Alipay+ Docs

Security Guidelines

Risks to UPM and mitigations

Overview

Security risks to UPM are categorized according to the lifecycle of the Payment Codes, including the following stages:

  • Code generation and storage
  • Transaction processing
  • Message transmission

The following figure depicts the security-risk stages of the Payment Codes lifecycle:


Figure 1. Security risks to UPM

Recommended countermeasures are provided to mitigate the risks identified in each stage.

Code generation and storage

For UPM, the security risks in this stage fall on the MPP side, so the countermeasures for this stage are addressed to MPPs.

Transaction processing

Risk #1:

ACQPs cannot correctly process and route the transaction, which may result in transaction failure or loss of user funds. Possible reasons are:

  • The code value is not supported.
  • Code routing rules are conflicting.

Recommended countermeasure:

Follow the instructions as described in Transaction Processing Guidelines.

Risk #2:

The Merchant cashier system is vulnerable to attackers who try to steal the code values and use them in other payments.

Recommended countermeasure:

Merchants should use acceptance devices that meet the requirements of local regulators.

Risk #3:

The user or merchant attempts to make repeated payments because they are unsure whether the payment succeeded.

Recommended countermeasures:

After the payment transaction is completed, both the merchant acceptance terminal and the user mobile terminal should display the payment result. If the payment fails, the reason for the failure should be displayed.

Message transmission

Risk #1:

“Man-in-the-middle” attack, that is, attackers modify transaction messages for malicious purposes.

Recommended countermeasures:

Security methods such as digital signature and encryption should be adopted to protect the sensitive information enclosed in the transaction message.

Security protocols and strong encryption algorithms should be adopted to secure transaction communication links. Security protocols should be updated to the latest stable versions in a timely manner.

Risk #2:

Replay attack, that is, attackers replay a previously successful transaction message and request to perform a payment transaction several times.

Recommended countermeasure:

The transaction message should contain dynamic parameters such as a random number, timestamp, or one-time session token, to prevent replay attacks.

Risks to MPM and mitigations

Overview

Security risks to MPM are categorized according to the lifecycle of the Collection Codes, including the following stages:

  • Code generation and presentation
  • Transaction processing
  • Message transmission (Communication)

The following figure depicts the security-risk stages of the Collection Codes lifecycle:


Figure 2. Security risks to MPM

Recommended countermeasures are provided to mitigate the risks identified in each stage.

Code generation and presentation

Risk #1:

Key information, such as merchant information or transaction amount, is modified when the Collection Code is generated.

Recommended countermeasure:

ACQPs should ensure that the QR code generated for a merchant, and the collection account information it carries, are bound to that merchant.

Risk #2:

The Collection Code that the user scans is replaced with an illegitimate one, resulting in fraudulent transactions.

Recommended countermeasure:

ACQPs should remind the merchant to take action to prevent the code from being overwritten or replaced, and regularly check the integrity of the code.

Risk #3:

The Collection Code is misused in different places and/or for different business purposes from those registered with the ACQP.

Recommended countermeasure:

ACQPs should have measures in place to monitor code usage. If any code misuse is detected, ACQPs should promptly suspend code usage for the related merchant.

For example, when a merchant is registered as an offline merchant, the code issued for this merchant should only be used in in-store payment scenarios and within the registered business scope of the merchant.

Transaction processing

Risk #1:

The Collection Code is used for large payments or many small payments, which increases the overall transaction risks.

Recommended countermeasure:

ACQPs should evaluate the transaction risk based on merchant information and code-usage scenarios, and set transaction limits accordingly, such as single transaction limits or daily cumulative transaction limits.

Risk #2:

The qualification of the Merchant expires but their Collection Code can still be used to make payments.

Recommended countermeasure:

While a code is in use, ACQPs should periodically verify whether the merchant's qualification is still valid. If the qualification expires, ACQPs should promptly suspend code usage for the related merchant.
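The three checks above (code bound to the registered collection account, usage restricted to the registered scenario and business scope with suspension on repeated misuse, and suspension when the merchant qualification expires) can be enforced at one authorization point. The following is an added example, not Alipay+ code; the merchant registry, the `MISUSE_SUSPEND_THRESHOLD` policy value and the scenario and category labels are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List

# Assumed policy value: how many detected misuses suspend a merchant's code.
MISUSE_SUSPEND_THRESHOLD = 3


@dataclass
class MerchantRecord:
    """Constructed merchant registry entry (hypothetical, not an Alipay+ data model)."""
    merchant_id: str
    collection_account: str               # account registered with the ACQP
    registered_scenarios: FrozenSet[str]  # e.g. {"IN_STORE"} for an offline merchant
    business_scope: FrozenSet[str]        # registered business categories
    qualification_expires: date
    code_suspended: bool = False
    misuse_count: int = 0


@dataclass
class CollectionCode:
    """What the ACQP recorded when it generated the code."""
    code_id: str
    merchant_id: str
    collection_account: str               # account embedded at generation time


class CodeAuthorizer:
    def __init__(self, merchants: Iterable[MerchantRecord], codes: Iterable[CollectionCode]):
        self.merchants: Dict[str, MerchantRecord] = {m.merchant_id: m for m in merchants}
        self.codes: Dict[str, CollectionCode] = {c.code_id: c for c in codes}

    def check_qualifications(self, today: date) -> List[str]:
        """Periodic job: suspend codes of merchants whose qualification has expired.
        Returns the merchant IDs suspended in this run."""
        suspended = []
        for m in self.merchants.values():
            if m.qualification_expires < today and not m.code_suspended:
                m.code_suspended = True
                suspended.append(m.merchant_id)
        return suspended

    def authorize(self, code_id: str, scenario: str, category: str, today: date) -> str:
        """Decide whether a scanned code may be used for this payment."""
        code = self.codes.get(code_id)
        if code is None:
            return "DENY_UNKNOWN_CODE"
        merchant = self.merchants.get(code.merchant_id)
        if merchant is None:
            return "DENY_UNKNOWN_MERCHANT"
        # Generation risk #1: the account carried by the code must be the one
        # registered for this merchant, otherwise funds would be routed elsewhere.
        if code.collection_account != merchant.collection_account:
            return "DENY_ACCOUNT_MISMATCH"
        if merchant.code_suspended:
            return "DENY_SUSPENDED"
        # Transaction risk #2: check expiry inline too, in case the periodic
        # job has not run since the qualification lapsed.
        if merchant.qualification_expires < today:
            merchant.code_suspended = True
            return "DENY_QUALIFICATION_EXPIRED"
        # Generation risk #3: use outside the registered scenario or business
        # scope is misuse; repeated misuse suspends the code.
        wrong_scenario = scenario not in merchant.registered_scenarios
        wrong_scope = category not in merchant.business_scope
        if wrong_scenario or wrong_scope:
            merchant.misuse_count += 1
            if merchant.misuse_count >= MISUSE_SUSPEND_THRESHOLD:
                merchant.code_suspended = True
            return "DENY_SCENARIO" if wrong_scenario else "DENY_OUT_OF_SCOPE"
        return "ALLOW"


if __name__ == "__main__":
    shop = MerchantRecord("M001", "ACC-1", frozenset({"IN_STORE"}),
                          frozenset({"GROCERY"}), date(2025, 12, 31))
    auth = CodeAuthorizer([shop], [CollectionCode("C-1", "M001", "ACC-1")])
    print(auth.authorize("C-1", "IN_STORE", "GROCERY", date(2025, 6, 1)))  # ALLOW
    print(auth.authorize("C-1", "ONLINE", "GROCERY", date(2025, 6, 1)))    # DENY_SCENARIO
```

The account-mismatch check is evaluated before anything else because a code that points at the wrong account is wrong regardless of scenario or expiry; the expiry check is duplicated inline so that a lapse between two runs of the periodic job is still caught at payment time.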

Message transmission (Communication)

Risk #1:

  • A man-in-the-middle attack, that is, attackers modify transaction messages for malicious purposes.
  • Disclosure of sensitive data during communication. Attackers eavesdrop on the communication channel to obtain sensitive data, such as user identification information, in the message transmission.

Recommended countermeasures:

To ensure the confidentiality and integrity of the data in the transmission process, security methods such as digital signature and encryption should be adopted to protect the sensitive information enclosed in the transaction message.

Secure and reliable mutual authentication should be performed when establishing a connection between the client and the server. The client and the server should use security protocols and encryption algorithms of sufficient strength for secure and reliable data interaction. The security protocols should be updated to the latest stable versions in a timely manner. For example, use HTTPS with a valid SSL/TLS certificate for network communication.

Risk #2:

Replay attack, that is, attackers replay a previously successful transaction message and request to perform a payment transaction several times.

Recommended countermeasure:

The transaction message should contain dynamic parameters such as a random number, timestamp, or one-time session token, to prevent replay attacks.
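The message-transmission countermeasures are the same for UPM and MPM: protect the message with a signature so that modification in transit is detected, and carry dynamic parameters (random number, timestamp, one-time token) so that a captured message cannot be presented again. The following added example, which is not Alipay+ code, shows a sender attaching a nonce, a timestamp and a MAC, and a receiver that rejects tampered, stale and replayed messages. It uses an HMAC-SHA256 over a shared secret as a standard-library stand-in for the digital signature the guidelines recommend; the secret, the 300-second freshness window and the message fields are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed shared secret for this example only. The guidelines recommend
# digital signatures; an HMAC is used here as a stdlib stand-in, and a real
# deployment would verify an asymmetric signature (e.g. RSA or ECDSA) instead.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Assumed freshness window: correctly signed messages whose timestamp is
# further than this from the receiver's clock are rejected.
MAX_AGE_SECONDS = 300


def canonical_bytes(message: dict) -> bytes:
    """Serialize every field except the signature deterministically, so the
    sender and the receiver compute the MAC over identical bytes."""
    body = {k: v for k, v in message.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(fields: dict, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> dict:
    """Sender side: add the dynamic anti-replay parameters (random nonce and
    timestamp), then the MAC over the whole message."""
    message = dict(fields)
    message["nonce"] = secrets.token_hex(16)
    message["timestamp"] = int(now if now is not None else time.time())
    mac = hmac.new(secret, canonical_bytes(message), hashlib.sha256)
    message["signature"] = mac.hexdigest()
    return message


class ReplayGuard:
    """Receiver side: rejects tampered, stale and replayed transaction messages."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_age: int = MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen_nonces = {}  # nonce -> timestamp of first acceptance

    def verify(self, message: dict, now: Optional[float] = None) -> str:
        now = now if now is not None else time.time()
        # Forget nonces older than the freshness window: anything that old is
        # rejected by the timestamp check anyway, so the cache stays bounded.
        cutoff = now - self.max_age
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

        # 1. Integrity: a modified amount, account, nonce or timestamp breaks the MAC.
        expected = hmac.new(self.secret, canonical_bytes(message), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(message.get("signature", ""))):
            return "REJECT_BAD_SIGNATURE"
        # 2. Freshness: the timestamp must fall inside the window.
        if abs(now - message["timestamp"]) > self.max_age:
            return "REJECT_STALE"
        # 3. Uniqueness: the nonce must not have been accepted before.
        if message["nonce"] in self.seen_nonces:
            return "REJECT_REPLAY"
        self.seen_nonces[message["nonce"]] = message["timestamp"]
        return "ACCEPT"


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = sign_message({"merchant_id": "M001", "amount": "12.50", "currency": "MYR"})
    print(guard.verify(msg))  # ACCEPT
    print(guard.verify(msg))  # REJECT_REPLAY
```

The timestamp and nonce are covered by the MAC, so an attacker cannot refresh a captured message by rewriting its timestamp; the bounded nonce cache is what makes the timestamp window necessary, since a nonce older than the window would otherwise be forgotten and accepted again.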

Recommendations to both UPM and MPM

Compliance

To conduct code-scanning payment business, ACQPs should comply with AML (anti-money laundering) and CTF (counterterrorist financing) regulations, and other relevant laws and regulations.

Whether directly generating or entrusting a third party to generate the barcode or QR code, ACQPs should ensure that the code generation process conforms to local security regulations and industry standards.

For cross-border payment scenarios, ACQPs should also comply with relevant local legal and regulatory requirements.

For sanctioned regions, and for regions where local laws and regulations restrict code-scanning payment business, such business should not be conducted without the approval of local regulators.

Identity and eligibility

ACQPs should verify their merchants’ identity and business qualifications to ensure that code-scanning payment services for merchants comply with local laws, regulations and regulatory requirements. The merchants must provide authentic business information, such as business licenses and code usage, to ACQPs for verification.

In addition, for restricted or high-risk merchants, ACQPs should be able to identify inauthentic transactions, for example, by maintaining a blacklist.

Risk management

To identify risks, ACQPs should take the following measures:

  • Enhance risk analysis capabilities based on risk rules and models.
  • Identify risks of abnormal behaviors such as batch or high-frequency login, and take actions for verification.
  • Obtain information such as the institution, account, and device from the code values carried in the transaction process.
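The second item above names two abnormal login patterns: high-frequency login (many logins to one account in a short time) and batch login (many accounts logged into from one device). The following is an added detection example, not Alipay+ code; the one-line-per-event log format, the sample events and the window and threshold values are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed detection thresholds (policy values, not from the guidelines).
WINDOW = timedelta(minutes=5)
MAX_LOGINS_PER_ACCOUNT = 5   # more logins than this per window -> high-frequency login
MAX_ACCOUNTS_PER_DEVICE = 3  # more accounts than this per window -> batch login

# Constructed login events in a hypothetical format, in time order.
SAMPLE_LOG = """\
2025-06-01T10:00:00 login account=A1 device=D1 result=ok
2025-06-01T10:00:20 login account=A1 device=D1 result=ok
2025-06-01T10:00:40 login account=A1 device=D1 result=ok
2025-06-01T10:01:00 login account=A1 device=D1 result=ok
2025-06-01T10:01:20 login account=A1 device=D1 result=ok
2025-06-01T10:01:40 login account=A1 device=D1 result=ok
2025-06-01T10:02:00 login account=B1 device=D2 result=ok
2025-06-01T10:02:05 login account=B2 device=D2 result=ok
2025-06-01T10:02:10 login account=B3 device=D2 result=ok
2025-06-01T10:02:15 login account=B4 device=D2 result=ok
2025-06-01T10:30:00 login account=A1 device=D1 result=ok
"""


def parse_event(line: str) -> Tuple[datetime, str, str]:
    """Parse one event line into (timestamp, account, device)."""
    ts, _kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["account"], fields["device"]


class LoginMonitor:
    """Sliding-window counters over the login stream."""

    def __init__(self) -> None:
        self.by_account = defaultdict(deque)  # account -> login timestamps in window
        self.by_device = defaultdict(dict)    # device -> {account: last login timestamp}

    def observe(self, line: str) -> List[Tuple[str, str]]:
        ts, account, device = parse_event(line)
        flags = []

        # High-frequency login: count this account's logins inside the window.
        recent = self.by_account[account]
        recent.append(ts)
        while ts - recent[0] > WINDOW:   # terminates: the newest entry is ts itself
            recent.popleft()
        if len(recent) > MAX_LOGINS_PER_ACCOUNT:
            flags.append(("HIGH_FREQUENCY_LOGIN", account))

        # Batch login: count distinct accounts seen on this device inside the window.
        accounts = self.by_device[device]
        accounts[account] = ts
        for stale in [a for a, t in accounts.items() if ts - t > WINDOW]:
            del accounts[stale]
        if len(accounts) > MAX_ACCOUNTS_PER_DEVICE:
            flags.append(("BATCH_LOGIN", device))
        return flags


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run the monitor over a whole log and return every flag raised, in order."""
    monitor = LoginMonitor()
    flags = []
    for line in log_text.splitlines():
        if line.strip():
            flags.extend(monitor.observe(line))
    return flags


if __name__ == "__main__":
    for kind, subject in scan(SAMPLE_LOG):
        print(kind, subject)  # HIGH_FREQUENCY_LOGIN A1, then BATCH_LOGIN D2
```

In the sample, the sixth login to A1 within two minutes raises the high-frequency flag, the fourth distinct account on device D2 raises the batch flag, and the later A1 login at 10:30 raises nothing because the earlier entries have aged out of the window. The flags are the trigger for the verification actions the guideline asks for; what that verification is (step-up authentication, manual review) is a policy decision outside this example.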

To assess and dispose of risks, ACQPs should take the following measures:

  • Evaluate and classify risks by a combination of qualitative and quantitative calculation methods.
  • Set up risk disposal mechanisms, such as transaction rejection and privilege limitation, based on the risk assessment, so that risks are mitigated in real time.
  • Set daily cumulative transaction limits for the merchant according to the merchant's risk level and transaction type.
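The last item above, together with the transaction-limit countermeasure in the MPM "Transaction processing" section (single-transaction and daily cumulative limits set by merchant risk level and transaction type), can be enforced by a small limit table and a per-merchant daily aggregate. The following is an added example, not Alipay+ code; the risk tiers, transaction types and every limit value in `LIMITS` are constructed for illustration, and the daily counter is kept in memory rather than in the shared store a real system would use.

```python
from datetime import datetime
from decimal import Decimal
from typing import Dict, Tuple

# Constructed limit table (hypothetical values): (risk tier, transaction type)
# -> single-transaction cap, daily cumulative amount cap, daily count cap.
# A missing entry means that transaction type is not enabled for that tier.
LIMITS = {
    ("LOW", "IN_STORE"):    {"single": Decimal("5000"), "daily": Decimal("50000"), "count": 500},
    ("MEDIUM", "IN_STORE"): {"single": Decimal("2000"), "daily": Decimal("10000"), "count": 100},
    ("HIGH", "IN_STORE"):   {"single": Decimal("500"),  "daily": Decimal("2000"),  "count": 5},
    ("LOW", "ONLINE"):      {"single": Decimal("3000"), "daily": Decimal("30000"), "count": 300},
}


class TransactionLimiter:
    def __init__(self, merchant_tiers: Dict[str, str]) -> None:
        self.tiers = merchant_tiers   # merchant_id -> risk tier from the risk assessment
        # (merchant_id, calendar date) -> (cumulative amount, transaction count)
        self.daily: Dict[Tuple[str, object], Tuple[Decimal, int]] = {}

    def daily_usage(self, merchant_id: str, at: datetime) -> Tuple[Decimal, int]:
        return self.daily.get((merchant_id, at.date()), (Decimal("0"), 0))

    def evaluate(self, merchant_id: str, tx_type: str, amount: Decimal, at: datetime) -> str:
        """Approve or reject one payment against the merchant's limits, and
        record it in the daily aggregate when approved."""
        tier = self.tiers.get(merchant_id)
        if tier is None:
            return "REJECT_UNKNOWN_MERCHANT"
        limits = LIMITS.get((tier, tx_type))
        if limits is None:
            return "REJECT_TYPE_NOT_ALLOWED"
        if amount <= 0:
            return "REJECT_INVALID_AMOUNT"
        # Single-transaction limit: catches one large payment.
        if amount > limits["single"]:
            return "REJECT_SINGLE_LIMIT"
        # Daily count limit: catches many small payments.
        total, count = self.daily_usage(merchant_id, at)
        if count + 1 > limits["count"]:
            return "REJECT_DAILY_COUNT"
        # Daily cumulative amount limit.
        if total + amount > limits["daily"]:
            return "REJECT_DAILY_LIMIT"
        self.daily[(merchant_id, at.date())] = (total + amount, count + 1)
        return "APPROVE"


if __name__ == "__main__":
    limiter = TransactionLimiter({"M001": "HIGH"})
    when = datetime(2025, 6, 1, 10, 0)
    print(limiter.evaluate("M001", "IN_STORE", Decimal("300"), when))  # APPROVE
    print(limiter.evaluate("M001", "IN_STORE", Decimal("600"), when))  # REJECT_SINGLE_LIMIT
```

Amounts are `Decimal` rather than float so that cumulative totals compare exactly against the limit; the aggregate is keyed by calendar date so that limits reset at midnight, and a production system would define "day" in the merchant's local time zone and keep the aggregate in shared storage so that every processing node sees the same totals.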

Security education

ACQPs are recommended to provide security education to their merchants, such as:

  • Promote code-scanning payment security knowledge to improve awareness.
  • Disclose the risks of static Collection Code (that is, Entry Code) and the countermeasures.
  • Enhance the education on the protection and management of sensitive information such as passwords.