In an effort to tackle fraud, the People’s Bank of China (PBOC), the national central bank of China, plans to enact a cap on mobile payments. While solutions such as Apple Pay and Google Pay use NFC technology to process payments, Chinese solutions such as WeChat Pay and AliPay use QR codes. One particular drawback of QR codes is that they are easy to falsify: a printed code is just a fixed payee identifier, and nothing about it tells the person scanning it who will actually receive the money. In 2017, 90 million yuan (roughly $13 million) was reported stolen in Guangdong province alone. There have also been reports of the QR codes on Mobike dockless bicycles being swapped for personal QR codes, so that the fraudster, not the company, gets paid.
Many restaurants and vendors in China display printed QR codes right at the table or at the register for patrons to scan, which, as Yusho Cho of Nikkei Asian Review argues, cuts down on labor costs that are rising.
The PBOC’s Provisions for QR Code Security
The regulations will cap individual QR code payments at 500 yuan (roughly $80) per day. Once security measures such as digital certificates and electronic signatures are in place, that cap may be raised to 5,000 yuan (roughly $765). According to the provisions, banks and payment processors may set the cap at their own discretion once the highest level of security is achieved.
While the regulations set few hard rules, the PBOC is mandating that banks and payment processors begin to self-regulate, and is providing them with guidelines on how to achieve those security objectives. It has also asked an industry group to gather members and experts to investigate how businesses using QR codes can improve their security.
The issue with the QR codes commonly used in China is that they are static: the code encodes a fixed payee and never changes. That is what makes them cheap. A vendor can print one on paper and laminate it under a plastic WeChat or AliPay cover at almost no cost. But the same property is what makes them easy to exploit: because the code carries nothing that ties it to the vendor, the time, or the transaction, anyone can print a code pointing at their own account and paste it over the vendor’s, and neither the customer nor the payment app can tell the difference.
The PBOC hopes to see banks and payment processors adopt security measures such as tokenization, expiration dates, and other anti-counterfeit measures. The guidelines also suggest the use of encryption, frequent updates, risk monitoring, and security software. Nevertheless, the provisions read more like guidelines and suggestions for the industry to work out than enforced solutions.
Still, there are fears that the regulations will put the brakes on a fast-growing industry. The PBOC’s policy towards mobile payments has been more or less laissez-faire, taking a back seat to Tencent and Ant Financial’s disruption of the payment industry. The cap on payments might hamper Tencent and Ant Financial’s efforts to push more purchases of big-ticket items.
Whatever the case, Ant Financial is supportive of the regulations. In an emailed statement, an Ant Financial spokesperson said the company fully supports the PBOC’s latest regulations related to third-party reserve funds and barcode payments. It will continue to “collaborate with regulators and industry partners and leverage technological innovation to better cater to the needs of micro and small enterprises and individual consumers.” Tencent has yet to release a statement regarding the regulations.
China’s mobile payments industry has been growing at an exponential rate, to the point where it directly shapes everyday life. Still, as an industry expands, so too does its attack surface. Because static QR codes can easily be replaced or copied, the PBOC has responded with documentation capping daily individual payments. While the documents lay out suggestions for the security measures that can complement QR code payments, it is ultimately up to industry leaders such as Ant Financial and Tencent to fill the security gap.