E-Commerce has long relied on the “Card Not Present” payment method. At this point, online consumers can do the routine with their eyes closed: Enter their credit card number and billing address into the website form, flip their card around to key in the security code, and click “Purchase.”
The QR Code – which has had a wild ride – is going to both speed up the e-commerce payment experience and make it more secure.
“Card Not Present” Danger
The security risks associated with the “Card Not Present” payment method are well known. Merchants’ systems – which store all the information criminals need to commit fraud with consumers’ credit or debit cards – have been vulnerable attack points, hence the data breaches we read about daily. Merchants also don’t have a way to confirm whether the information a consumer enters is their own or compromised data.
Online businesses that use this payment method expose themselves to hacking, but even if they’re not hacked, they pay a price since there is a higher fee for processing these higher-risk transactions in which the card is not physically present.
So both consumers and merchants are paying a higher price for the convenience of online shopping. But the emergence of QR Codes for payments will show it doesn’t have to be that way.
QR Code Adoption
Walmart introduced its Walmart Pay application using a QR Code to initiate a payment. Consumers scan the QR code displayed on the checkout lane screen with their phones to pay for their goods with the payment method they have stored on their Walmart app. It’s a completely opposite approach to the typical payment process, in which we present our payment method to the merchant. The QR code conveys the purchase transaction information to the application on the mobile device where the payment is initiated.
One obvious advantage is that the payment information is not carried through a merchant’s store network. It is stored within the merchant’s system, potentially tokenized, thereby decreasing potential exposure during transit or storage. Also, consumers don’t need to have a payment card with them at the store.
Of course, the Walmart Pay approach is something unique to Walmart. For QR codes to be used more broadly in payment transactions, we need standards that both merchants and payment providers can adopt. EMVCo, which developed the EMV standards for the payments industry, issued guidelines just last month on the use of QR codes. They outline both how consumers can convey payment information to a merchant as well as how merchants can convey purchase information to applications that can initiate a payment. According to EMVCo, “The clarity provided by the specifications will enable merchants to accept QR Code payment solutions from various providers in a standardized manner. Consumers will also benefit from a more uniform experience that offers greater convenience and familiarity.”
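To make "merchants can convey purchase information to applications" concrete, here is an added example (not from the original post or from EMVCo's documents) that builds and parses a payload in the ID-length-value layout with a trailing CRC used by EMVCo's merchant-presented QR format. The merchant name, amount and the simplified subset of fields are constructed sample values, and the function names are hypothetical.

```python
# Added example; all field values are constructed samples (simplified subset).
SAMPLE = {"00": "01", "01": "12",      # payload format indicator, dynamic QR
          "52": "5411", "53": "840",   # merchant category code, currency (USD)
          "54": "23.50", "58": "US",   # amount, country code
          "59": "EXAMPLE STORE", "60": "ANYTOWN"}  # merchant name, city

def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_payload(fields: dict) -> str:
    """Merchant side: serialise the objects, then append the CRC (ID 63)."""
    body = ""
    for tag, val in fields.items():
        if not 1 <= len(val) <= 99:
            raise ValueError(f"object {tag}: length must be 1..99")
        body += f"{tag}{len(val):02d}{val}"
    body += "6304"  # the CRC covers its own ID and length
    return body + f"{crc16_ccitt_false(body.encode('ascii')):04X}"

def parse_payload(payload: str) -> dict:
    """Wallet side: check the CRC, then walk the ID-length-value objects."""
    if len(payload) < 8 or payload[-8:-4] != "6304":
        raise ValueError("CRC object missing or not last")
    expected = f"{crc16_ccitt_false(payload[:-4].encode('ascii')):04X}"
    if payload[-4:].upper() != expected:
        # A CRC detects corruption; it is not a signature.
        raise ValueError("CRC mismatch: payload corrupted or altered")
    fields, pos = {}, 0
    while pos < len(payload):
        tag, length = payload[pos:pos + 2], payload[pos + 2:pos + 4]
        if not (tag.isdigit() and length.isdigit()):
            raise ValueError(f"malformed header at offset {pos}")
        end = pos + 4 + int(length)
        if end > len(payload) or tag in fields:
            raise ValueError(f"object {tag} overruns payload or is repeated")
        fields[tag], pos = payload[pos + 4:end], end
    return fields

def approval_prompt(payload: str) -> str:
    """What the wallet shows the consumer before the payment is pushed."""
    f = parse_payload(payload)
    return f"Pay {f['54']} (currency {f['53']}) to {f['59']}, {f['60']}?"
```

The payload carries only purchase details, so no card number crosses the merchant's page; the consumer approves the parsed amount and merchant name inside the payment application.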
The QR Code Flips the Script
Earlier this year I blogged about our increasing use of mobile devices to make online purchases. Now mobile devices will play a part in how QR codes can simplify payments – not only in physical stores but also in e-commerce.
What if we used a QR code to convey purchase information not only from a physical store – as in Walmart’s case – but also from a web transaction? Instead of the web merchant asking consumers to enter their payment information, they would just display a QR code on consumers’ screens, similar to how Walmart presents a QR code on the checkout lane. The consumers would then hold up their mobile phone to the screen and read the code with a payment application on the device to initiate the payment. There’s no entering of sixteen-digit numbers or expiration dates, and less room for errors or exposure of sensitive information!
The QR Code can be used to reverse the payment flow on which the “Card Not Present” method is based. Instead of the consumer providing payment information to the merchant, which then has to request the funds from the consumer’s bank, the consumer obtains the purchase information from the merchants and pushes a payment to them. The use of QR Codes in e-commerce empowers the consumer to approve and send a payment rather than relying on the merchant to request the payment with consumers’ sensitive information. In essence, the web is no longer the avenue for the payment phase of the transaction.
And, I would add, all parties will have a more secure method to process their e-commerce transactions. I won’t go so far as to say data breaches will start to lessen in frequency, but I do expect to see QR Code adoption increase fairly quickly over the next 12 months in the e-commerce space.
This is a Security Bloggers Network syndicated blog post authored by Jose Diaz. Read the original post at: Data Security Blog | Thales e-Security