Thales eSecurity Blog

QR Codes: The future with no security shake up

(Originally posted on Cards International)

To reach its tipping point, cashless payment technology has come a long way since the first magnetic stripe card almost 50 years ago. The development of chip and PIN addressed concerns over security, before the emergence of contactless catered to consumer demands for greater convenience. Today, a new stage in the evolution of payments is growing in popularity. QR codes, already widely used in Asia, will eventually make their way to the rest of the world, offering merchants and consumers alike a simple and secure means of carrying out transactions. New technologies, particularly advances in payments, will inevitably bring with them new security concerns. However, by making security a priority regardless of the method or technology used, a development such as QR codes need not shake up the industry.

Convenience is king

The prime benefit of QR codes as a payment method is the convenience they offer. Consumers do not need a mobile device containing the latest NFC, Samsung or Apple Pay technology to make a payment – if a merchant has a scanner, the customer is able to present a QR code on their mobile device as a means of payment. The opportunity for a broader deployment is significant. By way of illustration, Paytm is a standards-based platform that has been rolled out across India as part of the government’s ‘demonetisation’ initiative. Rather than being a top-end merchant-based offer, the aim of Paytm was ubiquity – that it would become THE way to transact in India.

QR codes hold benefits for merchants too. Consider the Walmart Pay application where, rather than the typical payment process in which consumers present their payment method to the merchant, a QR code conveys the transaction information to the app on their mobile device where the payment is initiated. Smaller merchants, those without a POS device or even a checkout, such as the increasing number of pop-up food stalls that in the past would have been cash-only, can now enable a consumer to scan a QR code to push a payment in a merchant’s direction. One challenge is that not all retailers have the necessary scanners to read QR codes. However, adding a scanner may be a simpler option than upgrading payment terminals to accept contactless or NFC payments, or retailers can instead choose to provide a QR code that consumers use to initiate a payment.

Interoperability

QR codes are currently used for payments predominantly in Asia. WeChat Pay, for example, is one of the most popular mobile payment solutions in China, with around 600 million users, closely followed by Alipay, with around 400 million. In fact, Alipay overtook PayPal as the world’s largest mobile payment platform in 2013. In trying to accept Alipay as a means of transacting with Chinese customers, for example, US merchants have found to their cost that platforms such as these are not easily interoperable with more traditional approaches, and often require special arrangements and specialised solutions.

Standards developed by EMVCo, a consortium comprising the major payment card companies, will go some way to remedying this situation and, by making them more interoperable, allow QR codes to become a more global option. According to EMVCo: “The clarity provided by the specifications will enable merchants to accept QR Code payment solutions from various providers in a standardised manner. Consumers will also benefit from a more uniform experience that offers greater convenience and flexibility.”

Root of trust

The cashless security model has changed considerably since chip-enabled payments, in which everything was pinned to the authenticated consumer. As with mobile payments, QR codes have the ability to present dynamic or verifiable information rather than depend on a static piece of information – and a static code is where the danger can lie. Take the Starbucks Wallet: all that is scanned here is a customer’s ID. Should someone snap a photograph of that customer’s screen, this could then be scanned to make a fraudulent payment. The same issue could apply to QR codes.

However, if the code is based on EMVCo standards, it will have unique cryptograms in place to validate any transaction. This way, consumers can be confident that what they are presenting is better than a static card. In fact, contactless, QR codes and mobile payments are all largely similar in terms of security.
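
The difference between a scanned static ID and a per-transaction cryptogram, as an added example that is not from the original article and is not EMVCo's cryptogram algorithm: an HMAC over a transaction counter stands in for the cryptogram. The key, the `ID=…;CTR=…;MAC=…` payload layout and all names (`Issuer`, `static_qr`, `dynamic_qr`) are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real scheme provisions a per-device key securely.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def static_qr(customer_id: str) -> str:
    """Static payload: identical on every presentation, like a bare customer ID."""
    return f"ID={customer_id}"

def dynamic_qr(customer_id: str, counter: int, key: bytes) -> str:
    """Dynamic payload: ID and a per-transaction counter, bound together by a MAC."""
    msg = f"ID={customer_id};CTR={counter}"
    return f"{msg};MAC={_mac(key, msg)}"

class Issuer:
    def __init__(self, keys: dict):
        self.keys = keys          # customer ID -> device key
        self.last_counter = {}    # customer ID -> highest counter accepted so far

    def verify_static(self, payload: str) -> str:
        # Nothing distinguishes the customer's screen from a photograph of it.
        cid = payload.partition("=")[2]
        return "accept" if cid in self.keys else "reject: unknown ID"

    def verify_dynamic(self, payload: str) -> str:
        fields = dict(p.split("=", 1) for p in payload.split(";") if "=" in p)
        cid, ctr, mac = fields.get("ID"), fields.get("CTR"), fields.get("MAC")
        if cid not in self.keys or ctr is None or mac is None:
            return "reject: malformed"
        expected = _mac(self.keys[cid], f"ID={cid};CTR={ctr}")
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "reject: bad cryptogram"
        if not ctr.isdecimal() or int(ctr) <= self.last_counter.get(cid, -1):
            return "reject: replay"
        self.last_counter[cid] = int(ctr)
        return "accept"

def demo() -> dict:
    issuer = Issuer({"alice": DEVICE_KEY})
    static, code = static_qr("alice"), dynamic_qr("alice", 1, DEVICE_KEY)
    return {
        "static_original": issuer.verify_static(static),
        "static_photo": issuer.verify_static(static),
        "dynamic_original": issuer.verify_dynamic(code),
        "dynamic_photo": issuer.verify_dynamic(code),
        "dynamic_tampered": issuer.verify_dynamic(code.replace("CTR=1", "CTR=2")),
    }
```
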

From a merchant’s point of view, QR codes could represent more of a risk. As with any technology, as QR codes become more widely adopted, criminals will become more interested in finding ways of diverting funds into their own accounts. The only confirmation a consumer has that a payment has arrived at the proper destination is a merchant’s notification that it has been received. If it has not, there is very little recourse. A root of trust is, therefore, critical for QR codes, especially for merchants. Providing this is as important now as it has been for any other payment technology.

As we move closer to a cashless society, we will look to adopt more convenient, secure alternatives. As the sheer scale of Alipay, WeChat Pay and Paytm demonstrates, there is certainly an appetite for QR codes and their simplicity. Standardisation and security are the final pieces of the puzzle; once these issues are addressed, we will see QR codes quickly become more widely adopted outside Asia.
