers to use a technology called tokenization as a method of risk control.
These requirements are in line with guidelines on Internet finance (http://english.caixin.com/2016-07-12/100965719.html) issued in July 2015 and a bankcard risk control rule announced by the central bank in late June this year, which for the first time required Chinese payment service providers to adopt tokenization technology, starting from December 1.
Tokenization offers a way of protecting sensitive data and is aimed at preventing theft of stored credit card information. It substitutes one part of sensitive data with a non-sensitive number, known as a token, that has no value but that can be used to track back to the sensitive data.
Apple Pay, a mobile payment system developed by Apple Inc. that allows users of Apple mobile devices to buy goods and services using their credit and debit cards, uses tokenization. It was rolled out in China in February.
A mobile payment technology expert told Caixin that payment companies have been developing their own payment systems for QR codes based on different security standards. Payment companies and banks will need to update their QR payment technologies to comply with the new standards, the expert said, a move that will improve standards across the industry as a whole.
China UnionPay is also eyeing to regain the lost ground in mobile payments. Sources close to the matter said that UnionPay is drafting its own version of QR code payment rules for its members based on the new CPCA standards as it prepares to make incursions into the mobile payment market.
Payment industry experts said China UnionPay’s foray into to QR code payment service could set the stage for an even bigger battle between the bankcard association and the Internet companies who currently dominate the industry.
A staffer at China UnionPay said the company developed its own QR code payment system back in 2010 but didn’t release it because of concerns about the regulatory hurdles.
In 2015, UnionPay made its mobile payment attempt by launching QuickPass contactless payment service, which allows users of smartphones equipped with the near-field communication (NFC) function to make payments by waving their devices at UnionPay point-of-sale terminals.
Data from iResearch, a market research company, show that mobile transactions handled by third-partly service providers totaled 6.2 trillion yuan in the first quarter of this year, a 202 percent jump from the same period last year.
Source: english.caixin.com
Banking 4.0 – „how was the experience for you”
„So many people are coming here to Bucharest, people that I see and interact on linkedin and now I get the change to meet them in person. It was like being to the Football World Cup but this was the World Cup on linkedin in payments and open banking.”
Many more interesting quotes in the video below: