Connect with us

Glossary

QR codes and the control of mobile money

Behind the humble QR code is an epic struggle over payments infrastructure.

Published

on

Quick question: what does “QR” stand for?

These black-and-white, square codes have exploded in payments channels, becoming ubiquitous almost overnight, especially in Asia. But QR codes have been around for a long time, and their rise is entwined with the ongoing struggle to dominate payments.

“QR” stands for “quick response”, and speed and ease of use are what makes them so useful. QRs are a two-dimensional version of the (one-dimensional) bar code. Bar codes were introduced in the U.S. in 1952 as a way of letting machines read data describing the object on which the code is printed – like the price of a can of soup that gets scanned at a supermarket checkout counter.

China’s “techfin” companies Alibaba and Tencent made QRs relevant to payments. Credit-card companies, having built a gigantic industry on their own technology, now face competitors out to displace their payment infrastructure using humble QRs.

Setting the standard

To understand why QRs have become a big deal, let’s take a quick look at the development of traditional payments. Banks began issuing charge cards in the 1950s and 1960s, forming networks that would become VISA and Mastercard, among others.

These groups in term formed a standard in 1995, EMV, to foster compatibility among “smart cards” using computer chips to store and transmit information. EMVCo, the association set up to manage these standards, now also includes American Express, China UnionPay, Discover Financial and JCB International.

Credit-card companies now face competitors out to displace them using QRs.

Guillaume Yribarren, head of marketing for financial institutions at Idemia, a Paris-based maker of card chips and technology, explains how these work.

A traditional card transaction requires the consumer to give the merchant certain details which, together, form the payment credentials, he says. This includes the card’s 16-digit number (or payment account number), expiration date, and three-digit cardholder verification code (CVC).

These are sensitive credentials that allow anyone (including a thief) to execute payments. Therefore the industry developed point-of-sale (PoS) machines to authenticate the cardholder and secure the data before sending it to the merchant’s acquirer bank, which then transmits it to the bank that issued the consumer’s card – all of which takes place on the “rails” of the credit card companies, for a fee (levied on the merchant).

“Enabling this to happen across multiple cards, banks, and rails has required EMVCo to manage standards behind the scenes,” Yribarren said.

Enter the token

Coordinating chips was one thing: now the tussle is over payment tokens.

A token is a line of code that serves as an alias in place of a real PAN. It looks like a 16-digit card number, but it’s generated dynamically (that is, it changes with every transaction).

Apple was the first to introduce a token, with its ApplePay, which incorporates the account number and another number to identify the device where the token information is stored (in this case, an iPhone).

Enabling this has required EMVCo to manage standards

Guillaume Yribarren, Idemia

EMVCo helped promote tokens because it provides additional security for payments. Instead of using the “real” card credential, a surrogate value (or “token”) is generated for a specific need and can only be used under certain conditions (specific merchant, max amount, etc.). 

A payment token is used during a mobile payment in-store contactless transaction (like Apple Pay, Samsung Pay or Google Pay). A token can also be used for online payment (thanks to a “disposable virtual card” displayed in a smartphone app).

Consumers can simply tap the smartphone on a reader to make a payment, just like using an Oyster card to pay for a ride on the London underground. EMVCo made sure that using Apple Pay in a store or online would seamlessly translate tokens into the real existing payments card numbers issued by the big credit-card companies to process the transaction.

It’s the token that makes e-commerce secure. Yribarren gives the example of buying a Netflix subscription. The movie site doesn’t store your credit card’s PAN. Instead, your payment triggers a request by Netflix to ask VISA or Mastercard for a token that it can store and use instead. Because tokens can be specifically generated for a given retailer , they’re useless to hackers; if someone stole the card details from Netflix, they’d just have a token assigned to its merchant code, a fraud attempt with this token would be instantly detected and rejected. Tokens can also be assigned attributes (such as a short-term expiration date, or spending limits).

Disruption: new rails

But then came AliPay and WeChat Pay, networks that developed completely outside the payments infrastructure of banks and credit-card companies. These companies began in e-commerce and mobile gaming, and found payments were a useful tool to generate incredible scale and bolt on new services. They are closed loops.

This is not new: so is Oyster, for example. But AliPay and WeChat Pay emerged in the quasi-vacuum of a huge market, and triggered a consumption boom in China that is still just getting started. Now they are looking to expand their reach overseas.

Meanwhile PayPal’s Venmo became a popular closed-loop consumer-to-consumer payments tool in the U.S., while more recently, some banks in Asia (DBS, CITIC and HSBC) have launched their own closed-loop payment apps.

But unlike Venmo, the Chinese techfins got their start using QR codes, which are easy to display, and read. Even old phones predating iPhones can read them if they have a screen. And it’s simple for a merchant to print them out. No one needs a PoS, and merchants don’t need to pay the 3% fees associated with accepting charge cards. Payments are almost real-time, so there’s no need for managing against fraud. All that is required is for a merchant and a consumer to both use the same system, such as AliPay, which settles the transaction without involving a bank or other payments provider.

Connecting to the closed loop

Of course at some point, these proprietary systems need to touch the outside world and established payment networks. These gateways began as top-ups via credit cards or bank transfers. And that’s where EMVCo comes back into the picture, because the big credit-card companies want to create QRs that are interoperable or using their existing rails. They are threatened by the advance of systems that otherwise don’t need them.

There are two ways a QR payment can work, depending on who does the scanning: the merchant, or the consumer?

Let’s take a consumer, in this case a Chinese tourist in Paris. Her phone is offline, to avoid roaming charges, but she wants to use AliPay to go shopping at Galeries Lafayette (which, due to the number of Chinese visitors, accepts AliPay and WeChat Pay).

The battle for EMV-compliant QR codes is just heating up

She generates a QR on her phone, which the sales clerk at Galeries Lafayette scans to get the shopper’s token (the store has to be online for this to work). The token contains her name, the name of her bank, her PAN, her expiration date, and her CVC. 

The merchant enters the amount to be paid, scans the customer’s phone for her QR to download a token, and processes that information. This process is basically the same as if the shopper tapped a contactless credit card. 

The second way this works is if the customer scans the merchant’s QR code, which may be printed out at the cashier counter. In this case, the consumer’s mobile must be connected to the internet. When she scans the QR code, Galeries Lafayette generates a token with the amount, the currency, and the store’s information. This token is sent to the shopper’s phone, which passes it on to AliPay’s servers, which confirm the payment back to the merchant.

QR compatibility?

The process for doing this via, say, Apple Pay, is the same – it’s just that Apple Pay will rely on VISA or Mastercard rails, while AliPay uses its own.

EMVCo is trying to push a generic QR standard that allows any merchant or device to read a compliant code. An AliPay or WeChat Pay is only usable when the consumer and the merchant are on the same platform. VISA, on the other hand, is accepted everywhere.

The battle for EMV-compliant QR codes is just heating up. The traditional payment-tech companies now recognize that QRs are going to spread in emerging markets, where credit-card infrastructure is still new and under-developed. The ease for merchants to print out or display a QR, without needing a PoS machine, makes it the perfect tool for the rapid adoption of mobile and digital payments, replacing cash.

But whose QR? Will QRs remain tied to closed-loop systems like AliPay and WeChat Pay? Will these techfins decide they will generate more international business if they conform to EMVCo standards? Will they want to join EMVCo – and will they be admitted into the club?

And how quickly can these competing standards drill down into local markets, where there are plenty of domestic credit cards based on purely local payments infrastructure, unconnected to international rails?

Going local

The rise of domestic payment networks is alluring to both Chinese techfins as well as to traditional card companies. One way to plug into these emerging sources of business is to work with local authorities to make local payments compatible with international ones. But the faster way is to roll out QR codes.

Will these codes by EMV-compliant? Or will the battle go chain by chain, store by store, as retailers, taxi companies and restaurants have to select among multiple payment networks?

In theory, EMVCo is easier because it means instant compatibility with the global majors, but it requires adopting traditional PoS machines and Western IT infrastructure, which aren’t “QR native” – and don’t cater to most Chinese consumers.

The tip of the spear

EMVCo spent years helping promote contactless payments, particularly in the U.S., where consumers were habituated to swipe cards and security in the form of Personal Identification Numbers. In some developed countries like Australia, contactless is now the dominant technology. While Venmo is popular in America as a C2C service, Apple Pay and other mobile payments have only tiny market share.

AliPay and WeChat Pay, on the other hand, have completely skipped cards altogether; everything’s just done by exchanging tokens via mobile phones (usually for debit cards, rather than credit). Moreover they have used QR codes to make payments so easy that they have become “superapps” paying out employees’ salaries and other daily needs, well beyond discretionary spending. They are so comprehensive in China that they have effectively shut out credit-card companies (which is why even China UnionPay is a promoter of EMV).

As the techfins look to take their proprietary systems abroad, they are putting traditional payment rails at risk. QR codes are the surface technology that makes it easy to use mobile payment rails. EMVCo is campaigning to ensure these rails use the same gauge, making them able to carry anyone’s tokens. But Western standards also mean Western costs, while Chinese QRs do not.

The opening phases of the battle depends on whether merchants rely on Chinese consumers, but long-term prospects are about controlling the future of mobile money. The humble QR code is more than a simple tool to transmit information: it is the tip of a massive, complex spear.

Copyright © 2017 Digital Finance Media Limited. All rights reserved.

QR codes and the control of mobile money